Windows Updates Thread - August 2019 - Patch Yo Shizzle

Discussion in 'Business & Enterprise Computing' started by PabloEscobar, Dec 11, 2014.

  1. Skitza

    Skitza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,774
    Location:
    In your street
    Got hit by this, any fix yet?
     
  2. ITialise

    ITialise Member

    Joined:
    Aug 10, 2012
    Messages:
    2
    Location:
    Melbourne
    Yeah remove the offending update :thumbup:

    Microsoft has pulled the update
     
  3. Skitza

    Skitza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,774
    Location:
    In your street
    Haha didn't even cross my mind ;)

    Only one person anyway... Thanks.
     
  4. Sphinx

    Sphinx Member

    Joined:
    Sep 16, 2001
    Messages:
    10,133
    Location:
    Brisbane
    Been dealing with this across a few of Outlook 2010 clients safe mode forced on yesterday and today. :thumbdn:

    Uninstall of the update is the only fix, or you can use an msiexec script:
    https://blog.brankovucinec.com/2015/12/09/outlook-2010-always-start-in-safe-mode/

    You would think they would release a new update to fix it instead. :rolleyes:
     
  5. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,659
    So I've not seen anything indicating any problems with Jan 2016 patches, so they've got that going for them...

    BUT....

    GWX is being pushed to domain joined computers that aren't managed by WSUS.

    We've got a few road warriors configured to go direct to Microsoft for updates, because they aren't on the network enough for WSUS to be reliable. So it looks like I'll be shifting my WSUS to the DMZ, and letting computers on the wild internet suck on its bountiful teat.
     
  6. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,748
    you can still have them report to WSUS but download from MS can't you?
     
  7. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,473
    Location:
    Brisbane
    Fuck we're going to make a shitload of money out of this.

    I mean

    I don't want to. But goddammit.
     
  8. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,659
    You can, but for road warriors, we still get the same issue.
    If a computer doesn't report into WSUS, it doesn't know that updates are available, which leaves our MOST vulnerable devices unpatched. So as a lesser of two evils approach, Microsoft managed updates it is.

    I'm interested to see what happens WRT some 3rd party RMM tools, and what updates they start presenting.

    Do you have your 'managed' desktops on any sort of central system? or as an MSP, do you make more money fixing the same problem at 80 clients, rather than fixing it once for all 80?
     
  9. qwertylesh

    qwertylesh Member

    Joined:
    Aug 21, 2007
    Messages:
    9,024
    yea GWX is horrid.

    all i could do is uninstall KB3035583 then apply a reg patch

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GWX]
    "DisableGWX"=dword:00000001

    I had a doc that had a lot more 'long workarounds' to get rid of the shit, but the above just ensures the GUI of it and tray and stuff will not run.
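
Added example (not part of qwertylesh's post or the thread): a read-only PowerShell check for the two things that post relies on, namely whether KB3035583 is installed and whether the DisableGWX policy value is set to 1. The function name Get-GwxStatus and the status strings are made up for this example.

```powershell
# Added example: audit one machine for the GWX workaround described above.
# Read-only; it changes nothing. Get-GwxStatus and the status strings are hypothetical names.
function Get-GwxStatus {
    param(
        [string]$KbId    = 'KB3035583',
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\GWX'
    )

    # Get-HotFix writes an error when the KB is absent, so silence it and test for null.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $kbInstalled = [bool]$hotfix

    # The policy key may not exist at all; treat a missing key or value as "not set".
    $value = $null
    if (Test-Path -Path $KeyPath) {
        $props = Get-ItemProperty -Path $KeyPath -Name 'DisableGWX' -ErrorAction SilentlyContinue
        if ($props) { $value = $props.DisableGWX }
    }
    $policySet = ($value -eq 1)

    # Worst case first: the update is present and nothing suppresses it.
    if ($kbInstalled -and -not $policySet) {
        $status = 'KB installed, policy not set'
    } elseif ($kbInstalled) {
        $status = 'KB installed, suppressed by policy'
    } elseif ($policySet) {
        $status = 'KB absent, policy set'
    } else {
        # Nothing to suppress today, but nothing in place if the KB is offered again.
        $status = 'KB absent, policy not set'
    }

    # New-Object keeps this usable on the PowerShell 2.0 that ships with Windows 7.
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        KbInstalled  = $kbInstalled
        DisableGWX   = $value
        Status       = $status
    }
}

Get-GwxStatus | Format-List
```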
     
  10. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    67,551
    Location:
    brisbane
    *cough*

    December 2015 not 16
     
  11. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,659
    January 2016 actually :)
     
  12. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,473
    Location:
    Brisbane
    The thing to remember is we *really* aren't an MSP by capital city standards.

    98% of our client base use us ad-hoc. Now they may talk to us multiple times per week - but it's still ad-hoc. We don't have a support agreement in place with them (most of the time, they don't want one - because they get same day service anyway).

    We have Teamviewer (ugh - but cutting ~1100 endpoints across 200-odd clients just sounds/feels like a nightmare) on probably 65-70% of the endpoints we look at - but that's about it.

    Given that none of the clients are "interconnected", and pretty much most aren't "the same" - it's quite difficult to roll out a fix to all.

    We're struggling hard with the combo of SBS/WSUS, Outlook 2010 and that stupid fucking Safe mode patch. Clients don't pay us to maintain their WSUS, as such the DB cleanup hasn't been run in months/years, as such for a lot of them it just never works. We can't clean up the DB to remove the offending broken KB - and thus WSUS thinks it still has the patch, and thus it doesn't download the fixed KB (that has the same number).

    So we're actually staring at about 5 clients who need a repair WSUS install. It's aids.


    At any rate - when Win10 was pushed out to our non-domain clients, we made a fair packet from fixing broken upgrades, or reverting upgrades that didn't have LOB app support.

    We send out client-wide emails saying "talk to us before you click yis upgrade", but that has probably a 20-30% penetration rate.
     
    Last edited: Jan 18, 2016
  13. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,659
    What's stopping you just sticking a WSUS server in Azure, roll out the group policy (or regedit for those off-domain) to point clients to it, and handle update management that way for your clients?

    WSUS is honey-badger like in who it will serve updates to? You wouldn't be dealing with dodgy Outlook safe-mode patches, and none of your clients would be pestered to update to Win 10.

    The only downside is that it's overhead for you, and you wouldn't see a return on it, because it's mostly invisible. Plus, you'd miss all the sweet sweet break-fix cash that you get from dodgy patches.
     
  14. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,473
    Location:
    Brisbane
    Pretty much that they won't pay for it tbh - I mean I could host it with us with no issues either.

    What stops you from doing it with your road warriors?

    Sweet Sweet Break-fix dollary is nice - but tbh, I hate revenue that happens because $vendor pushed shit.

    I actually give a shit and want users to have a great experience where possible - and I want them to be spending their $ITBucks on stuff that improves things.
     
  15. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,473
    Location:
    Brisbane
    Eh?

    MS and Samba have generally always worked reasonably well. I mean that was the whole damned point of Samba.

    If you're doing something fancy like Samba4 "AD" domains, then well YMMV.

    But I'm running 10 connected to Samba using SMB3.1 - and at work we run 10 on a 2008r2 Functional domain connecting to FreeNAS 9.3-stable using SMB3.1

    So it probably works fine.
     
  16. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    Enterprise....
    Nope
    Business...
    Nope
    Relevance...
    Nope
     
  17. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,659
    It was proposed as a solution when it was raised. The risks (exposing my WSUS to the world) outweighed the rewards.

    If WSUS looked anything like a mature, completed product, it would probably be out there, but as it's not *normally* internet facing, I don't imagine it has been under the microscope as far as vulnerability testing goes. I know there are a number of attacks that involve getting untrusted software onto the WSUS server, and having it push those down to clients.

    But now, with MS delivering GWX from its update service, the rewards (not having an unwanted Win10 upgrade) are starting to look a bit better when compared against the risks.


    But only VERY tangentially relevant to this thread, If you want to talk about Samba and Win10, go for it... but go for it somewhere else.
     
  18. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,473
    Location:
    Brisbane
    I think Windows Installer/Update runs as System.

    You aren't stopping it.

    You don't need admin rights to apply updates - and the 10 upgrade definitely runs through without elevation.

    As far as 10 and Businesses are concerned.

    It works fine. What doesn't work is that a whole bunch of traditional software vendors are shit and still can't get their crap to work on 10 yet.

    Yes MYOB. That's you. Fix your shit.
     
  19. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,883
    Location:
    elsewhere
    Sure you can. Create the folder yourself, set deny permissions for system and trusted installer. Same way I've killed the GWX thing on my system.
     
  20. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,774
    Location:
    3350
    How's February looking for everyone? I'm just about to deploy to my pilot group.
     
