Windows 10 NAG screen active, How to prevent (on W7/W8)

by butsch 10. June 2015 05:56

Microsoft is pushing ahead with Windows 10; the launch is in July 2015. Where the goal was to block 8.0 and 8.1, you should stay on the ball here. System integrators are deploying W10, and migration will happen as soon as it is possible.

This icon apparently arrived with KB3035583 in May 2015. It was blocked on the WSUS as such, but it slipped through at small customers without a WSUS.

  • BlockWindows10.cmd uninstalls 3 patches (and calls the VBScript)
  • The VBScript HideWindowsUpdates.vbs hides the 3 patches from the Windows Update client (wuapp.exe)


Currently four patches are candidates for triggering parts of this. Workaround: uninstall them and hide them from Windows Update.



Compatibility update for upgrading Windows 7


Update that enables you to upgrade from Windows 7 to a later version of Windows


Update to enable the Diagnostics Tracking Service in Windows


Update enables additional capabilities for Windows Update notifications in W 8.1 and W7 SP1


Good main link on the problem:


User OPMET posted some script which we slightly modified:



FILE: BlockWindows10.cmd

@echo off

:: remember to invoke from ELEVATED command prompt!
:: or start the batch with context menu "run as admin".

echo uninstalling updates ...
echo - 2952664
start "title" /b /wait wusa.exe /kb:2952664 /uninstall /quiet /norestart
echo - 2990214
start "title" /b /wait wusa.exe /kb:2990214 /uninstall /quiet /norestart
echo - 3022345
start "title" /b /wait wusa.exe /kb:3022345 /uninstall /quiet /norestart
echo - 3035583
start "title" /b /wait wusa.exe /kb:3035583 /uninstall /quiet /norestart
echo - done.
timeout 10

:: Refresh the WMI information about the patches
echo - Update WMI Info der Patche fuer Windows Update
C:\Windows\System32\wbem\wmic.exe qfe > nul

echo hiding updates ...
:: %~dp0 is the folder of this batch file; "run as admin" usually starts in System32,
:: so a bare relative path to the VBScript would not be found.
start "title" /b /wait cscript.exe "%~dp0HideWindowsUpdates.vbs" 2952664 2990214 3022345 3035583


FILE: HideWindowsUpdates.vbs

'Inspired by Colin Bowern:

If Wscript.Arguments.Count < 1 Then
    WScript.Echo "Syntax: HideWindowsUpdate.vbs [Hotfix Article ID]" & vbCRLF & _
        " - Examples: HideWindowsUpdate.vbs 2990214" & vbCRLF & _
        " - Examples: HideWindowsUpdate.vbs 3022345 3035583"
    WScript.Quit 1
End If

Dim objArgs
Set objArgs = Wscript.Arguments

'Open a Windows Update Agent session and search for updates that are not installed
Dim updateSession, updateSearcher
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()

Wscript.Stdout.Write "Searching for pending updates..."
Dim searchResult
Set searchResult = updateSearcher.Search("IsInstalled=0")

Dim update, kbArticleId, index, index2
WScript.Echo CStr(searchResult.Updates.Count) & " found."

'Compare every KB article ID of every pending update with the IDs given as arguments
For index = 0 To searchResult.Updates.Count - 1
    Set update = searchResult.Updates.Item(index)
    For index2 = 0 To update.KBArticleIDs.Count - 1
        kbArticleId = update.KBArticleIDs(index2)

        For Each hotfixId in objArgs
            If kbArticleId = hotfixId Then
                If update.IsHidden = False Then
                    WScript.Echo "Hiding update: " & update.Title
                    update.IsHidden = True
                Else
                    WScript.Echo "Already hiddn: " & update.Title
                End If
            End If
        Next
    Next
Next


Microsoft enables Strict Transport Security in Windows 7 and 8.1 with Internet Explorer 11

by butsch 10. June 2015 01:21


Patch: Update KB3058515 (MS15-056)

For: Internet Explorer 11 ONLY

What for: Forces an SSL (HTTPS) connection if the website supports it, and ONLY from the second visit on.

With the Microsoft July Update KB3058515 (MS15-056), Microsoft finally activates HSTS in IE11. This was planned for Windows 10 and now comes to Windows 7 and 8.1. Certain customers have been asking for this since 2013.

Some points to know.

  • The website has to have HSTS activated on the server side (see the secure net paper on how to do that)
  • It only takes effect from the second visit to the site
  • Keep in mind that browser performance MAY take a hit. See the first presentation in the link for related info on that.
  • All US government agencies are HTTPS-only, effective immediately (after the hacks of late 2014)
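
The second-visit behaviour from the list above, as an added example (not code from this blog or from Microsoft): a simplified Python model of a browser HSTS store that parses the Strict-Transport-Security header and upgrades later http:// requests. The function and class names and the host example.test are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if max-age is missing or invalid."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not (value.isascii() and value.isdigit()):
                return None  # duplicate or non-numeric max-age: ignore the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

class HstsCache:
    """Simplified model of a browser's HSTS store (not IE11's implementation)."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def is_known(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # A parent entry only covers this host if it set includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def visit(self, url, response_headers, now):
        """Return the URL actually requested, then learn policy from the response."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            url = "https" + url[4:]  # upgraded inside the browser, nothing sent in clear
            parts = urlsplit(url)
        policy = parse_hsts(response_headers.get("Strict-Transport-Security", ""))
        # The header is honoured only when it arrives over HTTPS.
        if parts.scheme == "https" and policy:
            if policy["max_age"] == 0:
                self.hosts.pop(parts.hostname, None)  # max-age=0 removes the entry
            else:
                expiry = now + policy["max_age"]
                self.hosts[parts.hostname] = (expiry, policy["include_subdomains"])
        return url

# Constructed sample: example.test is a placeholder host, times are plain seconds.
HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```

A first `visit("http://example.test/", HEADERS, 0)` returns the URL unchanged; only after one `https://` visit carrying the header does the same `http://` URL come back as `https://`.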




See our IE11 Deployment Links:




VEEAM, Make sure Replicas do NOT connect/Startup by accident

by butsch 27. May 2015 05:04


When I first saw VEEAM replicas, I asked people what happens if the VMware ESX host crashes and someone just starts all the machines he finds on the ESX (as IT may have told staff in remote affiliates to do). The problem is that the Veeam REPLICAS could also be started.

This would be a disaster, because an old Exchange server and an old domain controller would be in contact with the live (production) network.

Solution Since Veeam 7.0

Veeam calls it network mapping. On the replica you can choose which ESX network will be connected, and this can be different from the one on the source machine.

On the ESX server: create a new switch and a dummy network in ESX. Maybe also change the VLAN ID to something you never use. Make sure that no adapter is connected on the right side.


VLAN ID: 233


This is the target solution we want. The replicas should land connected to VM_VEEAM_DUMMY, so if someone or something starts them up by accident or in error, they have no connection to the production network.


Now change the Veeam Replica Job.


Select "Separate Virtual Networks"

SOURCE: Select the source network as it is on the source server you get the machine from

TARGET: Select the server where you want the replicas (or already have them) and then choose the newly created VM_VEEAM_DUMMY

Click through and FINISH (don't change existing settings)

Now the replicas will automatically land in the empty network.


Internet Explorer 10 / 11 IE Warnung, GPO, Gruppenrichtlinien, Group Policy

by butsch 26. May 2015 23:35

Error or pop-up in IE10/IE11


Sie sind im Begriff, sich Seiten über eine sichere Verbindung anzeigen zu lassen. Keine Information, die Sie mit dieser Seite austauschen, kann von anderen Personen im Web gesehen werden.


You are about to view pages over a secure connection.


This does not seem to be possible with a GPO setting or within an ADM/ADMX template from MS. You need to deploy an HKCU key.

Change this key from 1 to 0 per USER (HKCU)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings









Integrate that into a GPO




Make sure you have a WMI filter so you only catch IE11 on clients:


See our blog for info on how to do that







Exchange 2010 SP3 RU9 / 2013 CU8, ROLLUP and Android problems

by butsch 26. May 2015 02:16

A remote mailbox user receives the following error message when he or she tries to configure Exchange Active Sync account on an Android device:

Setup could not finish

Failed to search Exchange server automatically. Enter settings manually


If the MobileSyncRedirectBypass feature is causing the problem, you can turn it off by editing the web.config file for the Autodiscover protocol:

  1. Locate the web.config file for the Autodiscover protocol:
    1. For Exchange Server 2013 MBX, the file is in the following location:


    2. For Exchange Server 2010 CAS, the file is in the following location:


  2. Open the web.config in Notepad, and then change the existing string from "true" to "false."
  3. Save the file.
  4. Run IISRESET /Norecycle.

Follow these steps on all CAS servers that will receive Autodiscover queries from devices.

