  1. #1
    New Lounger
    Join Date
    Dec 2009
    Location
    Philadelphia, PA
    Posts
    4
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Question Puzzled by Windows Security Update: KB2973351

    I have two Win 7 (x64) Home Premium PCs (desktop and laptop). Among the other Windows updates I received notification about on both computers was KB2973551. It is titled, "Microsoft Security Advisory: Registry update to improve credentials protection and management for Windows-based systems that have the 2919355 update installed: July 8, 2014" (http://support.microsoft.com/kb/2973351).

    Although all the other recommended Windows security patches were mentioned in this week's newsletter, this one was not. So I checked to see whether I had previously installed KB2919355 on either, or both, PCs. In each, I went to my Control Panel > Programs & Features > View Update History and did not find KB2919355 among the many Security Updates for Windows listed.

    This raises several questions:

    1. Is it possible I do have KB2919355 installed, but it is not listed among the installed Windows security updates on each PC because of some feature of the update itself?
    2. If KB2919355 is not installed on my PCs, will installing KB2973551 cause problems?


    To make the waters even murkier, the Microsoft Support site article includes a link to another, titled appropriately enough, "Microsoft Security Advisory: Registry update to improve credentials protection and management for Windows systems that do not have the 2919355 update installed: July 8, 2014" (http://support.microsoft.com/kb/2975625). I wonder if this is the update notification I should have received.

    I searched the Web, the Lounge, and Windows Secrets and found no relevant information to suggest others have experienced this situation. I do not plan on installing either KB2973551 or KB2975625 until I am comfortable about the appropriate course of action. I hope that someone in the Lounge can provide me with specific guidance on what that is or suggestions on where to find out. Thanks in advance.

  3. #2
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    2,606
    Thanks
    76
    Thanked 324 Times in 293 Posts
    It's KB2973351 (as in your link), not KB2973551 (as you typed three times):

    Quote Originally Posted by PamS View Post
    One update that I got that is not mentioned in this newsletter is KB2973351. For now I am putting it on hold until someone tells me whether it is safe to install or not. Thanks!

    Pam
    Quote Originally Posted by BruceR View Post
    That's a minor update to a recent security update, and it's only relevant to enterprise IT administrators using Remote Desktop Protocol to connect to servers within a domain.

    It's related to KB2871997 which Sue covered on May 15, 2014:

    > What to do: Home-network users — or anyone who doesn’t sign into a domain — can pass on KB 2871997. Those who do sign into a corporate domain should install the update when offered.

    Details of the May update and its July update are at Update to Improve Credentials Protection and Management.

    Perhaps Susan Bradley will remember to address KB2973351 sometime soon as it will apparently be offered to all Windows 7 and Windows 8 users.

    (I installed this update three days ago and have not noticed any adverse consequences; but I always install all updates immediately and I haven't used RDP on a domain lately.)

    Bruce
    Quote Originally Posted by SusanBradley View Post
    Yup I'll cover it at the end of the month.
    Last edited by BruceR; 2014-07-13 at 01:14.

  4. #3
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    2,045
    Thanks
    98
    Thanked 194 Times in 169 Posts
    I'll try to break this one down as it had me puzzled a few days ago; any/all errors are of course my own because MS doesn't make any.

    From https://support.microsoft.com/kb/2973351, please read it in full.

    I've emphasised what I consider to be important/explanatory:

    The default behavior for Restricted Admin mode changed in Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

    By default, Restricted Admin mode is now turned off, and you have to enable it again after you install update 2973351 or 2975625 if it is required.

    Previously, Restricted Admin mode was turned on by default.
    That indicates that this 'bug' was introduced with the latest updated OS versions, W7/8 should still be at the default, 'safe' settings - BUT - judging by the 'fix' packages on offer for earlier OS versions, something (KB2975625 or KB2973351 from the May update?) might have incorrectly set the values in those versions as well.

    So, if you're using Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1, you will need to install the KB (or to manually modify the Registry - DisableRestrictedAdmin should be added and set to 0).

    For earlier versions (W7->8, see below for the full list), checking the Registry entry is required - if there is no DisableRestrictedAdmin entry, no further action should be needed; if DisableRestrictedAdmin exists, the value should be set to 0 or the patch needs to be installed.

    Versions that are affected:
    Windows RT 8.1
    Windows 8.1
    Windows 8.1 Enterprise
    Windows 8.1 Pro
    Windows Server 2012 R2 Datacenter
    Windows Server 2012 R2 Essentials
    Windows Server 2012 R2 Foundation
    Windows Server 2012 R2 Standard
    Versions that might be affected:
    Windows RT
    Windows 8
    Windows 8 Enterprise
    Windows 8 Pro
    Windows Server 2012 Datacenter
    Windows Server 2012 Essentials
    Windows Server 2012 Foundation
    Windows Server 2012 Standard
    Windows 7 Service Pack 1, when used with:

    Windows 7 Enterprise
    Windows 7 Professional
    Windows 7 Ultimate
    Windows 7 Home Premium
    Windows 7 Home Basic

    Windows Server 2008 R2 Service Pack 1, when used with:

    Windows Server 2008 R2 Standard
    Windows Server 2008 R2 Enterprise
    Windows Server 2008 R2 Datacenter
    How to check/modify the setting:
    To configure the Restricted Admin registry setting, add a DWORD value that is named DisableRestrictedAdmin to the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

    To do this, follow these steps:

    Click Start, click Run, type regedit in the Open box, and then click OK.
    Locate and then click the following subkey in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    On the Edit menu, point to New, and then click DWORD Value.
    Type DisableRestrictedAdmin for the name of the DWORD value, and then press Enter.
    Right-click DisableRestrictedAdmin, and then click Modify.
    To disable Restricted Admin mode, type 1 in the Value data box, and then click OK.
    To enable Restricted Admin mode, type 0 in the Value data box, and then click OK.
    Exit Registry Editor, and then restart the computer.
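
The registry check described in the post above, as an added example that is not part of the original post or of Microsoft's article: a read-only Windows PowerShell audit of `DisableRestrictedAdmin` that applies the post's reading of the KB. The function names are hypothetical, and the mapping of OS version 6.3 to Windows 8.1 / Server 2012 R2 / RT 8.1 is an assumption added here.

```powershell
# Added example: read-only audit, changes nothing in the registry.
$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableRestrictedAdmin'

function Get-RestrictedAdminSetting {
    # Returns $null when the value is absent, otherwise its DWORD data.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Get-RestrictedAdminAdvice {
    param(
        [AllowNull()] $Value,                              # $null = value absent
        [Parameter(Mandatory = $true)] [version] $OsVersion
    )
    # Assumption: 6.3 = Windows 8.1 / Server 2012 R2 / RT 8.1 (the "affected" list);
    # 6.1 and 6.2 = Windows 7 / 8 and their server editions ("might be affected").
    $isAffected = ($OsVersion.Major -eq 6 -and $OsVersion.Minor -eq 3)

    if ($null -eq $Value) {
        if ($isAffected) {
            return 'Absent on an affected version: install the KB, or add the value and set it to 0 if Restricted Admin mode is required.'
        }
        return 'Absent on an earlier version: no further action should be needed.'
    }
    switch ($Value) {
        0       { return 'Present, 0: Restricted Admin mode is enabled.' }
        1       { return 'Present, 1: Restricted Admin mode is disabled; set it to 0 or install the patch if the mode is required.' }
        default { return "Present, unexpected data ($Value): the KB documents only 0 and 1." }
    }
}

# Audit the local machine (Get-WmiObject is used so this also runs on Windows 7).
$os    = [version](Get-WmiObject -Class Win32_OperatingSystem).Version
$value = Get-RestrictedAdminSetting
'{0}: {1}' -f $os, (Get-RestrictedAdminAdvice -Value $value -OsVersion $os)

# Constructed inputs showing each branch without touching the registry:
Get-RestrictedAdminAdvice -Value $null -OsVersion '6.1.7601'   # Windows 7 SP1, value absent
Get-RestrictedAdminAdvice -Value 1     -OsVersion '6.3.9600'   # Windows 8.1, mode disabled
```

A restart is needed before a changed value takes effect, as the last step of the KB procedure states.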

  5. #4
    New Lounger
    Join Date
    Dec 2009
    Location
    Philadelphia, PA
    Posts
    4
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Thanks. Pardon the dyslexia.

  6. #5
    Lounger
    Join Date
    May 2007
    Posts
    26
    Thanks
    0
    Thanked 1 Time in 1 Post
    Unfortunately, I installed the update KB2973351 (Win 7 Ultimate x64) on 7/12/2014. I saw it wasn't mentioned in Patch Watch, and slipped up by installing it without checking to see if I had previously installed the predecessor mentioned in the article. Bad move. Everything seemed to work well until I tried to print from Photoshop CC and Lightroom 5. The printer driver took 3.5 minutes to load (usual time is less than 5 minutes), and I was unable to change any of the printing settings without waiting at least 4 minutes per subscreen -- effectively destroying my ability to print from Photoshop and Lightroom. There was no disk activity while waiting, and I had no other programs running at that time. I last printed from Photoshop on 7/8/2014, at which time everything worked normally.
    Started to uninstall the patches from 7/12 one by one, and fortunately, uninstalling the last patch I had installed, KB2973351, fixed the problem. I take the blame for this one because I did not check to see if I had installed its prerequisite patch.

  7. #6
    Lounger
    Join Date
    May 2007
    Posts
    26
    Thanks
    0
    Thanked 1 Time in 1 Post
    Correction: the usual time for my printer driver to appear in Photoshop and Lightroom is less than 3 seconds, not 5 minutes. (Need another cup of coffee this morning.)
