Once upon a time in technology, years ago Microsoft previewed server software to a big fanfare at a meeting of IT professionals. The company has proven how easy it is to use the software, which automatically installs the server, email server, and SharePoint server – all in less than 30 minutes.
There was one problem: every time Microsoft went to demo the server software, it crashed with an unclear error message.
Back then, I sometimes posted and answered questions in a Microsoft newsgroup. Just before Thanksgiving, I started seeing consultants trying to install software getting the same error. One person in the forum thread found the problem: a particular SharePoint dll file used during the installation has an expiration date of 11/23. If you have the server software installed prior to that day, you have no problem. If you try to do that afterwards, the installation will fail. Solution? Go into the server’s BIOS, set the date back to before November 23, install the software, then set the clock back to the correct time.
If you know anything about Active Directory domain controllers, you know that changing the date and time is generally not wise. Fortunately, the servers were not adversely affected and – except for the egg in their face for a less than ideal product release in Australia – Small Business Server 2003 continues to be even more acclaimed.
Why do I forward this story now? Because it shows that bugs released in new technology are nothing new. Microsoft uses a file code signing process to authenticate and verify that the file is legitimate. If the certificate is invalid or has expired, the operating system or specific files may not work. And that’s why reports started appearing last week about a certificate that unexpectedly expired, causing problems with applications in Windows 11. (The company has released a patch to fix the problem. tried on Friday; more on that below.)
Affected PCs running Windows 11 Home or Pro There is a problem with the following apps:
- Touchpad, Voice Input and Emoji Panel
- Input Method Editor User Interface (IME UI)
- Getting Started and Tips
- Cutting tool
Users running Windows 11 S mode (a specific version of Home that only allows you to install software from the Microsoft Store), may also experience issues with the Accounts and landing pages in the Settings app and later it’s the Start menu.
As Matt Graeber pointed out on Twitter: “The MinCryptVerifyCertificateWithPolicy2 function in ci.dll returns STATUS_IMAGE_CERT_EXPIRED when the build previewed file has an expired _and_ cert signed.”
Bottom line, Microsoft used the beta, or in this case the internal versioning code, in the final version of Windows 11 – and the certificate on the code expired on October 31st. Not only that, the code is also signed by the Microsoft Development Certification Authority. Graeber continued: “I’m more comfortable speculating now that not loading expired preview build code was intentional to render the Operating System inoperable for users attempting to use the preview version of the Operating System indefinitely.”
Code signing is very important. That’s one of the reasons Microsoft is able to break down security patches into chunks and use technology like delivery optimization that allows them to be delivered directly from Microsoft or from shared computers in your peer-to-peer network. The pieces are then recombined – and the code is validated to ensure it hasn’t been tampered with. You can download your patches from anywhere, and the platform will always confirm that the patch you install is valid Microsoft code and has not been tampered with.
Usually, when Microsoft releases the final product, it deletes the developer certificates and replaces them with a final signing process.
While a preview patch for Windows 11 is available that resolves most issues, Microsoft helpfully released an out-of-band patch on Friday to fix the problem. KB5008295 will “completely address a wide range of issues affecting the Snipping Tool, Touchpad, some built-in apps, and S Mode on Windows 11,” The company said on Twitter.
Than Details are available here.
In Askwoody.com we use the “MS-DEFCON process” to patch proposals. Using a scale of one to five, we tell people when it’s safe to install updates. (Question 1 means no updates should be installed; sentence 5 means it’s all clear.) I was recently asked when we will start bringing Windows 11 to the MS-DEFCON system. Although I keep an eye on updates for Windows 11 since it’s currently considered a “released product,” I still assume it’s in early beta; I don’t recommend installing it on production systems.
While Windows 11 will recover from this code signing problem, it still shows why Microsoft’s new operating system should only be considered for testing. Obviously, Windows 11 needs a little more time to fix the error.
The good news in this age of Windows updates is that Microsoft doesn’t have to produce a new installation CD to solve this problem. It’s a pretty quick and easy fix. But I still find it remarkable that even with the new code development processes and procedures of the past two decades, errors like these still appear.
Copyright © 2021 IDG Communications, Inc.
