I need a solution
Hello, if we are deploying Endpoint encryption v11 using native policy and not Active directory GPO, is it still necessary to synchronize with active directory ?
Regards
Fawaz
0
Tag: windows
Microsoft Windows Security Updates April 2019 overview
Microsoft released security updates for supported versions of Windows and other company today on the April 9, 2019 Patch Tuesday.
Updates are provided in various ways: via Windows Update, as direct downloads, and through Enterprise updating systems.
Our monthly overview of Microsoft’s Patch Day offers detailed information on updates, additional information that is relevant, and links to supported articles.
It starts with an executive summary, and is followed by the statistics, the list of released updates, known issues, and direct download links.
You can check out last month’s Patch Day in case you have missed it. As always, it is recommended that systems are backed up before new patches are installed. Note that some users had troubles installing the last cumulative update for Windows 10 version 1809; you can check a possible fix for System Service Exception blue screens here.
Attention: Reports of Windows 7 and 8.1, and Server 2008 R2 / 2012 R2 machines freezing after update installation. Is apparently related to Sophos products, only solution right now is to uninstall the update.
Microsoft Windows Security Updates April 2019
Download the following Excel spreadsheet listing security updates and related information for updates that Microsoft released in April 2019. Click on the following link to download the spreadsheet to your local system: microsoft-windows-security-updates-april-2019.zip
Executive Summary
- Windows 10 version 1607 reached end of support for Enterprise and Education customers today.
- Windows 10 version 1709 reached end of support for Home, Pro and Pro for Workstations today.
- Microsoft released security updates for all client and server versions of Windows.
- Other Microsoft software with security updates: Microsoft Edge, Internet Explorer, Microsoft Exchange Server, Team Foundation Server, Azure DevOps Server, Windows Admin Center, Microsoft Office
- Microsoft fixed many long standing known issues.
- The Update Catalog lists 133 updates.
Operating System Distribution
- Windows 7: 29 vulnerabilities of which 6 are rated critical and 23 are rated important (links see W10 1809)
- CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
- CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
- Windows 8.1: 31 vulnerabilities of which 7 are rated critical and 24 are rated important (links see W10 1809)
- CVE-2019-0790 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
- CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
- Windows 10 version 1607: 33 vulnerabilities of which 7 are critical and 26 are important
- critical issues same as W10 1809 except for CVE-2019-0786 which is not listed.
- Windows 10 version 1703: 35 vulnerabilities of which 7 are critical and 28 are important
- critical issues same as W10 1809 except for CVE-2019-0786 which is not listed.
- Windows 10 version 1709: 37 vulnerabilities of which 8 are critical and 29 are important
- critical issues same as W10 1809
- Windows 10 version 1803: 37 vulnerabilities of which 8 are critical and 29 are important
- critical issues same as W10 1809
- Windows 10 version 1809: 36 vulnerabilities of which 8 are critical and 28 are important
- CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
- CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
- CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0790 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0786 | SMB Server Elevation of Privilege Vulnerability
Windows Server products
- Windows Server 2008 R2: 29 vulnerabilities of which 6 are critical and 23 are important.
- same as Windows 7
- Windows Server 2012 R2: 31 vulnerabilities of which 7 are critical and 24 are important.
- critical issues same as W10 1809 except CVE-2019-0786 which is not listed.
- Windows Server 2016: 33 vulnerabilities of which 7 are critical and 26 are important
- critical issues same as W10 1809 except CVE-2019-0786 which is not listed.
- Windows Server 2019: 36 vulnerabilities of which 8 are critical and 28 are important.
- Critical issues same as W10 1809
Other Microsoft Products
- Internet Explorer 11: 5 vulnerability, 1 critical, 4 important
- Microsoft Edge: 9 vulnerabilities, 7 critical, 2 important
Windows Security Updates
Windows 7 Service Pack 1
Monthly rollups won’t include PciClearStaleCache.exe anymore starting with this update. Microsoft advises that administrators make sure that updates between April 20, 2018 and March 12, 2019 are installed prior to installing this update and future monthly rollup updates to make sure that the program is on the system.
The following symptoms may be experienced if the file is not available:
- Existing NIC definitions in control panel networks may be replaced with a new Ethernet Network Interface Card (NIC) but with default settings. Any custom settings on the previously NIC persist in the registry but were unused.
- Loss of static IP address settings.
- Network Flyout does not display certain Wi-Fi profile settings.
- Disabling of Wi-Fi network adapters.
KB4493472 — Monthly Rollup
- Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers.
- Fixed an issue that caused the error “0x3B_c0000005_win32k!vSetPointer”.
- Fixed the netdom.exe error “The command failed to complete successfully” appears.
- Fixed the Custom URI Schemes issue.
- Fixed the WININET.DLL issue.
- Security updates
KB4493448 — Security only update
- Same as monthly rollup except for error “0x3B_c0000005_win32k!vSetPointer” and Custom URI Schemes.
Windows 8.1
KB4493446 — Monthly Rollup
- Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers.
- Fixes an issue with MSXML6 that could cause programs to stop responding.
- Fixed an issue with the Group Policy Editor that caused it to stop responding when editing Group Policy Preferences for Internet Explorer 10 Internet settings.
- Fixed an issue with Custom URI schemes for Application Protocol Handlers.
- Fixed an authentication issue in Internet Explorer 11 and other apps that use WININET.DLL.
- Security updates for various components.
KB4493467 — Security-only Update
- Same as the Monthly rollup except the Custom URI schemes fix (not listed)
Windows 10 version 1607
- Fixed several known issues.
- Fixed an issue to meet GB18030 certificate requirements.
- Security updates.
Windows 10 version 1703
- Fixed several known issues
- Security Updates
Windows 10 version 1709
- Fixed several known issues
- Security Updates
Windows 10 version 1803
- Fixed several known issues
- Addresses a stop error that occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh –A) or a configuration setting.
- Security updates.
Windows 10 version 1809
- Fixed several known issues including EUDC blue screen, MXSML6 stop responding, Group Policy Editor stops responding, WININET.DLL
- Security updates
Other security updates
KB4493435 — Cumulative Security Update for Internet Explorer
KB4491443 — Remote code execution vulnerability in Windows Embedded POSReady 2009
KB4493448 — Security Only Quality Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
KB4493450 — Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012
KB4493451 — Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012
KB4493458 — Security Only Quality Update for Windows Server 2008
KB4493471 — Security Monthly Quality Rollup for Windows Server 2008
KB4493472 — Security Monthly Quality Rollup for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
KB4493478 — Security Update for Adobe Flash Player
KB4493563 — Remote code execution vulnerability in Windows Embedded POSReady 2009
KB4493730 — Security Update for Windows Server 2008
KB4493790 — Remote code execution vulnerability in Windows Embedded POSReady 2009
KB4493793 — Remote code execution vulnerability in Windows Embedded POSReady 2009
KB4493794 — Remote code execution vulnerability in Windows Embedded POSReady 2009
KB4493795 — Remote code execution vulnerability in Windows Embedded POSReady 2009
KB4493796 — Remote code execution vulnerability in Windows Embedded POSReady 2009
KB4493797 — Remote code execution vulnerability in Windows Embedded POSReady 2009
KB4493927 — Information disclosure vulnerability in Windows Embedded POSReady 2009
KB4494059 — Remote code execution vulnerability in Windows Embedded POSReady 2009
KB4494528 — You receive an Error 1309 message when you install an .msi file on Windows Embedded POSReady 2009
KB4495022 — Information disclosure vulnerability in Windows Embedded POSReady 2009
Known Issues
Windows 7 Service Pack 1
After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. Workarounds available.
Windows 8.1
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires. Workarounds available.
Windows 10 version 1607
For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.
After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.
And the Windows 7 SP1 issue.
Windows 10 version 1607 and newer
After installing the Internet Explorer cumulative update, custom URI schemes for application protocol handlers may not work properly in Internet Explorer. Workaround available.
Windows 10 version 1803
Same as Windows 7 SP1
Windows 10 version 1809, Windows Server 2016
Same as Windows 7 SP1
Security advisories and updates
ADV190011 | April 2019 Adobe Flash Security Update
ADV990001 | Latest Servicing Stack Updates
Non-security related updates
KB4487990 — Update for POSReady 2009
KB890830 — Windows Malicious Software Removal Tool – April 2019
Microsoft Office Updates
You find a list of all released updates for Microsoft Office — security and non-security – here.
How to download and install the April 2019 security updates
Windows Updates get installed automatically on Home systems by default. You can block or delay the installation of updates on these systems.
It is not recommended to run a manual check for updates as it may lead to the installation of preview updates or feature updates, but you may do so in the following way:
- Open the Start Menu.
- Type Windows Update.
- Click on the “check for updates” button to run a manual check.
You may use third-party tools like the excellent Windows Update Manager or Windows Update Minitool to download updates.
Direct update downloads
Microsoft makes available all cumulative updates that it releases for Windows as direct downloads on the Microsoft Update Catalog website. Follow the links listed below to go there for the listed version of Windows.
Windows 7 SP1 and Windows Server 2008 R2 SP
- KB4493472 — 2019-04 Security Monthly Quality Rollup for Windows 7
- KB4493448 — 2019-04 Security Only Quality Update for Windows 7
Windows 8.1 and Windows Server 2012 R2
- KB4493446 — 2019-04 Security Monthly Quality Rollup for Windows 8.1
- KB4493467 — 2019-04 Security Only Quality Update for Windows 8.1
Windows 10 and Windows Server 2016 (version 1607)
- KB4493470 — 2019-04 Cumulative Update for Windows 10 Version 1607
Windows 10 (version 1703)
- KB4493474 — 2019-04 Cumulative Update for Windows 10 Version 1703
Windows 10 (version 1709)
- KB4493441 — 2019-04 Cumulative Update for Windows 10 Version 1709
Windows 10 (version 1803)
- KB4493464 — 2019-04 Cumulative Update for Windows 10 Version 1803
Windows 10 (version 1809)
- KB4493509 — 2019-04 Cumulative Update for Windows 10 Version 1809
Additional resources
- April 2019 Security Updates release notes
- List of software updates for Microsoft products
- List of the latest Windows Updates and Services Packs
- Security Updates Guide
- Microsoft Update Catalog site
- Our in-depth Windows update guide
- How to install optional updates on Windows 10
- Windows 10 Update History
- Windows 8.1 Update History
- Windows 7 Update History
Summary
Article Name
Microsoft Windows Security Updates April 2019 overview
Description
Microsoft released security updates for supported versions of Windows and other company today on the April 9, 2019 Patch Tuesday.
Author
Martin Brinkmann
Publisher
Ghacks Technology News
Logo
Related:
Adding a new Active Directory on SEE Managent Server
I need a solution
And I need to put on my SEE Management Server a new AD from a trusted domain. This other Active Directory is in another server, with another IP range. How can I do this?
Thanks, for any help.
0
Related:
Assign policy to Active Directory User
I need a solution
Hello
I would like asign Device Control policy to specyfic Active Directory users or groups. I would apply different Device Control policy depend of user loged to endpoint.
Is it possible in SEP Manager?
0
Related:
Image Preparation Utility: “Automatic Updates is currently turned on”
The purpose for this requirement is to make sure that Windows Updates do not creep into any of your app layers or published images. Windows Updates need to happen only in the OS layer. (Similarly, Office Updates need to happen only in the Office layer.) When you wish to update Windows, you need to re-enable the setting, do the updates, and then disable them again.
The installer specifically is looking at HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdateAU. It requires that the value for “NoAutoUpdate” is set to a 1. If you look in your registry and that value is not set, then you may think that you disabled windows updates, but you actually have not. That setting is the only one that will absolutely prevent any OS updates from taking place in Windows 10.
(For Windows 7, simply set the Windows Updates pull-down to Never.)
Related:
Citrix Profile Management: How to Synchronise Profile Efficiently
It is often assumed that installing and enabling Citrix Profile Management will enable user profile roaming wherein by installing Citrix Profile Management with default settings all that merely happens is creating a roaming profile.
A robust design and implementation of user profiles can maintain the integrity of user settings, eliminate issues requiring administrator intervention, and ensure high-performance user logon.
Here are some policies and notes which can be used to synchronise profile efficiently.
Folder redirection
This is a standard Microsoft feature that has been fully supported via Group Policy which is the key to any successful profile solution. Standard roaming profiles, Citrix Profile Management or a third party solution such as Flex Profiles or AppSense folder redirection needs to be enabled.
The following folders can be redirected
The only exceptions that should be made are for folders that you have no intention of persisting for the user.
For example, if you do not wish to allow users to keep Saved Games, you would not redirect the Saved Games folder. Rather add a policy to exclude the Saved Games folder from synchronisation or roaming.
By doing this, the Saved Games folder would only exist on the local VM and if the VM is non-persistent, it would be blown away at logoff/reboot. By default you can redirect the above folders using the built-in Group Policy engine in Windows, or you can also use Citrix ADM template GPO.
Note:
- Ensure you redirect AppData folder in particular because it will generate frequent calls to redirect folder repository during user session. Each data fetch makes the app appear slow
- Redirecting AppData can cause issues with some applications.
- Any redirection is on a file server on the same subnet as the Citrix servers.
- Do not redirect desktop if it is too large as it may cause black screen on logon.
Folder and File Exclusion/Inclusion
In Citrix Profile Management, there is a GPO that can be specifically configured to block folders and files from profile synchronization.
- AppDataLocalLow: the files under this folder are almost low importance, and this folder is excluded by default in Citrix Profile Management INI file.
- AppDataLocal: many apps writes their application data to AppDataLocal, such as temporary data, cache files and other junk that does not and should not persist, causing this folder bloat. Also some files under AppDataLocal, such as DAT file or INI files which contain all the user important personalization settings. If you exclude the whole folder AppDataLocal to reduce the profile size and synchronization speed, you may also lose some app settings when you roam between different clients. At this time, you should take a close look and figure out what exactly the application is writing and whether or not it really needs to persist, then include the necessary ones, exclude the unnecessary ones.
- AppDataRoaming: the files under this folder are generally treated to be copied back to user store. It is recommended to allow this folder to retain the application settings, and there are several folders under AppDataRoaming that are excluded by default in INI file. You can add those folders to be excluded from sync which you do not wish to include.
Except the AppData folder, other folders and files under the profile can also be excluded/included according to your requirement. With a help of a suitable configuration the app can be made to persist without synchronising or roaming the entire directory. This would ensure the profile is small. And there are some default exclusions defined in Citrix Profile Management INI file.
Profile Streaming
With Citrix streamed user profiles feature, files and folders contained in a profile are fetched from the user store to the local computer only when they are accessed by users after they have logged on. This can speed up the logon process. This can also reduce the total data downloaded because if a file is not actually used, then it is never fully copied down to the local profile directory. This feature can be enabled for only specific user groups hence when you have an application that can benefit from it, you should put those users into a group and only enable the feature for them. You can also use the policy Always Cache to set the lower limit on the size of files that are streamed. Any files this size or larger are cached as soon as possible after logon.
Active Write Back and Registry
Compared to Profile Streaming feature, Active Write back feature can decrease the logoff time, especially when you make many file or HKCU registry changes, this feature copy back the changes for almost every five minutes to central user store.
Win10/Win2k16 Start Menu
Citrix Profile Management starts to support Win10 since the version5.4, start menu is always a critical issue since that time, and we suggest below recommended configuration to give user good start menu user experience.
Exclude the two items below in the same time:
- !ctx_localappdata!Packages
- !ctx_localappdata!MicrosoftWindowsUsrClass.dat*
To retain tile persistence, add the TDL folder to mirror folder list. - !ctx_localappdata!TileDataLayer
IE 10/11 cookie support since Citrix Profile Management5.8
UPM 5.8 enhanced support for processing cookies when using Internet Explorer 10 and Internet Explorer 11 – You can use the “Process Internet cookie files on logoff” policy to delete the stale cookies to avoid the cookie folder bloat.
The following folders should be added to mirror folder list.
- AppDataLocalMicrosoftWindowsINetCookies
- AppDataLocalMicrosoftWindowsWebCache
- AppDataRoamingMicrosoftWindowsCookies
Related:
Need to update Client list to remove old licenses
I need a solution
So, we recently rolled out several new computers on our network, and now we’re getting an Over-Deployed warning. We’re currently synced with Active Directory so we’re unable to remove the clients from the Manager directly, and deleting the computers from the Active Directory is out of the question. I’ve already updated the time period to remove old clients from the network from 10 days to 3, but it appears that change hasn’t applied yet, as some of the clients that are almost a week old and off the network are still listed.
What I’d like to do is force the SEPM to poll the network and delete any clients that meet the new timing window, if that’s possible
0
Related:
Active directory import, then moving object causes double objects
I need a solution
Hi,
We want to start using the Active Directory import function to make sure all domain joined servers will have Symantec installed but are running into a problem.
The AD import function is working ok, we get a new group in the console containing all computer objects from the coresponding OU. But since we have multiple roles of servers in that OU that need different and sometimes overlapping exception policies we want to move the computer objects out of the created client group and into a client group that has the specific exception policy in place. But when we do that the it seems like a copy of the moved object is created in the correct client group but the from AD imported object stays in the client group corresponding to the OU.
For example. In AD we have an OU named Servers 2012 R2, in that OU we have multiple SQL servers and those SQL servers have different configurations so they need different exception policies in Symantec. So we move one of the SQL servers from the Servers 2012 R2 client group to the client group named SQL Servers 1 (for example). When we do that a computer object in the SQL Servers 1 is created, the object shows it is online and everything is working ok. But when we look at the Servers 2012 R2 client group the originally imported object is still there and the info says that it is offline.
This situation is causing confusion and is undesired.
Is this normal behaviour for Symantec?
Is there a way to import objects from AD and move those around to different client groups after initial import and not have double entries in the console?
Or are we doing things wrong and is it possible to have multiple exception policies placed on one client group in Symantec that handles specific computers in that client group but not all others and vice versa?
Kind regards,
Michiel
0
Related:
Building an MS-DFS environment containing NSS4AD volumes and making it available through Filr
In this ever changing and “Directory Agnostic” to shifting world, we’re sometimes asked to perform awkward tasks. This is one of them, but mixing 2 worlds to please the majority of your users isn’t a bad thing in my book, so here goes. When for various reasons the directory the users authenticate to shifted from …
The post Building an MS-DFS environment containing NSS4AD volumes and making it available through Filr appeared first on Cool Solutions. BSCHOOFS
Related:
Error 0x80070005 displayed when opening a PureMessage remote console
Issue
When you try to open a remote PureMessage console, an error is displayed:
Error retrieving data from the server. Ensure server / database is started and try again
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
First seen in
PureMessage for Microsoft Exchange 3.1.4
PureMessage for Microsoft Exchange 4.0.4
Cause
The user who is trying to log on is not a member of the group ‘Sophos PureMessage Administrators’, which is a group created in Active Directory by PureMessage.
What To Do
To add the user to this group, go to the Windows ‘Active Directory Users and Computers’ window and open the Users folder. Follow the instructions in Windows documentation/Help for details of how to add the user to this group.