Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
Given the large number of system level changes included in this May patch cycle, I have broken down the testing scenarios into standard and high risk profiles.
High Risk:
Microsoft has made significant changes to the TPM (Trusted Platform Module), and in particular to Secure Boot and BitLocker, this month. The Readiness team suggests the following basic tests for this TPM update:
- Target systems should boot as expected with both Secure Boot and BitLocker enabled.
- Systems should boot successfully with BitLocker enabled and Secure Boot turned off.
- Try the following boot scenarios: USB Boot, DVD Boot, ISO Boot.
- Test your backups after you have updated the secure boot system.
- Ensure that your "restores" operate as expected once the update has been applied.
We are unsure about the validity of recovery media once this May Patch Tuesday update has been applied: boot recovery media created on systems prior to this update may well fail. Once you have applied this update, you will need to ensure that full backups are completed and tested. This scenario affects both Windows 11 (22H2) desktops and Windows Server 2022.
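One practical way to run the Secure Boot and BitLocker checks above is to snapshot the boot-security state before the update and again after the post-update reboot, then diff the two. This PowerShell is an added example (not the Readiness team's code); it assumes an elevated session on a UEFI Windows 11 / Server 2022 host with the inbox SecureBoot, TrustedPlatformModule and BitLocker modules, and the `$env:ProgramData\PatchBaseline` folder and `pre`/`post` labels are constructed for the example.

```powershell
# Added example (not the Readiness team's code). Assumes an elevated session on a UEFI
# Windows 11 / Server 2022 host with the inbox SecureBoot, TrustedPlatformModule and
# BitLocker modules; $Dir and the 'pre'/'post' labels are constructed for this example.
function Get-BootSecurityBaseline {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }   # throws on legacy-BIOS systems
    catch { $secureBoot = 'NotUEFI' }
    $tpm = Get-Tpm
    $volumes = @(Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = [string]$_.VolumeStatus
            # 'Off' on a volume that was 'On' before the update means the TPM protector
            # no longer unseals the key and the drive is relying on recovery.
            ProtectionStatus = [string]$_.ProtectionStatus
            KeyProtectors    = (@($_.KeyProtector.KeyProtectorType | ForEach-Object { [string]$_ }) | Sort-Object) -join ','
        }
    })
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        OSBuild    = "$($cv.CurrentBuildNumber).$($cv.UBR)"   # expected to change; reported, not diffed
        SecureBoot = [string]$secureBoot
        TpmPresent = [bool]$tpm.TpmPresent
        TpmReady   = [bool]$tpm.TpmReady
        Volumes    = $volumes
    }
}
# Flatten a snapshot into one line per setting so Compare-Object can diff two of them.
function ConvertTo-BaselineLines([object]$b) {
    "SecureBoot=$($b.SecureBoot)"; "TpmPresent=$($b.TpmPresent)"; "TpmReady=$($b.TpmReady)"
    foreach ($v in @($b.Volumes)) {
        "Volume $($v.MountPoint) Status=$($v.VolumeStatus) Protection=$($v.ProtectionStatus) Protectors=$($v.KeyProtectors)"
    }
}
function Save-BootSecurityBaseline([string]$Label, [string]$Dir = "$env:ProgramData\PatchBaseline") {
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    Get-BootSecurityBaseline | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $Dir "$Label.json")
}
function Compare-BootSecurityBaseline([string]$Dir = "$env:ProgramData\PatchBaseline") {
    $pre  = Get-Content (Join-Path $Dir 'pre.json')  -Raw | ConvertFrom-Json
    $post = Get-Content (Join-Path $Dir 'post.json') -Raw | ConvertFrom-Json
    "Build $($pre.OSBuild) -> $($post.OSBuild)"
    $diff = Compare-Object (ConvertTo-BaselineLines $pre) (ConvertTo-BaselineLines $post)
    if (-not $diff) { 'No Secure Boot / TPM / BitLocker change detected'; return }
    $diff | ForEach-Object {
        "$(if ($_.SideIndicator -eq '<=') { 'BEFORE' } else { 'AFTER ' }) $($_.InputObject)"
    }
}
```

Run `Save-BootSecurityBaseline pre` before installing the update and `Save-BootSecurityBaseline post` after the reboot, then `Compare-BootSecurityBaseline`; a volume whose Protection line moved from On to Off, or a changed protector list, is the kind of regression the high-risk tests above are meant to catch.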
Standard Risk:
The following changes are included in this month's update; they have not been raised as high risk (of unexpected outcomes) and do not include functional changes:
- Exercise your applications that use the Microsoft LDAP Connect/Bind command. Try this both with SSL and without.
- The key system file WIN32K.SYS has been updated, which may affect application menus.
- Test your applications that set up or configure monitors.
- Test your VMs with Defender Application Guard installed and enabled.
- If you have deployed Microsoft QUIC, test your connectivity over a VPN to your edge servers. This should include internet surfing, email, file uploads and video streaming.
All these (both standard and high-risk) testing scenarios will require significant application-level testing before a general deployment. Given the nature of the changes included in this month's patches, the Readiness team recommends that the following tests are also performed before general deployment:
- Test your remote desktop and VPN connections using SSTP.
- Test Bluetooth devices (audio and mice).
- Create, read, update, and delete files on an NFS share.
- Test printing jobs (both local and remote).
Automated testing will help with these scenarios (especially a testing platform that offers a "delta" or comparison between builds). However, for your line-of-business applications, getting the application owner (doing UAT) to test and approve the testing results is still absolutely essential.