-
Is it a bug or is it expected?
Microsoft acknowledged today that KB5052077 introduced a bug in the jump list for apps. This was triggered by a “dribbled” change.
As Redmond notes, it was triggered by:
… a recent feature rollout that integrates account control experiences in the Start Menu for users on Windows 10, version 22H2. Account control provides users with an easily accessible way to manage their accounts and helps them get the most value from their accounts. This rollout began gradually in March 2025 via Controlled Feature Rollout (CFR), which is the process of gradually rolling out new features to compatible devices.
I find the dribbled updates extremely annoying, especially if you have multiple PCs and one gets the change and the other doesn’t. These days, you never know if some change is expected or is a bug until some notification like this shows up. I signed up for notifications from the Microsoft 365 health release dashboard, but they should also be in the public health dashboard.
-
Cached credentials is not a new bug
Many years ago, back in the Windows XP era, there was a security story indicating that you could log into a system with expired credentials. The issue relates to something that has to be balanced all the time. Security. Usability.
A recent story in Ars Technica, “RDP lets you log in using revoked passwords,” touches on exactly the same problem.
If you need absolute security, especially in a domain/network setting, all of us should be setting a value to disable cached credentials. The idea behind this is that if you cannot connect to the domain controller, you shouldn’t be able to log onto the system. BUT. There’s that time when the Internet is down or there’s a configuration problem.
Even more important for laptops is the need for a way to log on when offline. As noted in the ITpro article,
“Don’t set the number of logons to cache to 0 on mobile users’ laptops. These users would then be unable to log on with their domain credentials when away from the office. Although the CachedLogonsCount registry key doesn’t appear in the registry by default, Windows NT caches a set of 10 domain credentials by default. The maximum value for CachedLogonsCount is 50. When credential caching is disabled and no DC is available, a user can still log on to a machine via a local machine account.”
Folks, the sky is not falling. Microsoft isn’t making stupid security choices (at least not here). This is, like many, one of the choices you have to make in a network to balance out the ability to do your job with being secure. Sometimes there are no absolutes.
Does this impact consumers? No. And if you have a local account with no password, you can’t RDP into that box in the first place. Also, I do not recommend opening up RDP to the open world in the first place. Does this impact businesses? Yes. But it’s not the threat or risk you think it is and it’s honestly nothing new.
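To see where a given machine sits in that trade-off, here is an added example (not from the original post or from Microsoft) that reads the CachedLogonsCount value and applies the defaults and limits quoted above. It assumes the value lives under the standard Winlogon key and uses PCSystemType 2 from Win32_ComputerSystem to identify a mobile device; the function name is hypothetical.

```powershell
# Added example: audit the cached-logon setting discussed above.
# Assumption: CachedLogonsCount is stored under the standard Winlogon key.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonAudit {   # hypothetical helper name
    $prop = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue

    $count    = 10       # value absent: the default of 10 quoted above applies
    $explicit = $false
    if ($null -ne $prop) {
        $parsed = 0
        # The value is stored as a string; ignore it if it is not a number.
        if ([int]::TryParse([string]$prop.CachedLogonsCount, [ref]$parsed)) {
            $count    = $parsed
            $explicit = $true
        }
    }

    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $isMobile = ($cs.PCSystemType -eq 2)   # 2 = Mobile

    $finding = if (-not $cs.PartOfDomain) {
        'Not joined to an Active Directory domain.'
    } elseif ($count -eq 0 -and $isMobile) {
        'Caching disabled on a mobile device: domain users cannot log on away from the office.'
    } elseif ($count -eq 0) {
        'Caching disabled: logon needs a reachable DC or a local machine account.'
    } elseif ($count -gt 50) {
        'Value is above the documented maximum of 50.'
    } else {
        "Up to $count cached domain logons can be used when no DC is reachable."
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DomainJoined      = $cs.PartOfDomain
        MobileDevice      = $isMobile
        CachedLogonsCount = $count
        ExplicitlySet     = $explicit
        Finding           = $finding
    }
}

Get-CachedLogonAudit | Format-List
```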
-
Security fixes for Firefox
Firefox released a browser update on April 29. It includes security fixes as well as enhancements. There is a new profile manager as well as unique features that are only available in the United States. It’s always interesting to see how software manufacturers must navigate the different mandates from various locations.
I found it interesting that Firefox is also facing bugs in its updater service. As noted in a Mozilla Foundation Security Advisory:
Mozilla Firefox’s update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.
-
The local account tax
There is a term often used when buying a computer called the “Apple tax.” It means that once you move into the Apple ecosystem, things are more expensive. Or, at a minimum, you must plan on possibly buying extra cables, connectors, and a printer and scanner or two.
Here’s another one, but from the Windows 11 world: the “local account tax.” If you want a local account without a password, there is an easy way to get one set up. It involves zero hacks, no back doors, no dropping to a command line.
How? Buy Windows 11 Professional Edition when you buy a new PC.
With that SKU, you choose the Set up for work or school option during setup. Don’t enter anything; just click on Sign-in options. Then click on Domain join instead, put in your desired username, and leave the password blank. Click Next and that’s it. No fuss, no muss — you get a local account with no hassle.
So, yes, it’s a “tax.” But if you insist on a local account, my guess is that you’ll think it’s worth it.
-
Steps to take before updating to 24H2
ISSUE 22.17 • 2025-04-28 PATCH WATCH
By Susan Bradley
It’s all about prepping your computer.
This column is specific to the process of upgrading from Windows 11 23H2 to 24H2. Many of the concepts, however, are valid for any sort of computer update process.
I’m going to discuss the steps that I recommend before any patch or upgrade is attempted, and then I’ll go into more detail about the specific steps for 24H2.
Read the full story in our Plus Newsletter (22.17.0, 2025-04-28).
This story also appears in our public Newsletter.
-
Which Web browser is the most secure for 2025?
PUBLIC DEFENDER
By Brian Livingston
With all the malware threats we face on the Internet these days, running an antivirus program is a must. But your browser can help, too, warning you about shady websites and preventing your browsing history from being tracked by corporations or governments.
I most recently wrote about protecting yourself while Web surfing in my AskWoody column titled Browsers with the best security and privacy in 2021.
Much has changed since that time. We need to question whatever our old choice of browsers may have been and update our knowledge with the latest ratings by security experts.
Read the full story in our Plus Newsletter (22.17.0, 2025-04-28).
-
Replacing Skype
MICROSOFT 365
By Peter Deegan
In late February, Microsoft announced that Skype would be retired on May 5, 2025. What can you use instead? It’s a lot more complicated than Microsoft makes out.
Originally developed by Skype Technologies and released in 2003, Skype went through several owners before being acquired in 2011 by Microsoft. Among other things, Redmond replaced Windows Live Messenger (aka MSN Messenger) with Skype and created a new tier, Skype for Business.
The seemingly firm date is only partially true. If you’re using Skype as a stand-alone, you’ve got just over a month left. Microsoft 365 users have a bit more time for making phone calls — until March 2026.
Read the full story in our Plus Newsletter (22.17.0, 2025-04-28).
-
FileOptimizer — Over 90 tools working together to squish your files
FREEWARE SPOTLIGHT
By Deanna McElveen
There are many reasons to make your files smaller, from compressing images for a website so they load faster to sending dog pics to your cousin Brody who uses dial-up Internet in the swamp.
FileOptimizer by Spanish developer Javier Gutiérrez Chamorro is a collection of over 90 free and/or open-source programs that all work together to do one thing: squish your files down to their smallest size without messing them up. So if you’re just too cheap to spend more than $2.95 on a flash drive, this program is for you!
Read the full story in our Plus Newsletter (22.17.0, 2025-04-28).
-
Inetpub can be tricked
Kevin Beaumont is out this morning with news that the inetpub folder fix introduces another bug:
To fix this, Microsoft precreates the c:\inetpub folder on all Windows systems from April 2025’s Windows OS updates onwards.
However, I’ve discovered this fix introduces a denial-of-service vulnerability in the Windows servicing stack that allows non-admin users to stop all future Windows security updates.
He indicates that admin and non-admin users (uh, more like attackers) can create a junction point or symbolic link between the folder and any other application. You go to install the next Windows update and voila — the security update won’t install. Now, you and I would know something was up and eventually come to the point of doing a repair over the top, as I often recommend. In a business setting, however, that machine might remain unpatched for a while and thus remain open to attacks.
Microsoft, can you spell “unintended consequences?”
-
Blank Inetpub folder
The other day, Microsoft created the inetpub folder in the system drive as part of a mitigation protection for CVE-2025-21204. It applies to all versions of Windows. I spotted a news article about the proof of concept with an explanation from the security researcher.
It’s an interesting read and includes some additional hardening suggestions if you think you might be at risk of attack. The research recommends:
Restrict ACLs on C:\ProgramData\Microsoft\UpdateStack
I do not see this as a risk for consumers. It’s a risk for targeted businesses. For the vast majority of patchers, merely installing the update is good enough.
It does reinforce something that my early testing did not reveal — if you accidentally remove the folder, it will be back again next month. Obviously, Microsoft wants it there for a reason.
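Both inetpub posts above come down to the state of one folder, so here is an added check (not from the original posts or from the researchers) that reports whether inetpub on the system drive is missing, a plain directory, or a junction or symbolic link. The function name and the wording of the notes are my own; the path comes from the posts.

```powershell
# Added example: report the state of the inetpub folder on the system drive.
function Test-InetpubFolder {   # hypothetical helper name
    param([string]$Path = (Join-Path $env:SystemDrive 'inetpub'))

    $result = [ordered]@{
        Path = $Path; State = $null; LinkType = $null; Target = $null
        Owner = $null; Note = $null
    }

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.State = 'Missing'
        $result.Note  = 'Folder absent; per the post, the monthly update puts it back.'
        return [pscustomobject]$result
    }

    $isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    if ($isReparse) {
        # A junction or symlink here is the condition described as blocking updates.
        $result.State    = 'ReparsePoint'
        $result.LinkType = $item.LinkType
        $result.Target   = ($item.Target -join '; ')
        $result.Note     = 'inetpub is a link, not a real folder; investigate who created it.'
    } elseif (-not $item.PSIsContainer) {
        $result.State = 'NotADirectory'
        $result.Note  = 'A file named inetpub exists where the folder is expected.'
    } else {
        $result.State = 'Directory'
        $result.Owner = (Get-Acl -LiteralPath $Path).Owner
        $result.Note  = 'Plain directory, as created by the update.'
    }
    [pscustomobject]$result
}

Test-InetpubFolder | Format-List
```

Run across a fleet, anything other than State = Directory is worth a look before the next Patch Tuesday.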
-
Windows 10 finally gets fix
Yesterday Microsoft released a preview update for Windows 10. Although I don’t recommend installing preview updates, this one is notable as it finally has the fix for the “Event Viewer displays an error for System Guard Runtime Monitor Broker service” bug introduced months ago. KB5055612 finally fixes the issue. While you could have “fixed” it by disabling the service, I always prefer to have Microsoft fix what it broke.
The issue was: “The Windows Event Viewer might display an error related to SgrmBroker.exe, on devices which have installed Windows updates released January 14, 2025 (the Originating KBs listed above) or later. This error can be found under Windows Logs, System as Event 7023, with text similar to ‘The System Guard Runtime Monitor Broker service terminated with the following error’. This error is only observable if the Windows Event Viewer is monitored closely. It is otherwise silent and does not appear as a dialog box or notification.”
Clearly, we have folks who monitor for such issues.
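For those who do monitor the System log, this added example (not from the original post or from Microsoft) separates the SgrmBroker noise described above from other Event 7023 service terminations that may deserve attention. It assumes an English-language event message and the Service Control Manager provider; the function name is hypothetical.

```powershell
# Added example: triage Event 7023 entries in the System log.
function Get-Service7023Triage {   # hypothetical helper name
    param(
        # Updates released January 14, 2025 are where the post says the error began.
        [datetime]$Since = [datetime]'2025-01-14'
    )

    $filter = @{
        LogName      = 'System'
        Id           = 7023
        ProviderName = 'Service Control Manager'
        StartTime    = $Since
    }

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    foreach ($e in $events) {
        # Assumption: message text is in English, as quoted in the post.
        $known = $e.Message -like '*System Guard Runtime Monitor Broker*'
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Category    = if ($known) { 'Known SgrmBroker issue' } else { 'Other service failure' }
            Message     = ($e.Message -split "`r?`n")[0]
        }
    }
}

$triage = @(Get-Service7023Triage)
if ($triage.Count -eq 0) {
    'No Event 7023 entries since the start date.'
} else {
    # Summary first, then only the entries not explained by the known issue.
    $triage | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
    $triage | Where-Object Category -eq 'Other service failure' |
        Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
}
```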
-
MS-DEFCON 3: Cleanup time
ISSUE 22.16.1 • 2025-04-22 By Susan Bradley
After every Patch Tuesday, there is a period I call “cleanup time.”
By the end of the week, side effects start to pop up. Even though Microsoft does not usually document its patches well, we at least know which updates have been released and have had a chance to read through the release notes.
This time, side effects appear to be widespread. I have therefore set the MS-DEFCON level to 3. Patch as necessary but check your results carefully.
Anyone can read the full MS-DEFCON Alert (22.16.1, 2025-04-22).