Introduction:

Every month, the Readiness team at Readiness conducts a thorough analysis of Microsoft’s Patch Tuesday updates. Based on their assessment of a diverse application portfolio and a detailed examination of the patches, they provide comprehensive testing guidance to help organizations take appropriate action. In light of the significant system-level changes included in the May patch cycle, the testing scenarios have been categorized into standard and high-risk profiles.

High-Risk Testing Scenarios:

  1. TPM Module Changes:
    • Verify target systems boot successfully with both Secure Boot and BitLocker enabled.
    • Ensure systems boot successfully with BitLocker enabled and Secure Boot turned off.
    • Test different boot scenarios, including USB, DVD, and ISO boot.
    • Validate backups and confirm they function correctly after applying the secure boot update.
    • Assess the validity of recovery media after applying the May Patch Tuesday update. Note that boot recovery media created on systems prior to this update may fail.

Standard-Risk Testing Scenarios:

  1. Microsoft LDAP Connect/Bind Command:
    • Exercise applications using Microsoft LDAP Connect/Bind Command, both with and without SSL.
  2. Update to WIN32K.SYS:
    • Assess the impact on application menus due to the updated key system file, WIN32K.SYS.
  3. Monitor Setup Configuration:
    • Test applications responsible for setting up or configuring monitor setups.
  4. Defender Application Guard in VMs:
    • Test virtual machines with Defender Application Guard installed and enabled.
  5. Microsoft QUIC Connectivity:
    • Verify connectivity over a VPN to edge servers if Microsoft QUIC has been deployed. Test internet surfing, email, file uploads, and video streaming.

Additional Tests before General Deployment:

Considering the nature of changes in this month’s patches, the Readiness team recommends performing the following tests before a general deployment:

  1. Remote Desktop and VPN Connections:
    • Test remote desktop and VPN connections using SSTP.
  2. Bluetooth Device Compatibility:
    • Verify compatibility and functionality of Bluetooth devices, including audio and mice.
  3. NFS Share Operations:
    • Create, read, update, and delete files on an NFS share.
  4. Printing Jobs:
    • Test local and remote printing jobs.

Automated testing is highly recommended, particularly using a testing platform that offers build comparison or delta functionality. However, it remains crucial to involve application owners in User Acceptance Testing (UAT) to ensure their line of business applications are thoroughly tested and approved.

Conclusion:

The May Patch Tuesday updates from Microsoft introduce significant system-level changes, necessitating careful and comprehensive testing. By following the testing guidance provided by the Readiness team, organizations can mitigate risks, ensure compatibility, and minimize unexpected outcomes before deploying the patches to their environments.

Greg Lambert