Virtual Administrator’s March 2021 Patch Recommendations


This month Microsoft released patches for 89 vulnerabilities with 14 rated “Critical” and 75 “Important” in severity.

 

UPDATE 3-26-2021:

We are releasing the March Windows 10 Cumulative Updates on Friday March 26th at 5 PM ET.

Microsoft released 2 Out-of-band (OOB) patches for Windows 10 last week on March 15th and 18th.

The first patch released on March 15th addressed the BSOD APC_INDEX_MISMATCH error.

Since that time Microsoft reported another issue where printing produces “unexpected results” and released a second OOB update on March 18th.

Most end users will be fine with the initial Cumulative Update and do not need either OOB update.

However, if your users do see printing issues then install the appropriate OOB depending on the problem. Some users may need both OOBs if they have both problems.

You should only install the OOB update if the endpoint is exhibiting one of the behaviors above.

These OOBs need to be installed manually. We have agent procedures to install each OOB patch, and they are on ClubMSP. On-prem partners: look in Shared> VA Scripts> Patch Deployment> 2021 March OOBs. OOB1 is for the March 15th patch. OOB2 is for the March 18th patch. The script will detect the Windows 10 version and install the appropriate KB.

Download the scripts here:

 

Windows Servers acting as print servers may be affected and need to be updated manually

 

  • OOB1 issue has been reported in versions 1803, 1809, 1909, 2004, 20H2
  • OOB2 issue has been reported in versions 1511, 1607, 1803, 1809, 1909, 2004, 20H2

 

 

Example: Windows 10 version 20H2

https://support.microsoft.com/en-us/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3

 

March 9, 2021—KB5000809 (OS Build 17134.2087)

Symptom: After installing this update, you might receive an APC_INDEX_MISMATCH error with a blue screen when attempting to print to certain printers in some apps.

Workaround: This issue is resolved in KB5001567.

 

Symptom: After installing updates released March 9, 2021 or March 15, 2021, you might get unexpected results when printing from some apps. Issues might include:

  • Elements of the document might print as solid black/color boxes or might be missing, including barcodes, QR codes, and graphics elements, such as logos.
  • Table lines might be missing. Other alignment or formatting issues might also be present.
  • Printing from some apps or to some printers might result in a blank page or label.

Workaround: This issue is resolved in KB5001649.

 

 

March 15, 2021—KB5001567 (OS Builds 19041.868 and 19042.868) Out-of-band

March 18, 2021—KB5001649 (OS Builds 19041.870 and 19042.870) Out-of-band

 

 

UPDATE 3-22-2021:

We are delaying the release of the March Windows 10 Cumulative Updates for another week and will provide more detailed guidance at the end of this week.

Microsoft continues to wrestle with problems with this month’s Windows 10 Cumulative Patch. They have released 2 Out-of-band (OOB) patches this past week. The first, on Monday, addressed the BSOD APC_INDEX_MISMATCH error. Since then they reported another issue where printing produces “unexpected results” and released a second OOB on Thursday. It’s unclear, but these patches don’t appear to be cumulative updates, so you can’t install only the last OOB.

We have agent procedures to manually install both OOB patches, and they are on ClubMSP. Look in Shared> VA Scripts> Patch Deployment> 2021 March OOBs.

You can find the procedures available for download here.

To bypass the initial delayed KB you can use the Patch Management> Machine Updates> Patch Update page in Kaseya to push them out.

Our understanding is that if you encounter the BSOD APC_INDEX_MISMATCH error then it is best to install the KB5001567 patch. If this causes follow-up printing errors then you can install the KB5001649 patch to mitigate those errors.

 

Patch Update

http://help.kaseya.com/WebHelp/EN/KPATCH/9050000/index.asp#346.htm

 


 

Delayed Release of Windows 10 Cumulative Updates (see below). All other patches have been approved in our patch policy.

More patches and more problems this month. On March 2nd Microsoft released out-of-band security updates for Exchange Servers. We released them in all patch policies the next morning. A patch for a new zero-day corrects a bug in Internet Explorer (IE) and Edge (EdgeHTML-based). Both are being exploited. 5 CVEs are listed as DNS Server Remote Code Execution Vulnerabilities. There is a Hyper-V Remote Code Execution Vulnerability affecting only those using the Plan-9 file system. There are new SSUs for Windows 10.

 

Heads Up! Delayed Release of Windows 10 Cumulative Updates

These updates are causing BSOD on some machines when the user tries to print. Removing the update is the only workaround at this time. It’s unclear exactly which machines are affected, but Kyocera, Ricoh, Zebra and Dymo printer brands have been implicated. A similar problem occurred last June and Microsoft released a fix the following week. We will monitor developments and update this post next Friday.

  • KB5000802: Windows 10 2004/20H2 & Windows Server 2004/20H2
  • KB5000808: Windows 10 1909 & Windows Server 1909
  • KB5000822: Windows 10 1809 & Windows Server 2019
  • KB5000809: Windows 10 1803 & Windows Server 1803

 

FYI – HAFNIUM targeting Exchange Servers with 0-day exploits

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

“This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.

We recommend prioritizing installing updates on Exchange Servers that are externally facing.”

 

Disclosed: CVE-2021-26411, CVE-2021-27077

Exploited: CVE-2021-26411, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

We will no longer be listing “affected software” in this post. Previously Microsoft listed affected “software”. This month the list includes “products, features and roles”, which makes the list too long. If you look at the month’s Release Notes on the Security Update Guide page you can view this list.

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:03/11/2021)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

 

ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB (Published: 07/29/2020 | Last Updated:03/04/2021)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011

Reason for Revision: A new set of similar vulnerabilities has been discovered, documented under: CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-3418, CVE-2021-20225, CVE-2021-20233.

Please note that the currently available mitigation option does NOT address this new set of vulnerabilities. A new mitigation option will become available soon. When this option does become available, customers will be notified via revision to this advisory. We recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

 

Known Issues

 

The Windows 10 printing problem is the only known issue with this month’s patches.

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

 

Windows 10 version 20H2/2004/1909/1809/1803

https://support.microsoft.com/en-us/topic/march-9-2021-kb5000802-os-builds-19041-867-and-19042-867-63552d64-fe44-4132-8813-ef56d3626e14

Symptom: After installing this update, you might receive an APC_INDEX_MISMATCH error with a blue screen when attempting to print to certain printers in some apps.

Status: We are presently investigating and will provide an update when more information is available.

The current workaround is to uninstall – View Update History> Uninstall updates

You can also uninstall the updates with the Command Prompt by entering the following command:

wusa /uninstall /kb:50008??

(Close all applications first. Replace the KB ID to match the cumulative update installed)
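
One way to work out which KB ID belongs in that command, as an added example (not Virtual Administrator's agent procedure or Microsoft's code): the PowerShell below maps the OS build to the March cumulative update using the "Cumulative Update for Windows 10" list in this post, checks whether it is installed, and returns the matching wusa command without running it. The names Get-MarchPatchState, $MarchCumulative and $OutOfBand are hypothetical, and the out-of-band KBs are included only for builds 19041/19042 because those are the only ones this post gives.

```powershell
# Added example; not Virtual Administrator's agent procedure.
# Build-to-KB pairs are copied from the "Cumulative Update for Windows 10" list in this post.
$MarchCumulative = @{
    10240 = 'KB5000807'   # 1507
    14393 = 'KB5000803'   # 1607
    15063 = 'KB5000812'   # 1703
    17134 = 'KB5000809'   # 1803
    17763 = 'KB5000822'   # 1809
    18363 = 'KB5000808'   # 1909
    19041 = 'KB5000802'   # 2004
    19042 = 'KB5000802'   # 20H2
}
# Out-of-band KBs this post names, given only for builds 19041/19042.
$OutOfBand = @{
    19041 = @('KB5001567', 'KB5001649')
    19042 = @('KB5001567', 'KB5001649')
}

function Get-MarchPatchState {
    param(
        # Defaults to the local OS build; pass a value to check the mapping only.
        [int]$Build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber,
        # Defaults to the KBs Get-HotFix reports on this machine.
        [string[]]$Installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )

    # $null when the post lists "None" for the version or the build is not in the list.
    $cu = $MarchCumulative[$Build]
    $cuPresent = [bool]($cu -and ($Installed -contains $cu))
    $oobPresent = @($OutOfBand[$Build] | Where-Object { $_ -and ($Installed -contains $_) })

    [pscustomobject]@{
        Build             = $Build
        CumulativeKB      = $cu
        CumulativePresent = $cuPresent
        OobPresent        = $oobPresent -join ', '
        # Returned for the operator to run by hand on a machine showing the BSOD;
        # nothing is uninstalled by this function.
        UninstallCommand  = if ($cuPresent) { "wusa /uninstall /kb:$($cu -replace '^KB')" } else { $null }
    }
}

Get-MarchPatchState
```

An empty CumulativeKB means the post lists no March cumulative update for that build, so there is nothing to uninstall.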

 

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

  • KB5000841 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5000848 – Windows 8.1, Windows Server 2012 R2
  • KB5000847 – Windows Server 2012
  • KB5000844 – Windows Server 2008 (ESU)

 

Security Only Update

  • KB5000851 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5000853 – Windows 8.1, Windows Server 2012 R2
  • KB5000840 – Windows Server 2012
  • KB5000856 – Windows Server 2008 (ESU)

 

Cumulative Update for Windows 10

  • KB5000807 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB5000803 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5000812 – Version 1703 “Creators Update” (OS Build 15063)
  • None – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB5000809 – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB5000822 – Version 1809 “October 2018 Update” (OS Build 17763)
  • None – Version 1903 “May 2019 Update” (OS Build 18362)
  • KB5000808 – Version 1909 “November 2019 Update” (OS Build 18363)
  • KB5000802 – Version 2004 “May 2020 Update” (OS Build 19041)
  • KB5000802 – Version 20H2 “October 2020 Update” (OS Build 19042)

 

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

  • KB5000800 – Cumulative security update for Internet Explorer
  • KB4577586 – Update for Removal of Adobe Flash Player

 

March 2021 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/march-2021-updates-for-microsoft-office-fed44fd7-e512-48ca-86ef-87e233f3fccd

 

Notable CVEs

 

CVE-2021-26411 | Internet Explorer Memory Corruption Vulnerability (Cumulative Update/Monthly Rollup and KB5000800)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411

 

CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability (KB5000871/KB5000978)

All associated: CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

 

CVE-2021-26867 | Windows Hyper-V Remote Code Execution Vulnerability (Cumulative Update – KB5000802/KB5000808)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26867

 

CVE-2021-26897 | Windows DNS Server Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

All associated: CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26895 and CVE-2021-26897

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26897