-
-
-
…but with how messy patches have been this first quarter of the year it does add to issues.”
Fair enough. What used to be a few minutes a month (checking for Patch Tuesday issues before installing on Friday) has this year become a non-trivial part of my work most weeks.
@GeekDiver, did patching your server(s) fix your issue?1 user thanked author for this post.
-
Short answer is that consumers can probably ignore it unless you need to connect to unpatched servers. The patch was included in a slew of updates in March: see the CVE article to locate your OS and the corresponding patch number:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886
-
I don’t know where the original @GeekDiver post is so don’t know the context. I suspect unpatched servers and/or clients.
This is a planned tightening of security over three months. As promised, the May update changed the default to Mitigated. You can use group policy or registry to change it back to Vulnerable until you get your systems patched. Susan gave a heads-up on this in March: https://www.askwoody.com/2018/patch-lady-tracking-some-post-release-issues/:
“Initially in March, they are rolling out the new protocol. Later in April they will make it so that an error message will occur when you attempt to remote from a patched machine to an unpatched machine, and then later in May (tentative at this time) the default will be to enforce that remoting from a patched machine to an unpatched machine will not work.”
I hate it when Microsoft releases bugs that affect millions. In this case, I think Microsoft deserves credit for FIXING a security bug with a careful, documented, multi-month rollout of a mitigation.
7 users thanked author for this post.
-
Susan et. al. – with 1803, once you have the group policy settings or the registry equivalents, do you see “Some settings are managed by your organization” and the link to “View configured update policies”?
I blogged in February about using group policy to manage Win10 updates, and posted the equivalent registry changes for a sample setup. Sure like being able to confirm the changes in the GUI, though.
https://www.mcbsys.com/blog/2018/02/managing-windows-10-updates-using-group-policy/
-
On Windows 7 machines, are you using any software, such as GWX Control Panel, to prevent Windows 10 installation?
I’d forgotten about that, but yes, all Win7 machines, including those that WSUS is offering to upgrade, include two registry values, created as follows:
REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx /v DisableGwx /t REG_DWORD /d 1 /f
REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v DisableOSUpgrade /t REG_DWORD /d 1 /f1 user thanked author for this post.
-
Whoa! Any indication that it’s free? In other words, that you’ll end up with a”genuine” copy?
No; in fact, there is a popup that requires me to agree to a license. See the screen shots in this post: https://www.askwoody.com/forums/topic/how-to-really-truly-block-the-pushed-upgrade-to-the-next-version-of-windows-10-version-1803/#post-183036. Still confusing–how can an upgrade to a genuine license, offered by Microsoft-supplied WSUS software, not be genuine?
1 user thanked author for this post.
-
In a small Windows 7-only environment, the upgrade to Win10 1803 was just offered through WSUS for four Win7 machines. Three are Win7 Enterprise with expired Software Assurance (I’ve seen this before). One is Win7 Pro. Another Win7 Pro machine shows that the upgrade is “not applicable.” I wonder how WSUS determines that a machine is eligible for the (free?) Win10 upgrade.
1 user thanked author for this post.
-
I think I managed to hide this on Win10 Home:
1. Run the Show or Hide Troubleshooter (https://support.microsoft.com/en-us/help/3183922). Choose to hide updates. The feature update does not appear.
2. Go to Settings > Update and Security > Windows Update. Click Check for updates. The feature update will appear and start preparation.
3. Run the Show or Hide Troubleshooter again. This time the feature update is listed. Hide it.
4. Turn off the network (I turned on Airplane Mode). The feature update continues “Preparing to install.” (I tried rebooting at this point but after the reboot, it just continued “Preparing to install”.) Eventually it changes to “Awaiting download.”
5. Turn on the network. Windows starts Checking for updates again. The feature update is no longer listed and does not download.
Bottom line: you can’t hide it until it detects that it should install, but after that, hiding it does seem to work. The feature update does not have a KB number but it does have an Update ID: {bd352700-9e34-4bed-9827-280d92737ef9}. It’s currently at Revision 1. If that is updated, you may have to re-hide it.
-
Extensive documentation on multiple methods here:
https://www.tenforums.com/tutorials/6815-set-network-location-private-public-windows-10-a.html
Seems like I used the “Make this PC Discoverable” option recently.
2 users thanked author for this post.
-
-
-
-
I only have one customer with Enterprise licenses, a small non-profit that gets those licenses through TechSoup. Wanted to post a screen shot but that’s confusing: when I create a WSUS view listing Windows 7 Upgrades, it actually looks like WSUS offered Windows 10 1607 and 1703 to both Pro and Enterprise, then 1709 was offered without being specific to the Windows edition.
I temporarily moved the last 3012973 upgrade from Declined to Not Approved and pushed through detection on three computers. On Windows 7 Home Premium and Windows 7 Pro, the Status is “Not Applicable,” so it wouldn’t install even if I approved it. On Windows 7 Enterprise, the status is “Not Installed,” indicating that it would install if I approved it. So it’s reproducible in this environment.
Will have to watch what happens when 1803 comes down the chute.
Author
