Gordon Kelly of Forbes is at it again, pushing his unique blend of scary words about Windows 10, mixed with an absolutely overwhelming lack of knowledge about the underlying technologies.
I thought we had seen the last of Gordon three years ago, when he slinked away after credulously hyping some gibberish about Windows 10 telemetry and then writing the most incomprehensible retraction ever. (For a trip down memory lane, see "When it comes to Windows 10 privacy, don't trust amateur analysts" and "Microsoft has no plans to change Windows 10 consumer privacy settings.")
But he was only lying low, apparently. Over the weekend, a reader sent me a link to a story he had found on the front page of Google News, and when I saw the headline I knew it could only have sprung from Mr. Kelly's keyboard: "Microsoft Issues Warning For 50M Windows 10 Users."*
Oh dear, that sounds awful. And according to Forbes more than 100,000 innocent souls have already clicked on this article. [Update: As of July 8, that article has now been viewed more than 497,000 times, according to the Forbes ticker.] Let's check out what has Gordon so worried:
"Microsoft has told tens of millions of Windows 10 users that the latest KB4501375 update may break the platform's Remote Access Connection Manager (RASMAN). And this can have serious repercussions."
Strangely, Gordon doesn't link to the actual Microsoft article documenting the KB4501375 update, preferring to quote a fourth-rate tech site instead. But I looked it up for myself ("June 27, 2019—KB4501375 [OS Build 18362.207]") and you will I am sure be shocked, shocked to learn that once again our Mr. Kelly has gotten his facts spectacularly wrong.
(Oh, and let's stick a pin in the "Microsoft has told tens of millions of Windows 10 users" part because that's especially hilarious when you realize how he calculated that 50 million number. More on that part later.)
Anyway, here's the tl;dr: Microsoft, as part of its normal update schedule, published a cumulative update for Windows 10 version 1903. As part of the update, it published an article documenting the quality fixes in that update as well as one "known issue" that affects a small number of corporate customers with nonstandard client configurations.
That known issue occurs on a Windows 10 PC running version 1903 when two conditions are present:
First, the diagnostic data level setting is manually configured to the non-default setting of 0. For those who don't understand how unusual that configuration is, note that it applies only to Windows 10 Enterprise and that it can be set only using Group Policy on corporate networks or by manually editing the registry.
You can't accidentally enable this setting. And you can't deliberately set it on a system running Windows 10 Home or Pro, because it is for Enterprise edition only.
Second, the bug occurs only when a VPN profile is configured as an Always On VPN (AOVPN) connection. That's a specific form of virtual private network (VPN) access that was introduced with Windows Server 2016 and requires a tremendous amount of network configuration to enable. You can read the gory details here: Remote Access Always On VPN.
But unless you're a Windows Server 2016 sysadmin, it might not make sense. And as one commenter observed below, "I think I'd rather be beaten to death by my own keyboard than have to set up AOVPN."
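A read-only check for the two conditions above, added here as an example (it is not from Microsoft's support article or from the original post). It assumes the diagnostic data level is stored in the AllowTelemetry registry value and that Always On VPN profiles can be read through the MDM_VPNv2_01 WMI bridge class; the function name is hypothetical.

```powershell
# Added example: report whether this PC matches the known-issue conditions.
# Read-only. Run from an elevated PowerShell session on the PC being checked.
function Test-RasmanKnownIssueExposure {
    $os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $is1903       = $os.CurrentBuild -eq '18362'      # version 1903 is OS Build 18362.x
    $isEnterprise = $os.EditionID -like 'Enterprise*' # level 0 is Enterprise-only per the article

    # Diagnostic data level: the Group Policy location first, then the
    # location a manual registry edit would use.
    $telemetry = $null
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name AllowTelemetry `
                    -ErrorAction SilentlyContinue).AllowTelemetry
        if ($null -ne $value) { $telemetry = $value; break }
    }
    $levelIsZero = ($null -ne $telemetry) -and ($telemetry -eq 0)

    # Assumption: Always On profiles are visible through the MDM bridge class.
    # Profiles deployed in another user's context may not be listed here.
    $aovpn = @(Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
                 -ClassName 'MDM_VPNv2_01' -ErrorAction SilentlyContinue |
               Where-Object { $_.AlwaysOn -or
                              $_.ProfileXML -match 'AlwaysOn(>|&gt;)\s*true' })

    [pscustomobject]@{
        Is1903             = $is1903
        IsEnterprise       = $isEnterprise
        DiagnosticLevel    = $telemetry               # $null means not configured
        AlwaysOnVpnCount   = $aovpn.Count
        MatchesKnownIssue  = $is1903 -and $levelIsZero -and ($aovpn.Count -gt 0)
    }
}

Test-RasmanKnownIssueExposure
```

On a typical Home or Pro PC the diagnostic level comes back unconfigured or nonzero and no Always On profile is found, so MatchesKnownIssue is False.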
(As an aside, the caption on the generic art illustrating the Forbes post reads, "Windows 10 users have been exposed to a worrying new vulnerability." This is not a vulnerability. It's a bug.)
Anyway, all that is prelude to Gordon's threatdown:
"The big one is VPNs. RASMAN handles how Windows 10 connects to the internet and it is a core background task for VPN services to function normally. Given the astonishing growth in VPN usage for everything from online privacy and important work tasks to unlocking Netflix and YouTube libraries, this has the potential to impact heavily on how you use your computer."
Oh my oh my oh my. Where do we even begin?
First things first: Rasman is not "how Windows 10 connects to the internet" unless you are trapped in a Stranger Things episode and forced to use a dial-up modem (because it's 1985) or you are, as I mentioned earlier, a sysadmin deploying a pretty unusual new VPN configuration as you migrate from DirectAccess.
For the other 99.785% of us, Rasman represents Windows code that never gets used. Ever.
An AOVPN connection exists to connect remote offices to the main Windows 2016 server at HQ, directly and securely, without using the public Internet. And it has nothing to do with consumer VPN configurations you're likely to use for (looking once again at Gordon's post) "unlocking Netflix and YouTube libraries."
That's, uh, not normally the sort of thing you do over the corporate network.
We mortals who connect to the Internet by plugging in an Ethernet cable or connecting to a Wi-Fi access point are totally in the clear here, even if we're among the early adopters running Windows 10 version 1903.
Of course, if you are a Windows sysadmin, you can always work around this by setting the VPN connections to manual. But, as a sysadmin, you are months away from actually deploying Windows 10 version 1903, because that version was released only about six weeks ago and Microsoft advises enterprises to go slowly: "We recommend that you begin deployment of each Semi-Annual Channel release immediately as a targeted deployment to devices selected for early adoption and ramp up to full deployment at your discretion."
I don't know of any enterprise customers that widely deploy new releases within weeks of their release. Because of bugs like this, in fact.
And what about that "50 million users" part? This one is especially precious. Gordon writes, in a voice that is practically a conspiratorial whisper:
"Interestingly, in detailing the issue Microsoft states that it only affects Windows 10 1903 - the latest version of the platform. The problem is Windows 10 1903 accounts for a conservative total of at least 50M users."
Here is where we ignore the parts about the diagnostic data setting being manually configured to 0 and also the AOVPN part and how that affects a tiny proportion of Windows 10 users and we just run with Gordon Kelly's fearmongering.
"Why conservative? Because Microsoft states Windows 10 has been installed on 800M computers worldwide, but that figure is four months old. Meanwhile, the ever-reliable AdDuplex reports Windows 10 1903 accounted for 6.3% of all Windows 10 computers in June (50.4M), but that percentage was achieved in just over a month and their report is 10 days old."
The ever-reliable AdDuplex? Uh, no.
The Internet is filled with small-time players who want to pretend that they have a deep understanding of the global Internet. AdDuplex is one of them, sadly.
I dealt with this canard a year ago. AdDuplex is the very definition of "garbage in, garbage out." Seriously. For the details, see "Has Microsoft accelerated its latest Windows 10 rollout? Not so fast." And then read "Is speedy rollout of Windows 10 version 1803 causing quality problems?"
But the best part of Mr. Kelly's post, by far, was this excerpt, which made me laugh so loud I think I scared my dog.
"Microsoft has listed a complex workaround, but no timeframe has been announced for an actual fix."
Ladies and gentlemen, the article that Gordon Kelly was TOO AFRAID TO LINK TO says this:
"We are working on a resolution and estimate a solution will be available in late July."
That's, uh, a couple weeks from today.
It might also be worth noting at this point that this is an optional update. It's not installed automatically. It is literally a preview of the July cumulative update, released at the end of the previous month for corporate customers to test. Those tests by enterprise customers involve configurations like these on targeted devices, and until those issues are resolved no enterprise will consider the current release ready for widespread deployment.
You would know that if you were an IT pro responsible for corporate PC deployments. But you wouldn't know that if you read Forbes.
The moral of this story is clear: Friends don't let friends read Forbes stories about Windows 10.
* As usual, I am loath to link directly to Mr. Kelly's particular brand of claptrap, but if you insist on reading the article in question, click the asterisk at the beginning of this footnote.
Approximately 18 hours after I published this post, Mr. Kelly added an update to his post. He didn't change the misleading headline or any of the numerous factual errors in it, nor was there any expression of regret to the half-million or so poor souls who read his inaccurate and fear-mongering post. Here's what he wrote:
"Update: my thanks to Microsoft which clarified to me that the RASMAN issue will only impact Windows 10 Enterprise. The problem also stems from a non-default setting when used in conjunction with a VPN profile being configured as Always On. As such, the potential fallout from it will be significantly smaller than I originally understood. If you think you may still be affected, please click the existing link to the Microsoft report in the paragraph below."
Weird that he had to ask Microsoft to "clarify" something that anyone who understands Windows 10 could have easily found in the original support article. Normally, one asks for comment before publishing an article like this. And, hilariously, the part at the end about clicking "the existing link to the Microsoft report"? There's no such link.