Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
Given that this month’s update includes the resolution of 5 (some say 6) zero-day flaws, we have two key drivers of change this month: key functionality changes in core systems and an urgent need to deliver updates. We have broken down the testing scenarios into standard and high-risk profiles to help with prioritising your testing regimes.
High Risk:
Microsoft has documented that two core areas have been updated with significant functionality changes including printing and the local network stack (with a focus on routing). As a result, the following testing should be included before general deployment of this month’s patches:
- Printing: check your local printers as key driver handling has been updated.
- Ensure that our DNS server zones are still functioning as expected after this July update
Standard Risk:
The following changes have been included in this month’s update and have not been raised as either high risk (of unexpected outcomes) and do not include functional changes.
- Windows Hello will need testing. Testing should include Active Directory (as well as Azure AD) Single-Sign-on (SSO)
- Test your remote desktop (RDP) connections with and without Microsoft’s RD Gateway and ensure you see the correct level of certificate warnings (or not, if already ignored).
- (For IT Administrators) Test your Windows Error logs (focus on service hangs) with a Create/Read/Update/Delete/Extend (CRUDE) test.
- Test your encryption and crypto configuration scenarios. Especially Kerberos on your domain controllers and key isolation.
- Test your backups. You don’t have to worry about your recovery media this time.
If you have employed internal web or application servers, it will be worth testing out the HTTP3 protocol. Especially using Microsoft Edge. In addition to this protocol handling update, Microsoft has made a significant number of changes and updates to the networking stack requiring the following testing:
- Test your RRAS router with UDP, pingback and traceroute commands while adding and deleting routing table entries.
- Ensure that your domain servers behave as expected with full enforcement mode enabled.
All these (both standard and high-risk) testing scenarios will require significant application-level testing before a general deployment. Given the nature of changes included in this month’s patches, the Readiness team recommends that the followings tests are also performed before general deployment:
- Install, update, and uninstall your core line of business applications.
- Check your (local) printer drivers.
- Validate your VBScripts and UI automation tools (as OLE was updated this month, see CComClassFactorySingleton‘).
- Test audio/video streaming and then Microsoft Teams (due to its uploads/downloads and message queuing requirements).
Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line of business applications getting the application owner (doing UAT) to test and approve the testing results is still absolutely essential.