Be careful of the KB932596 "update" it stops the "bcdedit -set load options DDISABLE_INTEGRITY_CHECKS" option working, that a lot of vista x64 users were using to load unsigned drivers, and the associated MS KB article doesn't see fit to mention the fact that this is probably the only thing this ""update" does.
32bit OS users don't have to worry of course as MS never dared to put "kernel patch protection" in 32bit OSs anyway, because it knew the howls of outrage that would have happened. I suppose MS figured there were so few 64bit OS users anyway and they were having so many driver issues already one more thing to put up with wasn't going to make much difference :(
Yes, if this "feature" was at all critical for the users security MS would have rolled it out to 32bit Vista as well.
I 'm getting the feeling that when MS says Vista has much improved security what they mean is that they've improved security for all their DRM, at the expense of functionallity for all their paying customers who definately don't like it or want it.
Rather ironic that MS has just spent so much time and effort jumping on the DRM/activation bandwagon just as everyone else, even the record industry, is finally realising it's counter productive and only succeeds in alianating all your paying customers.
> You are correct. KB932596 definitely breaks unsigned drivers. For me, it > killed VMWare Server on Vista X64. If it killed anything else, I don't > know > because I rolled back to a restore point and installed all the new updates > except KB932596.
> I hope Microsoft undoes this undocumented feature change disguised as a > critical security patch. When critical patches are used for marketing > advantage, it wrecks confidence in the entire Windows Update model.
> Dale
> -- > Dale Preston > MCAD C# > MCSE, MCDBA
> "Peter Lawton" wrote:
>> Be careful of the KB932596 "update" it stops the "bcdedit -set load >> options >> DDISABLE_INTEGRITY_CHECKS" option working, that a lot of vista x64 users >> were using to load unsigned drivers, and the associated MS KB article >> doesn't see fit to mention the fact that this is probably the only thing >> this ""update" does.
>> 32bit OS users don't have to worry of course as MS never dared to put >> "kernel patch protection" in 32bit OSs anyway, because it knew the howls >> of >> outrage that would have happened. I suppose MS figured there were so few >> 64bit OS users anyway and they were having so many driver issues already >> one >> more thing to put up with wasn't going to make much difference :(
And if it were really a security patch it would be described clearly in the KB article rather than disguised as an update to kernel patching protection.
They didn't fully disable the use of unsigned drivers but they did remove the ability to persist that setting in boot configuration using the bcdedit tool. Now you have to press F8 to get the boot menu and choose Disable Driver Signature Enforcement.
So that change has nothing at all to do with kernel patching protection but is simply a feature change disguised as a "critical update".
"Peter Lawton" wrote: > Yes, if this "feature" was at all critical for the users security MS would > have rolled it out to 32bit Vista as well.
> I 'm getting the feeling that when MS says Vista has much improved security > what they mean is that they've improved security for all their DRM, at the > expense of functionallity for all their paying customers who definately > don't like it or want it.
> Rather ironic that MS has just spent so much time and effort jumping on the > DRM/activation bandwagon just as everyone else, even the record industry, is > finally realising it's counter productive and only succeeds in alianating > all your paying customers.
> Peter Lawton
> "Dale" <dale0...@nospam.nospam> wrote in message > news:37F65297-F83F-457D-AFDC-50280BD133DE@microsoft.com... > > You are correct. KB932596 definitely breaks unsigned drivers. For me, it > > killed VMWare Server on Vista X64. If it killed anything else, I don't > > know > > because I rolled back to a restore point and installed all the new updates > > except KB932596.
> > I hope Microsoft undoes this undocumented feature change disguised as a > > critical security patch. When critical patches are used for marketing > > advantage, it wrecks confidence in the entire Windows Update model.
> >> Be careful of the KB932596 "update" it stops the "bcdedit -set load > >> options > >> DDISABLE_INTEGRITY_CHECKS" option working, that a lot of vista x64 users > >> were using to load unsigned drivers, and the associated MS KB article > >> doesn't see fit to mention the fact that this is probably the only thing > >> this ""update" does.
> >> 32bit OS users don't have to worry of course as MS never dared to put > >> "kernel patch protection" in 32bit OSs anyway, because it knew the howls > >> of > >> outrage that would have happened. I suppose MS figured there were so few > >> 64bit OS users anyway and they were having so many driver issues already > >> one > >> more thing to put up with wasn't going to make much difference :(
> Because there has been no word from Microsoft on this issue, and no patch to > the patch, I am quickly coming to the conclusion that what was earlier just > an assumption is, in fact, a fact: that this feature change poorly disguised > as a security patch was an intentional ploy by Microsoft to force driver > makers to update and sign their drivers.
I think one of the recent Vista "performance" patches also stops the kernel patch protection workaround.
Despite all the helpful references people are giving to MS documents about kernel patch protection I can't find any that inform us that any of the recent updates stop the "bcdedit -set load options DDISABLE_INTEGRITY_CHECKS" working, when at least two, possibly three of the recent patches do exactly that.
My suspicion is that stopping "bcdedit -set load options DDISABLE_INTEGRITY_CHECKS" working is the only thing that KB932596 does, at least MS has published nothing at all about what it does to say any different
Also if kernel patch protection is so vital for users security that the option to disable it has to be removed without warning, then why does MS think it's only the few users of x64 versions that need this "protection", who are mostly very technically aware anyway, rather than the multitude of 32bit version users who largely aren't as technically savvy and would presumeably need the "protection and stability" far more?
> Because there has been no word from Microsoft on this issue, and no patch > to > the patch, I am quickly coming to the conclusion that what was earlier > just > an assumption is, in fact, a fact: that this feature change poorly > disguised > as a security patch was an intentional ploy by Microsoft to force driver > makers to update and sign their drivers.
> Before this change, users could get around unsigned drivers so they > probably > did not exert much pressure on the driver creators to update those > drivers.
> The behavior of this patch is such that users still have a way around the > unsigned drivers but now that work-around becomes a real nuisance. Could > it > be that Microsoft is doing this to shanghai their customers into the fight > against unsigned drivers?
>> I tried uninstalling the patch, but even after uninstalling, it forces >> me to use the F8 option. I checked that the DDISABLE_INTEGRITY_CHECKS >> loadoption was set.
>> Hooray, now I have to buy a new TV tuner card... for no reason.
>> Does anyone know of a way to recover from this patch?
"andrew.harw...@gmail.com" wrote: > I tried uninstalling the patch, but even after uninstalling, it forces > me to use the F8 option. I checked that the DDISABLE_INTEGRITY_CHECKS > loadoption was set.
> Hooray, now I have to buy a new TV tuner card... for no reason.
> Does anyone know of a way to recover from this patch?
