Block Patch KB3002657 from installing/being available via Windows Update via Group Policy

Hi Everyone,
Been hearing a lot of issues around with KB3002657 causing Authentication issues. We've recently appeared to have similar issues. I'm currently getting our SCCM gurus to run an inventory on our environment to review if we have had this deployed to our environment, either by Windows Update (manual), SCCM/WSUS etc. If we do we're looking to have this removed and not deployed via our normal mechanisms to stop any production outages.
I would like to see if it is possible to block/hide this update from being visible from Windows Update, possibly by Group Policy.
From memory Microsoft created specific ADM templates for blocking updates for Internet Explorer versions to assist with the same type of issues (i.e. to stop IE from being updated via Automatic Updates). Would there be anything like this available for this update, or does anyone know of another way (specific Registry settings or ADM files that could be edited) to achieve this?
Thanks in advance.
Simon

Please, see solution:
The V2 release of MS15-027 / KB 3002657 that resolves NTLM v2
authentication failures by Windows Server 2003 DCs is available: 
The X86 version is at http://www.microsoft.com/en-us/download/details.aspx?id=46147
The ia64 version is at: http://www.microsoft.com/en-us/download/details.aspx?id=46204
The amd64 is at: http://www.microsoft.com/en-us/download/details.aspx?id=46054
Best Regards, Andrei ...
Microsoft Certified Professional
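
The inventory and the block/hide step asked about in this thread can be sketched in PowerShell as follows. This is an added example, not code from either poster: the function names and the server names `DC01`/`DC02` are hypothetical, and it assumes an elevated session and WMI/RPC access to the machines being inventoried. It covers what the local Windows Update Agent offers; on SCCM/WSUS-managed clients the update is withheld by not approving or deploying it.

```powershell
# Added example. Function names and computer names are hypothetical.
$KbId = 'KB3002657'

function Get-KbInstallState {
    # Reports, per computer, whether the KB is in the installed hotfix list
    # (Win32_QuickFixEngineering, read through Get-HotFix).
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Id
    )
    foreach ($computer in $ComputerName) {
        $row = [ordered]@{
            ComputerName = $computer
            KB           = $Id
            Installed    = $null      # stays $null when the host cannot be queried
            InstalledOn  = $null
            Error        = $null
        }
        try {
            # List everything and filter locally, so "not installed" is a clean
            # $false instead of an error from Get-HotFix -Id.
            $hit = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                   Where-Object { $_.HotFixID -eq $Id } |
                   Select-Object -First 1
            $row.Installed = [bool]$hit
            if ($hit) { $row.InstalledOn = $hit.InstalledOn }
        }
        catch {
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

function Hide-PendingUpdate {
    # Marks every not-yet-installed update carrying this KB number as hidden in
    # the local Windows Update Agent, so Automatic Updates no longer offers it.
    param([Parameter(Mandatory = $true)][string]$Id)

    $kbNumber = $Id -replace '^KB', ''   # WUA stores article IDs without "KB"
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($update in $result.Updates) {
        if (@($update.KBArticleIDs) -contains $kbNumber) {
            $update.IsHidden = $true     # fails unless the session is elevated
            [pscustomobject]@{ Title = $update.Title; Hidden = $update.IsHidden }
        }
    }
}

# Inventory first (constructed server names), then hide locally if required.
Get-KbInstallState -ComputerName 'DC01', 'DC02' -Id $KbId | Format-Table -AutoSize
# Hide-PendingUpdate -Id $KbId
```

Setting `IsHidden` back to `$false` on the same update object (searched with `IsHidden=1`) makes the update available again.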

Similar Messages

  • IE 10 installed via Windows Updates

    We have SCCM 2012 SP1 in our environment. We configured a number of Windows 7 computers manually with IE 9. Over the course of the night the computers might have pulled IE10 via Windows Update. The workstations are all pointing to the SCCM, but no upgrades were authorized.
    On the Windows 7 machines reviewed the following log files in C:\Windows.
    1. IE10_main.log file in the Windows folder.
    2. Reviewed C:\Windows\WindowsUpdate.log
    Q1. From where did the IE 10 get installed on these machines?
    Q2. Can we have the workstations stop AU and still receive patches via Sccm?
    Q3. If we request a GPO to disable AU on all agency workstations patches will still get to the agency desktops w/o any issues?
    IE10_main.log and WindowsUpdate have been uploaded to onedrive:
    https://onedrive.live.com/redir?resid=F3743C55DC76B1EE!1099&authkey=!AL40dKaAzl-_trc&ithint=folder%2c.log

    1. Don't know, you'd have to do some investigation. There is no process called "authorization" in ConfigMgr for updates though but assuming that the systems are correctly set to use ConfigMgr (and the WSUS instance that your SUP is installed on), then there
    are two possibilities -- approval directly within WSUS or added to a deployed software update group -- in addition to someone manually doing it. It could also have been pushed as a package or application from within ConfigMgr.
    2. No. ConfigMgr uses the Windows Update Agent which is contained in the Windows Update service, this service must not be disabled.
    3. Yes, this is recommended for multiple reasons. This may or may not have anything to do with IE10 being installed though.
    Jason | http://blog.configmgrftw.com

  • Trouble Deploying Windows updates via SCCM 2012

    Hello
    I'm testing Windows updates via SCCM 2012 - I have successfully deployed updates to 4 test PC's.
    I then added another 15 Test PC's into the same group - Not one of them receive updates (they're all within the same Domain and even in the same room)
    I reviewed "UpdatesDeployment.log" -
    1. I highlighted some points that stood out to me
    2. I have the Maintenance window set to 24hours for this test
    From the Server side and Clients side - What are the best .logs to look at.
    CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Event    UpdatesDeploymentAgent    22/08/2014 10:00:00 PM    4604 (0x11FC)
    Suspend activity in presentation mode is selected    UpdatesDeploymentAgent    22/08/2014 10:00:00 PM    4604 (0x11FC)
    At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode.    UpdatesDeploymentAgent    22/08/2014 10:00:00 PM    4604 (0x11FC)
    Proceeding to non-business hours activites as presentation mode is off.    UpdatesDeploymentAgent    22/08/2014 10:00:00 PM    4604 (0x11FC)
    Auto install during non-business hours is disabled or never set, selecting only scheduled updates.    UpdatesDeploymentAgent    22/08/2014 10:00:00 PM    4604 (0x11FC)
    A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates.    UpdatesDeploymentAgent    22/08/2014 10:00:00 PM    4604 (0x11FC)
    Attempting to install 0 updates    UpdatesDeploymentAgent    22/08/2014 10:00:00 PM    4604 (0x11FC)
    No actionable updates for install task. No attempt required.    UpdatesDeploymentAgent    22/08/2014 10:00:00 PM    4604 (0x11FC)
    Updates could not be installed at this time. Waiting for the next maintenance window.    UpdatesDeploymentAgent    22/08/2014 10:00:00 PM    4604 (0x11FC)

    Hi,
    You could also check Windowsupdate.log on the client.
    Best Regards,
    Joyce

  • HP Deskjet 3745 driver not downloadable via Windows Update in Windows 7.

    Dear sir / madam,
    I am using a HP Deskjet 3745 now for several years at home. Recently I received a new laptop from my employer with Windows 7. I like to install the driver for my printer on this laptop, so I can also print at home. Unfortunately the Windows Update is managed by my employer, so I cannot download the software via Windows Update.
    Is there another way to receive this driver?
    With kind regards,
    Martin

    The driver can be downloaded from the Microsoft Catalog Site, but the site is not very user friendly.  The catalog site only supports Internet Explorer, other browsers will not work.  Copy this link and paste it into IE:  http://catalog.update.microsoft.com/v7/site/Search.aspx?q=deskjet%203740
    Do you have a 32 bit or 64 bit version of Windows 7?  The 32 bit driver is the one that is 11.4Mb in size, the 64 bit version is 11.6Mb in size. The 13.9Mb system is for IA64 server systems.  Once the file has been downloaded open a DOS prompt and change directory to the place where the file was downloaded.  Next insert your USB drive (I will assume it is drive X: in the following) and in the DOS box type the following:
    expand   *.cab   -F:*   x:\
    This will extract the files and expand them onto your X: drive.  You can then take the USB drive to your work machine and click Start, Devices and Printers, Add a Printer, Have a Disk and point to the inf file on the X: drive.
    Bob Headrick,  HP Expert
    I am not an employee of HP, I am a volunteer posting here on my own time.

  • SCCM 2012: hotfixes via Windows updates?

    Hi,
    Is this still the proper way to deploy hotfixes via Windows updates in SCCM 2012 R2 (the article is more than a year old, maybe SCCM has other built in features to do this)?
    http://blogs.technet.com/b/michaelgriswold/archive/2013/03/13/kb2775511-deployment-for-the-sccm-admin.aspx
    Please advise.
    J.
    Jan Hoedt

    Hi,
    As long as the hotfix is available in the Microsoft Update Catalog, which not all hotfixes are, then it will work. It is not really supported to deploy it that way. Otherwise it is possible to deploy them using a package/program, which is the way I normally do it.
    Here is an example of a script to use.
    http://ccmexec.com/2012/02/installing-multiple-windows-7-hotfixes-msu-with-sccm/
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Got Display driver via Windows Update for Windows 8.1 and try to use it for Windows Server 2012 R2

    Hi Everyone,
    the following driver cab is from Windows Update:
    https://onedrive.live.com/?cid=5be01620eea95d8c&id=5BE01620EEA95D8C!138&ithint=file,.cab&authkey=!APDi54-R1Ob5IWQ
    It includes this display driver:
    Intel(R) Q45/Q43 Express Chipset (Microsoft Corporation - WDDM 1.1)
    My problem is: I can't install this driver on Windows Server 2012 R2.
    I tried the following, nothing worked:
    a) pnputil -i -a intel.cab
    b) Extract cab, update the device's driver in device manager, select "search for driver software in this location"
    c) copy the files in system32/, system32/drivers, syswow64/ from a Windows 8.1 system to a Windows Server 2012 R2 system
    Isn't it true that any Windows 8.1 driver should also work for Windows Server 2012 R2 (same os version)?
    Thanks for your replies.
    PS: I first posted my question here:
    http://answers.microsoft.com/en-us/windows/forum/windows8_1-hardware/got-display-driver-via-windows-update-for-windows/31c287c8-ef84-4c81-8530-8c51412376b7

    Hi,
    Additionally, did you check this article?
    http://www.driveridentifier.com/scan/download.php?item_id=90475670&scanid=9B44546E3BB9410D877D9A90D1439AF8&hardware_id=PCI%5CVEN_8086%26DEV_2E12
    Regards.
    Vivian Wang

  • Set Word 2013 Track Changes settings via Registry edits or Group Policy?

    Hi
    Would anyone know if there is a way of changing Track Changes settings via registry edits or Group Policy (e.g. changing Simple Markup All Markup)? I've had a look in Group Policy Admin Templates and the Registry but can't see relevant
    Thanks!

    Hi,
    The All Markup/Simple Markup selection is controlled by the RevModeShowSimpleMarkup value within the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options
    The value is 0 (zero) for All Markup or 1 (one) for Simple Markup.
    If we close all Word instances, and change the value to 1, then start Word, the All Markup option should be selected.
    In addition, some track change settings can also be controlled by the GPO settings in the following location:
    Administrative Templates > Microsoft Word 2013 > Word Options > Track changes and compare
    If you still need further assistance on this issue, please feel free to let me know.
    Regards,
    Steve Fan
    TechNet Community Support

  • Export Available Important Windows updates to Excel File

    Hi,
    I want to export List of Important Windows updates available in Windows Updates to excel or csv file by using CMD. I don't have any WSUS server deployed. I want to do this by using CMD command. Anyone can help?
    Regards,
    Riaz Javed

    So you admit that it does not answer the question that was asked. Why is it marked as answer then?
    No, that's not what I said at all. It's marked as an answer because it
    is an answer. Just because it doesn't answer your question (even though you're attempting to hijack someone else's thread) doesn't make it not an answer.
    As I said half a year ago, start your own thread if you have questions.
    Don't retire TechNet! -
    (Don't give up yet - 12,950+ strong and growing)

  • Servers where patches will not install automatically or manually, Live updates are broken and when checking installed updates shows "NO UPDATES ARE INSTALLED ON THIS COMPUTER" SFC /SCANNOW will not run

    Hello, (Bit of a long one but please read)
    We have 3 servers in the same physical location and server OU etc. that are exhibiting the exact same behaviors (we have several servers in this location that are not). As above they are all W2008 R2 SP1 and all built from the same standard image we use on hundreds of other computers. They have also been in production for different amounts of time and we started to see this behavior at different times with them. (It's odd they are all in the same site where there are also several other servers that are not affected, there must be a link?)
    These servers are all missing several patches when checking our internal tool that reports from IBM Endpoint Management that we use to deliver patches (they are not all missing the exact same patches, some more or less than others). Although SCCM (we used SCCM to deliver patches until around 6 months ago) and IBM EM are both running (some patches hark back to the SCCM delivery days) they are not patching, and when attempting to patch manually by downloading the exact patch corresponding to the fixlet ID and the KB, the standalone installer starts and after some time you receive an error message “The update is not applicable to your computer”. Windows Update returns error 80070006 for all of the servers.
    It is worth noting that other applications and products also using the .MSU extension will install, so it is not a problem with the installer service.
    The above led me to think a corrupt patch may have stopped the sequence of patching, so I then looked in “Programs and Features” => “Installed updates” and this is blank for all of them, returning the message:
    “NO UPDATES ARE INSTALLED ON THIS COMPUTER”.  (This I believe is a part of the fundamental issues and resolving this may resolve the patching.)
    Another issue is that if you run “SFC /SCANNOW” it starts the scan and then returns: “Windows Resource Protection could not perform the requested operation” (also in safe mode and both from an elevated CMD and WMI is started as a service).
    All three are probably related, so I think fixing the “SFC and NO UPDATES SHOWN” issues will resolve the first.
    The things I have tried so far are:
    Running : wmic qfe list full /format:htable > c:\updates.htm             Should produce a list of updates but instead returns :  No Instance(s) Available (this is not hopeful)
    Fix: Ran the “SYSTEM UPDATE READINESS TOOL” from  http://support.microsoft.com/kb/947821
    Result : Update Ran successfully but NO CHANGE
    Fix: Ran the automated and manual fix “RESET WINDOWS UPDATE COMPONENTS” here:
    http://support.microsoft.com/kb/971058/en then updated Windows Update Agent.
    Result : All ran successfully and NO CHANGE
    Fix: Ran MBSA
    Result : Runs successfully and then stays at “Done downloading security update information” (Log gives no obvious information)
    Fix: Renamed the software distribution folder/restarted services (Various variations of this fix online, tried a few)
    Result: Runs as described in article with new Software distribution folder being created,
    NO CHANGE
    Fix: Create/Correct the  reg key for windows trusted installer located here HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version (several articles relating to this and the above issues)
    Result: the existing key was correct as should be from internal system information gathered , required in article.
    Fix: Ran the “Windows update trouble-shooter”
    as here :
    http://windows.microsoft.com/en-us/windows/troubleshoot-problems-installing-updates#1TC=windows-7
    Result:  It detected and fixed errors but still no change.
    The WMI Repository checks out on them all for both of the methods I know to verify: “Get-wmiobject –list |measure” and ensure count is over 900, and also “C:\>winmgmt /verifyrepository”, and the repository came back as “WMI Repository is consistent”. I guess this is not hard evidence the WMI is OK, but these are the only methods I know.
    I have also tried removing the server from its OU , running a GP Update and then rebooting and testing but to no avail (Bit of a longshot but tried to link the distinction between the three servers and the OU GP is one of them)
    I have tried a few other articles registering .DLLs etc., but I did not take a note of links as I was at the start of this and didn’t expect it to go so long, so please reply with anything you see not above, I'm happy to try again.
    I have thought about removing SP1 and reinstalling it but this will require a major downtime and only possible if the backup files of SP1 have not been removed.
    Any help is appreciated!

    Hi,
    Please try to rebuild the WMI repository.
    For detailed information, please refer to the blog below,
    http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx
    If issue persists, due to sfc doesn't work, could you try to repair your system with the installation disk?
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Manage SCCM 2012 clients in DMZ (OS Deploy, Windows updates) via DP/MP

    Hi,
    We'd like to manage (=OS Deploy, Packages, Windows updates) Windows clients (Windows 2008/2012 R2 servers for now, about 20 of them) in a DMZ (= different domain).
    There is this article
    https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which explains what to do … in 2011. Since then lots of things have changed, I guess.
    Before I dive in, I’d need to have an overview + do some administrative tasks (like asking for firewall accesses).
    Current setup DMZ:
    Our SCCM 2012 R2 server is on a Windows 2008 R2 OS
    Client communication is done via HTTP (not HTTPS)
    An extra physical Distribution point is setup (only DP, nothing more) in our current domain
    A new Windows 2012 server is setup in the DMZ which should host the DP and probably management point (since it should manage the clients over there)
    There are clients in DMZ that are currently managed by SCCM 2007 but this server will be phased out, these clients have:
    Correct sccm functionality
    Correct DNS resolution
    My steps/questions, please comment:
    Add the DMZ ip range to SCCM 2012 boundary as “DMZ”
    Add the network access account to be able to deploy as well clients as distribution point in DMZ
    In the DMZ accesses on firewall for server VLAN have to be asked
    When we have a distribution point and communication is “HTTP only” then http (port 80) from DMZ to sccm server should suffice, correct? Or are extra firewall openings needed for management point access/packages and windows updates sync?
    Now the sccm clients will be deployed to the servers in DMZ: deploy SCCM clients to hosts in DMZ, how this should be done: we connect a console to the SCCM-server in the DMZ then deploy the discovered clients?
    OS Deploy should be made available, but no dhcp is available in DMZ and it is not an option either, therefore we would boot from an ISO then enter an ip (or pre-enter it so there is already filled in an ip?). So tasksequences/deployments
    for servers in DMZ, where are they configured/deployed then? Via console access on DMZ management point or can we deploy on our domain SCCM management point (not in DMZ) and it will be synced to the DMZ management point? Not clear
    Selective sync of software to this distribution point (howto? not sure), we don’t need any Windows 8 software/drivers to be synced.
    Thanks for your input!
    J.
    Jan Hoedt

    No comment;
    I think you mean the client push installation account and the site system installation account;
    More ports are required, see site server > distribution point and distribution point > management point from the provided link;
    The console will always be connected to your primary site server. The client will be pushed from the primary site server and it will provide the initial files. The other files will be downloaded from the local distribution point;
    The task sequence deployment will be just like a normal task sequence deployment. The only difference is the location of the server;
    Only the content that's distributed to the distribution point in the DMZ will be available on that distribution point.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Windows Server 2012 Group Policy Block USB Storage devices @ User Level Not getting applied on a Domain Client machine with Windows Server 2008 R2. Why?

    Hello,
    I have a Windows Server 2012 R2.
    I have configured the Group Policy on it to block the usage of USB - Storage Devices @ user level on the client machines. It works properly for my Windows 7 client machines but it's not working on one of the machine having Windows Server 2008 R2 installed
    on it (this machine is also a domain client in the same domain).
    I will really be thankful if anyone can suggest some solution to this issue.
    Please feel free to write back in-case I have missed anything obvious to be shared.
    Thanks!
    -Vinay Pugalia

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Community Support

  • Windows Server 2008 - Group policy for domain client to start/stop services installed on it

    Hello Experts
    I am a newbie to Windows Server administration, though did a Google, but ended up with these questions with my requirements
    I have created a new domain and 2 client/computer (A & B namely) to domain. Now A & B has tomcat server running with port 8080, 9090 which I have installed domain ADMIN account.
    && now I want to start/stop/restart services enabled for domain users!! How do I achieve this!!
    basic question: How can I access A & B tomcat services on DOMAIN CONTROLLER server to create a GPO and that are on (A & B)
    what is the easiest way to achieve the same (if not using GPO)???
    similarly I am looking for many features: where I want to control the permission to user on (A & B) like: If the binaries of tomcat is available on machine say: A, if the user can install (now it ask for ADMIN credentials)
    Thanks
    Mike~Ed

    Controlling services with Group Policy is done under Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
    The limitation is that system services can only see the services on the computer running the Group Policy management console. To access other services, you will either need to create the services on your computer (install the software that adds the service) or install the remote server administration toolkit (RSAT) on the computer with the service already on it.
    If my answer helped you, check out my blog:
    Deploy Happiness

  • Profiles being reset after windows updates?

    Hi All
    I'm having issues with Outlook 2013 SP1 resetting our users profiles after Windows Updates have been applied. Their profiles are being reset whilst their previous profiles are being renamed to "BACKUP of <profile name>".
    Office 2013 x86 has been deployed via VL Media onto Win7 x64 machines and we are distributing the ImportPRF registry key via GPO (set to Update) in order to customise the profiles on first run. (basic email account and attaching a default PST file)
    It appears that after windows updates are applied outlook is triggering the first run process again and therefore resetting the users profiles back to the standard set in our PRF.
    We used this method to configure Outlook 2010 and for the years of deploying Office 2010 we never had any issues. Can anyone suggest what might be going on here or what might have changed in Office 2013?
    Thanks

    Hi,
    I'm marking the reply as answer as there has been no update for a couple of days.
    If you come back to find it doesn't work for you, please reply to us and unmark the answer.
    Thanks,
    Melon Chen
    Forum Support

  • Delete only 1 Auto-Complete email address for everyone's email accounts - perhaps via Exchange 2010 or Group Policy?

    Hello
    I have an exchange 2010 server and clients use outlook 2007 or 2010 for emails.
    I recently deleted an account with the Exchange 2010 server and created another with the same name but a different address.
    Now people can't send mail to this new email address because it's cached on their outlook profiles... but it does work after they cleared the cache and send their requests then.
    Is there a way that I can clear this one email address from everyone's cached auto-complete list on Exchange or via Group Policy so that it works for all of them? I don't want to clear all of their auto-complete lists.
    Thanks,

    As far as I know, there isn't any way to clear only one auto-complete cache from Exchange side or Group policy.
    Thanks,
    Evan
    Evan Liu
    TechNet Community Support

  • Lenovo G560 cannot get Windows 7 SP1 via Windows Update

    My Lenovo G560 laptop running Windows 7 Home Basic is not getting the option to download Windows 7 SP1 from Windows Update. What could be the problem? Has anyone else experienced this? What is the solution? I have had the laptop for almost two years.

    hi SipoKapumba,
    Do you get any error code(s) after a failed installation of Windows 7 SP1? Chances are, the prerequisites to install Windows 7 SP1 are not installed.
    Can you try to:
    1. Follow this article from Microsoft and this guide in installing Windows 7 SP1 thru Windows Update
    2. If it still fails, try to run Windows 7 SP1 Standalone Installer. (use the windows6.1-KB976932-X64.exe for 64bit machines)
    Hope this helps
