IE11 IEAK 11 Setup 9 PRE Deployment Patches + 1 Hotfix

by butsch 11. March 2015 23:31

Internet Explorer 11 Setup with IEAK11 for Deployment

We have seen several postings on Social MSDN and also on deployment blogs from people struggling with the IEAK setup of IE11, or more precisely with the 9 PRE patches the IE 10/11 setup needs.

Technet describes the updates that have to be installed before you can install IE11 silently.

Error Source 1: Setup tries to fetch updates in the background and fails because of the Proxy

If these are not on the machine, the setup will try to fetch them from the internet. Because the "Computer account" (not the user) mostly has no PROXY information, this will fail. I will not show you how to change that here; the target should be to have all files ready from deployment.

Error Source 2: Reboot OR WMI update for patches after installing the PRE patches

If you install the 9 patches with a batch or script you should:

a) Reboot the client, which makes it a reboot-and-continue package that some deployment tools can't handle

b) Solution > Rebuild the patch inventory with "c:\windows\system32\wbem\wmic.exe qfe" (Does not work as of 19.03.2015)


The IEAK 11 version from March 2015 actually checks the version of the files as they are in place. So no patch inventory is checked to decide if additional updates are downloaded. Thus the reboot may be needed IF in-use files are present (a file that is only replaced on reboot still reports the old version).

> THUS the only working solution as of March 2015 would be a 3 STEP package:

1) Install PRE Deployment Patches (Reboot)

2) Install IEAK (Reboot)

3) Install Post Deployment Patches (may need Reboot)


00:01.841: INFO:    Version Check for (KB2834140) of C:\Windows\System32\d3d11.dll: 6.1.7601.17514 >= 6.2.9200.16570 (False)
00:01.841: WARNING: Checking version for C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll.  The file does not exist.
00:01.841: INFO:    Version Check for (KB2639308) of C:\Windows\System32\Ntoskrnl.exe: 6.1.7601.17803 >= 6.1.7601.17727 (True)
00:01.841: INFO:    Version Check for (KB2533623) of C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll: 6.1.7600.16385 >= 6.1.7601.17617 (False)
00:01.841: INFO:    Version Check for (KB2731771) of C:\Windows\System32\conhost.exe: 6.1.7601.17514 >= 6.1.7601.17888 (False)
00:01.841: INFO:    Checking for correct version of C:\Windows\Fonts\segoeui.ttf.
00:01.856: INFO:    Version Check for (KB2786081) of C:\Windows\System32\taskhost.exe: 6.1.7601.17514 >= 6.1.7601.18010 (False)
00:01.856: INFO:    Version Check for (KB2888049) of C:\Windows\System32\drivers\tcpip.sys: 6.1.7601.17514 >= 6.1.7601.18254 (False)
00:01.856: INFO:    Version Check for (KB2882822) of C:\Windows\System32\tdh.dll: 6.1.7600.16385 >= 6.1.7601.18247 (False)
00:02.621: INFO:    Download for KB2834140 initiated. Downloading -> KB2834140_amd64.MSU.
00:02.636: INFO:    Download for KB2533623 initiated. Downloading -> KB2533623_amd64.MSU.
00:02.636: INFO:    Download for KB2731771 initiated. Downloading -> KB2731771_amd64.CAB.
00:02.636: INFO:    Download for KB2786081 initiated. Downloading -> KB2786081_amd64.CAB.
00:02.652: INFO:    Download for KB2888049 initiated. Downloading -> KB2888049_amd64.MSU.
00:02.668: INFO:    Download for KB2882822 initiated. Downloading -> KB2882822_amd64.MSU.
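As an added example (not from the author or from Microsoft), the same file-version check the IEAK log above performs can be scripted, so a deployment task can decide whether the PRE patches are really in place and whether an in-use file still needs the reboot; the KB/file/minimum-version pairs are copied from the log lines above (Windows 7 SP1 x64), and the pending-rename check reads a standard Session Manager registry value.

```powershell
# Added example: check the IE11 prerequisites the way IEAK does (installed file
# versions, not the wmic qfe inventory) and report whether a reboot is still pending.
# KB -> file -> minimum version taken from the IEAK setup log above (Win7 SP1 x64).
# Run from a 64-bit PowerShell so System32 is not redirected to SysWOW64.
$checks = @(
    @{ KB='KB2834140'; File='System32\d3d11.dll';                           Min='6.2.9200.16570' },
    @{ KB='KB2639308'; File='System32\ntoskrnl.exe';                        Min='6.1.7601.17727' },
    @{ KB='KB2533623'; File='System32\api-ms-win-security-base-l1-1-0.dll'; Min='6.1.7601.17617' },
    @{ KB='KB2731771'; File='System32\conhost.exe';                         Min='6.1.7601.17888' },
    @{ KB='KB2786081'; File='System32\taskhost.exe';                        Min='6.1.7601.18010' },
    @{ KB='KB2888049'; File='System32\drivers\tcpip.sys';                   Min='6.1.7601.18254' },
    @{ KB='KB2882822'; File='System32\tdh.dll';                             Min='6.1.7601.18247' }
)

function Get-FileVersion([string]$Path) {
    # Build a System.Version from the numeric parts; the FileVersion string
    # carries a build tag like "(win7sp1_rtm...)" that does not parse as a version.
    $vi = (Get-Item $Path).VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$missing = @()
foreach ($c in $checks) {
    $path = Join-Path $env:SystemRoot $c.File
    if (-not (Test-Path $path)) {
        $ok = $false; $have = 'file does not exist'
    } else {
        $have = Get-FileVersion $path
        $ok = $have -ge [version]$c.Min      # component-wise compare, not a string compare
    }
    "{0,-10} {1,-50} {2,-16} >= {3,-16} ({4})" -f $c.KB, $c.File, $have, $c.Min, $ok
    if (-not $ok) { $missing += $c.KB }
}

# A patch installed without a reboot leaves the new binary in a pending rename;
# IEAK then still sees the old version on disk and starts downloading the KB again.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$rebootPending = $null -ne (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations

if ($missing.Count -eq 0 -and -not $rebootPending) { 'All PRE patches in place, IE11 setup can run.'; exit 0 }
if ($rebootPending) { 'Reboot pending: in-use files not yet replaced.' }
if ($missing.Count) { 'Missing or too old: ' + ($missing -join ', ') }
exit 1
```

The exit code lets a deployment tool chain this between step 1 (PRE patches) and step 2 (IEAK) and insert the reboot only when it is really needed.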


Error Source 3

KB2670838, Blurry Fonts Patch

KB2898202, Hotfix for Blurry Fonts Patch


If you take a closer look at the patches in KB2847882 you will see that they want to install the "blurry Fonts patch / KB2670838" which caused a lot of trouble a few months ago. On most WSUS servers this is declined. However IE11 needs that patch. Even worse, if you UNINSTALL the Blurry Fonts patch, IE will get uninstalled fully.

Solution is to install KB2670838 and then KB2898202, the HOTFIX.


Thanks to Karen HU from Pactera/China for pointing us in that direction.


Here is a list of Binaries:

Notes from the binary list:

- For IE11: normal download link available, binary present
- YES, with the note that on UNINSTALL of this patch IE11 is gone too
- YES, HOTFIX for the Blurry Fonts patch
- Uninstall described for IE10 but also valid for IE11




Mcafee DLP 9.3 missing option Removable Storage Protection in Agent Configuration

by butsch 4. March 2015 05:13


You are unable to choose "Removable Storage Protection" as the 4th option in Agent Configuration on the new DLP 9.3.

Migration from:

Existing EPO 4.6 and DLP 9.1

Under Agent Configuration I can choose "Removable Storage Protection" as the 4th option

NEW EPO 5.11 and DLP 9.3.400.23 does not show the option

- Settings migrated 1:1

- Device Control licence ACTIVE and entered


The manual says the following, which is MOST unclear on that point:

Advanced configuration tab (agent configuration)

DLP data access protection

When enabled, activates the DLP data access protection features. Default: enabled in both McAfee Device Control and full McAfee Data Loss Prevention Endpoint. No longer requires restarting for version 9.3 clients.


The option is no longer there UNDER Configuration > you CHOOSE under File Tracking AND "DLP Operation MODE" if you just want to HAVE Device Lock.


Also you may disable this option for speed (if the option above is selected there is no impact anyway).



Exchange 2007/2010/2013 with SPLIT DNS and ONE single Certificate

by butsch 3. March 2015 23:59


You have to renew an Exchange SAN/UC certificate and you can't do this anymore after 2015 because it contains a NON-EXTERNAL first-level (top-level) domain like ".LOCAL". Your options:

  1. Rename the full Windows domain in a 1-year project and have fun
  2. Integrate a SPLIT DNS as below and bend all Exchange URLs to the same FQDN

Main Technet Link:


I personally don't like this solution since in the most complex cases you may end up in trouble with some special cases like "RPC-over-HTTP" (Outlook Anywhere) and some Autodiscover functions.

On the other side I don't like wildcard certs for this, because if you have one, the other departments want to use the same certificate and in the end everyone uses it. Worst, it then lies around on laptops and servers if you don't control it strictly.

Currently, still March 2015, this is the only quick solution if your customer has a first-level Windows domain with .LOCAL. Mostly it's urgent because the cert has expired.


Just to mention that there is another way, but this needs planning and time.

Enterprise way:

Internal domain: Cover these with your own internal Certificate Authority (ask if you have one; make a separate project for that because it's sensitive and complex).

External domain: Use a cert provider SAN/UC certificate as we had before for all external FQDNs.

This enterprise mix however leads us to splitting the CAS/OWA directories onto separate SITES within IIS (because of only 1 cert per IIS site), or we make single separate CAS servers for internal and external (which Microsoft does not want us to do).

On the other side, if we have load balancers for the CAS, mostly those separate CAS are not in the load balancer HA team.



Timeline for SAN/UC certs with .LOCAL ending or a non-external first-level domain (www.technet.local)

Such a SAN certificate which includes .LOCAL is not valid anymore after some date, and you can't reorder it. (Screenshot)

Powershell: Get-ExchangeCertificate | fl

In the green BOX are the first-level .LOCAL domains that you can't COVER anymore in ONE cert in 2015.

INTERNAL DNS NAME:    customer.local (the Active Directory domain)

EXTERNAL DNS NAME: (your webserver, FTP, MX e-mail domain from external)

Third-level DOMAIN:

Why can't I renew?


Because we can't get a UC/SAN certificate with such names after November 2015 anymore, we have to convert the DNS into a SPLIT DNS setup. That means we copy the external DNS zone into the internal DNS. Even if you CAN renew it, it WILL only run until November 2015 with some cert issuers.

Make the SPLIT DNS


See links at the end for more help on the SPLIT DNS.

SPLIT DNS: Copy the external ZONE file to the internal Active Directory DNS

  1. Get the info from the external ZONE file from the provider/ISP: ask them, you need an extract (copy) of the ZONE file for your external domain.
  2. Create a new Active Directory integrated forward lookup ZONE with the same name "" internally.
  3. Make the A records internally so INTERNAL users can reach www and ftp also from internal (these are shown on the right side). Make "FTP" and "WWW" point to the same IP as the external ones. (If you don't do that, your INTERNAL users will not be able to reach the external website or cloud service you use with your ISP.)
  4. The ASYNC record in OUR sample POINTS to the IP of the Exchange 2010 CAS.
  5. On the external DNS the ASYNC record points to our firewall and then to the Exchange 2010 CAS.

This is how this may look.

Get the NEW SINGLE FQDN Certificate



We now need to change all FQDNs that Exchange uses for the different services to the SAME FQDN the SINGLE domain cert runs on.

FQDN the single domain certificate was ordered for:

OLD entry in Exchange somewhere:





Analyze the values you need to change by Powershell





get-ClientAccessServer | fl Identity,AutodiscoverServiceInternalUri


Identity : CAS1

AutoDiscoverServiceInternalUri : https://async.customer.local/Autodiscover/Autodiscover.xml


Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri



get-WebServicesVirtualDirectory | fl Identity, InternalUrl , ExternalUrl


InternalUrl : https://cas1.customer.local/EWS/Exchange.asmx

ExternalUrl : https://mobile.customer.local/ews/exchange.asmx


Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -InternalUrl

Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -ExternalUrl



get-OABVirtualDirectory | fl Identity, InternalUrl, ExternalUrl


InternalUrl : http://cas1.customer.local/OAB

ExternalUrl : https://mobile.customer.local/OAB


Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -InternalUrl

Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -ExternalUrl


If you don't have the UM service (Unified Messaging), leave that.

Change values in the Exchange 2010 GUI


Change all other things in the Exchange 2010 GUI on the tabs below to the corresponding values.

Some you may have changed above already. Check them twice.




  • Do this for all possible locations: Web App/ActiveSync/Offline Address Book etc.
  • DO this for INTERNAL and EXTERNAL (set the SAME value)
  • Do not change ANYTHING behind the FQDN name in the example
  • AT the end restart Exchange, or open CMD.exe and run IISRESET
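As an added example (not the author's script and not part of Exchange), the Powershell analysis above and the GUI rule "set the SAME value everywhere, change nothing behind the FQDN" can be done in one pass in the Exchange Management Shell; $Fqdn is a placeholder for the FQDN the single-name certificate was issued for, $Server is the CAS name used in this post, and the script only reports unless -Apply is given.

```powershell
# Added example (not the author's script): audit every Exchange 2010 client URL
# against the single certificate FQDN and, with -Apply, rewrite only the host
# part. Scheme and everything behind the FQDN stay as they are (the author's rule).
param(
    [string]$Fqdn   = 'mail.example.com',   # placeholder: FQDN the single-name cert was issued for
    [string]$Server = 'CAS1',               # CAS server name as used in this post
    [switch]$Apply                          # without -Apply nothing is changed, only reported
)

function Set-UrlHost([string]$Url, [string]$NewHost) {
    if ([string]::IsNullOrEmpty($Url)) { return $null }   # unset URL stays unset
    $b = New-Object System.UriBuilder($Url)
    if ($b.Host -ieq $NewHost) { return $null }           # already correct, nothing to do
    $b.Host = $NewHost
    return $b.Uri.AbsoluteUri
}

# Get/Set cmdlet pairs and the URL properties each object carries.
$targets = @(
    @{ Get='Get-ClientAccessServer';          Set='Set-ClientAccessServer';          Props=@('AutoDiscoverServiceInternalUri') },
    @{ Get='Get-WebServicesVirtualDirectory'; Set='Set-WebServicesVirtualDirectory'; Props=@('InternalUrl','ExternalUrl') },
    @{ Get='Get-OabVirtualDirectory';         Set='Set-OabVirtualDirectory';         Props=@('InternalUrl','ExternalUrl') },
    @{ Get='Get-OwaVirtualDirectory';         Set='Set-OwaVirtualDirectory';         Props=@('InternalUrl','ExternalUrl') },
    @{ Get='Get-EcpVirtualDirectory';         Set='Set-EcpVirtualDirectory';         Props=@('InternalUrl','ExternalUrl') },
    @{ Get='Get-ActiveSyncVirtualDirectory';  Set='Set-ActiveSyncVirtualDirectory';  Props=@('InternalUrl','ExternalUrl') }
)

foreach ($t in $targets) {
    # Get-ClientAccessServer takes the server as -Identity, the VDir cmdlets as -Server
    $objects = if ($t.Get -eq 'Get-ClientAccessServer') { & $t.Get -Identity $Server } else { & $t.Get -Server $Server }
    foreach ($o in $objects) {
        $changes = @{}
        foreach ($p in $t.Props) {
            $new = Set-UrlHost ([string]$o.$p) $Fqdn
            if ($new) {
                "{0} {1}: {2} -> {3}" -f $o.Identity, $p, $o.$p, $new
                $changes[$p] = $new
            }
        }
        if ($Apply -and $changes.Count -gt 0) {
            & $t.Set -Identity $o.Identity @changes   # splat only the properties that differ
        }
    }
}
```

Run it once without -Apply, compare the reported pairs with the Get-... | fl output above, then run it with -Apply and finish with IISRESET.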






Activate the certificate in the Exchange 2010 GUI or Powershell and RESET IIS


Activate the new SINGLE certificate in Exchange for IIS.


Get-ExchangeCertificate | fl

Get the certificate thumbprint (the GUID), sample: 020564B683E9D540DA0DF20A

Enable-ExchangeCertificate -Identity 020562B683E5D540DA0DF20A -Services "IIS"


AT the end restart Exchange:





SPLIT DNS, Windows Server 2008: The Definitive Guide


Exchange PRO

Main Technet Link



Exchange 2007 | Exchange 2010 | Microsoft Exchange | Server 2012 R2

WSUS: Windows Fonts Update February KB3013455 (MS15-010) FIXED with 3037639

by butsch 26. February 2015 04:07


After you install security update 3013455 you may notice some text quality degradation in certain scenarios.

This problem occurs on computers that are running the following operating systems:

  • Windows Server 2008 Service Pack 2 (SP2)
  • Windows Server 2003 SP2
  • Windows Vista SP2


Patch with defective fonts: KB3013455 (Patchday February 2015 / MS15-010)

Patch with corrected fonts: KB3037639

You may have to get rid of the patch if your Windows Update or WSUS client already downloaded it to your system.


Path: "C:\Windows\SoftwareDistribution\Download"

Find the file with:

dir *3013455*.* /s

dir /s


Just delete the directory under C:\Windows\SoftwareDistribution\Download in which you find the file.

To uninstall on 2008 if you did install it already and made the reboot:

wusa /uninstall /kb:3013455 /quiet /norestart

On 2003 and Vista use Add/Remove Programs




Client Management | Deployment | Hotfixes / Updates | WSUS

VMWARE / VDI malware Protection Symantec, Trend and Mcafee

by butsch 24. February 2015 06:21

Symantec Endpoint Protection still has no agentless virus scan version like Trend or McAfee with MOVE. Those use the vShield API from VMware and need no software running directly in the VM.

BUT tests have shown that even with the agent in the VM/VDI, Symantec SEP 12.X is faster in daily tracking, stable status and scanning, and only slow when the machine does the virus pattern update once a day.

Keep in mind that most antivirus producers only update the main definitions once a day (McAfee 17:00 CET) and the rest is GTI/0-day releases on all three.

So even with the agent in VDI machines you get, as a rule of thumb, more or at least even performance.

Also keep in mind that virus APIs like the one from Microsoft have been the source of a lot of trouble, false events and fights in the last few years. You can decide whether you want that between:

  1. your antivirus producer and MS
  2. your antivirus producer and VMWARE

To mention on that part would be a solution at the hypervisor level, which mixes things up again.

The problem in general may not be so pressing anymore since NetApp and all the new companies who come out with Flash/SSD storage try to solve it on the other side.

Gartner Magic Quadrant

Mentioned products in terms of VM in those articles:


McAfee's Management for Optimized Virtual Environments (MOVE) has offered optimized anti-malware scanning in virtualized environments for two years, and now MOVE 2.5 offers agentless anti-malware scanning in VMware environments using native vShield API integration.


Symantec does not yet offer an "agentless" version for optimizing anti-malware scanning in virtualized environments (although its shared Insight cache feature can be used to improve performance).

2012 Symantec SEP 12.1 and Mcafee MOVE under VMware 5.X

2012 Symantec SEP 12.1 and Trend

Back in 2011 Trend was faster

2011 Symantec SEP 11, Trend and Mcafee



APP-V | Mcafee VSE, EPO, DLP | VMWare