June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert


 

Hi all,

IMPORTANT REMINDER: regular cumulative update (KB alert) announcements for Version 20H2 (October 2020 Update/build 19042) will end on July 13, 2021; a final 20H2 KB alert will be sent next May when it leaves consumer support.

 

June 2021 optional cumulative update is now available:

June 21, 2021—KB5003690 (OS Builds 19041.1081, 19042.1081, and 19043.1081) Preview (microsoft.com)

 

Changelog:

Updates an issue in a small subset of users that have lower than expected performance in games after installing KB5000842 or later.  

Updates an issue that causes the Japanese Input Method Editor (IME) to suddenly stop working while you are typing. 

Updates an issue in which signing in using a PIN fails. The error message is "Something happened and your PIN isn’t available. Click to set up your PIN again."

Updates an issue that, in certain cases, takes you out of the exclusive virtual reality (VR) app and back to Windows Mixed Reality Home when you press the Windows button on the controller.

Updates an issue that causes blurry text on the news and interests button on the Windows taskbar for some screen resolutions.

Updates an issue with Search box graphics on the Windows taskbar that occurs if you right-click the taskbar and turn off News and interests. This graphics issue is especially visible when using dark mode.

Updates an issue that might prevent you from using your fingerprint to sign in after startup or waking up your device from sleep.

Updates an issue that might cause a high-pitched noise or squeak in certain apps when you play 5.1 Dolby Digital audio using certain audio devices and Windows settings.

 

Details:

 

Version 20H2 (build 19042.1081):

Addresses an issue that causes communication between apps to stop working after you enable the “AppMgmt_COM_SearchForCLSID” policy.

Addresses a performance issue in the MultiByteToWideChar() function that occurs when it is used in a non-English locale.

Addresses an issue that prevents sorting from working properly when using multiple versions of National Language Support (NLS) sorting.

Addresses an issue in a small subset of users that have lower than expected performance in games after installing KB5000842 or later.

Addresses an issue that causes the Japanese Input Method Editor (IME) to suddenly stop working while you are typing.

Addresses an issue that causes WMIMigrationPlugin.dll to return an error when you attempt to migrate in offline mode.

Addresses an issue with the Set-RuleOption PowerShell command that fails to provide the option for the Windows Defender Application Control (WDAC) policy to treat files signed with an expired certificate as unsigned.

Addresses an issue that causes Windows to stop working when it uses AppLocker to validate a file that has multiple signatures. The error is 0x3B.

Addresses an issue that might cause BitLocker to go into recovery mode after updating the Trusted Platform Module (TPM) firmware. This occurs when the "Interactive logon: Machine account lockout Threshold" policy is set and there were incorrect password attempts.

Addresses an issue that causes Windows to generate many AppLocker or SmartLocker success events.

Addresses an issue with authenticating for a domain controller when Credential Guard and Remote Credential Guard are enabled.

Addresses an issue that prevents certain screen reader apps from running when Hypervisor-protected code integrity (HVCI) is enabled.

Addresses an issue in which signing in using a PIN fails. The error message is "Something happened and your PIN isn’t available. Click to set up your PIN again."

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.

Addresses an issue that, in certain cases, takes you out of the exclusive virtual reality (VR) app and back to Windows Mixed Reality Home when you press the Windows button on the controller. With this update, when you press the Windows button, the Windows Start menu appears. When you close the Start menu, you will go back to the exclusive VR app.

Improves the accuracy and efficiency of sensitive data analysis in the Microsoft 365 Endpoint data loss prevention (DLP) Classification Engine.

Addresses an issue with the Internet Key Exchange (IKE) VPN service on remote access server (RAS) servers. Periodically, users cannot connect a VPN to the server over the IKE protocol. This issue might start several hours or days after restarting the server or restarting the IKEEXT service. Some users can connect while many others cannot connect because the service is in DoS Protection mode, which limits incoming connection attempts.

Addresses an issue that causes Wi-Fi connections to fail because of an invalid Message Integrity Check (MIC) on a four-way handshake if Management Frame Protection (MFP) is enabled.

Addresses an issue that might cause a VPN to fail after renewing a user auto-enrolled certificate. The error message is "There are no more files".

Addresses an issue with the Tunnel Extensible Authentication protocol (TEAP) that replaces the outer identity with “anonymous” even though identity privacy is not selected or is disabled.

Addresses an issue that causes Remote Desktop sessions to stop responding while the User Datagram Protocol (UDP) is enabled.

Adds support for the USB Test and Measurement Class.

Addresses an issue in Adamsync.exe that affects the syncing of large Active Directory subtrees.

Addresses an error that occurs when the Lightweight Directory Access Protocol (LDAP) bind cache is full, and the LDAP client library receives a referral.

Addresses a redirector stop error that is caused by a race condition that occurs when the system deletes binding objects when connections close.

Addresses an issue that prevents users from setting or querying disk quotas on the C drive.

Addresses an issue that causes 16-bit apps that run on NT Virtual DOS Machine (NTVDM) to stop working when you open them.

Addresses an issue that causes fontdrvhost.exe to stop working when Compact Font Format version 2 (CFF2) fonts are installed.

Addresses an issue that might prevent End User Defined Characters (EUDC) from printing correctly because of font fallback settings.

Addresses an issue that causes blurry text on the news and interests button on the Windows taskbar for some display configurations.

Addresses an issue with Search box graphics on the Windows taskbar that occurs if you use the taskbar’s context menu to turn off News and interests. This graphics issue is especially visible when using dark mode.

Addresses an issue that might cause signing in with your fingerprint to fail after the system starts up or resumes from sleep.

Addresses an issue that might cause a high-pitched noise or squeak in certain apps when you play 5.1 Dolby Digital audio using certain audio devices and Windows settings.

 

Version 21H1 (build 19043.1081): same as 20H2.

 

Cheers,

Joseph


enes sarıbaş
 

Hi Joseph,

Could you explain what this change is, and what processors support it?

■ Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.

On 6/21/2021 8:30 PM, Joseph Lee wrote:



 

Hi,

A brief search says:

  • Requires more recent Intel or Qualcomm processors (the latter is applicable for Windows 10 on ARM), and it is possible to test this with AMD processors.
  • The hardware and firmware must support virtualization and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system by means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies the security of platform-specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at a high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (the operating system). When apps run (including screen reader executables), they (the tenants) think they have all hardware resources at their disposal. In reality, they don’t; they can conduct business from the “building floor”, i.e., the memory addresses they are assigned to. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (APIs) with the building manager (operating system), it can conduct its business.

But it was soon discovered that a “smart tenant” can fool the building manager into giving them a specific advantage over other tenants. Advantages can include viewing records of other businesses without their approval (memory access), or perhaps “clogging” another business’s printers with junk (memory write), simply by impersonating the building manager. After other businesses complain about the badly behaving tenant, the building manager hires an “auditor” – really, two auditors: one to advise the manager on the resource usage of tenants and to whom the manager cedes certain duties (hypervisor), and a second auditor to enforce the work of the first auditor and ensure no tenant can interfere with the work done by the first auditor and the building manager unless approved (virtualization).

It turns out that these two auditors were not enough – there are certain things the building manager can offer that no one can refuse, and that has to do with changing the “overall interior decorations” (firmware settings) of the building. There was one problem: any tenant (app) can forcefully claim to be the building manager and do whatever it desires by walking through unlikely passageways (privilege escalation). So the building manager and the first two auditors hire a third auditor, someone who will be part of the auditing team to make sure interior decorations were indeed made by the building manager (SMM protection). In short, the overall idea of SMM protection is to make sure security is not compromised when critical parts of firmware are accessed and modified, by leveraging virtualization hardware, the hypervisor, and support from the operating system.

Suppose that a piece of code needs to read critical parts of device firmware using system management mode (SMM), something only the operating system can do. Before SMM protection, it went something like this:

  1. Somehow the operating system is alerted that it needs to read a specific part of device firmware (UEFI settings, for instance).
  2. The operating system instructs the processor to enter system management mode, which is even less restricted than the environment the operating system lives in.
  3. The operating system code reads the desired part of the device firmware.
  4. System management mode is turned off, and the operating system returns to business as usual.

 

A slight improvement is made when a hypervisor is active:

  1. The operating system tries to read critical parts of device firmware.
  2. The operating system will first ask the hypervisor (the supervisor of the supervisor (the operating system), sometimes called a “virtual machine monitor”) for permission to proceed.
  3. The hypervisor will grant permission to the operating system after checking that it is indeed the operating system that is requesting firmware access.
  4. System management mode is entered, and the operating system, together with parts of the hypervisor, reads the firmware part the operating system is interested in.
  5. System management mode is turned off, and the hypervisor returns control to the operating system, which resumes its operation.

 

With SMM protection active: in addition to looking at where the firmware access request is coming from, the hypervisor will also ask the hardware and firmware about letting the operating system access firmware parts. This leverages virtualization-based security (VBS), which is part of Hyper-V and the hardware virtualization features used to better isolate parts of the operating system code and user applications from one another. In the past, apps and operating system code were isolated by the use of memory addresses and privilege levels, but with VBS, the CPU plays a part in enforcing isolation by presenting a “virtualized” (sort of a synthetic or “fake”) view of the computer’s resources. Because SMM protection involves firmware, it is enforced when Windows boots.

 

Hope this helps.

Cheers,

Joseph
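As an added example, not part of Joseph's reply or of the Microsoft document he cites, here is a PowerShell check (run from an elevated prompt) that reads the Win32_DeviceGuard WMI class to show whether System Guard Secure Launch and SMM firmware measurement are configured and actually running on the machine, and reads the registry value through which Secure Launch is switched on. The code-to-name tables follow Microsoft's documentation of that class; the report wording and the warning are my own.

```powershell
# Added example, not from the original thread: report the state of
# virtualization-based security (VBS), System Guard Secure Launch and
# SMM firmware measurement on this machine. Run from an elevated prompt.

# Code-to-name tables as documented for the Win32_DeviceGuard WMI class.
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-protected code integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$propertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'
    8 = 'APIC virtualization'
}

# Turn an array of numeric codes into readable names; unknown codes are kept as numbers.
function Convert-Codes {
    param([uint32[]]$Codes, [hashtable]$Table)
    if (-not $Codes) { return '(none)' }
    ($Codes | ForEach-Object {
        if ($Table.ContainsKey([int]$_)) { $Table[[int]$_] } else { "Unknown($_)" }
    }) -join ', '
}

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

"VBS status           : " + $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
"Available properties : " + (Convert-Codes -Codes $dg.AvailableSecurityProperties -Table $propertyNames)
"Services configured  : " + (Convert-Codes -Codes $dg.SecurityServicesConfigured -Table $serviceNames)
"Services running     : " + (Convert-Codes -Codes $dg.SecurityServicesRunning -Table $serviceNames)

# Secure Launch is switched on through this registry value (or the matching
# Device Guard group policy); "configured" in WMI does not mean "running".
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'
$reg = Get-ItemProperty -Path $regPath -Name 'Enabled' -ErrorAction SilentlyContinue
"Secure Launch policy : " + $(if ($reg) { "Enabled=$($reg.Enabled)" } else { 'not set' })

# The useful comparison: configured but not running usually means a prerequisite
# (processor support, firmware, hypervisor, TPM) is missing. Available property 6
# shows whether the firmware advertises SMM mitigations at all.
$configured = @($dg.SecurityServicesConfigured)
$running    = @($dg.SecurityServicesRunning)
if (($configured -contains 3) -and ($running -notcontains 3)) {
    Write-Warning 'Secure Launch is configured but not running; check the available properties above for SMM mitigations (6).'
}
```

The same state is visible in msinfo32 under System Summary, but the script gives the raw codes, which is what you want when comparing machines or collecting the result centrally.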

 

 

 

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 8:29 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert



enes sarıbaş
 

Hi Joseph,

The blog article and your description were clear to me. So do you know what the 2.0 revision mentioned in the changelog is, and which AMD processor you need? I have a Ryzen 4800H and a TPM 2.0 chip. I also noticed this AMD processor comes with a PST.

On 6/21/2021 11:32 PM, Joseph Lee wrote:

Hi,

A brief search says:

  • Requires more recent Intel or Qualcomm processors (the latter is applicable for Windows 10 on ARM), and it is possible to test this with AMD processors.
  • The hardware and firmware must support virtualization and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system through means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies security of platform specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at the high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (operating system). When apps run (including screen reader executables), they (the tenants) will think they have all hardware resources at their disposal. In reality, they don’t- they can conduct business from the “building floor” i.e. memory addresses they are assigned to. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (API’s) with the building manager (operating system), they can conduct their business.

But it was soon discovered that a “smart tenant” can fool the building manager to giving them a specific advantage over other tenants. Advantages can include viewing records of other businesses without their approval (memory access), or perhaps “clogging” another businesses’ printers with junk (memory write) simply by impersonating itself as the building manager. After other businesses complain about the badly behaving tenant, the building manager hires an “auditor” – really, two auditors, one to advise the manager on resource usage of tenants and to which the manager seeds certain duties (hypervisor), and the second auditor to enforce the work of the first auditor to ensure no tenant can interfere with the work done by the first auditor and the building manager unless approved (virtualization).

It turns out that these two auditors were not enough – there are certain things the building manager can offer that no-one can refuse, and that has to do with changing the “overall interior decorations” (firmware settings) of the building. There was one problem: any tenant (app) can forcefully claim to be the building manager and do whatever it desires by walking through unlikely passageways (privilege escalation). So the building manager and the first two auditors hire a third auditor, someone who will be part of the auditing team to make sure interior decorations were indeed made by the building manager (SMM protection). In short, the overall idea of SMM protection is to make sure security is not compromised when critical parts of firmware are accessed and modified by leveraging virtualization hardware, the hypervisor, and support from the operating system.

Supposing that a piece of code will need to read critical parts of device firmware using system management mode (SMM), something only the operating system can do. Before SMM protection, it went something like this:

  1. Somehow the operating system is alerted that it needs to read specific part of device firmware (UEFI settings, for instance).
  2. The operating system instructs the processor to enter system management mode, which is even less restricted than the environment the operating system lives in.
  3. The operating system code reads the desired part of the device firmware.
  4. System management mode is turned off, and the operating system returns to business as usual.

 

A slight improvement is made when a hypervisor is active:

  1. The operating system tries to read critical parts of device firmware.
  2. The operating system will first ask the hypervisor (supervisor of the supervisor (operating system), sometimes called “virtual machine monitor) for permission to proceed.
  3. The hypervisor will grant permission to the operating system after checking that it is indeed the operating system that is requesting firmware access.
  4. System management mode is entered, and the operating system, together with parts of the hypervisor, reads the part of the firmware it is interested in.
  5. System management mode is turned off, and the hypervisor returns control to the operating system, which resumes its operation.

 

With SMM protection active: in addition to looking at where the firmware access request is coming from, the hypervisor will also ask the hardware and firmware about letting the operating system access firmware parts. This leverages virtualization-based security (VBS), which is part of Hyper-V and a hardware virtualization feature used to better isolate parts of the operating system code and user applications from one another. In the past, apps and operating system code were isolated by the use of memory addresses and privilege levels, but with VBS, the CPU plays a part in enforcing isolation by presenting a “virtualized” (sort of a synthetic or “fake”) view of the computer’s resources. Because SMM protection involves firmware, it is enforced when Windows boots.

 

Hope this helps.

Cheers,

Joseph

 

 

 

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 8:29 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

Could you explain what this change is, and what processors support it?

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.


 

Hi,

As for specifics, I’m not sure at this time.

Cheers,

Joseph

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 11:27 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

The blog article and your description were clear to me. So do you know what the 2.0 revision mentioned in the changelog is, and which AMD processor you need? I have a Ryzen 4800H and a TPM 2.0 chip. I also noticed this AMD processor comes with a PST.

On 6/21/2021 11:32 PM, Joseph Lee wrote:

Hi,

A brief search says:

  1. Requires more recent Intel or Qualcomm processors (the latter applies to Windows 10 on ARM), and it is possible to test this with AMD processors.
  2. The hardware and firmware must support virtualization and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system by means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies the security of platform-specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at a high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (operating system). When apps run (including screen reader executables), they (the tenants) will think they have all hardware resources at their disposal. In reality, they don’t; they can conduct business from the “building floor”, i.e. the memory addresses they are assigned to. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (APIs) with the building manager (operating system), it can conduct its business.

But it was soon discovered that a “smart tenant” can fool the building manager into giving it a specific advantage over other tenants. Advantages can include viewing records of other businesses without their approval (memory access), or perhaps “clogging” another business’s printers with junk (memory write), simply by impersonating the building manager. After other businesses complain about the badly behaving tenant, the building manager hires an “auditor” – really, two auditors: one to advise the manager on resource usage of tenants and to which the manager cedes certain duties (hypervisor), and a second to enforce the work of the first auditor, ensuring no tenant can interfere with the work done by the first auditor and the building manager unless approved (virtualization).

It turns out that these two auditors were not enough – there are certain things the building manager can offer that no-one can refuse, and that has to do with changing the “overall interior decorations” (firmware settings) of the building. There was one problem: any tenant (app) can forcefully claim to be the building manager and do whatever it desires by walking through unlikely passageways (privilege escalation). So the building manager and the first two auditors hire a third auditor, someone who will be part of the auditing team to make sure interior decorations were indeed made by the building manager (SMM protection). In short, the overall idea of SMM protection is to make sure security is not compromised when critical parts of firmware are accessed and modified by leveraging virtualization hardware, the hypervisor, and support from the operating system.

Suppose that a piece of code needs to read critical parts of device firmware using system management mode (SMM), something only the operating system can do. Before SMM protection, it went something like this:

  1. Somehow the operating system is alerted that it needs to read a specific part of device firmware (UEFI settings, for instance).
  2. The operating system instructs the processor to enter system management mode, which is even less restricted than the environment the operating system lives in.
  3. The operating system code reads the desired part of the device firmware.
  4. System management mode is turned off, and the operating system returns to business as usual.

 

A slight improvement is made when a hypervisor is active:

  1. The operating system tries to read critical parts of device firmware.
  2. The operating system will first ask the hypervisor (the supervisor of the supervisor, i.e. of the operating system, sometimes called a “virtual machine monitor”) for permission to proceed.
  3. The hypervisor will grant permission to the operating system after checking that it is indeed the operating system that is requesting firmware access.
  4. System management mode is entered, and the operating system, together with parts of the hypervisor, reads the part of the firmware it is interested in.
  5. System management mode is turned off, and the hypervisor returns control to the operating system, which resumes its operation.

 

With SMM protection active: in addition to looking at where the firmware access request is coming from, the hypervisor will also ask the hardware and firmware about letting the operating system access firmware parts. This leverages virtualization-based security (VBS), which is part of Hyper-V and a hardware virtualization feature used to better isolate parts of the operating system code and user applications from one another. In the past, apps and operating system code were isolated by the use of memory addresses and privilege levels, but with VBS, the CPU plays a part in enforcing isolation by presenting a “virtualized” (sort of a synthetic or “fake”) view of the computer’s resources. Because SMM protection involves firmware, it is enforced when Windows boots.

 

Hope this helps.

Cheers,

Joseph

 

 

 

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 8:29 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

Could you explain what this change is, and what processors support it?

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.

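As an added example (not part of the thread, and not Microsoft's own tooling), this is the check I would run before deciding what the explanation above means for a particular machine: the Win32_DeviceGuard WMI class reports whether VBS is running and which protections, including System Guard Secure Launch and SMM firmware measurement, the hardware makes available or Windows has active. The numeric codes are the ones Microsoft documents for that class; the interpretation printed at the end is my reading of the Secure Launch blog post cited in the thread, namely that SMM protection ships as part of Secure Launch and that both need VBS, which in turn needs hardware virtualization.

```powershell
# Added example, not from the thread: read the Device Guard WMI class to see
# which VBS-related protections this machine reports. Run from an elevated
# PowerShell session on Windows 10. The numeric codes are Microsoft's
# documented meanings for the Win32_DeviceGuard properties.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$propertyNames = @{
    0 = 'none'; 1 = 'hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
    7 = 'MBEC/GMET'; 8 = 'APIC virtualization'
}
$serviceNames = @{
    0 = 'none'; 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'; 5 = 'Kernel-mode Hardware-enforced Stack Protection'
}

function Show-Codes([uint32[]]$codes, [hashtable]$names) {
    # Codes this table does not know (newer builds add more) are shown as 'unknown'.
    foreach ($c in $codes) {
        $label = if ($names.ContainsKey([int]$c)) { $names[[int]$c] } else { 'unknown' }
        "  $c = $label"
    }
}

"VBS status: $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Available security properties:"
Show-Codes $dg.AvailableSecurityProperties $propertyNames
"Security services running:"
Show-Codes $dg.SecurityServicesRunning $serviceNames

# The values that matter for the "firmware protection" line in this update.
$hypervisorAvailable = $dg.AvailableSecurityProperties -contains 1
$smmMitigations      = $dg.AvailableSecurityProperties -contains 6
$secureLaunchRunning = $dg.SecurityServicesRunning -contains 3
$smmMeasurementOn    = $dg.SecurityServicesRunning -contains 4

if (-not $hypervisorAvailable) {
    # Without hypervisor support VBS cannot start, so neither Secure Launch nor
    # SMM protection can be active. Usually this means Intel VT-x / AMD-V is
    # disabled in firmware setup (assumption: the platform otherwise supports VBS).
    "Hypervisor support is not available: VBS, and with it Secure Launch and SMM protection, cannot run."
} elseif (-not $secureLaunchRunning) {
    "VBS can run, but System Guard Secure Launch is not running; SMM protection is delivered as part of it."
} else {
    "Secure Launch is running. SMM mitigations available: $smmMitigations; SMM firmware measurement running: $smmMeasurementOn"
}
```

Two things to keep in mind when reading the output: AvailableSecurityProperties tells you what the hardware and firmware can do, while SecurityServicesRunning tells you what Windows has actually turned on, so a machine can list SMM mitigations as available and still show nothing running until Secure Launch is configured through the Virtualization Based Security policy. And if the first list lacks code 1, disabling virtualization in firmware setup, as one poster describes, is the first thing to rule out.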

 

I have a tenth-gen Intel, but I did disable virtualization in BIOS; should I leave this enabled?

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Joseph Lee
Sent: Monday, June 21, 2021 11:32 PM
To: win10@win10.groups.io
Subject: [Special] Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi,

A brief search says:

  • Requires more recent Intel or Qualcomm processors (the latter applies to Windows 10 on ARM), and it is possible to test this with AMD processors.
  • The hardware and firmware must support virtualization and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system by means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies the security of platform-specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at a high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (operating system). When apps run (including screen reader executables), they (the tenants) will think they have all hardware resources at their disposal. In reality, they don’t; they can conduct business from the “building floor”, i.e. the memory addresses they are assigned to. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (APIs) with the building manager (operating system), it can conduct its business.

But it was soon discovered that a “smart tenant” can fool the building manager into giving it a specific advantage over other tenants. Advantages can include viewing records of other businesses without their approval (memory access), or perhaps “clogging” another business’s printers with junk (memory write), simply by impersonating the building manager. After other businesses complain about the badly behaving tenant, the building manager hires an “auditor” – really, two auditors: one to advise the manager on resource usage of tenants and to which the manager cedes certain duties (hypervisor), and a second to enforce the work of the first auditor, ensuring no tenant can interfere with the work done by the first auditor and the building manager unless approved (virtualization).

It turns out that these two auditors were not enough – there are certain things the building manager can offer that no-one can refuse, and that has to do with changing the “overall interior decorations” (firmware settings) of the building. There was one problem: any tenant (app) can forcefully claim to be the building manager and do whatever it desires by walking through unlikely passageways (privilege escalation). So the building manager and the first two auditors hire a third auditor, someone who will be part of the auditing team to make sure interior decorations were indeed made by the building manager (SMM protection). In short, the overall idea of SMM protection is to make sure security is not compromised when critical parts of firmware are accessed and modified by leveraging virtualization hardware, the hypervisor, and support from the operating system.

Suppose that a piece of code needs to read critical parts of device firmware using system management mode (SMM), something only the operating system can do. Before SMM protection, it went something like this:

  1. Somehow the operating system is alerted that it needs to read a specific part of device firmware (UEFI settings, for instance).
  2. The operating system instructs the processor to enter system management mode, which is even less restricted than the environment the operating system lives in.
  3. The operating system code reads the desired part of the device firmware.
  4. System management mode is turned off, and the operating system returns to business as usual.

 

A slight improvement is made when a hypervisor is active:

  1. The operating system tries to read critical parts of device firmware.
  2. The operating system will first ask the hypervisor (the supervisor of the supervisor, i.e. of the operating system, sometimes called a “virtual machine monitor”) for permission to proceed.
  3. The hypervisor will grant permission to the operating system after checking that it is indeed the operating system that is requesting firmware access.
  4. System management mode is entered, and the operating system, together with parts of the hypervisor, reads the part of the firmware it is interested in.
  5. System management mode is turned off, and the hypervisor returns control to the operating system, which resumes its operation.

 

With SMM protection active: in addition to looking at where the firmware access request is coming from, the hypervisor will also ask the hardware and firmware about letting the operating system access firmware parts. This leverages virtualization-based security (VBS), which is part of Hyper-V and a hardware virtualization feature used to better isolate parts of the operating system code and user applications from one another. In the past, apps and operating system code were isolated by the use of memory addresses and privilege levels, but with VBS, the CPU plays a part in enforcing isolation by presenting a “virtualized” (sort of a synthetic or “fake”) view of the computer’s resources. Because SMM protection involves firmware, it is enforced when Windows boots.

 

Hope this helps.

Cheers,

Joseph

 

 

 

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 8:29 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

Could you explain what this change is, and what processors support it?

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.

On 6/21/2021 8:30 PM, Joseph Lee wrote:

Hi all,

IMPORTANT REMINDER: regular cumulative update (KB alert) announcements for Version 20H2 (October 2020 Update/build 19042) will end on July 13, 2021; a final 20H2 KB alert will be sent next May when it leaves consumer support.

 

June 2021 optional cumulative update is now available:

June 21, 2021—KB5003690 (OS Builds 19041.1081, 19042.1081, and 19043.1081) Preview (microsoft.com)

 

Changelog:

Updates an issue in a small subset of users that have lower than expected performance in games after installing KB5000842 or later.  

Updates an issue that causes the Japanese Input Method Editor (IME) to suddenly stop working while you are typing. 

Updates an issue in which signing in using a PIN fails. The error message is "Something happened and your PIN isn’t available. Click to set up your PIN again."

Updates an issue that, in certain cases, takes you out of the exclusive virtual reality (VR) app and back to Windows Mixed Reality Home when you press the Windows button on the controller.

Updates an issue that causes blurry text on the news and interests button on the Windows taskbar for some screen resolutions.

Updates an issue with Search box graphics on the Windows taskbar that occurs if you right-click the taskbar and turn off News and interests. This graphics issue is especially visible when using dark mode.

Updates an issue that might prevent you from using your fingerprint to sign in after startup or waking up your device from sleep.

Updates an issue that might cause a high-pitched noise or squeak in certain apps when you play 5.1 Dolby Digital audio using certain audio devices and Windows settings.

 

Details:

 

Version 20H2 (build 19042.1081):

Addresses an issue that causes communication between apps to stop working after you enable the “AppMgmt_COM_SearchForCLSID” policy.

Addresses a performance issue in the MultiByteToWideChar() function that occurs when it is used in a non-English locale.

Addresses an issue that prevents sorting from working properly when using multiple versions of National Language Support (NLS) sorting.

Addresses an issue in a small subset of users that have lower than expected performance in games after installing KB5000842 or later.

Addresses an issue that causes the Japanese Input Method Editor (IME) to suddenly stop working while you are typing.

Addresses an issue that causes WMIMigrationPlugin.dll to return an error when you attempt to migrate in offline mode.

Addresses an issue with the Set-RuleOption PowerShell command that fails to provide the option for the Windows Defender Application Control (WDAC) policy to treat files signed with an expired certificate as unsigned.

Addresses an issue that causes Windows to stop working when it uses AppLocker to validate a file that has multiple signatures. The error is 0x3B.

Addresses an issue that might cause BitLocker to go into recovery mode after updating the Trusted Platform Module (TPM) firmware. This occurs when the "Interactive logon: Machine account lockout Threshold" policy is set and there were incorrect password attempts.

Addresses an issue that causes Windows to generate many AppLocker or SmartLocker success events.

Addresses an issue with authenticating for a domain controller when Credential Guard and Remote Credential Guard are enabled.

Addresses an issue that prevents certain screen reader apps from running when Hypervisor-protected code integrity (HVCI) is enabled.

Addresses an issue in which signing in using a PIN fails. The error message is "Something happened and your PIN isn’t available. Click to set up your PIN again."

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.

Addresses an issue that, in certain cases, takes you out of the exclusive virtual reality (VR) app and back to Windows Mixed Reality Home when you press the Windows button on the controller. With this update, when you press the Windows button, the Windows Start menu appears. When you close the Start menu, you will go back to the exclusive VR app.

Improves the accuracy and efficiency of sensitive data analysis in the Microsoft 365 Endpoint data loss prevention (DLP) Classification Engine.

Addresses an issue with the Internet Key Exchange (IKE) VPN service on remote access server (RAS) servers. Periodically, users cannot connect a VPN to the server over the IKE protocol. This issue might start several hours or days after restarting the server or restarting the IKEEXT service. Some users can connect while many others cannot connect because the service is in DoS Protection mode, which limits incoming connection attempts.

Addresses an issue that causes Wi-Fi connections to fail because of an invalid Message Integrity Check (MIC) on a four-way handshake if Management Frame Protection (MFP) is enabled.

Addresses an issue that might cause a VPN to fail after renewing a user auto-enrolled certificate. The error message is "There are no more files".

Addresses an issue with the Tunnel Extensible Authentication protocol (TEAP) that replaces the outer identity with “anonymous” even though identity privacy is not selected or is disabled.

Addresses an issue that causes Remote Desktop sessions to stop responding while the User Datagram Protocol (UDP) is enabled.

Adds support for the USB Test and Measurement Class.

Addresses an issue in Adamsync.exe that affects the syncing of large Active Directory subtrees.

Addresses an error that occurs when the Lightweight Directory Access Protocol (LDAP) bind cache is full, and the LDAP client library receives a referral.

Addresses a redirector stop error that is caused by a race condition that occurs when the system deletes binding objects when connections close.

Addresses an issue that prevents users from setting or querying disk quotas on the C drive.

Addresses an issue that causes 16-bit apps that run on NT Virtual DOS Machine (NTVDM) to stop working when you open them.

Addresses an issue that causes fontdrvhost.exe to stop working when Compact Font Format version 2 (CFF2) fonts are installed.

Addresses an issue that might prevent End User Defined Characters (EUDC) from printing correctly because of font fallback settings.

Addresses an issue that causes blurry text on the news and interests button on the Windows taskbar for some display configurations.

Addresses an issue with Search box graphics on the Windows taskbar that occurs if you use the taskbar’s context menu to turn off News and interests. This graphics issue is especially visible when using dark mode.

Addresses an issue that might cause signing in with your fingerprint to fail after the system starts up or resumes from sleep.

Addresses an issue that might cause a high-pitched noise or squeak in certain apps when you play 5.1 Dolby Digital audio using certain audio devices and Windows settings.

 

Version 21H1 (build 19043.1081): same as 20H2.

 

Cheers,

Joseph
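
An added example, not part of Joseph's post or of Microsoft's release notes, for the Set-RuleOption item above: it builds a WDAC policy in audit mode that treats files signed with a revoked or expired certificate as unsigned, verifies the option actually landed in the XML, and compiles it. Assumptions: the DefaultWindows_Audit template exists at the path below (it ships with Windows 10 1903 and later), the ConfigCI module is available (Windows 10 Pro/Enterprise), and $work is a writable scratch directory. The option number 20 and its XML name are the documented WDAC rule option for this behaviour.

```powershell
# Added example, not from the original post or from Microsoft's release notes: a WDAC policy
# that treats files signed with a revoked or expired certificate as unsigned, which is the
# Set-RuleOption behaviour the changelog item refers to.
# Assumptions: the DefaultWindows_Audit template exists at the path below, the ConfigCI
# module is available (Windows 10 Pro/Enterprise), and $work is writable.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'wdac-expired-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

$template = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'
$policy   = Join-Path $work 'ExpiredAsUnsigned.xml'
Copy-Item -Path $template -Destination $policy

# Fresh PolicyID/BasePolicyID so the copy never collides with the template if both get deployed.
Set-CIPolicyIdInfo -FilePath $policy -PolicyName 'Demo: expired signatures as unsigned' -ResetPolicyID | Out-Null

# Rule options are set by number. 3 = Enabled:Audit Mode (log instead of block while testing);
# 20 = Enabled:Revoked Expired As Unsigned, the option this update lets Set-RuleOption write.
Set-RuleOption -FilePath $policy -Option 3
Set-RuleOption -FilePath $policy -Option 20

# Trust but verify: the option must appear under <Rules> before the policy is worth compiling.
[xml]$doc = Get-Content -Path $policy
$options = @($doc.SiPolicy.Rules.Rule.Option)
if ($options -notcontains 'Enabled:Revoked Expired As Unsigned') {
    throw 'Option 20 was not written; builds before 19041.1081 could not set it with Set-RuleOption.'
}
$options | ForEach-Object { "rule option: $_" }

# Compile to the binary form the kernel loads. Deployment (copying the .cip into
# System32\CodeIntegrity\CiPolicies\Active and rebooting) is deliberately left out of this demo.
$binary = Join-Path $work 'ExpiredAsUnsigned.cip'
ConvertFrom-CIPolicy -XmlFilePath $policy -BinaryFilePath $binary | Out-Null
"compiled policy: $binary ($((Get-Item $binary).Length) bytes)"
```

Keep audit mode (option 3) on until the CodeIntegrity event log shows no unexpected blocks; removing it with Set-RuleOption -Delete turns the same policy into an enforcing one.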


 

Hi,

I recommend keeping virtualization on if it was enabled from the beginning. But to be safe, I recommend enabling virtualization because there will come a day when Windows may require it in order to function correctly (this is the case for enterprises these days).

Cheers,

Joseph
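
An added example, not from Joseph's reply, that answers the two questions in this thread from one elevated PowerShell prompt: is virtualization on in firmware, and which VBS services (Credential Guard, HVCI, System Guard Secure Launch, SMM firmware measurement) are actually running on this build. Assumptions: the numeric code tables are the documented Win32_DeviceGuard values, the DisplayVersion registry value exists (20H2 and later), and Get-Tpm and Confirm-SecureBootUEFI need elevation.

```powershell
# Added example, not from the original post: report firmware prerequisites (virtualization,
# TPM, Secure Boot) and the VBS services actually running, including System Guard Secure Launch
# and the SMM firmware measurement that KB5003690 extends. Run from an elevated prompt.
# Assumptions: the Win32_DeviceGuard code tables below are the documented values; the
# DisplayVersion registry value exists (20H2 and later).
$ErrorActionPreference = 'Stop'
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt; Get-Tpm and Confirm-SecureBootUEFI need it.'
}

$nt  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$tpm = Get-Tpm

# Code tables from the Win32_DeviceGuard class documentation.
$vbsState = @{ 0 = 'disabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$services = @{ 0 = 'none'; 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$props    = @{ 1 = 'hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure Memory Overwrite'
               5 = 'NX protections'; 6 = 'SMM mitigations'; 7 = 'Mode Based Execution Control'; 8 = 'APIC virtualization' }
function Decode($codes, $table) { ($codes | ForEach-Object { $table[[int]$_] }) -join ', ' }

"OS build:                 $($nt.CurrentBuild).$($nt.UBR) ($($nt.DisplayVersion))"
"Processor:                $($cpu.Name.Trim())"
# Once the hypervisor is running, Windows itself is a guest and this value reports False;
# read it together with the VBS line rather than on its own.
"VT-x/AMD-V in firmware:   $($cpu.VirtualizationFirmwareEnabled)"
"SLAT:                     $($cpu.SecondLevelAddressTranslationExtensions)"
"TPM present / ready:      $($tpm.TpmPresent) / $($tpm.TpmReady)"
"Secure Boot:              $(try { Confirm-SecureBootUEFI } catch { 'not available (legacy BIOS/CSM)' })"
"VBS:                      $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"
"Available security props: $(Decode $dg.AvailableSecurityProperties $props)"
"Services configured:      $(Decode $dg.SecurityServicesConfigured $services)"
"Services running:         $(Decode $dg.SecurityServicesRunning $services)"

# The SMM protection added by this update only comes into play when Secure Launch is on.
if ($dg.SecurityServicesRunning -contains 3) {
    'System Guard Secure Launch is running; the SMM Firmware Measurement entry above shows whether firmware protection is active.'
} elseif ($dg.AvailableSecurityProperties -contains 6) {
    'Firmware reports SMM mitigations, but Secure Launch is not running; turn it on via the Device Guard group policy (Secure Launch Configuration) or the DeviceGuard CSP.'
} else {
    'Firmware reports no SMM mitigations; Secure Launch cannot be enabled on this platform as configured.'
}
```

If "VT-x/AMD-V in firmware" is False and VBS is also disabled, virtualization really is off in the BIOS/UEFI setup and nothing above Secure Boot will light up until it is re-enabled.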

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Capelle, Michael C.
Sent: Tuesday, June 22, 2021 12:14 AM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

I have a tenth-gen Intel, but I did disable virtualization in BIOS; should I leave this enabled?

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Joseph Lee
Sent: Monday, June 21, 2021 11:32 PM
To: win10@win10.groups.io
Subject: [Special] Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi,

A brief search says:

  • Requires more recent Intel or Qualcomm processors (the latter is applicable for Windows 10 on ARM), and it is possible to test this with AMD processors.
  • The hardware and firmware must support virtualization and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system by means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies the security of platform-specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at a high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (the operating system). When apps run (including screen reader executables), they (the tenants) will think they have all hardware resources at their disposal. In reality, they don’t; they can conduct business from the “building floor”, i.e. the memory addresses they are assigned to. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (APIs) with the building manager (operating system), it can conduct its business.

But it was soon discovered that a “smart tenant” can fool the building manager into giving it a specific advantage over other tenants. Advantages can include viewing the records of other businesses without their approval (memory access), or perhaps “clogging” another business’s printers with junk (memory write), simply by impersonating the building manager. After other businesses complain about the badly behaving tenant, the building manager hires an “auditor”: really, two auditors, one to advise the manager on the resource usage of tenants and to whom the manager cedes certain duties (hypervisor), and a second auditor to enforce the work of the first, ensuring no tenant can interfere with the work done by the first auditor and the building manager unless approved (virtualization).

It turns out that these two auditors were not enough. There are certain things the building manager can offer that no one can refuse, and that has to do with changing the “overall interior decorations” (firmware settings) of the building. There was one problem: any tenant (app) can forcefully claim to be the building manager and do whatever it desires by walking through unlikely passageways (privilege escalation). So the building manager and the first two auditors hire a third auditor, someone who will be part of the auditing team to make sure the interior decorations were indeed made by the building manager (SMM protection). In short, the overall idea of SMM protection is to make sure security is not compromised when critical parts of firmware are accessed and modified, by leveraging virtualization hardware, the hypervisor, and support from the operating system.

Suppose that a piece of code needs to read critical parts of device firmware using system management mode (SMM), something only the operating system can do. Before SMM protection, it went something like this:

  1. Somehow the operating system is alerted that it needs to read a specific part of the device firmware (UEFI settings, for instance).
  2. The operating system instructs the processor to enter system management mode, which is even less restricted than the environment the operating system lives in.
  3. The operating system code reads the desired part of the device firmware.
  4. System management mode is turned off, and the operating system returns to business as usual.

 

A slight improvement is made when a hypervisor is active:

  1. The operating system tries to read critical parts of device firmware.
  2. The operating system will first ask the hypervisor (the supervisor of the supervisor, i.e. of the operating system; sometimes called a “virtual machine monitor”) for permission to proceed.
  3. The hypervisor will grant permission to the operating system after checking that it is indeed the operating system that is requesting firmware access.
  4. System management mode is entered, and the operating system, together with parts of the hypervisor, reads the firmware part the operating system is interested in.
  5. System management mode is turned off, and the hypervisor returns control to the operating system, which resumes its operation.

 

With SMM protection active: in addition to looking at where the firmware access request is coming from, the hypervisor will also ask the hardware and firmware about letting the operating system access firmware parts. This leverages virtualization-based security (VBS), which is part of Hyper-V and the hardware virtualization features used to better isolate parts of the operating system code and user applications from one another. In the past, apps and operating system code were isolated by the use of memory addresses and privilege levels, but with VBS, the CPU plays a part in enforcing isolation by presenting a “virtualized” (a sort of synthetic or “fake”) view of the computer’s resources. Because SMM protection involves firmware, it is enforced when Windows boots.

 

Hope this helps.

Cheers,

Joseph

 

 

 

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 8:29 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

Could you explain what this change is, and what processors support it?

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.



Richard Villa
 

I just had a system built with a Ryzen 5800X and am wondering how this impacts me.

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Tuesday, June 22, 2021 1:27 AM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

The blog article and your description were clear to me. So do you know what the 2.0 revision mentioned in the changelog is, and which AMD processor you need? I have a Ryzen 4800H and a TPM 2.0 chip. I also noticed this AMD processor comes with a PST.



 

Hi,

It ultimately comes down to what Microsoft and the system manufacturer says about this feature, and I expect it won’t impact many of us for now.

Cheers,

Joseph

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Richard Villa
Sent: Tuesday, June 22, 2021 1:30 AM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

I just had a system built with a Ryzen 5800x and am wonder how this impacts me.

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Tuesday, June 22, 2021 1:27 AM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

The blog article and your description was clear to me.  So do you know what the 2.0 revision mentioned in changelog is, and which AMD processor you need. I have a Ryzen 4800H, and a TPM 2.0 chip.  I also noticed this AMD processor comes with a PST.

On 6/21/2021 11:32 PM, Joseph Lee wrote:

Hi,

A brief search says:

  1. Requires more recent Intel or Qualcomm processors (the latter is applicable for Windows 10 on ARM), and it is possible to test this with AMD processors.
  2. The hardware and firmware must support virtualization and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system by means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies the security of platform-specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at a high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (the operating system). When apps run (including screen reader executables), they (the tenants) will think they have all hardware resources at their disposal. In reality, they don’t; they can conduct business from the “building floor”, i.e. the memory addresses they are assigned to. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (APIs) with the building manager (operating system), it can conduct its business.

But it was soon discovered that a “smart tenant” can fool the building manager into giving it a specific advantage over other tenants. Advantages can include viewing records of other businesses without their approval (memory access), or perhaps “clogging” another business’s printers with junk (memory write), simply by impersonating the building manager. After other businesses complain about the badly behaving tenant, the building manager hires an “auditor” – really, two auditors: one to advise the manager on resource usage of tenants and to whom the manager cedes certain duties (hypervisor), and a second auditor to enforce the work of the first auditor, ensuring no tenant can interfere with the work done by the first auditor and the building manager unless approved (virtualization).

It turns out that these two auditors were not enough – there are certain things the building manager can offer that no one can refuse, and that has to do with changing the “overall interior decorations” (firmware settings) of the building. There was one problem: any tenant (app) can forcefully claim to be the building manager and do whatever it desires by walking through unlikely passageways (privilege escalation). So the building manager and the first two auditors hire a third auditor, someone who will be part of the auditing team to make sure interior decorations were indeed made by the building manager (SMM protection). In short, the overall idea of SMM protection is to make sure security is not compromised when critical parts of firmware are accessed and modified, by leveraging virtualization hardware, the hypervisor, and support from the operating system.

Suppose that a piece of code needs to read critical parts of device firmware using system management mode (SMM), something only the operating system can do. Before SMM protection, it went something like this:

  1. Somehow the operating system is alerted that it needs to read a specific part of device firmware (UEFI settings, for instance).
  2. The operating system instructs the processor to enter system management mode, which is even less restricted than the environment the operating system lives in.
  3. The operating system code reads the desired part of the device firmware.
  4. System management mode is turned off, and the operating system returns to business as usual.

 

A slight improvement is made when a hypervisor is active:

  1. The operating system tries to read critical parts of device firmware.
  2. The operating system will first ask the hypervisor (the supervisor of the supervisor (operating system), sometimes called a “virtual machine monitor”) for permission to proceed.
  3. The hypervisor will grant permission to the operating system after checking that it is indeed the operating system that is requesting firmware access.
  4. System management mode is entered, and the operating system, together with parts of the hypervisor, reads the firmware part the operating system is interested in.
  5. System management mode is turned off, and the hypervisor returns control to the operating system, which resumes its operation.

 

With SMM protection active: in addition to looking at where the firmware access request is coming from, the hypervisor will also ask hardware and firmware about letting the operating system access firmware parts. This leverages virtualization-based security (VBS), which is part of Hyper-V and the hardware virtualization features used to better isolate parts of the operating system code and user applications from one another. In the past, apps and operating system code were isolated by use of memory addresses and privilege levels, but with VBS, the CPU plays a part in enforcing isolation by presenting a “virtualized” (sort of a synthetic or “fake”) view of the computer’s resources. Because SMM protection involves firmware, it is enforced when Windows boots.

 

Hope this helps.

Cheers,

Joseph

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 8:29 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

Could you explain what this change is, and what processors support it?

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.

On 6/21/2021 8:30 PM, Joseph Lee wrote:

Hi all,

IMPORTANT REMINDER: regular cumulative update (KB alert) announcements for Version 20H2 (October 2020 Update/build 19042) will end on July 13, 2021; a final 20H2 KB alert will be sent next May when it leaves consumer support.

 

June 2021 optional cumulative update is now available:

June 21, 2021—KB5003690 (OS Builds 19041.1081, 19042.1081, and 19043.1081) Preview (microsoft.com)

 

Changelog:

Updates an issue in a small subset of users that have lower than expected performance in games after installing KB5000842 or later.  

Updates an issue that causes the Japanese Input Method Editor (IME) to suddenly stop working while you are typing. 

Updates an issue in which signing in using a PIN fails. The error message is "Something happened and your PIN isn’t available. Click to set up your PIN again."

Updates an issue that, in certain cases, takes you out of the exclusive virtual reality (VR) app and back to Windows Mixed Reality Home when you press the Windows button on the controller.

Updates an issue that causes blurry text on the news and interests button on the Windows taskbar for some screen resolutions.

Updates an issue with Search box graphics on the Windows taskbar that occurs if you right-click the taskbar and turn off News and interests. This graphics issue is especially visible when using dark mode.

Updates an issue that might prevent you from using your fingerprint to sign in after startup or waking up your device from sleep.

Updates an issue that might cause a high-pitched noise or squeak in certain apps when you play 5.1 Dolby Digital audio using certain audio devices and Windows settings.

 

Details:

 

Version 20H2 (build 19042.1081):

Addresses an issue that causes communication between apps to stop working after you enable the “AppMgmt_COM_SearchForCLSID” policy.

Addresses a performance issue in the MultiByteToWideChar() function that occurs when it is used in a non-English locale.

Addresses an issue that prevents sorting from working properly when using multiple versions of National Language Support (NLS) sorting.

Addresses an issue in a small subset of users that have lower than expected performance in games after installing KB5000842 or later.

Addresses an issue that causes the Japanese Input Method Editor (IME) to suddenly stop working while you are typing.

Addresses an issue that causes WMIMigrationPlugin.dll to return an error when you attempt to migrate in offline mode.

Addresses an issue with the Set-RuleOption PowerShell command that fails to provide the option for the Windows Defender Application Control (WDAC) policy to treat files signed with an expired certificate as unsigned.

Addresses an issue that causes Windows to stop working when it uses AppLocker to validate a file that has multiple signatures. The error is 0x3B.

Addresses an issue that might cause BitLocker to go into recovery mode after updating the Trusted Platform Module (TPM) firmware. This occurs when the "Interactive logon: Machine account lockout Threshold" policy is set and there were incorrect password attempts.

Addresses an issue that causes Windows to generate many AppLocker or SmartLocker success events.

Addresses an issue with authenticating for a domain controller when Credential Guard and Remote Credential Guard are enabled.

Addresses an issue that prevents certain screen reader apps from running when Hypervisor-protected code integrity (HVCI) is enabled.

Addresses an issue in which signing in using a PIN fails. The error message is "Something happened and your PIN isn’t available. Click to set up your PIN again."

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.

Addresses an issue that, in certain cases, takes you out of the exclusive virtual reality (VR) app and back to Windows Mixed Reality Home when you press the Windows button on the controller. With this update, when you press the Windows button, the Windows Start menu appears. When you close the Start menu, you will go back to the exclusive VR app.

Improves the accuracy and efficiency of sensitive data analysis in the Microsoft 365 Endpoint data loss prevention (DLP) Classification Engine.

Addresses an issue with the Internet Key Exchange (IKE) VPN service on remote access server (RAS) servers. Periodically, users cannot connect a VPN to the server over the IKE protocol. This issue might start several hours or days after restarting the server or restarting the IKEEXT service. Some users can connect while many others cannot connect because the service is in DoS Protection mode, which limits incoming connection attempts.

Addresses an issue that causes Wi-Fi connections to fail because of an invalid Message Integrity Check (MIC) on a four-way handshake if Management Frame Protection (MFP) is enabled.

Addresses an issue that might cause a VPN to fail after renewing a user auto-enrolled certificate. The error message is "There are no more files".

Addresses an issue with the Tunnel Extensible Authentication protocol (TEAP) that replaces the outer identity with “anonymous” even though identity privacy is not selected or is disabled.

Addresses an issue that causes Remote Desktop sessions to stop responding while the User Datagram Protocol (UDP) is enabled.

Adds support for the USB Test and Measurement Class.

Addresses an issue in Adamsync.exe that affects the syncing of large Active Directory subtrees.

Addresses an error that occurs when the Lightweight Directory Access Protocol (LDAP) bind cache is full, and the LDAP client library receives a referral.

Addresses a redirector stop error that is caused by a race condition that occurs when the system deletes binding objects when connections close.

Addresses an issue that prevents users from setting or querying disk quotas on the C drive.

Addresses an issue that causes 16-bit apps that run on NT Virtual DOS Machine (NTVDM) to stop working when you open them.

Addresses an issue that causes fontdrvhost.exe to stop working when Compact Font Format version 2 (CFF2) fonts are installed.

Addresses an issue that might prevent End User Defined Characters (EUDC) from printing correctly because of font fallback settings.

Addresses an issue that causes blurry text on the news and interests button on the Windows taskbar for some display configurations.

Addresses an issue with Search box graphics on the Windows taskbar that occurs if you use the taskbar’s context menu to turn off News and interests. This graphics issue is especially visible when using dark mode.

Addresses an issue that might cause signing in with your fingerprint to fail after the system starts up or resumes from sleep.

Addresses an issue that might cause a high-pitched noise or squeak in certain apps when you play 5.1 Dolby Digital audio using certain audio devices and Windows settings.

 

Version 21H1 (build 19043.1081): same as 20H2.

 

Cheers,

Joseph


 

No problem, then I am going to turn it back on; it was enabled from the start.

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Joseph Lee
Sent: Tuesday, June 22, 2021 2:18 AM
To: win10@win10.groups.io
Subject: [Special] Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi,

I recommend keeping virtualization on if it was enabled from the beginning. But to be safe, I recommend enabling virtualization because there will come a day when Windows may require it in order to function correctly (this is the case for enterprises these days).

Cheers,

Joseph

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Capelle, Michael C.
Sent: Tuesday, June 22, 2021 12:14 AM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

I have a tenth gen Intel, but I did disable virtualization in BIOS. Should I leave this enabled?

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Joseph Lee
Sent: Monday, June 21, 2021 11:32 PM
To: win10@win10.groups.io
Subject: [Special] Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi,

A brief search says:

  • Requires more recent Intel or Qualcomm processors (the latter is applicable for Windows 10 on ARM), and it is possible to test this with AMD processors.
  • The hardware and firmware must support virtualization and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system by means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies the security of platform-specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at a high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (the operating system). When apps run (including screen reader executables), they (the tenants) will think they have all hardware resources at their disposal. In reality, they don’t; they can conduct business from the “building floor”, i.e. the memory addresses they are assigned to. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (APIs) with the building manager (operating system), it can conduct its business.

But it was soon discovered that a “smart tenant” can fool the building manager into giving it a specific advantage over other tenants. Advantages can include viewing records of other businesses without their approval (memory access), or perhaps “clogging” another business’s printers with junk (memory write), simply by impersonating the building manager. After other businesses complain about the badly behaving tenant, the building manager hires an “auditor” – really, two auditors: one to advise the manager on resource usage of tenants and to whom the manager cedes certain duties (hypervisor), and a second auditor to enforce the work of the first auditor, ensuring no tenant can interfere with the work done by the first auditor and the building manager unless approved (virtualization).

It turns out that these two auditors were not enough – there are certain things the building manager can offer that no one can refuse, and that has to do with changing the “overall interior decorations” (firmware settings) of the building. There was one problem: any tenant (app) can forcefully claim to be the building manager and do whatever it desires by walking through unlikely passageways (privilege escalation). So the building manager and the first two auditors hire a third auditor, someone who will be part of the auditing team to make sure interior decorations were indeed made by the building manager (SMM protection). In short, the overall idea of SMM protection is to make sure security is not compromised when critical parts of firmware are accessed and modified, by leveraging virtualization hardware, the hypervisor, and support from the operating system.

Suppose that a piece of code needs to read critical parts of device firmware using system management mode (SMM), something only the operating system can do. Before SMM protection, it went something like this:

  1. Somehow the operating system is alerted that it needs to read a specific part of device firmware (UEFI settings, for instance).
  2. The operating system instructs the processor to enter system management mode, which is even less restricted than the environment the operating system lives in.
  3. The operating system code reads the desired part of the device firmware.
  4. System management mode is turned off, and the operating system returns to business as usual.

 

A slight improvement is made when a hypervisor is active:

  1. The operating system tries to read critical parts of device firmware.
  2. The operating system will first ask the hypervisor (the supervisor of the supervisor (operating system), sometimes called a “virtual machine monitor”) for permission to proceed.
  3. The hypervisor will grant permission to the operating system after checking that it is indeed the operating system that is requesting firmware access.
  4. System management mode is entered, and the operating system, together with parts of the hypervisor, reads the firmware part the operating system is interested in.
  5. System management mode is turned off, and the hypervisor returns control to the operating system, which resumes its operation.

 

With SMM protection active: in addition to looking at where the firmware access request is coming from, the hypervisor will also ask hardware and firmware about letting the operating system access firmware parts. This leverages virtualization-based security (VBS), which is part of Hyper-V and the hardware virtualization features used to better isolate parts of the operating system code and user applications from one another. In the past, apps and operating system code were isolated by use of memory addresses and privilege levels, but with VBS, the CPU plays a part in enforcing isolation by presenting a “virtualized” (sort of a synthetic or “fake”) view of the computer’s resources. Because SMM protection involves firmware, it is enforced when Windows boots.

 

Hope this helps.

Cheers,

Joseph

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 8:29 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

Could you explain what this change is, and what processors support it?

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.

On 6/21/2021 8:30 PM, Joseph Lee wrote:

Hi all,

IMPORTANT REMINDER: regular cumulative update (KB alert) announcements for Version 20H2 (October 2020 Update/build 19042) will end on July 13, 2021; a final 20H2 KB alert will be sent next May when it leaves consumer support.

 

June 2021 optional cumulative update is now available:

June 21, 2021—KB5003690 (OS Builds 19041.1081, 19042.1081, and 19043.1081) Preview (microsoft.com)

 

Changelog:

Updates an issue in a small subset of users that have lower than expected performance in games after installing KB5000842 or later.  

Updates an issue that causes the Japanese Input Method Editor (IME) to suddenly stop working while you are typing. 

Updates an issue in which signing in using a PIN fails. The error message is "Something happened and your PIN isn’t available. Click to set up your PIN again."

Updates an issue that, in certain cases, takes you out of the exclusive virtual reality (VR) app and back to Windows Mixed Reality Home when you press the Windows button on the controller.

Updates an issue that causes blurry text on the news and interests button on the Windows taskbar for some screen resolutions.

Updates an issue with Search box graphics on the Windows taskbar that occurs if you right-click the taskbar and turn off News and interests. This graphics issue is especially visible when using dark mode.

Updates an issue that might prevent you from using your fingerprint to sign in after startup or waking up your device from sleep.

Updates an issue that might cause a high-pitched noise or squeak in certain apps when you play 5.1 Dolby Digital audio using certain audio devices and Windows settings.

 

Details:

 

Version 20H2 (build 19042.1081):

Addresses an issue that causes communication between apps to stop working after you enable the “AppMgmt_COM_SearchForCLSID” policy.

Addresses a performance issue in the MultiByteToWideChar() function that occurs when it is used in a non-English locale.

Addresses an issue that prevents sorting from working properly when using multiple versions of National Language Support (NLS) sorting.

Addresses an issue in a small subset of users that have lower than expected performance in games after installing KB5000842 or later.

Addresses an issue that causes the Japanese Input Method Editor (IME) to suddenly stop working while you are typing.

Addresses an issue that causes WMIMigrationPlugin.dll to return an error when you attempt to migrate in offline mode.

Addresses an issue with the Set-RuleOption PowerShell command that fails to provide the option for the Windows Defender Application Control (WDAC) policy to treat files signed with an expired certificate as unsigned.

Addresses an issue that causes Windows to stop working when it uses AppLocker to validate a file that has multiple signatures. The error is 0x3B.

Addresses an issue that might cause BitLocker to go into recovery mode after updating the Trusted Platform Module (TPM) firmware. This occurs when the "Interactive logon: Machine account lockout Threshold" policy is set and there were incorrect password attempts.

Addresses an issue that causes Windows to generate many AppLocker or SmartLocker success events.

Addresses an issue with authenticating for a domain controller when Credential Guard and Remote Credential Guard are enabled.

Addresses an issue that prevents certain screen reader apps from running when Hypervisor-protected code integrity (HVCI) is enabled.

Addresses an issue in which signing in using a PIN fails. The error message is "Something happened and your PIN isn’t available. Click to set up your PIN again."

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.

Addresses an issue that, in certain cases, takes you out of the exclusive virtual reality (VR) app and back to Windows Mixed Reality Home when you press the Windows button on the controller. With this update, when you press the Windows button, the Windows Start menu appears. When you close the Start menu, you will go back to the exclusive VR app.

Improves the accuracy and efficiency of sensitive data analysis in the Microsoft 365 Endpoint data loss prevention (DLP) Classification Engine.

Addresses an issue with the Internet Key Exchange (IKE) VPN service on remote access server (RAS) servers. Periodically, users cannot connect a VPN to the server over the IKE protocol. This issue might start several hours or days after restarting the server or restarting the IKEEXT service. Some users can connect while many others cannot connect because the service is in DoS Protection mode, which limits incoming connection attempts.

Addresses an issue that causes Wi-Fi connections to fail because of an invalid Message Integrity Check (MIC) on a four-way handshake if Management Frame Protection (MFP) is enabled.

Addresses an issue that might cause a VPN to fail after renewing a user auto-enrolled certificate. The error message is "There are no more files".

Addresses an issue with the Tunnel Extensible Authentication protocol (TEAP) that replaces the outer identity with “anonymous” even though identity privacy is not selected or is disabled.

Addresses an issue that causes Remote Desktop sessions to stop responding while the User Datagram Protocol (UDP) is enabled.

Adds support for the USB Test and Measurement Class.

Addresses an issue in Adamsync.exe that affects the syncing of large Active Directory subtrees.

Addresses an error that occurs when the Lightweight Directory Access Protocol (LDAP) bind cache is full, and the LDAP client library receives a referral.

Addresses a redirector stop error that is caused by a race condition that occurs when the system deletes binding objects when connections close.

Addresses an issue that prevents users from setting or querying disk quotas on the C drive.

Addresses an issue that causes 16-bit apps that run on NT Virtual DOS Machine (NTVDM) to stop working when you open them.

Addresses an issue that causes fontdrvhost.exe to stop working when Compact Font Format version 2 (CFF2) fonts are installed.

Addresses an issue that might prevent End User Defined Characters (EUDC) from printing correctly because of font fallback settings.

Addresses an issue that causes blurry text on the news and interests button on the Windows taskbar for some display configurations.

Addresses an issue with Search box graphics on the Windows taskbar that occurs if you use the taskbar’s context menu to turn off News and interests. This graphics issue is especially visible when using dark mode.

Addresses an issue that might cause signing in with your fingerprint to fail after the system starts up or resumes from sleep.

Addresses an issue that might cause a high-pitched noise or squeak in certain apps when you play 5.1 Dolby Digital audio using certain audio devices and Windows settings.

 

Version 21H1 (build 19043.1081): same as 20H2.

 

Cheers,

Joseph
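
Since the thread turns on two prerequisites (hardware virtualization enabled in firmware and a TPM 2.0 present) and on whether virtualization-based security is actually running, here is a way to check all of that on the local machine before deciding what to flip in the BIOS. This is an added example for this thread, not code from the original posts or from Microsoft's blog post. It assumes Windows 10 with Windows PowerShell run from an elevated prompt (the TPM and DeviceGuard WMI classes need administrator rights), and the meaning of the numeric codes follows Microsoft's documentation for the Win32_DeviceGuard class.

```powershell
# Added example: report the platform prerequisites discussed in the thread
# (firmware virtualization, hypervisor, TPM 2.0, VBS services) on the local
# Windows 10 machine. Run from an elevated Windows PowerShell prompt.

# Code meanings per Microsoft's documentation for Win32_DeviceGuard.
$VbsStatus  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$Services   = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)';
                 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$Properties = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                 4 = 'Secure Memory Overwrite'; 5 = 'UEFI code read-only';
                 6 = 'SMM security mitigations 1.0'; 7 = 'Mode-based execution control';
                 8 = 'APIC virtualization' }

function Get-PlatformSecurityReport {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        # VirtualizationFirmwareEnabled reads False once a hypervisor already
        # owns the CPU, so it must be read together with HypervisorPresent.
        HypervisorPresent        = $cs.HypervisorPresent
        VirtualizationInFirmware = $cpu.VirtualizationFirmwareEnabled
        TpmPresent               = [bool]$tpm
        TpmSpecVersion           = if ($tpm) { $tpm.SpecVersion } else { 'n/a' }
        VbsStatus                = if ($dg) { $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'unknown' }
        ServicesRunning          = if ($dg) { @($dg.SecurityServicesRunning | ForEach-Object { $Services[[int]$_] }) } else { @() }
        AvailableProperties      = if ($dg) { @($dg.AvailableSecurityProperties | ForEach-Object { $Properties[[int]$_] }) } else { @() }
    }
}

$report = Get-PlatformSecurityReport
$report | Format-List

# Plain-language verdict on the prerequisites named in the thread.
if (-not ($report.HypervisorPresent -or $report.VirtualizationInFirmware)) {
    Write-Warning 'Hardware virtualization is off in firmware: VBS and Secure Launch cannot start.'
}
if ($report.TpmSpecVersion -notlike '2.0*') {
    Write-Warning 'No TPM 2.0 reported; Secure Launch / SMM protection needs one.'
}
if ($report.ServicesRunning -contains 'System Guard Secure Launch') {
    Write-Host 'System Guard Secure Launch is running on this machine.'
}
```

On a box where virtualization was disabled in the BIOS, expect HypervisorPresent and VirtualizationInFirmware both False and VbsStatus at "Not enabled"; after re-enabling it and rebooting, HypervisorPresent should flip to True on any machine with memory integrity or Credential Guard turned on. The Win32_Tpm SpecVersion string starts with the TPM family (for example "2.0, ..."), which is what the second check keys on.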


tim
 

You can't run any virtual machines on your computer if that is turned off.

So if you don't use VMs, then it's not a problem.

I have it turned off on one box and it runs just fine.

On 6/22/2021 3:14 AM, Capelle, Michael C. wrote:

I have a tenth gen Intel, but I did disable virtualization in BIOS. Should I leave this enabled?

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Joseph Lee
Sent: Monday, June 21, 2021 11:32 PM
To: win10@win10.groups.io
Subject: [Special] Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi,

A brief search says:

  • Requires more recent Intel or Qualcomm processors (the latter is applicable for Windows 10 on ARM), and it is possible to test this with AMD processors.
  • The hardware and firmware must support virtualization and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system by means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies the security of platform-specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at a high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (the operating system). When apps run (including screen reader executables), they (the tenants) will think they have all hardware resources at their disposal. In reality, they don’t; they can conduct business from the “building floor”, i.e. the memory addresses they are assigned to. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (APIs) with the building manager (operating system), it can conduct its business.

But it was soon discovered that a “smart tenant” can fool the building manager into giving it a specific advantage over other tenants. Advantages can include viewing records of other businesses without their approval (memory access), or perhaps “clogging” another business’s printers with junk (memory write), simply by impersonating the building manager. After other businesses complain about the badly behaving tenant, the building manager hires an “auditor” – really, two auditors: one to advise the manager on resource usage of tenants and to whom the manager cedes certain duties (hypervisor), and a second auditor to enforce the work of the first auditor, ensuring no tenant can interfere with the work done by the first auditor and the building manager unless approved (virtualization).

It turns out that these two auditors were not enough – there are certain things the building manager can offer that no one can refuse, and that has to do with changing the “overall interior decorations” (firmware settings) of the building. There was one problem: any tenant (app) can forcefully claim to be the building manager and do whatever it desires by walking through unlikely passageways (privilege escalation). So the building manager and the first two auditors hire a third auditor, someone who will be part of the auditing team to make sure interior decorations were indeed made by the building manager (SMM protection). In short, the overall idea of SMM protection is to make sure security is not compromised when critical parts of firmware are accessed and modified, by leveraging virtualization hardware, the hypervisor, and support from the operating system.

Suppose that a piece of code needs to read critical parts of device firmware using system management mode (SMM), something only the operating system can do. Before SMM protection, it went something like this:

  1. Somehow the operating system is alerted that it needs to read a specific part of device firmware (UEFI settings, for instance).
  2. The operating system instructs the processor to enter system management mode, which is even less restricted than the environment the operating system lives in.
  3. The operating system code reads the desired part of the device firmware.
  4. System management mode is turned off, and the operating system returns to business as usual.

 

A slight improvement is made when a hypervisor is active:

  1. The operating system tries to read critical parts of device firmware.
  2. The operating system will first ask the hypervisor (the supervisor of the supervisor, i.e. of the operating system; sometimes called a “virtual machine monitor”) for permission to proceed.
  3. The hypervisor will grant permission to the operating system after checking that it is indeed the operating system that is requesting firmware access.
  4. System management mode is entered, and the operating system, together with parts of the hypervisor, reads the firmware part the operating system is interested in.
  5. System management mode is turned off, and the hypervisor returns control to the operating system, which resumes its operation.

 

With SMM protection active: in addition to looking at where the firmware access request is coming from, the hypervisor will also ask hardware and firmware about letting the operating system access firmware parts. This leverages virtualization-based security (VBS), which is part of Hyper-V and a hardware virtualization feature used to better isolate parts of the operating system code and user applications from one another. In the past, apps and operating system code were isolated by use of memory addresses and privilege levels, but with VBS, the CPU plays a part in enforcing isolation by presenting a “virtualized” (sort of a synthetic or “fake”) view of the computer’s resources. Because SMM protection involves firmware, it is enforced when Windows boots.

 

Hope this helps.

Cheers,

Joseph


From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 8:29 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

Could you explain what this change is, and what processors support it?

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.



enes sarıbaş
 

So a question. My PC shipped with Secure Boot off to facilitate OS install. If I turn this on with sighted assistance, and I need to do a Windows reinstall, can I accessibly boot into USB media without toggling Secure Boot back off? And I presume there is no way to do this without sighted help?

On 6/22/2021 9:01 AM, tim wrote:

You can't run any virtual machines on your computer if that is turned off.

So if you don't use VMs then it's not a problem.

I have it turned off on one box and it runs just fine.

On 6/22/2021 3:14 AM, Capelle, Michael C. wrote:

I have a tenth-gen Intel, but I did disable virtualization in BIOS; should I leave this enabled?

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Joseph Lee
Sent: Monday, June 21, 2021 11:32 PM
To: win10@win10.groups.io
Subject: [Special] Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi,

A brief search says:

  • Requires more recent Intel or Qualcomm processors (the latter is applicable for Windows 10 on ARM), and it is possible to test this with AMD processors.
  • The hardware and firmware must support virtualization and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system through means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies security of platform-specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at a high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (operating system). When apps run (including screen reader executables), they (the tenants) will think they have all hardware resources at their disposal. In reality, they don’t; they can conduct business from the “building floor”, i.e. the memory addresses they are assigned to. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (APIs) with the building manager (operating system), it can conduct its business.



 

Hi,

Based on a quick search, it mostly depends on the installation media, in that the installer must be compatible with the UEFI Secure Boot standard (Windows 10 installation media is one such case).

Cheers,

Joseph


Addresses an issue that, in certain cases, takes you out of the exclusive virtual reality (VR) app and back to Windows Mixed Reality Home when you press the Windows button on the controller. With this update, when you press the Windows button, the Windows Start menu appears. When you close the Start menu, you will go back to the exclusive VR app.

Improves the accuracy and efficiency of sensitive data analysis in the Microsoft 365 Endpoint data loss prevention (DLP) Classification Engine.

Addresses an issue with the Internet Key Exchange (IKE) VPN service on remote access server (RAS) servers. Periodically, users cannot connect a VPN to the server over the IKE protocol. This issue might start several hours or days after restarting the server or restarting the IKEEXT service. Some users can connect while many others cannot connect because the service is in DoS Protection mode, which limits incoming connection attempts.

Addresses an issue that causes Wi-Fi connections to fail because of an invalid Message Integrity Check (MIC) on a four-way handshake if Management Frame Protection (MFP) is enabled.

Addresses an issue that might cause a VPN to fail after renewing a user auto-enrolled certificate. The error message is "There are no more files".

Addresses an issue with the Tunnel Extensible Authentication protocol (TEAP) that replaces the outer identity with “anonymous” even though identity privacy is not selected or is disabled.

Addresses an issue that causes Remote Desktop sessions to stop responding while the User Datagram Protocol (UDP) is enabled.

Adds support for the USB Test and Measurement Class.

Addresses an issue in Adamsync.exe that affects the syncing of large Active Directory subtrees.

Addresses an error that occurs when the Lightweight Directory Access Protocol (LDAP) bind cache is full, and the LDAP client library receives a referral.

Addresses a redirector stop error that is caused by a race condition that occurs when the system deletes binding objects when connections close.

Addresses an issue that prevents users from setting or querying disk quotas on the C drive.

Addresses an issue that causes 16-bit apps that run on NT Virtual DOS Machine (NTVDM) to stop working when you open them.

Addresses an issue that causes fontdrvhost.exe to stop working when Compact Font Format version 2 (CFF2) fonts are installed.

Addresses an issue that might prevent End User Defined Characters (EUDC) from printing correctly because of font fallback settings.

Addresses an issue that causes blurry text on the news and interests button on the Windows taskbar for some display configurations.

Addresses an issue with Search box graphics on the Windows taskbar that occurs if you use the taskbar’s context menu to turn off News and interests. This graphics issue is especially visible when using dark mode.

Addresses an issue that might cause signing in with your fingerprint to fail after the system starts up or resumes from sleep.

Addresses an issue that might cause a high-pitched noise or squeak in certain apps when you play 5.1 Dolby Digital audio using certain audio devices and Windows settings.

 

Version 21H1 (build 19043.1081): same as 20H2.

 

Cheers,

Joseph


enes sarıbaş
 

So when using tools such as Rufus to burn an ISO to USB, I would need to burn it as GPT?

On 6/22/2021 10:34 PM, Joseph Lee wrote:

Hi,

Based on a quick search, it mostly depends on the installation media, in that the installer must be compatible with the UEFI Secure Boot standard (Windows 10 installation media is one such case).

Cheers,

Joseph

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Tuesday, June 22, 2021 8:16 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

So a question. My PC shipped with Secure Boot off to facilitate OS install. If I turn this on with sighted assistance and later need to do a Windows reinstall, can I accessibly boot into USB media without toggling Secure Boot back off? And I presume there is no way to do this without sighted help?

On 6/22/2021 9:01 AM, tim wrote:

You can't run any virtual machines on your computer if that is turned off.

So if you don't use VMs, then it's not a problem.

I have it turned off on one box and it runs just fine.

On 6/22/2021 3:14 AM, Capelle, Michael C. wrote:

I have a tenth-gen Intel, but I did disable virtualization in the BIOS. Should I leave this enabled?

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Joseph Lee
Sent: Monday, June 21, 2021 11:32 PM
To: win10@win10.groups.io
Subject: [Special] Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi,

A brief search says:

  1. Requires more recent Intel or Qualcomm processors (the latter applies to Windows 10 on ARM), and it is possible to test this with AMD processors.
  2. The hardware and firmware must support virtualization and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system by means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies the security of platform-specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at a high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (the operating system). When apps run (including screen reader executables), they (the tenants) will think they have all hardware resources at their disposal. In reality, they don’t: they can conduct business from the “building floor”, i.e. the memory addresses they are assigned to. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (APIs) with the building manager (operating system), it can conduct its business.

But it was soon discovered that a “smart tenant” can fool the building manager into giving it a specific advantage over other tenants. Advantages can include viewing records of other businesses without their approval (memory access), or perhaps “clogging” another business’s printers with junk (memory write), simply by impersonating the building manager. After other businesses complain about the badly behaving tenant, the building manager hires an “auditor” – really, two auditors: one to advise the manager on resource usage of tenants and to which the manager cedes certain duties (hypervisor), and a second auditor to enforce the work of the first auditor, to ensure no tenant can interfere with the work done by the first auditor and the building manager unless approved (virtualization).

It turns out that these two auditors were not enough – there are certain things the building manager can offer that no one can refuse, and that has to do with changing the “overall interior decorations” (firmware settings) of the building. There was one problem: any tenant (app) could forcefully claim to be the building manager and do whatever it desired by walking through unlikely passageways (privilege escalation). So the building manager and the first two auditors hire a third auditor, someone who will be part of the auditing team to make sure interior decoration changes were indeed made by the building manager (SMM protection). In short, the overall idea of SMM protection is to make sure security is not compromised when critical parts of firmware are accessed and modified, by leveraging virtualization hardware, the hypervisor, and support from the operating system.

Suppose that a piece of code needs to read critical parts of device firmware using system management mode (SMM), something only the operating system can do. Before SMM protection, it went something like this:

  1. Somehow the operating system is alerted that it needs to read a specific part of the device firmware (UEFI settings, for instance).
  2. The operating system instructs the processor to enter system management mode, which is even less restricted than the environment the operating system lives in.
  3. The operating system code reads the desired part of the device firmware.
  4. System management mode is turned off, and the operating system returns to business as usual.

 

A slight improvement is made when a hypervisor is active:

  1. The operating system tries to read critical parts of device firmware.
  2. The operating system will first ask the hypervisor (the supervisor of the supervisor, i.e. of the operating system, sometimes called a “virtual machine monitor”) for permission to proceed.
  3. The hypervisor will grant permission to the operating system after checking that it is indeed the operating system that is requesting firmware access.
  4. System management mode is entered, and the operating system, together with parts of the hypervisor, reads the firmware part the operating system is interested in.
  5. System management mode is turned off, and the hypervisor returns control to the operating system, which resumes its operation.

 

With SMM protection active: in addition to looking at where the firmware access request is coming from, the hypervisor will also ask the hardware and firmware about letting the operating system access firmware parts. This leverages virtualization-based security (VBS), which is part of Hyper-V and the hardware virtualization features used to better isolate parts of the operating system code and user applications from one another. In the past, apps and operating system code were isolated by use of memory addresses and privilege levels, but with VBS, the CPU plays a part in enforcing isolation by presenting a “virtualized” (sort of a synthetic or “fake”) view of the computer’s resources. Because SMM protection involves firmware, it is enforced when Windows boots.

 

Hope this helps.

Cheers,

Joseph

 

 

 

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 8:29 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

Could you explain what this change is, and what processors support it?

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.



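The explanation quoted above (Secure Launch requiring virtualization support and a TPM, and SMM protection being enforced at boot) raises the practical question of how to tell whether a given machine actually has these protections running. The following PowerShell script is an added example, not code from this thread or from Microsoft; it reads the Win32_DeviceGuard WMI class and the Secure Boot state and reports what is available, configured and running. The function name Get-SecureLaunchStatus is mine; the numeric meanings in the two tables are the ones documented for Win32_DeviceGuard's AvailableSecurityProperties and SecurityServicesRunning properties. Run it from an elevated PowerShell prompt; Confirm-SecureBootUEFI throws on legacy-BIOS machines, which the script reports as an unknown Secure Boot state.

```powershell
# Added example (not from the thread): report Secure Boot, virtualization-based
# security (VBS), Secure Launch and SMM firmware measurement state on this machine.
# Requires an elevated prompt. Function name is an assumption of this example.

# Documented meanings of Win32_DeviceGuard.AvailableSecurityProperties values.
$propertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control (MBEC)'
    8 = 'APIC virtualization'
}

# Documented meanings of SecurityServicesConfigured / SecurityServicesRunning values.
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-protected code integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

function Get-SecureLaunchStatus {
    # Secure Boot state. The cmdlet throws on non-UEFI (legacy BIOS) systems,
    # so a failure is reported as $null rather than as "off".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # Translate the numeric arrays into readable names; unknown values are dropped.
    $available  = @($dg.AvailableSecurityProperties) |
                  ForEach-Object { $propertyNames[[int]$_] } | Where-Object { $_ }
    $configured = @($dg.SecurityServicesConfigured) |
                  ForEach-Object { $serviceNames[[int]$_] } | Where-Object { $_ }
    $running    = @($dg.SecurityServicesRunning) |
                  ForEach-Object { $serviceNames[[int]$_] } | Where-Object { $_ }

    [pscustomobject]@{
        SecureBootEnabled           = $secureBoot
        VirtualizationBasedSecurity = $vbsState
        AvailableProperties         = ($available  -join ', ')
        ServicesConfigured          = ($configured -join ', ')
        ServicesRunning             = ($running    -join ', ')
        # The two services the quoted explanation is about: Secure Launch (3)
        # and the SMM firmware measurement it enables (4).
        SecureLaunchRunning         = (3 -in @($dg.SecurityServicesRunning))
        SmmFirmwareMeasurementOn    = (4 -in @($dg.SecurityServicesRunning))
    }
}

Get-SecureLaunchStatus | Format-List
```

If AvailableProperties lists "Hypervisor support" but VirtualizationBasedSecurity reads "Not enabled", virtualization is exposed by the firmware (the BIOS setting discussed earlier in the thread) but Windows has not turned VBS on; if "Hypervisor support" is missing altogether, the firmware setting is the first thing to check. SecureLaunchRunning and SmmFirmwareMeasurementOn will be false on processors that do not support Secure Launch, regardless of the update being installed.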
 

Hi,

What’s more important is letting UEFI recognize the installation media as bootable and compliant with UEFI standard – that is, a boot program must be found in a specific location that UEFI will search.

Cheers,

Joseph

 


Addresses an issue that might prevent End User Defined Characters (EUDC) from printing correctly because of font fallback settings.

Addresses an issue that causes blurry text on the news and interests button on the Windows taskbar for some display configurations.

Addresses an issue with Search box graphics on the Windows taskbar that occurs if you use the taskbar’s context menu to turn off News and interests. This graphics issue is especially visible when using dark mode.

Addresses an issue that might cause signing in with your fingerprint to fail after the system starts up or resumes from sleep.

Addresses an issue that might cause a high-pitched noise or squeak in certain apps when you play 5.1 Dolby Digital audio using certain audio devices and Windows settings.

 

Version 21H1 (build 19043.1081): same as 20H2.

 

Cheers,

Joseph


 

Much easier to use the Media Creation tool, you simply select to use a USB drive and click next a few times and everything else happens automatically.

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Tuesday, June 22, 2021 9:46 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

So when using tools such as Rufus to burn an ISO to USB, I would need to burn it as GPT?

On 6/22/2021 10:34 PM, Joseph Lee wrote:

Hi,

Based on a quick search, it mostly depends on the installation media, in that the installer must be compatible with the UEFI Secure Boot standard (Windows 10 installation media is one such case).

Cheers,

Joseph

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Tuesday, June 22, 2021 8:16 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

So a question. My PC shipped with Secure Boot off to facilitate OS install. If I turn this on with sighted assistance and later need to do a Windows reinstall, can I accessibly boot into USB media without toggling Secure Boot back off? And I presume there is no way to do this without sighted help?

On 6/22/2021 9:01 AM, tim wrote:

you can't run any virtual machines on your computer if that is turned off.

So if you don't use VMs then it's not a problem.

I have it turned off on one box and it runs just fine.

On 6/22/2021 3:14 AM, Capelle, Michael C. wrote:

I have a tenth gen Intel, but I did disable virtualization in BIOS; should I leave this enabled?

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of Joseph Lee
Sent: Monday, June 21, 2021 11:32 PM
To: win10@win10.groups.io
Subject: [Special] Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi,

A brief search says:

  1. Requires more recent Intel or Qualcomm processors (the latter applies to Windows 10 on ARM), and it is possible to test this with AMD processors.
  2. The hardware and firmware must support virtualization, and a discrete Trusted Platform Module (TPM) must be present.

 

Based on the following document:

Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog

 

If I understand this correctly, SMM (System Management Mode) protection is intended to isolate critical firmware-facing code from the rest of the operating system by means of virtualization. It assumes that the processor hardware can distinguish between code coming from the regular operating system, a hypervisor such as Hyper-V, and a piece of code that verifies the security of platform-specific code that is more privileged (less restricted) than the operating system. It is a bit hard to describe how things interact at a high level, but the general idea is (please hold on, we’ll get geeky here):

Think of an operating system and apps as “tenants” inside a building managed by someone (the operating system). When apps run (including screen reader executables), they (the tenants) think they have all hardware resources at their disposal. In reality, they don’t; they can conduct business from the “building floor”, i.e. the memory addresses they are assigned. As long as the “tenant” (app) doesn’t violate the terms of its “contract” (APIs) with the building manager (operating system), it can conduct its business.

But it was soon discovered that a “smart tenant” can fool the building manager into giving it a specific advantage over other tenants. Advantages can include viewing records of other businesses without their approval (memory access), or perhaps “clogging” another business’s printers with junk (memory writes), simply by impersonating the building manager. After other businesses complain about the badly behaving tenant, the building manager hires an “auditor”: really, two auditors, one to advise the manager on resource usage of tenants and to which the manager cedes certain duties (hypervisor), and a second auditor to enforce the work of the first and ensure no tenant can interfere with the work done by the first auditor and the building manager unless approved (virtualization).

It turns out that these two auditors were not enough: there are certain things the building manager can offer that no one can refuse, and that has to do with changing the “overall interior decorations” (firmware settings) of the building. There was one problem: any tenant (app) could forcefully claim to be the building manager and do whatever it desired by walking through unlikely passageways (privilege escalation). So the building manager and the first two auditors hire a third auditor, someone who will be part of the auditing team to make sure interior decorations were indeed made by the building manager (SMM protection). In short, the overall idea of SMM protection is to make sure security is not compromised when critical parts of firmware are accessed and modified, by leveraging virtualization hardware, the hypervisor, and support from the operating system.

Suppose that a piece of code needs to read critical parts of device firmware using system management mode (SMM), something only the operating system can do. Before SMM protection, it went something like this:

  1. Somehow the operating system is alerted that it needs to read a specific part of device firmware (UEFI settings, for instance).
  2. The operating system instructs the processor to enter system management mode, which is even less restricted than the environment the operating system lives in.
  3. The operating system code reads the desired part of the device firmware.
  4. System management mode is turned off, and the operating system returns to business as usual.

 

A slight improvement is made when a hypervisor is active:

  1. The operating system tries to read critical parts of device firmware.
  2. The operating system will first ask the hypervisor (the supervisor of the supervisor, i.e. of the operating system, sometimes called the “virtual machine monitor”) for permission to proceed.
  3. The hypervisor will grant permission to the operating system after checking that it is indeed the operating system that is requesting firmware access.
  4. System management mode is entered, and the operating system, together with parts of the hypervisor, reads the firmware part it is interested in.
  5. System management mode is turned off, and the hypervisor returns control to the operating system, which resumes its operation.

 

With SMM protection active: in addition to looking at where the firmware access request is coming from, the hypervisor will also ask the hardware and firmware about letting the operating system access firmware parts. This leverages virtualization-based security (VBS), which is part of Hyper-V and the hardware virtualization feature, used to better isolate parts of the operating system code and user applications from one another. In the past, apps and operating system code were isolated by use of memory addresses and privilege levels, but with VBS, the CPU plays a part in enforcing isolation by presenting a “virtualized” (synthetic, or “fake”) view of the computer’s resources. Because SMM protection involves firmware, it is enforced when Windows boots.

 

Hope this helps.

Cheers,

Joseph

 

 

 

 

From: win10@win10.groups.io <win10@win10.groups.io> On Behalf Of enes saribas
Sent: Monday, June 21, 2021 8:29 PM
To: win10@win10.groups.io
Subject: Re: [win10] June 2021 optional cumulative update: KB5003690/build 19042(3).1081 #KBAlert

 

Hi Joseph,

Could you explain what this change is, and what processors support it?

Adds Windows support for System Management Mode protections (firmware protection version 2.0) for certain processors that support Secure Launch.

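A practical way to see what Joseph's explanation above amounts to on a particular machine, and to answer Michael's question about leaving virtualization enabled, is to read the Win32_DeviceGuard WMI class, which reports which virtualization-based security features the hardware and firmware make available and which are actually running. The PowerShell below is an added example, not code from anyone in this thread or from Microsoft. The numeric code meanings follow Microsoft's published documentation for Win32_DeviceGuard on Windows 10; the prerequisite list in Get-SecureLaunchGaps (hypervisor support, Secure Boot, a TPM, SMM mitigations) is an assumption summarising the Secure Launch requirements discussed above, not something the class itself reports. The class does not expose the "firmware protection version 2.0" level named in the update; "System Guard Secure Launch" and "SMM Firmware Measurement" under ServicesRunning are the closest indicators it offers.

```powershell
# Added example, not part of the thread: decode the Win32_DeviceGuard WMI class to see which
# virtualization-based security (VBS) features this Windows 10 machine can run and which are
# actually running, plus the Secure Boot and TPM state that Secure Launch depends on.
# Run from an elevated PowerShell prompt on the machine being checked.

# Numeric meanings follow Microsoft's documentation of Win32_DeviceGuard (Windows 10 values).
$AvailablePropertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'MBEC/GMET'
}
$ServiceNames = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$VbsStatusNames = @{
    0 = 'Not enabled'
    1 = 'Enabled but not running'
    2 = 'Running'
}

# Map an array of numeric codes to names; keep unknown codes visible instead of dropping them.
function ConvertTo-Names {
    param([AllowNull()] $Codes, [hashtable] $Table)
    foreach ($code in @($Codes)) {
        if ($Table.ContainsKey([int]$code)) { $Table[[int]$code] } else { "Unknown ($code)" }
    }
}

function Get-PlatformSecurityReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # Confirm-SecureBootUEFI throws on legacy-BIOS boots (and without elevation); record why.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = "Unknown: $($_.Exception.Message)" }

    # Get-Tpm also needs elevation; report 'Unknown' rather than aborting the whole check.
    try { $tpm = Get-Tpm; $tpmPresent = $tpm.TpmPresent; $tpmReady = $tpm.TpmReady }
    catch { $tpmPresent = 'Unknown (run elevated)'; $tpmReady = 'Unknown (run elevated)' }

    [pscustomobject]@{
        SecureBoot          = $secureBoot
        TpmPresent          = $tpmPresent
        TpmReady            = $tpmReady
        VbsStatus           = $VbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties = @(ConvertTo-Names $dg.AvailableSecurityProperties $AvailablePropertyNames)
        RequiredProperties  = @(ConvertTo-Names $dg.RequiredSecurityProperties  $AvailablePropertyNames)
        ServicesConfigured  = @(ConvertTo-Names $dg.SecurityServicesConfigured  $ServiceNames)
        ServicesRunning     = @(ConvertTo-Names $dg.SecurityServicesRunning     $ServiceNames)
    }
}

# Assumed prerequisite list (summarised from the thread, not reported by the class): Secure Launch
# and the SMM protections built on it need a hypervisor, Secure Boot, a TPM and firmware that
# advertises SMM mitigations. Return the unmet prerequisites as an array (empty when all are met).
function Get-SecureLaunchGaps {
    param([Parameter(Mandatory)] $Report)
    $gaps = @()
    if ($Report.AvailableProperties -notcontains 'Hypervisor support') { $gaps += 'virtualization is disabled in firmware or unsupported' }
    if ($Report.SecureBoot -ne $true)                                  { $gaps += 'Secure Boot is off or the OS was booted in legacy mode' }
    if ($Report.TpmPresent -ne $true)                                  { $gaps += 'no TPM detected' }
    if ($Report.AvailableProperties -notcontains 'SMM mitigations')    { $gaps += 'firmware does not advertise SMM mitigations' }
    return ,$gaps
}

$report = Get-PlatformSecurityReport
$report | Format-List
$gaps = Get-SecureLaunchGaps -Report $report
if ($gaps.Count -eq 0) {
    'Secure Launch prerequisites look satisfied; see ServicesRunning for what is actually active.'
} else {
    "Secure Launch cannot run yet: $($gaps -join '; ')"
}
```

On a machine where virtualization has been switched off in firmware, as Michael describes, AvailableProperties will lack "Hypervisor support" and VbsStatus will read "Not enabled", regardless of what Windows is configured to do; the same firmware switch gates Hyper-V and other virtual machine software, which is why turning it off affects both VMs and VBS.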


enes sarıbaş
 

The issue is downloading the image. I prefer to have an ISO in case something happens and I don't have access to the internet and a working computer.

On 6/23/2021 9:22 AM, Sieghard Weitzel wrote:

Much easier to use the Media Creation tool, you simply select to use a USB drive and click next a few times and everything else happens automatically.

 



Jason White
 

On 22/6/21 10:01 am, tim wrote:

you can't run any virtual machines on your computer if that is turned off.

So if you don't use VMs then it's not a problem.
It is a problem if you want to use Windows virtualization-based security, which runs a hypervisor to protect the kernel from modification by malware (even if the malware exploits the kernel and runs code under the privileged mode of the processor).

Whenever I try to activate it, I receive an error message stating that one of the drivers isn't compatible. I haven't tried again after this most recent update, however.

Also, I was encountering problems with fingerprint recognition apparently succeeding ("Hello"), but the system would sometimes still remain at the sign-in dialogue instead of starting the desktop environment. It's too early to say whether the bug fix in the latest update has resolved the issue.