Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

Given the large number of system-level changes included in this June patch cycle, I have broken down the testing scenarios into standard and high-risk profiles.

High Risk:
Very much like the core security changes made to how SQL queries are handled on desktop systems, Microsoft has made a fundamental update to how certain rendering APIs are handled, with a new set of security restrictions. This is a key requirement to separate user mode and kernel printer driver requests. These are not new APIs or new features but a hardening of existing API callback routines. This is a big change and will require a full printer testing regime for this June update, including:

  • Test all of your printers – with your full production testing regime (sorry about this).
  • Enable different advanced printer features (e.g., watermarking) and run printing tests.
  • Test your printing over RDP and VPN connections.

Standard Risk:
The following changes have been included in this month’s update. They have not been raised as high risk (of unexpected outcomes) and do not include functional changes.

  • Create, modify, delete folders and files in Group Policy preferences.
  • Test voice typing (in Windows 11) or dictation (in Windows 10). Spoken text should render as expected.
  • Install the Kerberos update on one of your test domain controllers. Once updated, Kerberos authentication should still be successful.
  • Play an MPEG4 video or use Windows Explorer to open a directory containing an MPEG4 file. No exit code errors should be reported.
  • Once the remote desktop update has been applied to your target workstations, create a Remote Desktop connection between a client and server. Then repeat this process with an RD Gateway.
  • Test your network/internet connection using applications such as browsers, messaging (Teams/Slack), file transfer (FTP), and video streaming (but don’t share your password).

Microsoft is now disallowing the avoidlowmemory and truncatememory BCD options when Secure Boot is on. In addition to this change, Microsoft is blocking boot loaders that have not been updated with the May 2023 update.

Please note: Your recovery options will be severely limited unless your recovery images have this vital May 2023 update applied as well. For this specific boot process change, the Readiness team recommends the following testing regime.

  • The updated target machine should boot as expected with both Secure Boot and BitLocker enabled. You should not get a boot error or BitLocker recovery screen.
  • The updated target machine should boot as expected and not hit BitLocker recovery when BitLocker is enabled on an OS drive, but Secure Boot is off.

Please update all of your recovery media as soon as your testing regime is complete.
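
A pre-flight check for the BCD change described above, as an added example that is not from the Readiness team or Microsoft: it lists any BCD entries that still set avoidlowmemory or truncatememory and reports the Secure Boot and BitLocker state of the machine. It assumes it is saved as a script and run from an elevated Windows PowerShell session on the test machine, and that bcdedit prints element names in its usual unlocalised form.

```powershell
#Requires -RunAsAdministrator
# Added example: report BCD options that the June update disallows under Secure Boot.
$blockedOptions = 'avoidlowmemory', 'truncatememory'

# Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "off".
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

# bcdedit prints one block per BCD entry, separated by blank lines.
$raw = (& bcdedit.exe /enum all) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }

$findings = foreach ($block in ($raw -split '\n\s*\n')) {
    $lines = @($block -split '\n' | Where-Object { $_.Trim() })
    foreach ($line in $lines) {
        if ($line -match '^\s*(?<name>\S+)\s+(?<value>.+)$' -and
            $blockedOptions -contains $Matches['name']) {
            [pscustomobject]@{
                # Block heading plus the value of its identifier line.
                Entry  = '{0} {1}' -f $lines[0], ($lines[2] -replace '^\S+\s+')
                Option = $Matches['name']
                Value  = $Matches['value'].Trim()
            }
        }
    }
}

# BitLocker state of the OS drive, if the BitLocker cmdlets are available.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

'Secure Boot : {0}' -f $(if ($secureBoot) { 'on' } else { 'off' })
'BitLocker   : {0}' -f $(if ($osVolume) { $osVolume.ProtectionStatus } else { 'not available' })

if (-not $findings) {
    'No avoidlowmemory/truncatememory options found in the BCD store.'
} elseif ($secureBoot) {
    Write-Warning 'Disallowed BCD options are set and Secure Boot is on; review before deploying the update:'
    $findings | Format-Table -AutoSize
} else {
    'Options are set, but Secure Boot is off on this machine:'
    $findings | Format-Table -AutoSize
}
```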

All these (both standard and high-risk) testing scenarios will require significant application-level testing before a general deployment. Given the nature of changes included in this month’s patches, the Readiness team recommends that the following tests are also performed before general deployment:

  • Install, update, and uninstall your core line of business applications.
  • Check your printer drivers and validate their certificates.
  • Test your backups and recovery media.

Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line-of-business applications, getting the application owner (doing UAT) to test and approve the testing results is still absolutely essential.

Greg Lambert