.Net Rollup July 2020 on Server 2019 Not detected by Defender ATP

Iron Contributor

Anyone else having issues with the latest (July 2020) .Net Security Updates not being detected by ATP? All of my server 2019 servers are now reporting they are missing .Net security patches all the way back to December 2018 after installing the latest July patch. They all report the patch installed successfully in the OS and in Azure Update Management Console, and attempted repairs say the OS is healthy. Just want to make sure its not just me before I go nuts.

 

Thanks!

7 Replies

@Andrew_Allston I see the same on W10 1903 / 1909 Machines post the July update. I have even removed .net / rebooted waited 24h and the machine is still showing that the Kb's are missing. When you re-activate .net it will do a full cumulative July update but no change in ATP - we will escalate this via a premier call today.

 

The issue also elevated the individual exposure scores of affected machines to 70+.

 

1909 KB missing.jpg

@jamrobot I dug into this a bit more since my post. The actual problem that I see seems to be from the Preview Update Rollup for .NET. KB45567327, which includes KB4562902 (.Net 4.7.2) and KB4562903 (.Net 4.8). I have servers that run 4.7.2 and 4.8, both experience the issue when these are installed. I have confirmed that if I uninstall KB4562902 or KB4562903 and manually install the last GA update rollup KB4566516 (Which includes KB4565625 for 4.7.2 and KB4565632 for 4.8 the issue in ATP goes away. I have blocked the .Net July Preview rollup from installing, I really hope they fix this before it goes out as GA next month. This issue also seems to break Windows Security from launching its GUI, all defender policies seem to work in this state, but it is disconcerting.  I would be interested in seeing what they say in regards to your ticket about this issue.

@jamrobot  And I just noticed, like you said, its affecting my Windows 10 Clients now. Also, looking at my Update history it looks like this is the first month a Preview Patch was ever installed by WUFB. I received both the July 2020 Preview Updates for both Windows and .Net. I need to review my settings but I don't think there have been any changes that would impact this.

Looks like they fixed the detection issue, but still would love to know why Microsoft is pushing Preview patches like this now, with no notice. 

@Andrew_Allston   What patching mechanism are you using?  So first off back in May they announced that due to the pandemic they were pausing preview updates.  Now that thing have settled down they are no longer pausing them.  As long as you do not "check for updates" these won't be installed.  If you are using a third party patching tool I would look to see what rules you are doing.    Bottom line now that these preview updates are back in the mix, you need to be more aware of your patching rules.

@SusanBradleyGeek Hi! I use Azure Automation for my servers updates and WUFB (Intune) for my Windows 10 Clients. Both sets of devices installed this round of preview patches, and going back the whole history available to me, none of these devices installed preview patches automatically in the past. And in an interesting turn of events, ATP now detects the patches correctly but the servers that I manually uninstalled the patches from started to report incorrectly that ASR and other security measures were disabled. After reinstalling the patches ATP reports everything correctly again.

@Andrew_Allston   https://techcommunity.microsoft.com/t5/windows-it-pro-blog/resuming-optional-windows-10-and-windows-...  They recently turned them back on.  (and I said they paused in May - it was actually March) so if your patching processes came online during that time, it's probably why you didn't get them before.