by butsch
14. February 2023 16:12
Starting March 2023, Microsoft EDGE will be the new Adobe Reader and Acrobat if you opt in
I just found some information while searching for more info about the 02/2023 Windows updates/patches. This is interesting because we mostly do auto-updates for Defender and EDGE updates, while we analyse and test all other monthly cumulative updates per customer and then approve them in a schema from small to big customers.
This has worked great over the last few months, where other companies that just auto-approve updates had problems.
Adobe is the company with the most PDF patents for advanced features in PDF files. All the free solutions offer just a part of that or pay licence fees to Adobe, as we understood to date.
Starting in March, auto-approved EDGE updates will include the Adobe Reader engine in MS Edge, and it seems that the Adobe Acrobat (Writer) license will also be available via Edge. This eliminates the eternal discussion about the safest way to open PDFs from the web/email (not in Chrome with the Adobe Extension) and whether to use Reader, Acrobat (Writer), or the browser. If it's all the same, the issue goes away.
Acrobat Writer updates were often delayed because they were 170-500MB in size and didn't transfer quickly via Intune or on-premise deployment to laptops. So one product was sometimes the older one.
In addition, there was always the question of which program to set as the default for opening .PDF files. Adobe put a lot of work into Reader manuals and explanations for end users. Most of the time one single user in an enterprise wants it another way, and because he is from QA, the "open with" procedure is changed via IT for all employees. Often this is because their quality solution or add-on did not work with the Edge PDF engine.
Adobe and Microsoft have a new partnership to integrate the Adobe Reader engine into the MS EDGE browser, as well as Adobe Sign (which is the digital signature) for the MS Cloud things mentioned.
Eventually, Adobe Reader will disappear and MS software should then direct Edge to display PDFs. No one knows what will happen to Chrome.exe. Google and Amazon are heavily against the Azure Cloud and the new licensing model for Microsoft server OS (as we understood it, it would be more expensive to run MS Server outside of Azure...)
LINKS:
https://www.adobe.com/sign/pricing/plans.html?plans=teams
https://www.adobe.com/documentcloud/integrations/microsoft.html
https://techcommunity.microsoft.com/t5/microsoft-edge-insider/microsoft-edge-and-adobe-partner-to-improve-the-pdf-experience/ba-p/3733481
This is exactly what they probably want to prevent:
https://helpx.adobe.com/de/acrobat/kb/chrome-extension-not-working.html
Some extracted info which seems interesting for us:
How do I use the advanced Adobe Acrobat PDF features in Microsoft Edge?
Activating the advanced features with the Adobe Acrobat PDF extension in Microsoft Edge requires a paid Adobe Acrobat subscription. To activate the features, in the PDF view in Microsoft Edge, navigate to the top right corner of the window and click the button with messaging to try the advanced features. From there follow the prompts best suiting your needs to complete the transaction. If you already have a paid Adobe Acrobat subscription, you can sign into your existing account to use the advanced features at no additional cost.
Can general users opt out of using Adobe Acrobat PDF capabilities in Microsoft Edge?
General users will be unable to revert to using the legacy PDF engine in Microsoft Edge after the Adobe Acrobat PDF engine launches.
How will this affect commercial organizations?
When rollout begins in March 2023, there will be no changes to managed Windows devices in organizations unless you choose to opt in. Users on unmanaged Windows devices will see an unobtrusive Adobe brand mark in the bottom corner of their PDF view. These users will also see an option to try the advanced features, such as converting PDFs, combining files, editing text and images. If an organization chooses to opt in, users on managed devices will see the same changes. The built-in Microsoft Edge PDF solution with the Adobe Acrobat PDF engine will have full feature parity with the legacy Microsoft Edge PDF solution. No functionality will be lost.

by butsch
15. August 2022 16:11
August 08/2022 Patch KB5012170 Update for Secure Boot DBX problem 0x800f0922
Problem: You can't install the August 2022 update KB5012170 on some systems under certain conditions, where Secure Boot is enabled and the BIOS/UEFI firmware is not the latest. You will receive error 0x800f0922.
Error: Package KB5015730 failed to be changed to the Installed state. Status: 0x800f0922.


The patch does a revert

System which is not affected

The update fixes some Secure Boot problems, for example:
CVE-2022-34301 | Eurosoft Boot Loader Bypass
CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass
CVE-2022-34303 | Crypto Pro Boot Loader Bypass
Microsoft main link:
KB5012170: Security update for Secure Boot DBX: August 9, 2022 (microsoft.com)
https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15
What does the KB describe:
It describes the problem that systems with certain firmware/BIOS and GPO settings should not be patched with KB5012170. The KB is very hard to understand. We try to help a little. Please keep in mind that you can't update firmware on laptops without checking compatibility with docking stations and maybe other things. In an enterprise you can't just update laptop firmware overnight and hope all is fine, like Microsoft thinks they can do with their M365/Azure solution and Autopilot clients. ;-)
Keypoint / problem:
|
If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.
|
So what does that mean if you don't have a post doc in IT?
Check if you are affected and have PCR7 active
You can find out the status of your UEFI / PCR7 / BitLocker setup with MSINFO32.exe (elevated) and/or by running a DOS or PS command.
Some sample dumps and how to find out:
Affected product which has PCR7 mode shown:
Dell computer Precision 5530, Windows 10 21H2
msinfo32.exe commandline
shows:
Sicherer Startzustand Ein
PCR7-Konfiguration Gebunden
DOS: manage-bde -protectors -get c:
Shows:

Automate checking client for PCR7:
You may use a) your software deployment, b) PSEXEC from Sysinternals. c) Do not use GPO to deploy software if you are not 100% fireproof with scripting.
With psexec:
PsExec - Windows Sysinternals | Microsoft Docs
psexec -s \\computer001 c:\windows\system32\manage-bde.exe -protectors -get c:
|
PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
BitLocker-Laufwerkverschlüsselung: Konfigurationstool, Version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. Alle Rechte vorbehalten.
Volume "C:" [Windows]
Alle Schlüsselschutzvorrichtungen
Numerisches Kennwort:
ID: {6E770EF9-56D2-430D-81SAFE82-0E9A555D3D8A9}
Kennwort:
448404-317438-3449504-5442264-159SAFE764-262257-273570-253165
TPM:
ID: {9BE23A51-4A8B-4649-98SAFEDE-FAD6FB7165B9}
PCR-Validierungsprofil:
7, 11
(Verwendet den sicheren Start für die Integritätsüberprüfung)
c:\windows\system32\manage-bde.exe exited on pen10nb014 with error code 0.
|
Automate msinfo32.exe with psexec
psexec -s \\computer001 C:\windows\system32\msinfo32.exe /nfo c:\edv\00_report\computer.txt /report c:\edv\00_report\computer_re.txt
Description of Microsoft System Information (Msinfo32.exe) Tool
c:\edv\00_report\computer_re.txt
|
Systeminformationsbericht erstellt am: 08/15/22 13:51:16
Systemname: SBBCARW10EL0145
[Systemübersicht]
Element Wert
Betriebsystemname Microsoft Windows 10 Enterprise
Version 10.0.19042 Build 19042
Weitere Betriebsystembeschreibung Nicht verfügbar
Betriebsystemhersteller Microsoft Corporation
Systemname PEN10NB014
Systemhersteller Dell Inc.
Systemmodell Precision 5530
Systemtyp x64-basierter PC
System-SKU 087D
Prozessor Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz, 2904 MHz, 6 Kern(e), 12 logische(r) Prozessor(en)
BIOS-Version/-Datum Dell Inc. 1.12.0, 27.06.2019
SMBIOS-Version 3.1
Version des eingebetteten Controllers 255.255
BIOS-Modus UEFI
BaseBoard-Hersteller Dell Inc.
BaseBoard-Produkt 0FP2W2
BaseBoard-Version A00
Plattformrolle Mobil
Sicherer Startzustand Ein
PCR7-Konfiguration Gebunden
|
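To evaluate the dumps collected with psexec across many clients, the two outputs above can be parsed on the admin workstation. The following is an added example, not part of the original post: the German labels are the ones shown in the dumps above, while the English labels, the host names and both sample texts are assumptions constructed for illustration.

```python
import re

# Labels that precede the PCR list in `manage-bde -protectors -get` output.
# German is what this page shows; the English label is an assumption for en-US systems.
PCR_LABELS = ("PCR-Validierungsprofil:", "PCR Validation Profile:")

# msinfo32 report rows of interest (German from the page, English assumed).
MSINFO_ROWS = {
    "Sicherer Startzustand": "secure_boot",
    "Secure Boot State": "secure_boot",
    "PCR7-Konfiguration": "pcr7_config",
    "PCR7 Configuration": "pcr7_config",
}

PCR_LIST = re.compile(r"^\d+(\s*,\s*\d+)*$")


def pcr_profile(manage_bde_text):
    """Return the sorted PCR indices used by all TPM-based protectors ([] if none)."""
    pcrs = set()
    lines = [ln.strip() for ln in manage_bde_text.splitlines()]
    for i, line in enumerate(lines):
        if line not in PCR_LABELS:
            continue
        # The list ("7, 11") is the first non-empty line after the label.
        for nxt in lines[i + 1:]:
            if not nxt:
                continue
            if PCR_LIST.match(nxt):
                pcrs.update(int(n) for n in nxt.split(","))
            break
    return sorted(pcrs)


def msinfo_fields(report_text):
    """Extract Secure Boot state and PCR7 configuration from msinfo32 /report text.

    The caller is expected to pass the report already decoded to str.
    """
    found = {}
    for line in report_text.splitlines():
        line = line.strip()
        for label, key in MSINFO_ROWS.items():
            if line.startswith(label):
                found[key] = line[len(label):].strip()
    return found


def assess(host, manage_bde_text, report_text=""):
    """Combine both dumps into one record per client."""
    pcrs = pcr_profile(manage_bde_text)
    info = msinfo_fields(report_text)
    return {
        "host": host,
        "pcrs": pcrs,
        "secure_boot": info.get("secure_boot", "unknown"),
        "pcr7_config": info.get("pcr7_config", "unknown"),
        # Condition named in the KB: BitLocker TPM protector validated against PCR 7.
        "prepare_before_kb5012170": 7 in pcrs,
    }


# Constructed sample: German output with the IDs replaced by placeholders.
SAMPLE_BOUND = """
Volume "C:" [Windows]
Alle Schlüsselschutzvorrichtungen

    TPM:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR-Validierungsprofil:
        7, 11
        (Verwendet den sicheren Start für die Integritätsüberprüfung)
"""
SAMPLE_REPORT = "Sicherer Startzustand\tEin\nPCR7-Konfiguration\tGebunden\n"

# Constructed sample: English output whose TPM protector does not use PCR 7.
SAMPLE_NOT_BOUND = """
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {11111111-1111-1111-1111-111111111111}
      PCR Validation Profile:
        0, 2, 4, 11
"""

if __name__ == "__main__":
    for record in (assess("client-a", SAMPLE_BOUND, SAMPLE_REPORT),
                   assess("client-b", SAMPLE_NOT_BOUND)):
        print(record)
```

Clients flagged with `prepare_before_kb5012170` are the ones that need the firmware check or the BitLocker suspend described in the Solution part before the update is approved.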
Other samples not affected:
An HP Elitedesk 800 G3 (Older) with a NON UEFI BIOS
Binding is not possible because it is an older machine with NO UEFI BIOS (legacy used, for better OS deployment reasons).
DOS: manage-bde -protectors -get c:

PS:

Msinfo32.exe

Some newer Home system from HP Elitedesk with UEFI no Bitlocker GO or Bitlocker active (Out of the box enduser system)
BINDING POSSIBLE
manage-bde -protectors -get c:

Below you see what PCR7 shows if you did NOT run msinfo32 elevated ("Administrative/Elevated"): it says "Elevation required to view".


Here is msinfo32.exe with run as admin, PCR7 would be possible but is not activated

You can see that on this specific machine, where PCR7 "Binding Possible" is shown, there is no BitLocker. That is why the patch installed here without the firmware update that was offered by HP.
Solution
- Check that you have the latest Bios/Firmware
- Check if you have PCR7 enabled like mentioned above
If not possible > for example because your docking station is not compatible with the latest firmware
To workaround this issue, do one of the following before you deploy this update
|
On a device that does not have Credential Guard enabled, run following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:
Manage-bde -Protectors -Disable C: -RebootCount 1
Then, deploy the update and restart the device to resume the BitLocker protection.
On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:
Manage-bde -Protectors -Disable C: -RebootCount 3
Then, deploy the update and restart the device to resume the BitLocker protection.
|
Some further links and info regarding the patch:
ADV200011 - Security Update Guide - Microsoft - Microsoft Guidance for Addressing Security Feature Bypass in GRUB
Troubleshoot the TPM (Windows) - Windows security | Microsoft Docs
R730xd, BitLocker, Secure Boot, PCR7 issue - Dell Community
Windows Server shows PCR7 configuration as "Binding not possible" - Windows Server | Microsoft Docs
|
In this scenario, when you run msinfo32 to check the PCR7 Configuration, it's displayed as Binding not possible.
|
Windows Server shows PCR7 configuration as "Binding not possible"
Article, 02/24/2022
This article introduces the Binding not possible issue in msinfo32 and the cause of the issue. This applies to both Windows clients and Windows Server.
PCR7 Configuration in msinfo32
Consider the following scenario:
Windows Server is installed on a secure boot-enabled platform.
You enable Trusted Platform Module (TPM) 2.0 in Unified Extensible Firmware Interface (UEFI).
You turn on BitLocker.
You install chipset drivers and update the latest Microsoft Monthly Rollup.
You also run tpm.msc to make sure that the TPM status is fine. The status displays The TPM is ready for use.
In this scenario, when you run msinfo32 to check the PCR7 Configuration, it's displayed as Binding not possible.
|
by butsch
28. July 2022 17:09
Event ID 7053,12072,12052,12042,12012,13042 on WSUS Server
ERROR:
Unable to open WSUS MMC or connect with Script/PS/Tools to the WSUS database. On clients or servers you see an error when this happens, because the WSUS APP Pool on IIS is down.
What is the problem?
If this happens you will, after a reboot of the server, lose most of the APPROVAL or DENY decisions on your WSUS going back for years.
Solution:
Mostly 90% related to RAM memory the WSUS has and the Application POOL WSUS itself or you run out of space on your WSUS content drive.
Prelude:
In the past months, all long-running WSUS servers, no matter which OS they run on, seem to crash more often than they did before. At first we watched for a long time and thought this was sporadically related to:
- Multi usage of MMC Console (Several users checking WSUS)
- Space on D: drive (With all the Feature Updates you are up to 1 TB soon)
- A script we had running to maintain WSUS, or better, to clean up WSUS automatically after it crashed again (Deny 12'000 Patches…)
- We also assumed it is caused by a mix of WID (Windows Internal DB/different versions of SQL Express or STD > we updated some mixed-use WSUS + EPO 5.10 to SQL 2017)
- As always, maybe AV solutions which pinpoint. But we use McAfee ENS Endpoint with many exceptions and it never blocked SQL or WID when configured right and not by beginners
None of that seemed to be the source of the problem.
It looks like the crashes are more often related to memory handling of IIS Application Pools and the total memory the HOST (VM) has.
Here are the errors we did see:
Event ID 7053, Application
|
The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,
Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.
System.NullReferenceException -- Object reference not set to an instance of an object.
Source: Microsoft.UpdateServices.UI.SnapIn
Stack Trace: at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ResetScopeNode()
|
Event ID 12072/12052/12042/12012/13042, Application, Windows Server Update Services
|
The Server Synchronization Web Service is not working.
|
The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)
|

|
The DSS Authentication Web Service is not working.
|
Self-update is not working.
|
The Reporting Web Service is not working.
|
The API Remoting Web Service is not working.
|
Event ID 10016, SYSTEM, DistributedCOM
|

|

Solution:
- Give the HOST on ESX/Hypervisor more memory. You could trace for hours to find out how much or you be smart and give it 16-20 GB RAM. It depends on history of WSUS (Like running for 5 years, amount of clients or patches, how you clean up the WSUS with Tools or scripts via SQL query).
- Open IIS, Application Pools, WSUSPOOL, Advanced Settings, Change the "Private Memory Limit KB" to something under your ESX Memory you gave. (In our example the IIS APP process runs around 14GB RAM and we gave the Server 18GB)
- Reboot and all works again



You can now see how much memory the IIS app pool is consuming on a larger WSUS with a lot of history over years (Lot of WID/SQL data…)



by butsch
28. July 2022 17:06
Event ID 7053,12072,12052,12042,12012,13042 on WSUS Server
ERROR:
Unable to open WSUS MMC or connect with Script/PS/Tools to the WSUS database. On clients or servers you see an error when this happens, because the WSUS APP Pool on IIS is down.
What's the problem?
If this happens you will, after a reboot of the server, lose most of the APPROVAL or DENY decisions on your WSUS going back for years.
Solution:
Mostly 90% related to RAM memory the WSUS has and the Application POOL WSUS itself or you run out of space on your WSUS content drive.
Prelude:
In the past months, all long-running WSUS servers, no matter which OS they run on, seem to crash more often than they did before. At first we watched for a long time and thought this was sporadically related to:
- Multi usage of MMC Console (Several users checking WSUS)
- Space on D: drive (With all the Feature Updates you are up to 1 TB soon)
- A script we had running to maintain WSUS, or better, to clean up WSUS automatically after it crashed again (Deny 12'000 Patches…)
- We also assumed it is caused by a mix of WID (Windows Internal DB/different versions of SQL Express or STD > we updated some mixed-use WSUS + EPO 5.10 to SQL 2017)
- As always, maybe AV solutions which pinpoint. But we use McAfee ENS Endpoint with many exceptions and it never blocked SQL or WID when configured right and not by beginners
None of that seemed to be the source of the problem.
It looks like the crashes are more often related to memory handling of IIS Application Pools and the total memory the HOST (VM) has.
Here are the errors we did see:
Event ID 7053, Application | The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,
Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.
System.NullReferenceException -- Object reference not set to an instance of an object.
Source: Microsoft.UpdateServices.UI.SnapIn
Stack Trace: at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ResetScopeNode()
|
Event ID 12072/12052/12042/12012/13042, Application, Windows Server Update Services | The Server Synchronization Web Service is not working. | The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger) | 
| The DSS-Authentication Web Service is not working. | Self-update is not working. | The Reporting Web Service is not working. | The API Remoting Web Service is not working. |
Event ID 10016, SYSTEM, DistributedCOM | 
|
Solution:
- Give the HOST on ESX/Hypervisor more memory. You could trace for hours to find out how much or you be smart and give it 16-20 GB RAM. It depends on history of WSUS (Like running for 5 years, amount of clients or patches, how you clean up the WSUS with Tools or scripts via SQL query).
- Open IIS, Application Pools, WSUSPOOL, Advanced Settings, Change the "Private Memory Limit KB" to something under your ESX Memory you gave. (In our example the IIS APP process runs around 14GB RAM and we gave the Server 18GB)
- Reboot and all works again
You can now see how much memory the IIS app pool is consuming on a larger WSUS with a lot of history over years (Lot of WID/SQL data…)
Tags:
WSUS | Hotfixes / Updates
by butsch
16. November 2021 14:11
WSUS, W10/11 how to install a WSUS Update (KB patch) Manual with DISM from WSUScontent source Directory
This blog entry is about two things.
- How to install a Windows Update from WSUS Source content folder manual by hand with DISM
- Mcafee ENS 10.X, IPS Exploit Rule 6133 may block tiworker.exe with some updates (Mitre T1562)
Here is how to get the info which file is for what KB from WSUS-Server:
Search the file in your WSUSCONTENT folder
UN-7ZIP the cab file
For most Monthly patch day packages you also often need SSU (Servicing Stack Update). In most patches this is included. So you have several CAB files as seen above. Install the SSU first.
Servicing Stack Updates (SSU): Frequently Asked Questions (microsoft.com)
Install 1 the SSU.
dism /Online /Add-Package /PackagePath:"c:\drivers\SSU-19041.1220-x64.cab.cab"
Install 2 patch itself:
dism /Online /Add-Package /PackagePath:"c:\drivers\Windows10.0-KB5005565-x64.cab"
Keep an EYE on complex Antivirus with IPS Modules that do more than pattern scanning.
We have seen some Exploit IPS rules from Mcafee ENS 10.X which are ON by default but should be on to protect from Ransomware. It is good to keep an eye on those rules. Please carefully read the FULL alert in your ENS. Most of the times it says "WOULD BLOCK" if the EPO Admin did activate some rules in monitor mode (To Test new rules).
Exploit Rule 6133, change EPO side in ENS Policy
by butsch
16. November 2021 13:58
Unable to import KB Notfall/Interim/Post Microsoft Patchday patch into WSUS-Server running under Microsoft Server 2012 R2.
Problem: You are unable to import Patches from Windows Update Catalog on 2012 R2 WSUS
Problem: You don't see the "Import directly into WSUS" button / it is not visible on 2019 (EDGE/IE mix)
Most people discover this while in a hurry to deploy the following 14.11.2021 emergency patches, released after the 11/2021 November updates, which take apart their Azure, Load Balancer, ADFS, WAF-IIS etc.
Windows Server 2019: KB5008602 — DOWNLOAD
Windows Server 2016: KB5008601 — DOWNLOAD
Windows Server 2012 R2: KB5008603 — DOWNLOAD
Windows Server 2012: KB5008604 — DOWNLOAD
Windows Server 2008 R2 SP1: KB5008605 — DOWNLOAD
Windows Server 2008 SP2: KB5008606 — DOWNLOAD
https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2016#2748msgdesc
Microsoft has released out-of-band updates to address authentication failures related to Kerberos delegation scenarios impacting Domain Controllers (DC) running supported versions of Windows Server. On impacted systems, end-users cannot sign into services or applications using Single Sign-On (SSO) in Active Directory on-premises or hybrid Azure Active Directory environments.
On the WSUS-Server if you try to Import a patch from WSUS-catalog it fails:
ERROR you see:
"Es konnten nicht alle Updates importiert werden. Wenn Sie den Vorgang abgebrochen haben, starten Sie den Import der Updates erneut. Ist ein Fehler aufgetreten, klicken Sie in der Statusspalte neben dem jeweiligen Update auf Fehler, um die Lösung für das Problem anzuzeigen."
Here is the process to Import a KB File into your WSUS.
*********** STEP NEEDED if you run WSUS on ONLY Server 2019 ************** FROM HERE
If you are UNABLE to see the ADD/Hinzufügen on Server 2019 then do following. Start iexplore.exe manual from start menu.
Open the site:
https://catalog.update.microsoft.com/
Install the Plugin (Only appears on IE Internet Explorer 11 not EDGE) on Server 2019
You can check the add-on here also in IE addons:
Open Import from Windows Catalog
The site will open in EDGE > Copy the full URL and open iexplore.exe (IE11) again, paste the full URL there
Now in IE you see the import button:
Still you can ONLY import the 2019 patches on WSUS running on Server 2019 ;-) Very nice. We need to rollout full SCCM now for every SBS/KMU?
*********** STEP NEEDED if you run WSUS on Server 2019 ************** TO HERE / END STEP 2019 ONLY
Error:
Importergebnisse

| Es konnten nicht alle Updates importiert werden. Wenn Sie den Vorgang abgebrochen haben, starten Sie den Import der Updates erneut. Ist ein Fehler aufgetreten, klicken Sie in der Statusspalte neben dem jeweiligen Update auf Fehler, um die Lösung für das Problem anzuzeigen. |
Solution:
Add following Registry Key and reboot the Server
Cmd line 1 line:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1
Single registry values:
VALUE name: SchUseStrongCrypto
Value Data: 1
Type: DWORD (32-bit) Value
Reboot
Retry
OK
Tags:
WSUS | Hotfixes / Updates
by butsch
24. March 2021 21:41
Hello,
This is a collection of some technical things we used to recover a SRV 2016 with blue screens. We assume the first crash was related to a too-early SRV 2016 VL release ISO and ESX 6.5 (from 2018), combined with a Windows Defender update.
This may help you to recover a Server 2016 in general. It's so rare with 2012R2/2016 that this may help, because it's not a daily task and people tend to go back to a snapshot or restore from Veeam these days. Still, we have seen this happen.
SRV 2016, Windows Patch, BSOD, STOP CODE, 0xc000021a or CRITICAL SERVICE FAILED, ROLLBACK, Blue screen how to
Windows Patch, BSOD, STOP CODE, 0xc000021a, ROLLBACK, Blue screen how to (Notice the PAGE FILE Partition where memory DUMP was done)
BSOD, Bluescreen on Server 2016
STOP CODE, 0xc000021a
STOP CODE, CRITICAL SERVICE FAILED

Server 2016 problems patches 02/2021: KB4601318 fails to update, fails at 24% Windows Server 2016 - Microsoft Q&A
Customer did run following VMware setup for the cluster (Because they wanted to test the newer release for some days)
VMware ESX Versions:
6.5 Version 9298722
ESXi 6.5 U2C | ESXi650-201808001 | 8/14/2018 | 9298722 | NA
6.5 Version 13635690
ESXi 6.5 EP 14 | ESXi650-201905001 | 05/14/2019 | 13635690 | N/A
Build numbers and versions of VMware ESXi/ESX (2143832)

Rollback of Updates that caused the Bluescreen if you installed Windows Update before.



- Choose blue recovery console
- Choose troubleshoot
- Choose cmd.exe
- Change KEYBOARD layout so you type the Local Admin password correct
- Logon with Local Admin password
Rollback the last updates with: dism /image:D:\ /cleanup-image /revertpendingactions (D: is the drive where your Windows Server install is, thus where c:\program files and c:\windows are (search for that partition from C: to Z:))




Enter password (Hopefully)

Change KEYBOARD layout so you type the Local Admin password correct
Logon with Local Admin password
Search the windows Partition
Check with:
Sfc /scannow

Run: checkdisk if you think there is damage to file system or disk:
Chkdsk G: /f /r /x

Check the pending operations he should do or has done during the crash:

Remove C:\windows\winsxs\pending.xml.
Cd g:\windows\winsxs\
Rename pending.xml pending.old

Rollback the last updates with:
dism /image:D:\ /cleanup-image /revertpendingactions
D: is the drive where your Windows Server install is, thus where c:\program files and c:\windows are (search for that partition from C: to Z:)

Error: 0x800f082f
BAD: (Looks more worse now….)

GOOD: (Looks good until you try to reinstall the same patch in 1 week again…)

Weputil.exe reboot

OR
Type: EXIT






OR NOT


If you have "CRITICAL SERVICE FAILED" this could be related to an UNSIGNED DRIVER, or something is wrong with certificates (CODE SIGNING). Maybe ask the firewall team if they block CERTIFICATE REVOCATION, and if they don't know what you are talking about, check yourself. Read more on the blog.
Try these BOOT Option with F8

If the server comes up with "Disable Driver Signature Enforcement" and you don't need it (because it's not a high-security server), you could disable it permanently. We do not recommend this on an Exchange Server, for example, or anything security related.
If it comes up run:
Sfc /scannow
Manually disable certificate signature validation:
open CMD.exe as an Administrator
bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS
Re-enable the certificate validation
open CMD.exe as an Administrator
bcdedit -set loadoptions DENABLE_INTEGRITY_CHECKS
FAQ: How to remove failed packages in Windows PE



Looking why the Server crashed with NIRSOFT tool Bluescreenview

Microsoft recommends the PAGE FILE partition to be RAM + some XXX MB. This is what happens IF the server ever has a blue screen, so don't do it that way.
I am unsure if the server would have picked the partition if no more space was there (like they recommend). Never liked that recommendation.
The paging file size should exceed the amount of physical RAM in the system (SharePoint Server) - SharePoint Server | Microsoft Docs
Cause: A best practice for Windows is to set the paging file size to a value greater than or equal to the total amount of available physical memory. For automatic reclamation of heap memory, garbage collection generally works more effectively when the size of the managed heap approaches the paging size. If the paging file size is smaller than the RAM size, new allocations of managed memory are granted, which makes garbage collection more expensive and increases CPU load.

by butsch
3. December 2020 21:48
Windows Update Server has been filling up for a few months beyond the 350GB max. value you know from WSUS servers that have run for years
- You checked the internal WSUS GUI command to clean (that often does not free space…)
- You cleaned the WSUS, maybe even with free or commercial scripts like Adamj Clean-WSUS
- Still you don't get under 350GB for the WSUS content drive
- You are at a point where the SQL cleanup stalls and your SQL Management Studio crashes
- You would have to use sqlcmd.exe to clean the WSUS because no space is left
Source:
The source is mostly ESD Windows distribution files (*.ESD) for updating from Windows 10 to other W10 versions. These exploded in the last few months. Maybe you did one update like a 1903 to 1909 and now you have the full range coming in. This is around 120 to 160GB of data.
This adds to the 350GB you normally have when running a certain range of products, like 2010-2016 Office and W7/W10.
Quick and Dirty Workaround:
When you can't approve new updates and they are urgent and you can't expand the Disk temporary because it's a VM or the storage team refuses to do so (Because they like to save money for the customer [Who understands why?])
- Make sure nobody in your SBS or Enterprise does need those updates
- Just delete them from the \WSUSCONTENT\ drive recursive with del *.esd /s
- Find the person who turned the category on without thinking in advance ;-)
- Cancel the download in the WSUS GUI and also DENY them if they're still NON APPROVED
Check other WSUS category from us:
http://www.butsch.ch/category/WSUS.aspx
Afterwards choose "cancel download" and "DENY" them.
Tags:
WSUS | Hotfixes / Updates
by butsch
27. August 2020 16:22
Unable to deploy W10 > W10 19XX (Feature Updates) to Windows 10 Clients via WSUS on Server 2012 R2.
That is a patch you need to Update your W10 client from W10 19XX to 19XX/20XX via WSUS.
This should have been fixed by Update KB 2919355 and Windows8.1-KB3095113-v2-x64. However, on some WSUS Server 2012 R2 we could not install the patch (depending on the order in which you installed patches and when you installed the WSUS role). The patch opens up the handling of ESD files in the IIS web server (so IIS knows what to do with the extension and how to deliver it). You can manually add that entry in IIS.
Error you see in WSUS Server | Feature update to Windows 10 (business editions), version 1909, de-de x64
Event reported at 27.08.2020 03:08:
(Unable to Find Resource:) ReportingEvent.Client.167; Parameters: Funktionsupdate für Windows 10 (Business-Editionen), Version 1909, de-de x64 |
Here is how to solve it manually
Right side "ADD"
File name extension:
.esd (with the dot in front)
MIME type:
application/octet-stream
OK
Close and maybe restart IIS or best WSUS Server.
After a reboot of the WSUS you see that the clients download the update.
You can read here further info:
https://support.microsoft.com/de-de/help/3095113/update-to-enable-wsus-support-for-windows-10-feature-upgrades
This pre-needs KB 2919355
by butsch
27. May 2020 15:33
On a Server 2016 running WSUS, if you click on a report you get the error with the Report Viewer as before.
If you did not install the WSUS in a SQL Server and used the WID (Windows Internal Database), or have a different version of SQL or many SQL versions mixed on that machine.
ERROR:
ENG: The Microsoft Report Viewer 2012 Redistributable is required for this feature
DEU: Für dieses Feature ist Microsoft Report Viewer 2012 Redistributable erforderlich

- Install Microsoft System CLR Types (If needed)
Microsoft System CLR Types for Microsoft® SQL Server® 2012
32BIT
http://go.microsoft.com/fwlink/?LinkID=239643&clcid=0x409
64BIT
http://go.microsoft.com/fwlink/?LinkID=239644&clcid=0x409
- Download and install MICROSOFT® REPORT VIEWER 2012 RUNTIME
https://www.microsoft.com/en-us/download/details.aspx?id=35747
These are the two files you need to install:


Close and reopen the WSUS console and it works now
