Friday, December 2, 2022

Microsoft pushes, then pulls, rogue security patch KB 4523786, supposedly for Autopilot

Let us put this into perspective.

Microsoft warned us at the beginning of the Win10 rush, more than four years ago, that patches would no longer be distributed individually. With the exception of emergency security updates, patches are released as part of cumulative updates. Over the years that promise has settled into a regular cadence of two cumulative updates per month: the first on Patch Tuesday and a second, “optional, non-security” cumulative update sometime later in the month.

That is one of the ways Windows as a Service is a service, I suppose.

We faced an unholy mess of Windows security patches last month when Microsoft released, then re-released, and finally pushed a fix for the Internet Explorer zero-day vulnerability known as CVE-2019-1367. Of course, nobody has seen widespread exploits of that vulnerability, but the bugs – three different sets, matching the three botched out-of-band patches – were breathtaking.

We seem to be heading in a similar direction this month.

Yesterday Microsoft released a strange patch for Win10 version 1903, described as a “cumulative update for Autopilot in Windows 10 version 1903: October 22, 2019”. Whether it is a security patch or a non-security patch is debatable. But there are all sorts of problems:

  • It is a standalone patch, KB 4523786. It is not part of a cumulative Windows update, security or non-security.
  • It is described as a cumulative update for Autopilot, but I’ll be hanged if I can find a previous cumulative update for Autopilot. Presumably it is the first of its lineage, although poster Pejole2165 on TenForums found traces of earlier updates.
  • It is for Autopilot (here is a description; don’t worry, I had to look it up too). Autopilot is a self-service, zero-touch Windows deployment platform introduced with Windows 10 version 1703. In other words, Autopilot runs (apparently?) only on domain-joined Win10 1903 computers. Yet the patch was installed on computers that have never seen Autopilot.
  • The patch was also pushed to Win10 1903 Home machines – which can never be part of a domain.

Susan Bradley sounded the alarm yesterday afternoon in her Patch Lady column on AskWoody:

On a standalone PC I’ve never seen a Windows Autopilot on, KB4523786 appears when I click Check for updates. And I’ve never installed Autopilot here. (Proof that you should NEVER click on Check for updates again.) Thank you, Michael M, for reporting this. I’m pretty sure this is a mistake in recognition. Stay calm and don’t install it.

Which drew this reply from a very knowledgeable but anonymous poster:

This patch applies to the underlying TPM chip in computers with dedicated TPM chips and not to the actual Windows autopilot.

That clears up part of the riddle: this out-of-band patch was intended for Win10 1903 machines with TPM chips (Chris Hoffman has an excellent overview of TPM at How-To Geek). Most PCs shipped in the last decade have TPM chips.

However, there is no official documentation, so it is quite possible that even machines without TPM chips received the update. (Martin Brinkmann at Ghacks has details on how to tell whether you have a TPM chip.)

So if you are running Win10 version 1903 (Home or Pro) on a relatively new PC and clicked “Check for updates” late yesterday afternoon or evening, Redmond time, you were probably “lucky” enough to receive KB 4523786.
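If you want to know where your own machine stands, the two questions worth answering are whether the PC actually has a TPM and whether KB 4523786 was installed (or later uninstalled). The script below is an added example, not part of the article and not Microsoft’s own tooling. It assumes an elevated PowerShell prompt on Windows 10: Get-Tpm comes from the built-in TrustedPlatformModule module, and the update history is read through the Windows Update Agent COM API, which records installs and uninstalls that Get-HotFix does not always list.

```powershell
# Added example (not from the article): check whether this PC has a TPM and whether
# KB4523786 appears in its Windows Update history. Run in an elevated PowerShell
# prompt on Windows 10; Get-Tpm ships in the built-in TrustedPlatformModule module.

$kb = 'KB4523786'

function Get-TpmSummary {
    # Get-Tpm needs administrator rights; if it is unavailable, fall back to the
    # Win32_Tpm WMI class that it reads from.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{
            TpmPresent          = $tpm.TpmPresent
            TpmReady            = $tpm.TpmReady
            ManufacturerVersion = $tpm.ManufacturerVersion
        }
    } catch {
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        [pscustomobject]@{
            TpmPresent          = [bool]$wmi
            TpmReady            = if ($wmi) { $wmi.IsEnabled_InitialValue -and $wmi.IsActivated_InitialValue } else { $false }
            ManufacturerVersion = if ($wmi) { $wmi.ManufacturerVersion } else { $null }
        }
    }
}

function Get-UpdateHistoryEntries {
    param([string]$Pattern)
    # The Windows Update Agent history includes both installations and removals,
    # so a pulled-and-uninstalled patch still leaves a trace here.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Title -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Date      = $_.Date
                Title     = $_.Title
                # Operation: 1 = installation, 2 = uninstallation
                Operation = if ($_.Operation -eq 1) { 'Install' } elseif ($_.Operation -eq 2) { 'Uninstall' } else { 'Other' }
                # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
                Result    = switch ($_.ResultCode) { 2 { 'Succeeded' } 3 { 'SucceededWithErrors' } 4 { 'Failed' } 5 { 'Aborted' } default { "Code $_" } }
            }
        }
}

Get-TpmSummary | Format-List

$entries = Get-UpdateHistoryEntries -Pattern $kb
if ($entries) {
    $entries | Sort-Object Date | Format-Table -AutoSize
} else {
    "$kb does not appear in this machine's Windows Update history."
}

# Get-HotFix is a quick cross-check, but it only reports updates recorded in the
# Win32_QuickFixEngineering list, so a missing entry here is not conclusive on its own.
Get-HotFix -Id $kb -ErrorAction SilentlyContinue
```

The TPM management console (tpm.msc) gives the same TPM status in a GUI if you prefer. Keep in mind that a “TPM present” result only explains why the patch might target a given machine; it does not explain why Home editions, which the KB article says are never offered the update, received it, which is why a detection bug on Microsoft’s side remains the likeliest reading.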

Of course, the KB 4523786 Knowledge Base article disclaims all responsibility:

This update is available through Windows Update. When an organization registers or configures a device for Windows Autopilot deployment, the device setup automatically updates Windows Autopilot to the latest version.

Note The Windows Autopilot update will not install on Windows 10 Pro or a later version if the device is not registered or configured for Windows Autopilot deployment. The Windows Autopilot update is never offered to Windows 10 Home.

That is not just imprecise, it is silly.

As best I can judge, there was no official announcement early Friday morning, but it looks like Microsoft has pulled the patch. I see many reports of people uninstalling it, clicking Check for updates and not being offered it again. Nor do I see KB 4523786 being offered on any of my test devices early Friday morning.

Another anonymous poster agreed:

Yes, they actually did (pull the patch). No one who uninstalled it was offered it again. Errors can happen, but why don’t they communicate this, at least on Twitter? It makes people angry, doesn’t it?

Tell me again how Windows patches are getting better?

About Nikola Dodson

She is a Chicago blogger and tech enthusiast.
