Koozali.org: home of the SME Server

Domain login broken after - windows update KB5028166

Offline Jáder

Re: Domain login broken after - windows update KB5028166
« Reply #30 on: July 14, 2023, 04:19:44 PM »
Correct me if I'm wrong, but I'm pretty sure the /quiet flag is deprecated for wusa in Win10 for security reasons.
https://learn.microsoft.com/en-us/answers/questions/636329/unable-to-use-wusa-to-uninstall-updates-in-quiet-m

Hum... that explains why my batch is not working.
Can someone find out the DISM number for this update?
...

Offline Jáder

Re: Domain login broken after - windows update KB5028166
« Reply #31 on: July 14, 2023, 06:17:04 PM »
I found out this info:
Code:
C:\Windows\system32>dism /online /get-packages /format:table |findstr -i  "package_for"|findstr -i "07/2023"
Package_for_DotNetRollup_481~31bf3856ad364e35~amd64~~10.0.9167.9                                    | Instalado   | Update          | 14/07/2023 07:56
Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.3208.1.10                                       | Instalado   | Security Update | 14/07/2023 07:56
Package_for_ServicingStack_3205~31bf3856ad364e35~amd64~~19041.3205.1.1                              | Instalado   | Update          | 12/07/2023 12:22

But I cannot find a way to know for sure what's the name (it's one of those 3!) to remove using DISM!
How can I match a KB# to this name? Where is the info stored?

...

Offline Jáder

Re: Domain login broken after - windows update KB5028166
« Reply #32 on: July 14, 2023, 06:31:59 PM »
I think I found a way!
Searching Google for KB5028166 pointed me to https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
where I can see the expressions 19044-3208 and 19045-3208, so I searched for 3208:

Code:
C:\Windows\system32>dism /online /get-packages /format:table |findstr -i  "package_for"|findstr -i "3208"
Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.3208.1.10                                       | Instalado   | Security Update | 14/07/2023 07:56

So the name used as parameter to DISM should be Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.3208.1.10

And because I have nothing to lose (WUSA is not working anyway!) I'll update my batch with this info!

...
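
The findstr matching from reply #32, as an added PowerShell example that is not part of the thread: it parses the DISM table and compares the revision against the version field of the package identity instead of searching for a substring. The function name Find-PackageByRevision is hypothetical, and the sample rows are the three lines posted above.

```powershell
# Sample input: the three rows posted in reply #31 (column padding trimmed).
$sample = @'
Package_for_DotNetRollup_481~31bf3856ad364e35~amd64~~10.0.9167.9 | Instalado | Update | 14/07/2023 07:56
Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.3208.1.10 | Instalado | Security Update | 14/07/2023 07:56
Package_for_ServicingStack_3205~31bf3856ad364e35~amd64~~19041.3205.1.1 | Instalado | Update | 12/07/2023 12:22
'@
$rows = $sample -split '\r?\n'
# On a live machine (elevated prompt) use instead:
#   $rows = dism /online /get-packages /format:table

function Find-PackageByRevision {
    param([string[]]$DismTable, [string]$Revision)
    foreach ($line in $DismTable) {
        $cols = @($line -split '\|' | ForEach-Object { $_.Trim() })
        if ($cols.Count -lt 4) { continue }      # blank, banner or separator line
        # Package identity: Name~PublicKeyToken~Architecture~Language~Version
        $id = $cols[0] -split '~'
        if ($id.Count -ne 5) { continue }        # table header row
        $version = $id[4] -split '\.'
        # Compare the second version field exactly. A substring search for
        # "3208" would also match a name, token or timestamp containing it.
        if ($version.Count -ge 2 -and $version[1] -eq $Revision) {
            [pscustomobject]@{
                PackageName = $cols[0]
                State       = $cols[1]
                ReleaseType = $cols[2]
                Installed   = $cols[3]
            }
        }
    }
}

$hits = @(Find-PackageByRevision -DismTable $rows -Revision '3208')
if ($hits.Count -eq 1) {
    # Print the command for review instead of running it.
    "dism /online /remove-package /packagename:$($hits[0].PackageName) /norestart"
} else {
    Write-Warning "Expected exactly one match, found $($hits.Count); not building a command."
}
```

With the sample rows only the RollupFix package matches; the ServicingStack row (revision 3205) and the .NET rollup are skipped.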

Offline Jean-Philippe Pialasse

Re: Domain login broken after - windows update KB5028166
« Reply #33 on: July 14, 2023, 07:55:10 PM »
Make sure your PowerShell script is read and execute only for users.

Offline bunkobugsy

Re: Domain login broken after - windows update KB5028166
« Reply #34 on: July 17, 2023, 07:58:24 AM »
WSUS is a mess, but samba patch works fine.

Offline dvdsmith

Re: Domain login broken after - windows update KB5028166
« Reply #35 on: July 17, 2023, 10:15:23 PM »
hide-windowupdate -KBArticle KB5028166"

One quirk I found messing around with your script. If KB5028166 is not currently installed and updates have been paused, the above may fail.

The following from PowerShell will tell you the day/time it is paused until:
Code:
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'| Select-Object PauseUpdatesExpiryTime
This registry entry does not exist if updates are not paused. In my case removing it immediately allowed the Get command to work.
Code:
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "PauseUpdatesExpiryTime"
Get-WindowsUpdate

Offline jayraym

Re: Domain login broken after - windows update KB5028166
« Reply #36 on: July 25, 2023, 04:09:36 PM »
Again, sorry I'm new here: how does that work for the patch to be available? It seems our friend bunkobugsy published it 9 days ago, are we waiting for some kind of approval?

Offline ReetP

Re: Domain login broken after - windows update KB5028166
« Reply #37 on: July 25, 2023, 05:20:24 PM »
Hi.

So officially we do not maintain these packages. You will have to wait for an upstream fix that will percolate down like this:

samba -> Wherever in the RH ecosystem -> RHEL -> CentOS -> Koozali SME

In the meantime you can revert the M$ patches as above as a workaround.

bunkobugsy has done a test build with the samba patch and the RHEL packages to see if it works which apparently it does.

However, we are not going to officially build that here. There are just way too many security risks involved for us to have the resources to fully test any patch. Remember, it gets released to a lot of people.....

You can of course do the same as bunkobugsy did and have a go at patching yourself if you are interested in how it works.

He has got his built packages that he is testing but I need to check whether he is happy for anyone else to use them at the minute - he uses them at his own risk but he might not be happy for anyone else to take that chance - the risk is lots of people will try them for 'testing' and then just forget them and then get hacked.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline jayraym

Re: Domain login broken after - windows update KB5028166
« Reply #38 on: July 25, 2023, 05:43:56 PM »
Noted, thank you!

Offline Jean-Philippe Pialasse

Re: Domain login broken after - windows update KB5028166
« Reply #39 on: July 25, 2023, 07:37:24 PM »
Even if the patch works and has no side effects, maintaining samba ourselves in place of upstream means checking in real time all security issues related to samba,
which we do not have the resources for, and it would compromise the security of members of the community in the long run and reduce our capacity to maintain the rest of the distro.

RH is slow in releasing something currently, but the best workaround has been explained. RH recently announced a 4-year extended support instead of 2 for RHEL7, and maintenance updates are on up to June 2024. So I do not think they will leave this as is.

Offline bunkobugsy

Re: Domain login broken after - windows update KB5028166
« Reply #40 on: July 25, 2023, 08:09:17 PM »
RH bug https://bugzilla.redhat.com/show_bug.cgi?id=2222250 just changed status:
Fixed In Version:   samba-4.10.16-25.el7_9
Status:   ON_QA

meaning they built a new version and it's in testing, so it shouldn't take long to reach our upstream repos (if RH decides to release).
« Last Edit: July 25, 2023, 08:13:14 PM by bunkobugsy »

Offline nicolatiana

Re: Domain login broken after - windows update KB5028166
« Reply #41 on: July 26, 2023, 06:42:02 PM »
Obviously every further update can reproduce the problem.
The subsequent kb5028244 update again contains some update involving netlogon, so if you install it you get the problem back.
So the definitive solution while waiting for the samba patch is disabling automatic updates via GPEDIT.MSC (not through the WU panel, where you can suspend for 5 weeks).


W10:

Open Start.
Search for gpedit.msc and click the top result to launch the Local Group Policy Editor.
Navigate to the following path: Computer Configuration > Administrative Templates > Windows Components > Windows Update
Double-click the "Configure Automatic Updates" policy on the right side.
Check the Disabled option to turn off automatic Windows 10 updates permanently.
Click the Apply button.
Click the OK button.


W11, the same but replace:
Computer Configuration > Administrative Templates > Windows Components > Windows Update
with:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience.


To be adapted to various languages
Smeserver.it consultant - Solutions and support for SME Server in Italy.

Offline Jáder

Re: Domain login broken after - windows update KB5028166
« Reply #42 on: July 26, 2023, 08:26:11 PM »
On https://www.minitool.com/backup-tips/disable-windows-11-automatic-updates.html they say:

#6 How to Turn off Windows 11 Automatic Updates with Command?
Let’s directly go to the steps!

Search “cmd” in Windows Search and open it as Administrator.
To disable Windows Update service (wuauserv) in Windows 11, type sc config wuauserv start= disabled and press Enter.
To enable Windows update service (wuauserv) in Windows 11, type sc config wuauserv start= auto and press Enter.


I'll test them later on Win10 and Win11. It's easy to put that command in a package manager, and later even remove it!
...
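
A check for whether any of the update hold-backs described in replies #35, #41 and #42 is still active on a workstation, so it can be reverted once the fixed samba package is installed. This is an added example, not from any poster: the function name Get-UpdateWorkaroundState is hypothetical, and the NoAutoUpdate policy value is where Windows stores the "Configure Automatic Updates" setting, which the thread itself does not state.

```powershell
function Get-UpdateWorkaroundState {
    # Pause marker from reply #35; the value is absent when updates are not paused.
    $ux = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -ErrorAction SilentlyContinue
    $pausedUntil = $null
    if ($ux -and $ux.PSObject.Properties['PauseUpdatesExpiryTime']) {
        $pausedUntil = $ux.PauseUpdatesExpiryTime
    }

    # "Configure Automatic Updates" set to Disabled is stored as NoAutoUpdate = 1.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $policyOff = $false
    if ($au -and $au.PSObject.Properties['NoAutoUpdate']) {
        $policyOff = ($au.NoAutoUpdate -eq 1)
    }

    # Start mode changed by "sc config wuauserv start= disabled".
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    $serviceOff = ($svc.StartMode -eq 'Disabled')

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        PausedUntil         = $pausedUntil
        AutoUpdatePolicyOff = $policyOff
        ServiceStartMode    = $svc.StartMode
        WorkaroundActive    = [bool]($pausedUntil -or $policyOff -or $serviceOff)
    }
}

$state = Get-UpdateWorkaroundState
$state | Format-List
if ($state.WorkaroundActive) {
    Write-Warning "Windows Update is held back on $($state.Computer); revert this once the fixed samba package is installed."
}
```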

Offline groyk

Re: Domain login broken after - windows update KB5028166
« Reply #43 on: July 27, 2023, 12:23:56 PM »
I am thinking.

Is it possible to shut down the domain server and map network drives manually until the patch is coming?

I can't find where to disable it other than in the server configuration procedure.

I believe if I shut down domain login I can still access email, ibays etc. Correct?

Offline dvdsmith

Re: Domain login broken after - windows update KB5028166
« Reply #44 on: July 28, 2023, 03:51:06 PM »
To my knowledge you can map network drives without having to change anything on the domain server.

That said, I'd recommend against turning off the domain. I haven't tested lately but I fear you might have to rejoin the workstations to the domain when you turn it on later. Also, a fix is in the works. Just a matter of it working through the pipeline and eventually as a samba update via "yum update". Could be days, or weeks, or whatever. I can say a patch is already out for newer samba versions (4.18 and 4.17). We just have to be patient and wait.

https://bugzilla.redhat.com/show_bug.cgi?id=2222250