WMI Hotfixes to date 29.07.2015
During IE11 projects we have seen problems with some WMI and WUSA.EXE KB installations. It sometimes seems that the WMI provider
that supplies that information hangs or is out of date. Even with a command to refresh it, it stays stuck. This is a list of hotfixes we found in that direction.
For Existing Windows 7 64BIT Deployments with SP1.
YES = Installs on W7 SP1 64BIT with all updates from WSUS to date 29.07.2015
NO = Does not install on same system
003 (YES but choose 2617858)
Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7
2465990 > SUPERSEDED > Replaced by > 2617858 (https://support.microsoft.com/en-us/kb/2617858)
2465990 > Windows6.1-KB2465990-v3-x64.msu (Older)
2617858 > Windows6.1-KB2617858-x64.msu (Newer, supersedes the old one)
Not only ET wants to phone home! Microsoft is bombarding even corporate and small-business customers with updates they don't want and never agreed to. KB3022345 seems to be a patch for clients and servers which sends a lot of information, encoded over SSL, to Microsoft servers. They must be short on time for their Windows 10 releases and are trying to catch every application in the world. As if we did not supply enough information with tools like MACT (https://www.microsoft.com/en-us/download/details.aspx?id=7352), they now get the info unasked. Feel free to block it on your private or corporate firewall. And no, nobody has pre-selected the Windows 10 download and test-bunny mode.
Hosts which are connected:
Update for customer experience and diagnostic telemetry
This update has been replaced by the latest update for customer experience and diagnostic telemetry that was first released on June 2, 2015. To obtain the update, see 3068708 Update for customer experience and diagnostic telemetry.
Helping the overall application experience
The Diagnostics Tracking service collects diagnostics about functional issues on Windows systems that participate in the Customer Experience Improvement Program (CEIP). CEIP reports do not contain contact information, such as your name, address, or telephone number. This means CEIP will not ask you to participate in surveys or to read junk email, and you will not be contacted in any other way.
For any released product with an option to participate in CEIP, you can decide to start or stop participating at any time. Most programs make CEIP options available on the Help menu, although for some products, you might have to check settings, options, or preferences menus. Some prerelease products that are under development might require participation in CEIP to help ensure the final release of the product improves frequently used features and solves common problems that exist in the prerelease software.
Please also see Windows 10 NAG screen posting we made:
McAfee EPO: prevent EXE files running from %appdata% folders with an Access Protection policy
How to protect against most 0-day Flash exploits and malware like the Cryptowall ransomware in summer 2015. You simply can't keep up with patching, even with deployment or
management solutions in place. By now you should have an IPS filter like Fortigate with Fortiguard. Fortigate is involved most of the time in the detection of Flash exploits, so it is a good choice in that direction.
But the problem is malware delivered over SSL/HTTPS if you can't break the stream because of legal concerns.
Here is a solution from McAfee to strip it down, but as always it is not clear in their documentation.
Sure, this covers 80%, but it will take out some heat. Another tip from our side would be to use Microsoft EMET. There is also a GPO to prevent such things, but this will take more time to set up.
Mcafee EPO Server Logon
Go to Clients
Access Protection Policy
Choose your "Policy" > "My Default"
Now the trick was the PATH. I am not sure, but ONE McAfee KB was wrong or not so effective here.
We are still unsure whether it has to be \ or / if you read their documentation.
Well, here is how it worked for us. We don't want to catch %appdata%\temp because there is already an
option in McAfee itself for that, and it was not a good idea with some customers and special apps.
avtask.exe, cfgwiz.exe, csscan.exe, dainstall.exe, EngineServer.exe, fssm32.exe, giantantispywa*, ienrcore.exe, kavsvc.exe, KillWia64.exe, mcdatrep.exe, mcscript*, mcshield.exe, mcupdate.exe, mfeann.exe, mfehidin.exe, msi*.tmp, msiexec.exe, mue_inuse.exe, navw32.exe, ncdaemon.exe, nmain.exe, Patch.log, regsvc.exe, rtvscan.exe, sdat*.exe, svchost.exe, TrolleyExpress.exe, VirusScanAdvancedServer.exe, vmscan.exe, VSE88HF793781.exe, \:::mcadmin.exe, \:::mcconsol.exe, \:::mcupdate.exe, \:::restartVSE.exe, \:::scan32.exe, \:::scncfg32.exe, \:::shcfg32.exe, \:::shstat.exe, \:::VSCore\dainstall.exe, \:::VSCore\x64\dainstall.exe, \:::vstskmgr.exe, \:::x64\scan64.exe
Some sample search patterns:
Find unwanted Google chrome.exe under %appdata%\local everywhere
Check left corner FOR "Workstation" and for "Server"
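Before such a rule blocks anything, it helps to know which executables already live under the users' AppData folders on a test client (per-user Chrome installs, for example). The following inventory is an added example, not part of the original post or of McAfee's tooling; it assumes Windows PowerShell 5.1, an elevated prompt, profiles under `<SystemDrive>\Users`, and a report file name chosen only for illustration.

```powershell
# Added example, read-only: list every *.exe below each profile's AppData so the
# Access Protection rule can be reviewed against a real client before it blocks.
$profilesRoot = Join-Path $env:SystemDrive 'Users'                 # assumption: default profile root
$reportPath   = Join-Path $env:TEMP 'appdata-exe-inventory.csv'    # hypothetical output file

$found = foreach ($userDir in Get-ChildItem -LiteralPath $profilesRoot -Directory -Force -ErrorAction SilentlyContinue) {
    $appData = Join-Path $userDir.FullName 'AppData'
    if (-not (Test-Path -LiteralPath $appData)) { continue }

    # Temp is skipped on purpose: the post leaves it to McAfee's own option.
    $tempPrefix = (Join-Path $appData 'Local\Temp') + '\'

    Get-ChildItem -LiteralPath $appData -Filter '*.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.FullName.StartsWith($tempPrefix, [StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                User      = $userDir.Name
                FileName  = $_.Name
                Path      = $_.FullName
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified  = $_.LastWriteTime
            }
        }
}

# Most frequent file names first: these are the applications the rule would hit
# on many machines and that may need an exclusion or a proper deployment.
$found | Group-Object FileName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Unsigned or invalidly signed binaries deserve a closer look, newest first.
$found | Where-Object { $_.SigStatus -ne 'Valid' } | Sort-Object Modified -Descending |
    Format-Table User, Path, SigStatus, Modified -AutoSize

$found | Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8
```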
Client side TEST
EPO side view
Original Link from Mcafee:
Wildcard patterns mcafee:
How can you replace a DLL or a file on an Enteo client for testing? Today we received a DLL for a DEV fix from Frontrange. Then, after asking, we also got a link to a KB which describes a key. If anyone understands where you should or may change it now, they can explain it to us. Perhaps in a drawing or diagram?
WARNING Frontrange is now an English company (KB article 12492)
Never use / change this key on a Management Point Server. This key must always be set on a Management Point Server because the client binary update is performed during Management Point update automatically.
Replacing a single TEST DLL on the Enteo agent
Fix.reg: this key must be set on the DSM/Enteo/Frontrange client
Windows Registry Editor Version 5.00
Example: replacing files which Enteo customers receive from support:
KB article 12492
ADAC = NOT the German roadside assistance service ;-)
Fine grained Password Policy in 2013 R2 Domain Active Directory, Error 4625 event
Sometimes you need accounts that never expire or do not get locked out. We all know it's stupid in security terms, but if the software has a bug and locks the account you have to hurry. Search on ALL of the domain controllers for event 4625. There you should see the client that does it. There are also lockout/whoislocked scripts that do that. (Account locked)
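The search across all domain controllers can be scripted. This is an added example, not one of the lockout/whoislocked scripts mentioned above; it assumes the RSAT ActiveDirectory module, remote event log access to every DC, and a hypothetical account name `svc_example`.

```powershell
# Added example: collect failed logons (event 4625) for one account from every
# domain controller and show which client they come from.
Import-Module ActiveDirectory

$account = 'svc_example'              # hypothetical account that keeps getting locked
$since   = (Get-Date).AddHours(-24)   # assumption: the last 24 hours are enough

$failures = foreach ($dc in Get-ADDomainController -Filter *) {
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Raised for an unreachable DC and also when a DC simply has no matching events.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($evt in $events) {
        # Turn the named <Data> fields of the event into a lookup table.
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['TargetUserName'] -ne $account) { continue }

        [pscustomobject]@{
            Time        = $evt.TimeCreated
            DC          = $dc.HostName
            Account     = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            LogonType   = $data['LogonType']
            SubStatus   = $data['SubStatus']   # 0xC000006A = wrong password, 0xC0000234 = locked out
        }
    }
}

# The client with the highest count is usually the one with the stale credential.
$failures | Group-Object Workstation, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$failures | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```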
The regular Domain password policy is here:
But we want a second one with different settings and only for a few users in a security group
New way with ADAC on 2012R2
Old way with ADSIEDT.MSC
Make a new ADS group, sg_gpo_password_policy_bsb_non_locked, and make the accounts which should have the special password policy members of that group ("Only user accounts").
Go to SYSTEM
Go to Password Settings Container
Choose "Directly applies to" and make sure you choose the correct Security Group you made for this.
Under cmd on DC do a:
It's finished and working.
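To confirm that the policy reaches exactly the intended accounts, the result can be checked from PowerShell instead of ADSIEDT. This is an added example, not part of the original post; it is read-only and assumes the RSAT ActiveDirectory module on 2012 R2 or later, using the group name from the steps above.

```powershell
# Added example, read-only: verify which password settings object (PSO) each
# member of the exemption group really gets.
Import-Module ActiveDirectory

$groupName = 'sg_gpo_password_policy_bsb_non_locked'   # group name from the steps above
$group     = Get-ADGroup -Identity $groupName

# 1) Which PSOs list the group under "Directly applies to"?
$linked = Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.AppliesTo -contains $group.DistinguishedName }
if (-not $linked) { Write-Warning "No password settings object applies to $groupName" }
$linked | Format-Table Name, Precedence, LockoutThreshold, MinPasswordLength, MaxPasswordAge -AutoSize

# 2) What does each member effectively get? With several PSOs on one user,
#    the one with the lowest precedence value wins.
$report = foreach ($member in Get-ADGroupMember -Identity $group) {
    if ($member.objectClass -ne 'user') {
        [pscustomobject]@{
            Member           = $member.SamAccountName
            EffectivePolicy  = ''
            LockoutThreshold = ''
            Finding          = "member is a $($member.objectClass), not a user account"
        }
        continue
    }

    # Returns nothing when only the regular domain password policy applies.
    $effective = Get-ADUserResultantPasswordPolicy -Identity $member.DistinguishedName
    $finding = if (-not $effective) {
        'no PSO applies, domain policy in effect'
    } elseif ($linked.Name -notcontains $effective.Name) {
        'another PSO wins on precedence'
    } else { 'ok' }

    [pscustomobject]@{
        Member           = $member.SamAccountName
        EffectivePolicy  = $effective.Name
        LockoutThreshold = $effective.LockoutThreshold
        Finding          = $finding
    }
}
$report | Sort-Object Finding, Member | Format-Table -AutoSize
```

Re-running the check after every membership change keeps the list of accounts exempt from lockout short and known.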
CROSS CHECK old Method with ADSIEDT
Butsch Informatik | CH-4147 Aesch/BL | www.ntfaq.ch | www.butsch.ch | info (at) ntfaq.ch