IE11 IEAK 11 Setup 9 PRE Deployment Patches + 1 Hotfix

by butsch 11. March 2015 23:31

Internet Explorer 11 Setup with IEAK11 for Deployment

We have seen several postings on Social MSDN and also on deployment blogs from people struggling with the IEAK setup of IE11, or rather with the 9 PRE patches the IE 10/11 setup needs.

Technet http://support.microsoft.com/kb/2847882 describes the updates that have to be installed before you can install IE11 silently.

Error Source 1: Setup tries to fetch updates in the background and fails because of the proxy

If these are not on the machine, the setup will try to fetch them from the internet. Because the "Computer account" (not the user) mostly has no PROXY information, this will fail. I will not show you here how to change that; the target would be to have all files ready from deployment.

Error Source 2: Reboot OR WMI update of the patch inventory after installing the PRE patches

If you install the 9 patches with a batch or script you should either:

a) Reboot the client, which makes it a reboot-and-continue package that some deployment systems can't handle

b) Solution > Rebuild the patch inventory with "c:\windows\system32\wbem\wmic.exe qfe" (does not work as of 19.03.2015)

 

The IEAK 11 version from March 2015 actually checks the version of the files AS they are in place. So the installed patch list is not consulted to decide whether additional updates are downloaded. Thus the reboot may be needed IF in-use files are present.

> THUS the only working solution as of March 2015 would be a 3 STEP package

1) Install PRE Deployment Patches (Reboot)

2) Install IEAK (Reboot)

3) Install Post Deployment Patches (may need Reboot)

 

00:01.841: INFO:    Version Check for (KB2834140) of C:\Windows\System32\d3d11.dll: 6.1.7601.17514 >= 6.2.9200.16570 (False)
00:01.841: WARNING: Checking version for C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll.  The file does not exist.
00:01.841: INFO:    Version Check for (KB2639308) of C:\Windows\System32\Ntoskrnl.exe: 6.1.7601.17803 >= 6.1.7601.17727 (True)
00:01.841: INFO:    Version Check for (KB2533623) of C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll: 6.1.7600.16385 >= 6.1.7601.17617 (False)
00:01.841: INFO:    Version Check for (KB2731771) of C:\Windows\System32\conhost.exe: 6.1.7601.17514 >= 6.1.7601.17888 (False)
00:01.841: INFO:    Checking for correct version of C:\Windows\Fonts\segoeui.ttf.
00:01.856: INFO:    Version Check for (KB2786081) of C:\Windows\System32\taskhost.exe: 6.1.7601.17514 >= 6.1.7601.18010 (False)
00:01.856: INFO:    Version Check for (KB2888049) of C:\Windows\System32\drivers\tcpip.sys: 6.1.7601.17514 >= 6.1.7601.18254 (False)
00:01.856: INFO:    Version Check for (KB2882822) of C:\Windows\System32\tdh.dll: 6.1.7600.16385 >= 6.1.7601.18247 (False)
00:02.621: INFO:    Download for KB2834140 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=303935 -> KB2834140_amd64.MSU.
00:02.636: INFO:    Download for KB2533623 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=254722 -> KB2533623_amd64.MSU.
00:02.636: INFO:    Download for KB2731771 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=258387 -> KB2731771_amd64.CAB.
00:02.636: INFO:    Download for KB2786081 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=273751 -> KB2786081_amd64.CAB.
00:02.652: INFO:    Download for KB2888049 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=324542 -> KB2888049_amd64.MSU.
00:02.668: INFO:    Download for KB2882822 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=324541 -> KB2882822_amd64.MSU.
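As an added example (not code from the original post), the following PowerShell script applies the same test the IEAK log above prints, a minimum file version per KB, in addition to the installed-hotfix list, and then installs the missing PRE patches with wusa.exe in the order of the post's table of binaries. Get-HotFix reads the same WMI QFE data as "wmic qfe", which is why the file versions are checked as well; a KB that is listed as installed while its file is still old means a reboot is pending. The share path, Windows 7 SP1 x64 and an elevated shell are assumptions; the file and version pairs are the ones from the log.

```powershell
# Added example, not part of the original post: check and install the IE11
# PRE patches without rebooting in between, report when a reboot is pending.
# Assumptions: Windows 7 SP1 x64, elevated shell, MSU files on $Source named
# as in the post's table of binaries.

param(
    [string]$Source = '\\deploy\ie11\pre',   # assumption: share holding the MSU files
    [switch]$ReportOnly                      # report only, install nothing
)

# KB, MSU name and, where the IEAK log prints one, the file and minimum version
# that setup checks. Order: Blurry Fonts patch first, its hotfix KB2898202 right after.
$Prereqs = @(
    @{ KB='KB2834140'; File='Windows6.1-KB2834140-v2-x64.msu'; Check='System32\d3d11.dll';                           Min='6.2.9200.16570' },
    @{ KB='KB2670838'; File='Windows6.1-KB2670838-x64.msu' },
    @{ KB='KB2898202'; File='Windows6.1-KB2898202-x64.msu' },
    @{ KB='KB2639308'; File='Windows6.1-KB2639308-x64.msu';    Check='System32\Ntoskrnl.exe';                        Min='6.1.7601.17727' },
    @{ KB='KB2533623'; File='Windows6.1-KB2533623-x64.msu';    Check='System32\api-ms-win-security-base-l1-1-0.dll'; Min='6.1.7601.17617' },
    @{ KB='KB2731771'; File='Windows6.1-KB2731771-x64.msu';    Check='System32\conhost.exe';                         Min='6.1.7601.17888' },
    @{ KB='KB2729094'; File='Windows6.1-KB2729094-v2-x64.msu' },
    @{ KB='KB2786081'; File='Windows6.1-KB2786081-x64.msu';    Check='System32\taskhost.exe';                        Min='6.1.7601.18010' },
    @{ KB='KB2888049'; File='Windows6.1-KB2888049-x64.msu';    Check='System32\drivers\tcpip.sys';                   Min='6.1.7601.18254' },
    @{ KB='KB2882822'; File='Windows6.1-KB2882822-x64.msu';    Check='System32\tdh.dll';                             Min='6.1.7601.18247' }
)

# True when the file exists and its version is at least $Min
# (the same test as the "Version Check for (KBxxxxxxx)" lines in the IEAK log).
function Test-FileVersion([string]$RelPath, [string]$Min) {
    $path = Join-Path $env:SystemRoot $RelPath
    if (-not (Test-Path $path)) { return $false }
    $vi   = (Get-Item $path).VersionInfo
    $have = New-Object -TypeName Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    return $have -ge [Version]$Min
}

$Installed    = Get-HotFix | ForEach-Object { $_.HotFixID }   # same data as "wmic qfe"
$RebootNeeded = $false

foreach ($p in $Prereqs) {
    $listed  = $Installed -contains $p.KB
    $current = if ($p.Check) { Test-FileVersion $p.Check $p.Min } else { $listed }

    if ($listed -and $current) { "$($p.KB): OK"; continue }
    if ($listed) { "$($p.KB): installed but file still old, reboot pending"; $RebootNeeded = $true; continue }

    $msu = Join-Path $Source $p.File
    if (-not (Test-Path $msu)) { Write-Warning "$($p.KB): $msu not found on share"; continue }
    if ($ReportOnly) { "$($p.KB): would install $msu"; continue }

    # wusa.exe exit codes: 0 ok, 3010 reboot required, 2359302 (0x240006) already installed
    $proc = Start-Process -FilePath wusa.exe -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { "$($p.KB): installed" }
        3010    { "$($p.KB): installed, reboot required"; $RebootNeeded = $true }
        2359302 { "$($p.KB): already installed" }
        default { Write-Warning "$($p.KB): wusa exit code $($proc.ExitCode)" }
    }
}

# Exit 3010 so the deployment system can schedule the reboot before the IEAK step
if ($RebootNeeded) { 'Reboot required before running the IEAK package'; exit 3010 }
exit 0
```

Run it with -ReportOnly first to see which KBs the setup log would complain about; the 3010 exit code at the end is what a deployment system can map to "reboot, then run the IEAK package" as step 1 of the 3-step package.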

 

Error Source 3

KB2670838, Blurry Fonts Patch

KB2898202, Hotfix for Blurry Fonts Patch

 

If you take a closer look at the patches in KB2847882 you will see that they want to install the "Blurry Fonts patch / KB2670838", which caused a lot of trouble a few months ago. On most WSUS servers this update is declined. However, IE11 needs that patch. Even worse: if you UNINSTALL the Blurry Fonts patch, IE will be uninstalled completely.

The solution is to install KB2670838 and then KB2898202, the HOTFIX.

 

Thanks to Karen HU from Pactera/china for pointing us in that direction.

https://social.technet.microsoft.com/Forums/de-DE/0bb37a16-f8a3-4648-897e-6a1a5986a437/not-wanted-fonts-patch-kb2670838-and-ieak11-silent-last-status?forum=ieitprocurrentver

 

Here is a list of binaries:

No.  KB          Needed for IE11 (normal download link)                Binary available / link
---  ----------  ----------------------------------------------------  ------------------------------------------------------------------
1    KB2834140   YES, MANDATORY                                        Windows6.1-KB2834140-v2-x64.msu
2    KB2670838   YES, with note: on UNINSTALL, IE11 is removed too     Windows6.1-KB2670838-x64.msu
                                                                       http://support.microsoft.com/kb/2670838/en-us
                                                                       SOLUTION, second HOTFIX: http://support.microsoft.com/kb/2898202
HOT  KB2898202   YES, HOTFIX for the Blurry Fonts patch                Windows6.1-KB2898202-x64.msu
                                                                       http://support.microsoft.com/kb/2898202
3    KB2639308   YES, BUT OPTIONAL                                     Windows6.1-KB2639308-x64.msu
                                                                       http://www.microsoft.com/de-de/download/confirmation.aspx?id=28902
4    KB2533623   YES, MANDATORY                                        Windows6.1-KB2533623-x64.msu
5    KB2731771   YES, MANDATORY                                        Windows6.1-KB2731771-x64.msu
6    KB2729094   YES, MANDATORY                                        Windows6.1-KB2729094-v2-x64.msu
7    KB2786081   YES, MANDATORY                                        Windows6.1-KB2786081-x64.msu
8    KB2888049   YES, BUT OPTIONAL                                     Windows6.1-KB2888049-x64.msu
                                                                       http://www.microsoft.com/de-de/download/confirmation.aspx?id=40611
9    KB2882822   YES, BUT OPTIONAL                                     Windows6.1-KB2882822-x64.msu
                                                                       http://www.microsoft.com/de-de/download/details.aspx?id=40500

 

Uninstall described for IE10, but also valid for IE11

 

 

Tags:

Mcafee DLP 9.3 missing option Removable Storage Protection in Agent Configuration

by butsch 4. March 2015 05:13


 

   

Problem:

You are unable to choose "Removable Storage Protection" as the 4th option in Agent Configuration on the new DLP 9.3.

Migration from:

Existing EPO 4.6 and DLP 9.1

Under Agent Configuration I can choose "Removable Storage Protection" as the 4th option.

NEW EPO 5.11 and DLP 9.3.400.23 does not show the option:

- Settings migrated 1:1

- Device Control licence ACTIVE and entered

   

The manual says the following, which is MOST unclear on that point:

Advanced configuration tab (agent configuration)

DLP data access protection

When enabled, activates the DLP data access protection features. Default: enabled in both McAfee Device Control and full McAfee Data Loss Prevention Endpoint. No longer requires restarting for version 9.3 clients.

Solution:

The option is no longer there UNDER Configuration > you can CHOOSE under File Tracking AND "DLP Operation MODE" if you just want to HAVE the DEVICE lock.

Also you may disable this option for speed (if the option above is selected there is no impact anyway).

 

Tags:

Exchange 2007/2010/2013 with SPLIT DNS and ONE single Certificate

by butsch 3. March 2015 23:59

Problem:

You have to renew an Exchange SAN/UC certificate and you can't do this anymore after 2015 because it contains a NON EXTERNAL top-level domain like ".LOCAL". Your options:

  1. Rename the full Windows domain in a 1-year project and have fun
  2. Integrate a SPLIT DNS as below and bend all Exchange URLs to the same FQDN

Main Technet Link:

http://support.microsoft.com/kb/940726/en-us

 

I personally don't like this solution since in the most complex cases you may end up in trouble with some special cases like "RPC-over-HTTP" (Outlook Anywhere) and some Autodiscover functions.

On the other side, I don't like wildcard certs for this, because if you have one, the other departments want to use the same certificate and in the end everyone uses it. Worst of all, it then lies around on laptops and servers if you don't control it strictly.

Currently, still March 2015, this is the only quick solution if your customer has a Windows domain with a .LOCAL top-level domain. Mostly it's urgent because the cert has expired.

 

Just to mention that there is another way, but this needs planning and time.

Enterprise way:

Internal domain: Cover these with your own internal Certificate Authority (ask if you have one; make a separate project for that because it's sensitive and complex).

External domain: Use a cert provider SAN/UC certificate as we had before for all external FQDNs.

This enterprise mix however leads us to splitting the CAS/OWA directories onto separate SITES within IIS (because of only 1 cert per IIS site), or we make single separate CAS servers for internal and external (which Microsoft does not want us to do).

On the other side, if we have load balancers for the CAS, mostly those separate CAS are not in the load balancer HA team.

 

 

Timeline for SAN/UC certs with a .local ending or other non-external top-level domain (www.technet.local)

http://www.butsch.ch/post/Exchange-Certificates-Aenderung-CAS-Outlook-mit-local-Domain.aspx

Such a SAN certificate which includes .LOCAL is not valid anymore after some date, and you can't reorder it. (Screenshot)

PowerShell: Get-ExchangeCertificate | fl

In the green BOX there are the .LOCAL top-level domains that you can't COVER anymore in ONE cert in 2015.

INTERNAL DNS NAME:    customer.local (The Active Directory Domain)

EXTERNAL DNS NAME:    customer.ch (Your Webserver, FTP, MX-E-Mail Domain from external)

Third level DOMAIN: async.customer.ch

Why can't I renew?

 

Because we can't get a UC/SAN certificate for such names after November 2015 anymore, we have to convert the DNS into a SPLIT DNS setup. That means we copy the external DNS into the internal DNS. Even if you CAN renew it, it WILL only run until November 2015 with some cert issuers.

http://www.butsch.ch/post/Exchange-Certificates-Aenderung-CAS-Outlook-mit-local-Domain.aspx

Make the SPLIT DNS

 

See the links at the end for more help on SPLIT DNS.

SPLIT DNS: copy the external ZONE file to the internal Active Directory DNS

  1. Get the external ZONE file from the provider/ISP for the domain, e.g. customer.ch. Ask them for an extract (copy) of the zone file for your external domain.
  2. Create a new Active Directory integrated forward lookup zone with the same name "customer.ch" internally.
  3. Create the A records internally so INTERNAL users can reach www and ftp also from internal (these are shown on the right side). Make "FTP" and "WWW" point to the same IP as the external ones. (If you don't do that, your INTERNAL users will not be able to reach the external website or cloud service you use with your ISP.)
  4. ASYNC in OUR sample POINTS to the IP of the Exchange 2010 CAS.
  5. On the external DNS, ASYNC points to our firewall and then to the Exchange 2010 CAS.
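As an added example (not from the original post), the five steps above in one PowerShell script for the DnsServer module (Windows Server 2012 or newer, run on a domain DNS server; the post's own screenshots show the GUI). The provider's zone extract is a constructed sample, the addresses are documentation and private ranges, and the internal CAS address is an assumption; only the record named async gets an internal answer that differs from the external one, exactly as steps 4 and 5 describe.

```powershell
# Added example, not part of the original post: build the internal copy of
# the external zone for split DNS. Requires the DnsServer module.
# Assumptions: zone text is a constructed sample of the ISP's extract,
# $InternalCas is the internal IP of the Exchange 2010 CAS.

param([switch]$Apply)   # without -Apply only show the resulting records

$ZoneName    = 'customer.ch'
$InternalCas = '10.0.0.25'          # assumption: internal IP of the Exchange 2010 CAS

# Constructed extract of the provider's zone file: name, type, data (documentation range IPs)
$ProviderZone = @'
www    A  203.0.113.10
ftp    A  203.0.113.11
async  A  203.0.113.20
'@

# Records whose internal answer differs from the external one (step 4 vs step 5)
$InternalOverride = @{ 'async' = $InternalCas }

# Parse the A records and apply the internal overrides; every other record
# keeps the external address so internal users still reach www and ftp (step 3).
function Get-InternalRecords([string]$ZoneText, [hashtable]$Override) {
    foreach ($line in $ZoneText -split "`n") {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 3 -or $f[1] -ne 'A') { continue }   # only A records in this sample
        $ip = if ($Override.ContainsKey($f[0])) { $Override[$f[0]] } else { $f[2] }
        [pscustomobject]@{ Name = $f[0]; Type = 'A'; External = $f[2]; Internal = $ip }
    }
}

$records = Get-InternalRecords $ProviderZone $InternalOverride
$records | Format-Table -AutoSize

if ($Apply) {
    # Step 2: AD-integrated forward lookup zone with the external name
    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain'
    }
    # Step 3 and 4: the A records, async pointing at the CAS
    foreach ($r in $records) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $r.Name -IPv4Address $r.Internal
    }
}
```

The External/Internal columns printed without -Apply are the check worth doing before creating the zone: every name that is not deliberately overridden must still carry the provider's address, otherwise internal users lose the external site.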

This is how this may look.

Get the NEW SINGLE FQDN Certificate

 

 

We need to change all FQDNs that Exchange uses for its different services to the SAME FQDN the SINGLE domain cert runs on.

FQDN the single domain certificate was ordered for: async.customer.ch

OLD entry in Exchange somewhere:

https://async.customer.local/OAB

NEW:

https://async.customer.ch/OAB

 

Analyze the values you need to change with PowerShell

 

 

-------------------------------------------------------------------------------------------------------------------------------------

CHANGE1

get-ClientAccessServer | fl Identity,AutodiscoverServiceInternalUri

WAS:

Identity : CAS1

AutoDiscoverServiceInternalUri : https://async.customer.local/Autodiscover/Autodiscover.xml

SET NEW:

Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri https://async.customer.ch/Autodiscover/Autodiscover.xml

-------------------------------------------------------------------------------------------------------------------------------------

CHANGE2

get-WebServicesVirtualDirectory | fl Identity, InternalUrl , ExternalUrl

WAS:

InternalUrl : https://cas1.customer.local/EWS/Exchange.asmx

ExternalUrl : https://mobile.customer.local/ews/exchange.asmx

SET NEW:

Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -InternalUrl https://async.customer.ch/EWS/Exchange.asmx

Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -ExternalUrl https://async.customer.ch/EWS/Exchange.asmx

-------------------------------------------------------------------------------------------------------------------------------------

CHANGE3

get-OABVirtualDirectory | fl Identity, InternalUrl, ExternalUrl

WAS:

InternalUrl : http://cas1.customer.local/OAB

ExternalUrl : https://mobile.customer.local/OAB

SET NEW:

Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -InternalUrl http://async.customer.ch/OAB

Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -ExternalUrl http://async.customer.ch/OAB

-------------------------------------------------------------------------------------------------------------------------------------

If you don't have the UM service (Unified Messaging), leave that one out.

Change values in the Exchange 2010 GUI

Change all other things in the Exchange 2010 GUI on the tabs below to the corresponding values.

Some you may have changed above already. Check them twice.

  • Do this for all possible locations: Web App / ActiveSync / Offline Address Book etc.
  • Do this for INTERNAL and EXTERNAL (set the SAME value)
  • Do not change ANYTHING behind the FQDN name, as in the example
  • AT the end restart Exchange, or open CMD.exe and run IISRESET

 

OLD:

https://async.customer.local/OAB

NEW:

https://async.customer.ch/OAB

 

Activate the certificate in the Exchange 2010 GUI or PowerShell and RESET IIS

Activate the new SINGLE certificate in Exchange for IIS.

Get-ExchangeCertificate | fl

Get the thumbprint; sample: 020564B683E9D540DA0DF20A

Enable-ExchangeCertificate -Identity 020562B683E5D540DA0DF20A -Services "IIS"

AT the end restart Exchange:

CMD.exe then IISRESET
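As an added example (not code from the original post), the whole procedure from CHANGE1 to the IISRESET as one script for the Exchange 2010 Management Shell. It generalizes the three CHANGE blocks to every virtual directory type that carries InternalUrl/ExternalUrl (EWS, OAB, OWA, ECP, ActiveSync), replaces only the host part of each URL so nothing behind the FQDN changes, and binds the certificate that actually covers the new FQDN instead of a typed thumbprint. The server name and FQDN default to the post's sample values, and it is assumed the new certificate is already imported but not yet enabled for IIS.

```powershell
# Added example, not part of the original post: rewrite all client-access
# URLs of one CAS to the single FQDN and enable its certificate for IIS.
# Run in the Exchange Management Shell. Without -Apply it only reports.
# Assumptions: $Server and $NewHost are the post's sample values; the
# certificate for $NewHost is already imported.

param(
    [string]$Server  = 'CAS1',
    [string]$NewHost = 'async.customer.ch',   # FQDN the single-name certificate was ordered for
    [switch]$Apply
)

# Replace the host name of a URL; scheme, port and path stay. Empty in, $null out.
function Set-UrlHost([string]$Url, [string]$NewHostName) {
    if ([string]::IsNullOrEmpty($Url)) { return $null }
    $b = New-Object System.UriBuilder $Url
    $b.Host = $NewHostName
    return $b.Uri.AbsoluteUri
}

# Report "identity property old -> new" and return the values to splat into Set-*.
function Get-UrlChanges($Object, [string[]]$Properties) {
    $changes = @{}
    foreach ($prop in $Properties) {
        $old = "$($Object.$prop)"
        $new = Set-UrlHost $old $NewHost
        if ($new -and $new -ne $old) {
            Write-Host ("{0,-40} {1,-32} {2} -> {3}" -f $Object.Identity, $prop, $old, $new)
            $changes[$prop] = $new
        }
    }
    return $changes
}

# CHANGE1: Autodiscover SCP URL on the CAS object
$cas = Get-ClientAccessServer -Identity $Server
$c = Get-UrlChanges $cas 'AutoDiscoverServiceInternalUri'
if ($Apply -and $c.Count) { Set-ClientAccessServer -Identity $Server @c }

# CHANGE2, CHANGE3 and the remaining GUI tabs: every virtual directory type
# with InternalUrl/ExternalUrl; INTERNAL and EXTERNAL get the same host.
foreach ($type in 'WebServices','Oab','Owa','Ecp','ActiveSync') {
    foreach ($vd in & "Get-${type}VirtualDirectory" -Server $Server) {
        $c = Get-UrlChanges $vd 'InternalUrl','ExternalUrl'
        if ($Apply -and $c.Count) { & "Set-${type}VirtualDirectory" -Identity $vd.Identity @c }
    }
}

# Certificate: the unexpired certificate whose domains include the new FQDN
$cert = Get-ExchangeCertificate |
    Where-Object { (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $NewHost) -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $NewHost found; import it first" }
Write-Host ("Certificate {0} ({1}) valid until {2}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter)

if ($Apply) {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
    iisreset                      # as the post says: restart IIS at the end
}
```

The report run is the "check them twice" step: every line printed is one URL the GUI tabs would otherwise have to be walked through by hand, and a host that does not appear in the output is one the certificate will not cover.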

 

References:

 

SPLIT DNS, Windows Server 2008: The Definitive Guide

https://books.google.de/books?id=H7RgtZEgUvsC&pg=PA137&dq=split+dns&hl=de&sa=X&ei=a9H2VMrNJ4TXyQPBkoFg&ved=0CCcQ6AEwAQ#v=onepage&q=split%20dns&f=false

SPLIT DNS with ISA

http://www.isaserver.org/img/upl/isabokit/9dnssupport/9dnssupport.htm#_Toc63649957

Exchange PRO

http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/

Main Technet Link

http://support.microsoft.com/kb/940726/en-us

 

Tags:

Exchange 2007 | Exchange 2010 | Microsoft Exchange | Server 2012 R2

WSUS: Windows Fonts Update February KB3013455 (MS15-010) FIXED with 3037639

by butsch 26. February 2015 04:07

 

After you install security update 3013455 you may notice some text quality degradation in certain scenarios.

This problem occurs on computers that are running the following operating systems:

  • Windows Server 2008 Service Pack 2 (SP2)
  • Windows Server 2003 SP2
  • Windows Vista SP2

 

Patch with defective fonts:    KB3013455 (Patchday February 2015 / MS15-010)

Patch with corrected fonts:    KB3037639 (https://support.microsoft.com/kb/3037639/en)

 

http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_update/kb3013455-ms15-010-causes-font-corruption/8640d38d-19bd-46b6-9af0-6213c05107d3

You may have to get rid of the patch if your Windows Update or WSUS client already downloaded it to your system.

 

Path: "C:\Windows\SoftwareDistribution\Download"

Find the file with:

dir *3013455*.* /s

dir windows6.1-kb3013455-x64-express.cab /s

Just delete the directory in which you find the file under C:\Windows\SoftwareDistribution\Download.

To uninstall on 2008 if you already installed it and rebooted:

wusa /uninstall /kb:3013455 /quiet /norestart

On 2003 and Vista use Software / Add-Remove Programs.
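As an added example (not from the original post), the two manual steps above as one PowerShell script for Windows 7 / 2008 R2: it stops the Windows Update agent before deleting the cached package folders so they are not recreated mid-way, and runs the wusa uninstall only if the KB is actually installed. Running it elevated is assumed; the KB number is a parameter so the same script fits a later withdrawn update.

```powershell
# Added example, not part of the original post: purge a downloaded copy of a
# withdrawn update from the Windows Update cache and uninstall it if already
# installed. Assumption: elevated shell on Windows 7 / 2008 R2.

param([string]$Kb = '3013455')

$Download = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'

# 1. Stop the Windows Update agent so it does not recreate files while we delete them
Stop-Service wuauserv

# 2. Delete every cached package folder that holds a file named after the KB
#    (the post's "dir *3013455*.* /s" followed by deleting the directory)
$folders = Get-ChildItem -Path $Download -Recurse -Filter "*$Kb*" -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { $_.Directory.FullName } | Sort-Object -Unique
foreach ($f in $folders) {
    "Removing cached package folder $f"
    Remove-Item -LiteralPath $f -Recurse -Force
}

Start-Service wuauserv

# 3. If the update is already installed, uninstall it without an immediate reboot
if (Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue) {
    $p = Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$Kb /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { "KB$Kb uninstalled" }
        3010    { "KB$Kb uninstalled, reboot required" }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { Write-Warning "wusa exit code $($p.ExitCode)" }
    }
} else {
    "KB$Kb is not installed"
}
```

Clearing the cache alone is not enough if the update is still approved on WSUS; the client will download it again on the next detection cycle, so decline or supersede it there as well.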

 

 

Tags:

Client Management | Deployment | Hotfixes / Updates | WSUS

VMWARE / VDI malware Protection Symantec, Trend and Mcafee

by butsch 24. February 2015 06:21

Symantec Endpoint Protection still has no agentless virus scan version like Trend or McAfee with MOVE. Those use the vShield API from VMware and need no software running directly in the VM. (http://www.vmware.com/pdf/vshield_55_admin.pdf)

BUT tests have shown that even with the agent in the VM/VDI, Symantec SEP 12.X is faster in daily tracking, stable status and scanning, and only slow when the machine does its virus pattern update once a day.

Keep in mind that most antivirus vendors only update the main definitions once a day (McAfee 17:00 CET); the rest is GTI/0-day releases on all three.

So even with the agent in VDI machines you get, as a rule of thumb, more or at least even performance.

Also keep in mind that virus APIs like the one from Microsoft have been the source of a lot of trouble, false events and fights in the last few years. You can decide whether you want that between:

  1. your antivirus vendor and MS

    OR

  2. your antivirus vendor and VMWARE

Worth mentioning here is a solution on the hypervisor side, which mixes things up again.

The problem in general may not be so current anymore, since NetApp and all the new companies that come out with Flash/SSD storage try to solve it from the other side.

Gartner Magic Quadrant

http://blogs.antivirussales.ca/en/blog/gartner-magic-quadrant-for-endpoint-protection-platforms/

Mentioned products in terms of VM in those articles:

MCAFEE:

McAfee's Management for Optimized Virtual Environments (MOVE) has offered optimized anti-malware scanning in virtualized environments for two years, and now MOVE 2.5 offers agentless anti-malware scanning in VMware environments using native vShield API integration.

Symantec:

Symantec does not yet offer an "agentless" version for optimizing anti-malware scanning in virtualized environments (although its shared Insight cache feature can be used to improve performance).

2012 Symantec SEP 12.1 and Mcafee MOVE under VMware 5.X

http://www.acmehk.net/report_download/Tolly212130SymantecSEP12dot1VMwareAVPerformance.pdf

2012 Symantec SEP 12.1 and Trend

http://www.symantec.com/connect/sites/default/files/Tolly212117SymantecSEP12_TRendDS8_VMwareAVPerformance.pdf

Back in 2011 Trend was faster

2011 Symantec SEP 11, Trend and Mcafee

http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_test_deep-security-7.5-vs-mcafee-and-symantec_tolly.pdf

 

Tags:

APP-V | Mcafee VSE, EPO, DLP | VMWare