KB4074588 causes issue certificate on Windows 10 Build 170x's

  • Question

  • Hi,

    So we have upgraded many Windows 10 workstations from 1511 to 1709 and all has gone well until I installed KB4074588 (cumulative update).

    https://support.microsoft.com/en-gb/help/4074588/windows-10-update-kb4074588

    Bugs

    https://www.computerworld.com/article/3256218/microsoft-windows/buggy-win10-1709-cumulative-update-kb-4074588-redlining-bluescreening-borking-usb.html

    When installed, all users would get this strange error:

    If you click details it shows the fingerprint address of our Radius servers certificate (Cisco ISE).  If we click connect it says select certificate, but you can't select one and the only option it gives you is "cancel".  If I click cancel it then connects to our corporate WiFi.

    If I uninstall the KB all is good again.  I've disabled it of the WSUS server, so not sure what to do now, just leave it off?  Can WSUS uninstall this patch as I've only ever installed?

    Thanks

    Monday, February 26, 2018 11:59 AM

All replies

  • Hi,

    I don't know why this KB caused the issue.

    But if you want to uninstall this KB, you could refer to this link:
    https://www.geekshangout.com/wsus-how-to-remove-an-update-from-computers/


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 27, 2018 1:34 AM
  • Thanks - how do I report this bug to Microsoft?
    • Edited by TB303 Thursday, March 1, 2018 11:23 AM
    Tuesday, February 27, 2018 10:56 PM
  • Hi,

    We could submit a bug to Connect in the past.
    But now I see Microsoft Connect Has Been Retired:
    https://docs.microsoft.com/en-us/collaborate/connect-redirect.

    So now the only option may be to submit a bug to UserVoice:
    https://configurationmanager.uservoice.com/forums/300492-ideas.
    But you need to wait a long time for the vote and review.

    If you need to solve it as soon as possible, I suggest you open a case directly to Microsoft.



    Wednesday, February 28, 2018 9:11 AM
  • We have the same problem in our environment now, too. I'm hoping that everyone tomorrow clicks the Connect button and it will go away for awhile... We have a few Windows 7 machines around and they don't have any issues. Just Windows 10.

    Is there a different way for reporting this??

    Thursday, March 29, 2018 12:00 AM
  • I've yet to find a fix other than uninstall the latest cumulative update.

    Feb and March's did this on any Windows 10 workstations on Build 170x; 1511 and 1607 are fine.

    I can't believe many are not getting this.

    Did you remove the update and all was ok?

     
    Thursday, March 29, 2018 10:54 AM
  • I've yet to find a fix other than uninstall the latest cumulative update.

    Feb and March's did this on any Windows 10 workstations on Build 170x; 1511 and 1607 are fine.

    I can't believe many are not getting this.

    Did you remove the update and all was ok?

     
    We only have 170x, no other versions. We have not uninstalled the update as of yet. We are monitoring this and are hoping (knock on wood) that our end users read the communication we sent regarding the issue. As of this morning, we are still waiting on how many calls hit the help desk.
    Thursday, March 29, 2018 12:45 PM
  • ok hope it goes ok, let me know how you get on etc

    I'm so surprised no one else has reported it.

    Thursday, March 29, 2018 1:03 PM
  • Have you reviewed the known issues section in KB4074588 (https://support.microsoft.com/en-US/help/4074588) to see if it resolves this? I don’t see one that is a direct match, perhaps the blocked ports issue? If one of those works, let them know and they can add that symptom to the list.

    Also, since Windows 10 updates are cumulative, you can skip KB4074588 and install the latest, KB4089848 (https://support.microsoft.com/en-us/help/4089848) instead.


    Thursday, March 29, 2018 4:57 PM
  • The best way to report bugs is to use the Feedback Hub app from the Microsoft Store. (Search for Feedback Hub in the store or search bar.) 
    Thursday, March 29, 2018 4:58 PM
  • ok hope it goes ok, let me know how you get on etc

    I'm so surprised no one else has reported it.

    Me too. But here is what we ended up doing that has been successful. Before this all started we did not have a wireless policy being pushed to clients. We created a test policy and then attached it to the test OU.

    We used the following properties for the Protected EAP properties in the policy object and selected the option highlighted in red.

    We let the policy roll to the machines and let Windows Update do its thing... after the cumulative update completed and we restarted, we had no issues with prompts...


    Thursday, March 29, 2018 6:07 PM
  • Did you have any certificate selected in the Trusted Root Certification Authority?

    Friday, March 30, 2018 8:36 AM
  • Did you have any certificate selected in the Trusted Root Certification Authority?

    No.
    Friday, March 30, 2018 2:00 PM
  • Tried your settings, but users don't automatically connect to the WiFi, they need to select the SSID now. Do yours connect automatically?
    Wednesday, April 4, 2018 9:49 AM
  • Tried your settings, but users don't automatically connect to the WiFi, they need to select the SSID now. Do yours connect automatically?

    Yes. There is an option to accomplish this.

    Wednesday, April 4, 2018 2:46 PM
  • What did you have in the "Connect to these servers" field in the earlier screenshot? Ours is blank.

    We already have the "Connect automatically.." option set.

    Thanks

    Wednesday, April 4, 2018 6:13 PM
  • We have the FQDN of the NPS server in that path.
    Wednesday, April 4, 2018 7:26 PM
  • The issue with us could be that our Radius server (Cisco ISE) is using a SHA1 certificate and the Cumulative updates no longer like using SHA1 and should be SHA256 instead.

    Will test and feed back here for others in case they get this.

    Friday, April 6, 2018 8:06 AM
  • We did bump our certificate to SHA256, too.
    Friday, April 6, 2018 12:36 PM
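
Added example, not part of the thread: the replies above compare PEAP settings that were only shown in screenshots (the "Connect to these servers" field, the Trusted Root Certification Authorities selection, automatic connection). This PowerShell function reads those same settings from a WLAN profile exported with `netsh wlan export profile`, so a prompting client can be compared with a working one; the function name, the sample profile and the server name in it are constructed for illustration.

```powershell
# Constructed sample, trimmed to the elements read below (not a complete profile).
# Real input: netsh wlan export profile name="<SSID>" folder=<dir>, then [xml](Get-Content <file> -Raw)
$sample = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
              <ServerNames>nps01.corp.example</ServerNames>
            </ServerValidation>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
'@

function Get-WlanPeapValidation {
    param([Parameter(Mandatory)][xml]$ProfileXml)
    # A profile nests several XML namespaces, so match elements by local-name().
    $text = { param($n) @($ProfileXml.SelectNodes("//*[local-name()='$n']") |
                          ForEach-Object { $_.InnerText.Trim() }) }
    # "Connect to these servers" is stored as one semicolon-separated string.
    $names = @(& $text 'ServerNames') | Where-Object { $_ } |
             ForEach-Object { $_ -split ';' } | Where-Object { $_ }
    [pscustomobject]@{
        Profile            = @(& $text 'name')[0]             # first <name> is the profile name
        ConnectionMode     = @(& $text 'connectionMode')[0]   # auto = connect automatically
        ServerNames        = @($names)                        # empty = no server name restriction
        TrustedRootCACount = @(& $text 'TrustedRootCA' | Where-Object { $_ }).Count
        UserPromptDisabled = (@(& $text 'DisableUserPromptForServerValidation')[0] -eq 'true')
    }
}

Get-WlanPeapValidation -ProfileXml $sample | Format-List
```

For the sample this reports `ConnectionMode` auto, one server name, no trusted root selected and `UserPromptDisabled` False, which is the combination where the client may still ask the user to accept the RADIUS server's certificate.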