Windows 10 NAG screen active, How to prevent (on W7/W8)

by butsch 10. June 2015 05:56

Microsoft is pushing ahead with Windows 10; the launch is in July 2015. Where the goal with 8.0 and 8.1 was to prevent them, this time you should stay on the ball. The system integrators are deploying W10 and will migrate as soon as this is possible.

This icon probably arrived with KB3035583 in May 2015. As such it was blocked on the WSUS, but it slipped through at the small customers without a WSUS.

  • BlockWindows10.cmd uninstalls 3 patches (and calls the VBScript)
  • The VBScript HideWindowsUpdates.vbs hides the 3 patches from the Windows Update client (wuapp.exe)

Currently four patches come into question, each of which triggers parts of this. Workaround: uninstall them and hide them from Windows Update.


  • KB2952664: Compatibility update for upgrading Windows 7
  • KB2990214: Update that enables you to upgrade from Windows 7 to a later version of Windows
  • KB3022345: Update to enable the Diagnostics Tracking Service in Windows
  • KB3035583: Update enables additional capabilities for Windows Update notifications in W 8.1 and W7 SP1

 

Good main link on the problem:

http://superuser.com/questions/922068/how-to-disable-the-get-windows-10-icon-shown-in-the-notification-area-tray

 

User OPMET posted some script which we slightly modified:

 

 

FILE: BlockWindows10.cmd

    @echo off
    cls
    :: remember to invoke from ELEVATED command prompt!
    :: or start the batch with context menu "run as admin".

    SETLOCAL

    echo uninstalling updates ...
    echo - 2952664
    start "title" /b /wait wusa.exe /kb:2952664 /uninstall /quiet /norestart
    echo - 2990214
    start "title" /b /wait wusa.exe /kb:2990214 /uninstall /quiet /norestart
    echo - 3022345
    start "title" /b /wait wusa.exe /kb:3022345 /uninstall /quiet /norestart
    echo - 3035583
    start "title" /b /wait wusa.exe /kb:3035583 /uninstall /quiet /norestart
    echo - done.
    timeout 10

    :: Refresh the WMI information about the patches
    echo - Update WMI Info der Patche fuer Windows Update
    C:\Windows\System32\wbem\wmic.exe qfe > nul

    echo hiding updates ...
    :: %~dp0 = folder of this batch file. "Run as admin" starts in System32,
    :: so a relative path to the VBScript would not be found there.
    start "title" /b /wait cscript.exe "%~dp0HideWindowsUpdates.vbs" 2952664 2990214 3022345 3035583

 

FILE: HideWindowsUpdates.vbs

    'Inspired by Colin Bowern: http://serverfault.com/a/341318
    If Wscript.Arguments.Count < 1 Then
        WScript.Echo "Syntax: HideWindowsUpdates.vbs [Hotfix Article ID]" & vbCRLF & _
            " - Examples: HideWindowsUpdates.vbs 2990214" & vbCRLF & _
            " - Examples: HideWindowsUpdates.vbs 3022345 3035583"
        WScript.Quit 1
    End If

    Dim objArgs
    Set objArgs = Wscript.Arguments
    Dim updateSession, updateSearcher
    Set updateSession = CreateObject("Microsoft.Update.Session")
    Set updateSearcher = updateSession.CreateUpdateSearcher()

    'Only updates that are not installed can be hidden
    Wscript.Stdout.Write "Searching for pending updates..."
    Dim searchResult
    Set searchResult = updateSearcher.Search("IsInstalled=0")

    Dim update, kbArticleId, hotfixId, index, index2
    WScript.Echo CStr(searchResult.Updates.Count) & " found."
    For index = 0 To searchResult.Updates.Count - 1
        Set update = searchResult.Updates.Item(index)
        'An update can carry more than one KB article ID
        For index2 = 0 To update.KBArticleIDs.Count - 1
            kbArticleId = update.KBArticleIDs(index2)

            'Compare against every KB number passed on the command line
            For Each hotfixId in objArgs
                If kbArticleId = hotfixId Then
                    If update.IsHidden = False Then
                        WScript.Echo "Hiding update: " & update.Title
                        update.IsHidden = True
                    Else
                        WScript.Echo "Already hidden: " & update.Title
                    End If
                End If
            Next

        Next
    Next

 

 

BlockWindows10.zip (743.00 bytes)

HideWindowsUpdates.zip (751.00 bytes)
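
To check the result after BlockWindows10.cmd has run, the following added example (not part of the original scripts) reports for each of the four KBs whether it is still installed and whether it is hidden in Windows Update. It uses Get-HotFix and the same Microsoft.Update.Session COM object as the VBScript; the function name Get-UpgradeKbState is made up for this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Written for the PowerShell 2.0 that ships with Windows 7.
$kbs = '2952664', '2990214', '3022345', '3035583'   # the four KBs named in the post

function Get-UpgradeKbState {
    param([string[]]$KbIds)

    # Installed hotfixes, IDs reduced to digits only ("KB3035583" -> "3035583")
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID -replace '\D', '' })

    # Same COM API as HideWindowsUpdates.vbs: list updates that are hidden and not installed
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $hidden = @()
    foreach ($update in $searcher.Search('IsInstalled=0 and IsHidden=1').Updates) {
        foreach ($id in $update.KBArticleIDs) { $hidden += [string]$id }
    }

    foreach ($kb in $KbIds) {
        $isInstalled = $installed -contains $kb
        $isHidden    = $hidden -contains $kb
        if ($isInstalled)  { $state = 'STILL INSTALLED' }
        elseif ($isHidden) { $state = 'not installed, hidden' }
        else               { $state = 'not installed, NOT hidden (can be offered again)' }
        New-Object PSObject -Property @{
            KB = "KB$kb"; Installed = $isInstalled; Hidden = $isHidden; State = $state
        }
    }
}

Get-UpgradeKbState -KbIds $kbs |
    Select-Object KB, Installed, Hidden, State |
    Format-Table -AutoSize
```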


Microsoft enables Strict Transport Security in Windows 7 and 8.1 with Internet Explorer 11

by butsch 10. June 2015 01:21


Patch: Update KB3058515 (MS15-056)

For: Internet Explorer 11 ONLY

What for: IE makes an SSL (HTTPS) connection on its own if the website supports it, and ONLY from the second visit on.

With the Microsoft July Update KB3058515 (MS15-056), Microsoft finally activates HSTS in IE11. This was planned for Windows 10 and now also comes to Windows 7 and 8.1. Certain customers have been asking for this since 2013.

https://connect.microsoft.com/IE/feedback/details/793747/ie11-feature-request-support-for-the-strict-transport-security-header

Some points to know.

  • The website has to have HSTS activated on the server side (see the securenet paper on how to do that)
  • It only takes effect from the second visit to the site on
  • Keep in mind that browser performance MAY take a hit. See the first presentation in the links below for related info.
  • All US government agencies are https-only from now on (after the hacks at the end of 2014)

 

http://www.internet2.edu/presentations/fall11/20111004-stsauver-hsts-performance.pdf

http://tech.slashdot.org/story/15/06/09/2219211/internet-explorer-11-gains-http-strict-transport-security-in-windows-7-and-81

https://www.securenet.de/fileadmin/papers/HTTP_Strict_Transport_Security_HSTS_Whitepaper.pdf

http://caniuse.com/#feat=stricttransportsecurity

https://status.modern.ie/httpstricttransportsecurityhsts

https://support.microsoft.com/de-de/kb/3058515
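
Why the protection only applies from the second visit, as an added example (a simplified model written for this page, not IE11's implementation): the browser only stores the policy once it has received the Strict-Transport-Security header over HTTPS. Host name, header value and function names are constructed; includeSubDomains matching is left out.

```powershell
# Added example: simplified model of a browser's HSTS store (exact host match only).
$HstsStore = @{}   # host name -> time at which the stored policy expires

function Get-HstsMaxAge {
    # Returns max-age in seconds, or nothing if the header is absent or has no valid max-age.
    param([string]$Header)
    if (-not $Header) { return }
    foreach ($directive in $Header.Split(';')) {
        if ($directive.Trim() -match '^max-age\s*=\s*"?(\d+)"?$') { return [long]$Matches[1] }
    }
}

function Invoke-ModelVisit {
    # $Url: what the user typed or clicked. $ServerHeader: the header the server sends back.
    param([string]$Url, [string]$ServerHeader, [datetime]$Now = (Get-Date))
    $uri    = [uri]$Url
    $scheme = $uri.Scheme
    $known  = $HstsStore.ContainsKey($uri.Host) -and ($HstsStore[$uri.Host] -gt $Now)

    # Known host: the browser rewrites http:// to https:// before sending anything.
    if ($scheme -eq 'http' -and $known) { $scheme = 'https' }

    if ($scheme -eq 'https') {
        # The header only counts when received over HTTPS; over plain HTTP it is ignored.
        $maxAge = Get-HstsMaxAge $ServerHeader
        if ($maxAge -eq 0)     { $HstsStore.Remove($uri.Host) }   # max-age=0 deletes the policy
        elseif ($maxAge -gt 0) { $HstsStore[$uri.Host] = $Now.AddSeconds($maxAge) }
    }
    $scheme   # scheme actually used for this request
}

$header = 'max-age=31536000; includeSubDomains'   # constructed sample header
$visits = 'http://portal.example.com/',    # first contact, nothing stored yet
          'https://portal.example.com/',   # e.g. after the server's redirect: policy is learned
          'http://portal.example.com/'     # same http:// link again, policy now in the store
foreach ($url in $visits) {
    '{0,-30} -> sent as {1}' -f $url, (Invoke-ModelVisit $url $header)
}
```

The first request is the gap the post refers to: it is sent exactly as typed, because there is no stored policy yet.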

 

 

 

See our IE11 Deployment Links:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

 

 


VEEAM, Make sure Replicas do NOT connect/Startup by accident

by butsch 27. May 2015 05:04

 

When first seeing VEEAM replicas, I asked the people what happens if the VMware ESX crashes and someone just starts all the machines he finds on the ESX (like maybe IT told you to do in remote affiliates). The problem is that the REPLICAS from VEEAM could also be started.

This would be a disaster, because an outdated Exchange server and domain controller would be in contact with the live (production) network at the same time as the originals.

Solution since Veeam 7.0

Veeam calls it network mapping. On the replica you can choose which ESX network will be connected, and this can be different than on the source machine.

On the ESX server: create a new switch and a dummy network in ESX. Maybe also change the VLAN ID to something you never use. Make sure there is no adapter connected on the right side.

VM_VEEAM_DUMMY

VLAN ID: 233

 

This is the target state we want: the replicas should land connected to VM_VEEAM_DUMMY, so if someone or something starts them up by accident or in error, they have no connection to the productive network.

 

Now change the Veeam replica job.

EDIT

Select "Separate Virtual Networks"

SOURCE: Select the source network as it is on the source server you get the machine from

TARGET: Select the server you want the replicas on (or already have them on) and then choose the newly created VM_VEEAM_DUMMY

Click through and FINISH (don't change existing settings)

Now the replicas will automatically land in the empty network.
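
To verify the mapping, the following added example (not Veeam or VMware code) flags replica VMs whose network adapter is attached to anything other than the dummy port group. Assumptions: replicas carry the name suffix "_replica", the rows have the Parent and NetworkName properties that PowerCLI's Get-NetworkAdapter returns, and the sample rows and the function name Find-ExposedReplica are constructed.

```powershell
# Added example. Flags replicas that would come up on a real network if powered on.
function Find-ExposedReplica {
    param(
        [Parameter(ValueFromPipeline = $true)] $Adapter,
        [string]$IsolatedNetwork = 'VM_VEEAM_DUMMY',   # port group name from the post
        [string]$ReplicaPattern  = '*_replica'          # assumed replica naming
    )
    process {
        $vmName = $Adapter.Parent.Name                  # Parent is the VM the adapter belongs to
        if ($vmName -like $ReplicaPattern -and $Adapter.NetworkName -ne $IsolatedNetwork) {
            [pscustomobject]@{
                VM      = $vmName
                Adapter = $Adapter.Name
                Network = $Adapter.NetworkName
            }
        }
    }
}

# Constructed sample rows, shaped like the output of: Get-VM | Get-NetworkAdapter
function New-SampleAdapter($vm, $network) {
    [pscustomobject]@{
        Parent      = [pscustomobject]@{ Name = $vm }
        Name        = 'Network adapter 1'
        NetworkName = $network
    }
}
$sample = @(
    New-SampleAdapter 'EX01'         'VM Network'       # production VM, not a replica
    New-SampleAdapter 'EX01_replica' 'VM_VEEAM_DUMMY'   # replica, isolated as intended
    New-SampleAdapter 'DC01_replica' 'VM Network'       # replica still on a real network
)
$sample | Find-ExposedReplica | Format-Table -AutoSize

# Against a live host, after Connect-VIServer:
#   Get-VM | Get-NetworkAdapter | Find-ExposedReplica
```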


Internet Explorer 10 / 11 IE Warnung, GPO, Gruppenrichtlinien, Group Policy

by butsch 26. May 2015 23:35


Error or pop-up in IE10/IE11

German:

Sie sind im Begriff, sich Seiten über eine sichere Verbindung anzeigen zu lassen. Keine Information, die Sie mit dieser Seite austauschen, kann von anderen Personen im Web gesehen werden.

English:

You are about to view pages over a secure connection.

https://social.technet.microsoft.com/Forums/en-US/65e8f915-6300-4367-8aa5-626539a62240/disable-ie-10-11-security-alert-popup-w-group-policy?forum=winserverGP

 

This does not seem to be possible with a GPO or within an ADM/X from MS. You need to deploy an HKCU key.

Change these values from 1 to 0 per user (HKCU):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

  • WarnOnIntranet, REG_DWORD, 0
  • WarnonZoneCrossing, REG_DWORD, 0

0 = ZERO = DO NOT SHOW WARNING

 

Integrate that into a GPO

 

 

 

Make sure you have a WMI filter so you only catch IE11 on clients:

 

See our Blog for infos on how to do that

 

 

 

 

 


Exchange 2010 SP3 RU9 / 2013 CU8, ROLLUP and Android problems

by butsch 26. May 2015 02:16

A remote mailbox user receives the following error message when he or she tries to configure Exchange Active Sync account on an Android device:

Setup could not finish

Failed to search Exchange server automatically. Enter settings manually

https://support.microsoft.com/en-us/kb/3035227?wa=wsignin1.0

http://blogs.technet.com/b/exchange/archive/2015/03/17/announcing-update-rollup-9-for-exchange-server-2010-service-pack-3.aspx

http://www.microsoft.com/en-us/download/details.aspx?id=46372

Solution:

If the MobileSyncRedirectBypass feature is causing the problem, you can turn it off by editing the web.config file for the Autodiscover protocol:

  1. Locate the web.config file for the Autodiscover protocol:
    1. For Exchange Server 2013 MBX, the file is in the following location:

      %ExchangeInstallPath%\ClientAccess\Autodiscover

    2. For Exchange Server 2010 CAS, the file is in the following location:

      %ExchangeInstallPath%\ClientAccess\Autodiscover

  2. Open the web.config in Notepad, and then change the existing string from "true" to "false."
  3. Save the file.
  4. Run IISRESET /Norecycle.

Follow these steps on all CAS servers that will receive Autodiscover queries from devices.

Tags:

Exchange 2010 | Exchange 2013 | Microsoft Exchange | WSUS