Windows 8.1 early adopters forced to update, or become insecure

Those of us who like to stay on the cutting edge of technology are probably well on our way to fully deploying Windows Server 2012 R2 and Windows 8.1. While it’s great to be on the cutting edge, sometimes that edge is sharp enough to put us on the bleeding edge. That’s where many of Microsoft’s customers find themselves with the most recent release for both 8.1 and 2012 R2.

Called simply an update or Update 1, KB2919355 details a new update release for Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 that has a very interesting ramification for all users.

Important: All future security and non-security updates for Windows RT 8.1, Windows 8.1 and Windows Server 2012 R2 require this update to be installed. We recommend that you install this update on your Windows RT 8.1, Windows 8.1, or Windows Server 2012 R2-based computer in order to receive continued future updates.

The backlash to this pronouncement was immediate and severe, considering both the short notice given and that there are apparently chronic problems with installing this update

Known issues

• If you receive error 0x80071a91 when you install update 2919355, install update 2939087. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 2939087 Error 0x80071a91 when installing update 2919355 in Windows.
• To fix an issue with the Internet Explorer Enterprise Mode feature that occurs after the update is installed, go to the following Microsoft website: 2956283 Internet Explorer 11 crashes when you turn on or turn off the Enterprise Mode feature.
• After you install this update on a computer, the computer may stop scanning against Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2 or WSUS 3.2)-based servers that are configured to use HTTPS and do not have TLS 1.2 enabled. This issue was resolved in the latest version of this update that is released on April 15.
  If you encounter this issue, visit the following Microsoft Knowledge Base (KB) article for the fix: 2959977 Windows Update Client SSL issue for Windows Server Update Services.
• After the update is installed, you cannot uninstall Web Server (IIS) roles on Windows Server 2012 R2. To resolve the issue, visit the following KB article: 2957390 You are unable to uninstall IIS after you install KB2919355 in Windows 8.1 or Windows Server 2012 R2.

In addition to the known issues listed on the KB, support forums are filled with users and admins seeking help with myriad install issues and errors. This update has issues with WSUS, which makes it rather difficult for enterprise customers to push out to their systems. Further, the outcry over mandating enterprises to deploy a patch to all systems within 30 days was loud and clear, so much so that Microsoft has extended the date for requiring this update to August 2014.

Customers running Windows 8.0, Windows RT, or Windows Server 2012 (not the R2 version) are not impacted by this, and are not required to install a particular update, yet. It will be interesting to see what develops on the patching front with these platforms. But both enterprise and consumer customers will need to deploy this update by August in order to receive both security and non-security updates going forward. That much is clear, even if the timeline has shifted and the install methods are still a bit fuzzy for some users using automatic updates, WSUS, Intune or SCCM. GFI LanGuard supports deploying this update to systems, and was not affected by the issue that broke SCCM patching.

Even with third party patching solutions, the actual patches Microsoft releases for 8.1, 2012 R2, and RT going forward will require that KB2919355 be installed in order to work, so make sure you get this patch onto your systems soon. New media available on MSDN and Volume Licensing downloads will incorporate this already, so any new systems or images you deploy should be set for the future.