Introduction
Hi All!! Hope you are doing good. As the OOB patch(es) related to Jan 2022 (B Types patches) got released yesterday, hence I created this blog which might help admins to deploy the patches successfully. Hope you will find it useful.
The KB article has been out regarding the issue mentioned about the Jan 2022 patch update. Also, we released the OOB patches on 17th Jan 2022 about the fix of these issues. Here are the details:
NOTE: All the OOB patches are not available through WSUS, hence, if any customer is using ConfigMgr (SCCM), please continue reading to how to get the detail to how to make these OOB patches available through ConfigMgr.
Issue 1:
//VPN /IPSec Issue: Certain IPSEC connections might fail (Windows Workstation)
- https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#2773msgdesc
- https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-21h2#2773msgdesc
- https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-21h1#2773msgdesc
- https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-20h2#2773msgdesc
- https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-1909#2773msgdesc
- https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-1809-and-windows-server-2019#2773msgdesc
- https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2016#2773msgdesc
- https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-1507#2773msgdesc
- https://docs.microsoft.com/en-us/windows/release-health/status-windows-server-2022#2773msgdesc
OOB Patches:
| Affected OS | Resolving KB |
| Win 10 21H2 | https://support.microsoft.com/help/5010793 |
| Win10 21H1 | |
| Win 10 20H2 | |
| Win 10 1909 | https://support.microsoft.com/help/5010792 |
//Domain Controller rebooting issue (Windows Server)
https://docs.microsoft.com/en-us/windows/release-health/stat…
Windows 10, version 20H2 and Windows Server, version 20H2 | Microsoft Docs
OOB Patches:
//Hyper V issue (Windows Server)
- https://docs.microsoft.com/en-us/windows/release-health/stat…
- https://docs.microsoft.com/en-us/windows/release-health/stat…
OOB Patches:
| Affected OS | Resolving KB |
| Server 2012 | https://support.microsoft.com/help/5010797 |
| Server 2012 R2 | https://support.microsoft.com/help/5010794 |
How to get the patches if you are using ConfigMgr (SCCM)
In all the OOB patches KB article, in how to get this update section, you will see as:
As ConfigMgr (SCCM) using WSUS in the backend, and as all the patches are not available in WSUS, hence by default, you will not get these patches in ConfigMgr (SCCM). Here is the way how you will sync the patches in WSUS.
Note: I will just give the example of a single patch and rest all you/ your customer will do it in the same fashion.
E.g: DC reboot issue for Server 2012 R2 OOB patch (KB 5010794)
Step 1: On your WSUS server, open the WSUS console and choose ‘Import Updates.. option from the Action menu:
Step2: It will pop up a browser window (MS Update Catalog site) (make sure to open it in IE):
Step 3: Key in the OOB patch KB number (like KB5010794):
Step 4: Add the appropriate KB.
Step 5: Click on ‘View Basket’ option
Step 6: Choose the ‘Import’ option to get imported in WSUS:
Step 7: Make sure that its imported successfully and then close the window.
Step 8: Verify that the update is in WSUS console as:
Step 9: Verify that the update is imported in WSUS DB:
Step10: As the update is now imported in WSUS, hence, when you will sync ConfigMgr (SCCM), the update will be present in WSUS. To do so, open the ConfigMgr console and navigate to ‘Software Library | Software Updates | All Software updates| and the kick off the ‘Sync Software Updates’ action as:
Step 11: Wait for some time and then search for the KB article (OOB patch) which you have included in WSUS to get scanned and deployed through ConfigMgr as:
Step 12: As the updates are now available in ConfigMgr, it will follow the same steps how we scan and install the updates through ConfigMgr month after month.
Troubleshooting:
If your import of update in WSUS fail with an error like this:
Here are the steps which you need to take in order to resolve it:
You need to create a Registry key as:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Use the command (In elevated prompt), to create the key:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1
NOTE: After the command complete successfully, reboot the machine and then again try to download the update in WSUS.
Some FAQ:
Question 1:How will the OOB fix be deployed?
Answer: The OOB patch need to be pulled down from Windows Update or Microsoft Update Catalog. This package will be a superset of 1B (Jan 2022 patches); in other words, it will contain all of 1B (Jan 2022 patches) PLUS our additional fixes. So, regardless of whether you have 1B (Jan 2022 Patches) installed already or not, installing the new OOB package will resolve the issue.
For Servers
- Are the impacted servers domain controllers and Hyper-V only or other servers ?
Ans: As of now the only impacted server workloads are DCs (all server version) and Hyper-V (Windows Server 2012 and Windows Server 2012 R2). Also, not every customers are impacted, hence some install Jan 2022 updates, but still no issue in their environment. But as precautionary measure, customers are suggested to install the new patches on all the server (whether its DC or Hyper-V servers or not. If its showing applicable for those Server edition, you should install the patch.
- Is the VMs hosted by the Hyper-V may be effected with January KBs or not ?
Ans: Actually the issue is VMs in Hyper-V might fail to start, so its VM hosted on those Hyper-visor are impacted.
- IS the suggested solution will be applied only on Domain controllers and Hyper-V hosts or other servers ?
Ans: The OOB patches are for all affected OS, not application related( like only DC or Hyper-V servers). So it should be applied to all applicable servers.
- Is the best practice solution to ignore the old KBs (January KBs) and deploy the fix KBs only , Or to deploy the January and the fix KBs regarding the domain controllers and Hyper-V servers ?
Ans: This package will be a superset of 1B (Jan 2022 patches); in other words, it will contain all of 1B (Jan 2022 patches) PLUS our additional fixes. So, regardless of whether you have 1B (Jan 2022 Patches) installed already or not, installing the new OOB package will resolve the issue.
- Need a confirmation to deploy January KBs on other servers ( excluding the domain controllers and Hyper-V servers)
Ans: The OOB patches are for all affected OS, not application related( like only DC or Hyper-V servers). So it should be applied to all applicable servers.
For Clients
- What is the issues caused by installing January KBs on windows 10 machines ?
Ans: Issue is: Some VPN clients using IPSEC or Layer 2 Tunneling Protocol (L2TP) might have issues connecting
2. What are the windows 10 versions affected by January KBs ?:
Ans: Win 10 1909 CB, Win 10 20H2 CB, Win 10 21H1 CB and Win 10 21H2 CB.
3. Is the best practice solution to ignore the old KBs (January KBs) and deploy the fix KBs only , Or to deploy the January and the fix KBs regarding windows 10 (20H2) clients ?
Ans: This package will be a superset of 1B (Jan 2022 patches); in other words, it will contain all of 1B (Jan 2022 patches) PLUS our additional fixes. So, regardless of whether you have 1B (Jan 2022 Patches) installed already or not, installing the new OOB package will resolve the issue.
Summary
I hope that it will help you to deploy these OOB patches successfully using ConfigMgr and answer many of their queries.
