Channel: Butsch.ch - Client Management

Internet Explorer 10 / 11 IE warning, GPO, Gruppenrichtlinien (Group Policy)


Error or pop-up in IE10/IE11

German dialog text (translated):

You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the Web.

English dialog text:

You are about to view pages over a secure connection.

https://social.technet.microsoft.com/Forums/en-US/65e8f915-6300-4367-8aa5-626539a62240/disable-ie-10-11-security-alert-popup-w-group-policy?forum=winserverGP

This does not seem to be possible with a GPO setting or with any ADM/ADMX template from Microsoft. You need to deploy an HKCU registry value per user.

Change these two values from 1 to 0 per user (HKCU):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

  WarnOnIntranet      REG_DWORD  0
  WarnonZoneCrossing  REG_DWORD  0

0 = ZERO = DO NOT SHOW WARNING

Integrate that into a GPO.

Make sure you have a WMI filter so you only catch IE11 on clients:

See our blog for information on how to do that.
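As an added example (not code from the original post): a PowerShell script that reports, and with -Apply sets, the two HKCU values above for the current user, but only when the installed Internet Explorer is version 10 or 11, which mirrors the intent of the WMI filter. The iexplore.exe path and the -Apply switch are my assumptions.

```powershell
# Added example, not from the original post. Reports and optionally sets the two
# per-user IE warning values for the current user (HKCU), only if the installed
# Internet Explorer is version 10 or 11. Assumptions: default iexplore.exe path,
# and the -Apply switch is my own convention (without it nothing is written).
param([switch]$Apply)

$iePath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
$regKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$values = 'WarnOnIntranet', 'WarnonZoneCrossing'   # REG_DWORD, 0 = do not show warning

function Get-IeMajorVersion {
    # File version of iexplore.exe; the post's WMI filter restricts the GPO to IE11 the same way.
    if (-not (Test-Path -LiteralPath $iePath)) { return $null }
    return (Get-Item -LiteralPath $iePath).VersionInfo.FileMajorPart
}

$major = Get-IeMajorVersion
if ($major -notin @(10, 11)) {
    Write-Host "Internet Explorer major version '$major' is not 10 or 11, nothing to do."
    return
}

# The key normally exists for every profile; create it if a fresh profile lacks it.
if (-not (Test-Path -LiteralPath $regKey)) { New-Item -Path $regKey -Force | Out-Null }

foreach ($name in $values) {
    $current = (Get-ItemProperty -LiteralPath $regKey -Name $name -ErrorAction SilentlyContinue).$name
    $shown = if ($null -eq $current) { '(not set)' } else { $current }
    Write-Host ("{0,-20} current = {1}" -f $name, $shown)

    if ($Apply -and $current -ne 0) {
        # Creates the value if missing, otherwise overwrites it; DWORD as in the post.
        Set-ItemProperty -LiteralPath $regKey -Name $name -Value 0 -Type DWord
        Write-Host ("{0,-20} set to 0" -f $name)
    }
}
```

Run it without -Apply first to see the current state; as a logon script it runs in the user's context, which is what the HKCU values need.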

 

 

 

 

 


How to identify WSUS/Windows Patches installed on a W7 in Batch with WMI


You often can't do this file-based any more, as you could in XP, unless you know which files or registry keys have changed, but then you would have to capture an install and review it. You need a little knowledge of WMI and the right classes (just the name) to do this.

http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx

The Win32_QuickFixEngineering WMI class represents a small system-wide update, commonly referred to as a quick-fix engineering (QFE) update, applied to the current operating system. Starting with Windows Vista, this class returns only the updates supplied by Component Based Servicing (CBS). These updates are not listed in the registry. Updates supplied by Microsoft Windows Installer (MSI) or the Windows update site (http://update.microsoft.com) are not returned by Win32_QuickFixEngineering.

Here are some tools we use to get the info we need.

How to find a WMI class when you see it on Technet (how to browse it):

Download WMI Explorer 2.0

You can SEARCH for classes and see where they are located and how to query them:

SELECT * FROM Win32_QuickFixEngineering

SELECT * FROM Win32_QuickFixEngineering where HotFixID = 'KB2729094'

Test the query with the Paessler WMI Tester

Selection in a deployment system that uses WMI queries (like FrontRange) or in Windows GPO:

  1. You could make a WMI GPO filter that selects the computers which have the patch
  2. Then uninstall the patch with GPO

SELECT * FROM Win32_QuickFixEngineering where HotFixID = 'KB2984972'

Or use the query in an Enteo FrontRange script.

Search for the patch in batch (find is case-sensitive and the HotFixID column is upper case, so use /I when you type the KB in lower case):

c:\windows\system32\wbem\wmic.exe qfe | find /I "kb2559392"
c:\windows\system32\wbem\wmic.exe qfe | find /I "KB2860142"
c:\windows\system32\wbem\wmic.exe qfe | find /I "kb2871803"

Gets all the info (the whole QFE row)

c:\windows\system32\wbem\wmic.exe qfe GET HOTFIXID | find "KB2984972"

Only shows the KB

Uninstall the patch:

wusa /uninstall /kb:2949927 /quiet /norestart
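As an added example (not code from the original post): the same Win32_QuickFixEngineering lookup as the wmic/WQL queries above, done in PowerShell for a whole list of KBs, returning which are present and which are not. The KB list is a constructed sample taken from the KBs mentioned in this post; Get-CimInstance needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: check a list of KBs against
# Win32_QuickFixEngineering the same way the wmic/WQL queries in the post do.
function Test-KbInstalled {
    param([Parameter(Mandatory)][string[]]$KbList)

    # One WQL query per KB, matching the post's "where HotFixID = 'KBnnnnnnn'" form.
    # HotFixID values are stored in upper case, so normalise the input first.
    foreach ($kb in $KbList) {
        $id = $kb.Trim().ToUpper()
        if ($id -notmatch '^KB\d+$') { throw "Not a KB id: $kb" }
        $hit = Get-CimInstance -ClassName Win32_QuickFixEngineering -Filter "HotFixID = '$id'"
        [pscustomobject]@{
            HotFixID    = $id
            Installed   = [bool]$hit
            InstalledOn = $hit.InstalledOn    # $null when not found
            Description = $hit.Description
        }
    }
}

# Constructed sample: the KBs mentioned in this post, in mixed case on purpose.
$kbs = 'KB2729094', 'kb2559392', 'KB2860142', 'kb2871803', 'KB2984972'
$result = Test-KbInstalled -KbList $kbs
$result | Format-Table -AutoSize

# Caveat from the MSDN text quoted above: updates delivered by MSI or from the
# Windows Update site are not in this class, so "not found" here means
# "not installed via CBS", not necessarily "not installed".
$missing = ($result | Where-Object { -not $_.Installed }).HotFixID
if ($missing) { Write-Warning ("Not found via QFE: " + ($missing -join ', ')) }
```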

 

Please see our post for a list of WMI hotfixes for Windows 7 (delay, slow boot because of WMI, slow GPO because of WMI, WMI request crash or timeout, etc.):

http://www.butsch.ch/post/W7-64BIT-WMI-Hotfixes-do-date-post-SP1.aspx

IE11 IEAK 11 Setup 9 PRE Deployment Patches + 1 Hotfix


Internet Explorer 11 Setup with IEAK11 for Deployment

We have seen several postings on Social MSDN and also on deployment blogs from people struggling with the IEAK setup of IE11, or rather with the 9 prerequisite patches the IE 10/11 setup needs.

Technet http://support.microsoft.com/kb/2847882 describes the updates that have to be installed before you can install IE11 silently.

Error source 1: setup tries to fetch updates in the background and fails because of the proxy

If these are not on the machine, the setup will try to fetch them from the internet. Because the "computer account" (not the user) mostly has no proxy information, this will fail. I will not show you how to change that here; the target should be to have all files ready from the deployment.

Error source 2: reboot or WMI update for patches after installing the prerequisite patches

If you install the 9 patches with a batch or script you should:

a) Reboot the client, which makes it a reboot-and-advance package that some deployment systems can't handle

b) Solution> Rebuild the patch inventory with "c:\windows\system32\wbem\wmic.exe qfe" (does not work as of 19.03.2015)

The IEAK 11 version from March 2015 actually checks the version of the files as they are in place. So no patches are checked to decide whether additional updates are downloaded. Thus the reboot may be needed if in-use files are present.

> THUS the only working solution as of March 2015 is a 3-step package:

1) Install pre-deployment patches (reboot)

2) Install IEAK (reboot)

3) Install post-deployment patches (may need reboot)

 

00:01.841: INFO:    Version Check for (KB2834140) of C:\Windows\System32\d3d11.dll: 6.1.7601.17514 >= 6.2.9200.16570 (False)
00:01.841: WARNING: Checking version for C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll.  The file does not exist.
00:01.841: INFO:    Version Check for (KB2639308) of C:\Windows\System32\Ntoskrnl.exe: 6.1.7601.17803 >= 6.1.7601.17727 (True)
00:01.841: INFO:    Version Check for (KB2533623) of C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll: 6.1.7600.16385 >= 6.1.7601.17617 (False)
00:01.841: INFO:    Version Check for (KB2731771) of C:\Windows\System32\conhost.exe: 6.1.7601.17514 >= 6.1.7601.17888 (False)
00:01.841: INFO:    Checking for correct version of C:\Windows\Fonts\segoeui.ttf.
00:01.856: INFO:    Version Check for (KB2786081) of C:\Windows\System32\taskhost.exe: 6.1.7601.17514 >= 6.1.7601.18010 (False)
00:01.856: INFO:    Version Check for (KB2888049) of C:\Windows\System32\drivers\tcpip.sys: 6.1.7601.17514 >= 6.1.7601.18254 (False)
00:01.856: INFO:    Version Check for (KB2882822) of C:\Windows\System32\tdh.dll: 6.1.7600.16385 >= 6.1.7601.18247 (False)
00:02.621: INFO:    Download for KB2834140 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=303935 -> KB2834140_amd64.MSU.
00:02.636: INFO:    Download for KB2533623 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=254722 -> KB2533623_amd64.MSU.
00:02.636: INFO:    Download for KB2731771 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=258387 -> KB2731771_amd64.CAB.
00:02.636: INFO:    Download for KB2786081 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=273751 -> KB2786081_amd64.CAB.
00:02.652: INFO:    Download for KB2888049 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=324542 -> KB2888049_amd64.MSU.
00:02.668: INFO:    Download for KB2882822 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=324541 -> KB2882822_amd64.MSU.

 

Error source 3

KB2670838, blurry fonts patch

KB2898202, hotfix for the blurry fonts patch

If you take a closer look at the patches in KB2847882 you will see that they want to install the "blurry fonts patch / KB2670838", which caused a lot of trouble a few months ago. On most WSUS servers it is declined. However, IE11 needs that patch. Even worse, if you UNINSTALL the blurry fonts patch, IE will get fully uninstalled.

Solution is to install KB2670838 and then KB2898202, the hotfix.

Thanks to Karen HU from Pactera/China for pointing us in that direction.

https://social.technet.microsoft.com/Forums/de-DE/0bb37a16-f8a3-4648-897e-6a1a5986a437/not-wanted-fonts-patch-kb2670838-and-ieak11-silent-last-status?forum=ieitprocurrentver

Here is how a failed log file looks for the IE11 setup, c:\windows\IE11_main.log:

01:52.679: ERROR:   WMI query for Hotfixes timed out. Query string: 'Select HotFixID from Win32_QuickFixEngineering WHERE HotFixID="KB2729094"'  Error: 0x00040004 (262148).
01:52.711: INFO:    Download for KB2729094 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=258385 -> KB2729094_amd64.MSU.
01:52.726: INFO:    Waiting for 1 prerequisite downloads.
02:23.880: INFO:    Prerequisite download processes have completed. Starting Installation of 1 prerequisites.
02:23.880: ERROR:   Error downloading prerequisite file (KB2729094): 0x800b0109 (2148204809)
02:24.098: INFO:    PauseOrResumeAUThread: Successfully resumed Automatic Updates.
02:24.114: INFO:    Setup exit code: 0x00009C47 (40007) - Required updates failed to download.
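
As an added example (not code from the original post): a PowerShell parser for IE11_main.log that pulls out the failed prerequisite version checks, the downloads the setup attempted and the ERROR lines, so you can see which of the 9 pre-patches were missing without reading the whole log. The sample input is constructed from the log excerpts in this post; the function name and the column names are my own.

```powershell
# Added example, not from the original post: summarise an IE11_main.log.
function Get-Ie11SetupSummary {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $failedChecks = @()
    $downloads    = @()
    $errorLines   = @()
    $exitCode     = $null

    foreach ($line in $LogLines) {
        switch -Regex ($line) {
            # "Version Check for (KBnnnnnnn) of <file>: <have> >= <need> (False)"
            'Version Check for \((KB\d+)\) of (.+?): (\S+) >= (\S+) \(False\)' {
                $failedChecks += [pscustomobject]@{
                    KB   = $matches[1]
                    File = $matches[2]
                    Have = $matches[3]
                    Need = $matches[4]
                }
            }
            # Each missing prerequisite triggers a download attempt (fails without proxy)
            'Download for (KB\d+) initiated' { $downloads += $matches[1] }
            'ERROR:\s+(.+)$'                  { $errorLines += $matches[1] }
            'Setup exit code: 0x[0-9A-Fa-f]+ \((\d+)\)' { $exitCode = [int]$matches[1] }
        }
    }

    [pscustomobject]@{
        FailedChecks = $failedChecks
        Downloads    = @($downloads | Select-Object -Unique)
        Errors       = $errorLines
        ExitCode     = $exitCode
    }
}

# Constructed sample built from the excerpts in this post. A real run would use
# Get-Content 'C:\Windows\IE11_main.log' instead.
$sample = @(
 '00:01.841: INFO:    Version Check for (KB2834140) of C:\Windows\System32\d3d11.dll: 6.1.7601.17514 >= 6.2.9200.16570 (False)'
 '00:01.841: INFO:    Version Check for (KB2639308) of C:\Windows\System32\Ntoskrnl.exe: 6.1.7601.17803 >= 6.1.7601.17727 (True)'
 '00:01.856: INFO:    Version Check for (KB2786081) of C:\Windows\System32\taskhost.exe: 6.1.7601.17514 >= 6.1.7601.18010 (False)'
 '00:02.621: INFO:    Download for KB2834140 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=303935 -> KB2834140_amd64.MSU.'
 '01:52.679: ERROR:   WMI query for Hotfixes timed out. Query string: ''Select HotFixID from Win32_QuickFixEngineering WHERE HotFixID="KB2729094"''  Error: 0x00040004 (262148).'
 '02:23.880: ERROR:   Error downloading prerequisite file (KB2729094): 0x800b0109 (2148204809)'
 '02:24.114: INFO:    Setup exit code: 0x00009C47 (40007) - Required updates failed to download.'
)

$summary = Get-Ie11SetupSummary -LogLines $sample
$summary.FailedChecks | Format-Table -AutoSize
"Downloads attempted: $($summary.Downloads -join ', ')"
"Errors:"
$summary.Errors | ForEach-Object { "  $_" }
"Exit code: $($summary.ExitCode)"
```

A non-empty FailedChecks list before you even start the deployment tells you which prerequisite files are still at the old version, which is the reboot problem described under error source 2.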

 

 

Here is a list of binaries:

| # | KB | Required (normal IE11 download)? | Binary available | Link |
|---|---|---|---|---|
| 1 | KB2834140 | YES, MANDATORY | Windows6.1-KB2834140-v2-x64.msu | |
| 2 | KB2670838 | YES, note: if UNINSTALLED, IE11 is removed too | Windows6.1-KB2670838-x64.msu | http://support.microsoft.com/kb/2670838/en-us (see notes below) |
| HOT | KB2898202 | YES, HOTFIX for the blurry fonts patch | Windows6.1-KB2898202-x64.msu | http://support.microsoft.com/kb/2898202 |
| 3 | KB2639308 | YES, BUT OPTIONAL | Windows6.1-KB2639308-x64.msu | http://www.microsoft.com/de-de/download/confirmation.aspx?id=28902 |
| 4 | KB2533623 | YES, MANDATORY | Windows6.1-KB2533623-x64.msu | |
| 5 | KB2731771 | YES, MANDATORY | Windows6.1-KB2731771-x64.msu | |
| 6 | KB2729094 | YES, MANDATORY | Windows6.1-KB2729094-v2-x64.msu | |
| 7 | KB2786081 | YES, MANDATORY | Windows6.1-KB2786081-x64.msu | |
| 8 | KB2888049 | YES, BUT OPTIONAL | Windows6.1-KB2888049-x64.msu | http://www.microsoft.com/de-de/download/confirmation.aspx?id=40611 |
| 9 | KB2882822 | YES, BUT OPTIONAL | Windows6.1-KB2882822-x64.msu | http://www.microsoft.com/de-de/download/details.aspx?id=40500 |

Notes on KB2670838: SOLUTION is the second hotfix, http://support.microsoft.com/kb/2898202. Also note https://support.microsoft.com/de-de/kb/2834140 and possibly install it after the 838 (bluescreen with Intel VGA).

Uninstall described with IE10 but also valid for IE11

 

 


W7 64-bit, WMI hotfixes to date, post SP1


 

WMI hotfixes to date 29.07.2015

During IE11 projects we have seen problems with some WMI and WUSA.EXE KB installations. It sometimes seems that the WMI provider that offers that info hangs or is out of date; even with some commands to refresh it, it's stuck. This is a list of hotfixes we found in that direction, for existing Windows 7 64-bit deployments with SP1.

IE11 patch info:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

YES = installs on W7 SP1 64-bit with all updates from WSUS to date 29.07.2015

NO = does not install on the same system

001 (YES)
https://support.microsoft.com/en-us/kb/2705357
2705357
Windows6.1-KB2705357-v2-x64.msu

002 (YES)
http://support.microsoft.com/kb/2692929
2692929
Windows6.1-KB2692929-x64.msu

003 (YES, but choose 2617858)
Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7
http://support.microsoft.com/kb/2465990
2465990 > SUPERSEDED > replaced by > 2617858 (https://support.microsoft.com/en-us/kb/2617858)
2465990 > Windows6.1-KB2465990-v3-x64.msu (older)
2617858 > Windows6.1-KB2617858-x64.msu (newer, supersedes the old one)

004 (YES)
https://support.microsoft.com/en-us/kb/2492536
2492536
Windows6.1-KB2492536-x64.msu

005 (NO)
https://support.microsoft.com/en-us/kb/982293
982293
Windows6.1-KB982293-x64.msu

 

 

 

Windows 10 corporate support, Mcafee VSE and WSUS status 05.08.2015


 

Windows 10, WSUS integration

If you already support Server 2012 R2 and 8.1 and have their updates on the WSUS, you will see the new categories straight away.

Windows 10, McAfee VSE 8.8 with Patch 6, which should be released 26 August 2015

https://kc.mcafee.com/corporate/index?page=content&id=KB51111

https://community.mcafee.com/community/business/blog/2015/08/02/windows-10-support-updates

 

| Product Version | Product Build | Release Notes | Known Issues | Release Date | EOL Date | Comments |
|---|---|---|---|---|---|---|
| VSE 8.8 Patch 6 (under development) | TBD | TBD | TBD | Target July 30, 2015 for private release; target Aug 26, 2015 for full release | n/a | Adds support for the Windows 10 platform. NOTE: Patch 6 is currently available in managed release. To obtain the patch and participate in the managed release program, contact your Support Account Manager. |

 

Microsoft February 2016 Patchday, Upgrade to Windows 10 Patches


 

  • An RDP patch will do two reboots (this is normal)
  • DENY KB3114717 for Office 2013, it makes WinWord 2013 slow (problem patch)
  • The Windows 10 update packages have now appeared in WSUS (W7 product)

These updates have come to WSUS customers even when the W10 product was chosen. They appear under the W7 product category.

Ransomware Switzerland: McAfee TIE Threat Intelligence Exchange in use


Ransomware Switzerland (Schweiz, Suisse): solutions.

Intelligent "black/white-listing" technology, e.g. McAfee TIE, is currently the only solution besides ATD sandboxes to get ransomware/extortion trojans under control (http://www.mcafee.com/de/products/threat-intelligence-exchange.aspx). Everything else is tinkering, and you only chase the problems instead of solving them.

The proof of concept is meant to show how McAfee TIE detects unknown files, and to show that directories we exclude in the antivirus module VSE 8.x are not touched by TIE. These exclusions ALSO apply to the TIE module.

Proof of concept with a test file which we modify

We take an executable, e.g. Superscan.exe, and open it to modify it.

We change some irrelevant things in the EXE with a hex editor and save it under the new name TIE_superscan.exe (hex editor e.g. http://hxd-hex-editor.soft32.com). Simply change the text part "not be run in DOS".

The software superscan.exe is not present in McAfee TIE (although Foundstone was bought by McAfee/Intel ;-). However, about 75-80% of all binaries are present in the GTI/TIE database (average Windows 7 64-bit client with about 80 applications, Switzerland).

Test client (virtual), exclusions in VSE (normal antivirus)

The folder c:\Geheim_geheim is excluded because otherwise e.g. the Internet Explorer IEAK9/11 setups, but also other software, cause problems during setup. Drivers for installing the OS itself are also located there. This folder is not scanned because it only contains 100% trusted files. The user has no write permissions there.

Not visible in McAfee TIE because it is in c:\geheim_geheim

Update McAfee > force sending the info to ePO

Copy the file to c:\temp and execute it

Directory not excluded in VSE > therefore TIE scans it too

Alarm on the client and the file is blocked when opened.

Immediately visible in McAfee ePO TIE, even WITHOUT forcing the Framework Agent

New file unknown and rating 50 > THEREFORE blocked

The other values used to classify the reputation have not been determined yet. Since it is an installer, it is also weighted differently.

GTI (McAfee P2P/cloud database) does not know the file yet:

Adjusting the reputation

We adjust the reputation of the file because we know this file and have scanned it with the TIE plugin for VIRUSTOTAL.COM. This can be done automatically with a click on a button!

After changing the reputation from "Unknown" to "File Known Trusted", PLUS additionally renaming the EXE (TIE_superscan.exe to superscan.exe), the file is executed. For TIE to classify the binary intelligently, it must be present in the company for a longer time and in several versions, OR the TIE/GTI cloud knows it.

Display in the McAfee ePO console (Enforcement Events)

McAfee ePO console, dashboard

More links from us:

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

http://www.butsch.ch/post/Ransomware-Versions-who-spread-in-network-and-attack-locked-files-from-SQL-Servers-coming-up.aspx

 

GPO: WSUS Patches June 2016 disabled security filtered GPO


Important change for all GPO admins | Change in the way GPOs are applied and filtered.

The Windows Updates of JUNE 2016 bring a change in how a GPO (Gruppenrichtlinie) should be filtered to Active Directory security groups. You can no longer JUST remove "Authenticated Users" and add a security group under Security Filtering. The policy will not be pulled (applied), because Microsoft has changed the concept.

German (translated):

GPOs that are filtered to user groups no longer work after installing the patches if Authenticated Users or Domain Computers does NOT have Read under Delegation.

June 2016 patches:

KB 3163018

KB 314913

KB 3159398

https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP

http://www.gruppenrichtlinien.de/artikel/sicherheitsfilterung-neu-erfunden-ms16-072-patchday-14062016/

This is a normal policy which is not affected by the patches:

Please make a backup of your GPO before changing anything.

Here you see one where we removed "Authenticated Users" ("Authentifizierte Benutzer"), and this needs to get corrected. Leave it as IT IS under Security Filtering; the place to change it is under Delegation.

First, how NOT to do it (> this would make the POLICY apply for all!)

Correct way to make it June 2016 Patchday compatible

Make a backup of the GPO before you even think about changing it!

PowerShell as listed by Stepan Kokhanovskiy on Social MSDN

I changed this to a READ-only and LIST-only version so you can check first whether you have SUCH GPOs:

```powershell
# Read-only version: lists the GPOs where neither "Authenticated Users" nor
# "Domain Computers" has a permission entry. Nothing is changed.
Import-Module GroupPolicy
$DebugPreference = 'Continue'

Write-Debug "Get list of the all group policy objects in the domain."
$AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

Write-Debug "Select group policies for permissions changing."
$ProcessGpo = foreach ($Gpo in $AllGpo)
{
    Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

    Write-Debug "Get permission for the `"Authenticated Users`" group."
    $AuthUsersPermission = $Gpo | Get-GPPermissions -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue

    Write-Debug "Get permission for the `"Domain Computers`" group."
    $DomainComputersPermission = $Gpo | Get-GPPermissions -TargetName 'Domain Computers' -TargetType Group -ErrorAction SilentlyContinue

    if (-not ($AuthUsersPermission -or $DomainComputersPermission))
    {
        Write-Debug "No permissions found."
        $Gpo   # collected into $ProcessGpo
    }
    else
    {
        Write-Debug "Permissions found. Skip group policy."
    }
}

if ($ProcessGpo)
{
    Write-Debug "List of the selected group polices."
    $ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

    Write-Debug "Change permissions for the selected group polices."
    foreach ($Gpo in $ProcessGpo)
    {
        try
        {
            Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."
            # Read-only version: the GPO is only written to the output here,
            # no Set-GPPermissions call.
            $Gpo
        }
        catch
        {
            $_ | Write-Error
        }
    }
}
else
{
    Write-Debug "No group policy found."
}
```

 

Above: the version which will only LIST / report (nur lesen).

Below: the version which will change / correct (Aenderung).

Change version from the posting on Social MSDN, adapted to a German Active Directory with "Domänencomputer":

```powershell
# Change version: adds "Read" for the German "Domänencomputer" group on every GPO
# where neither "Authenticated Users" nor "Domain Computers" has a permission entry.
Import-Module GroupPolicy
$DebugPreference = 'Continue'

Write-Debug "Get list of the all group policy objects in the domain."
$AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

Write-Debug "Select group policies for permissions changing."
$ProcessGpo = foreach ($Gpo in $AllGpo)
{
    Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

    Write-Debug "Get permission for the `"Authenticated Users`" group."
    $AuthUsersPermission = $Gpo | Get-GPPermissions -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue

    Write-Debug "Get permission for the `"Domain Computers`" group."
    $DomainComputersPermission = $Gpo | Get-GPPermissions -TargetName 'Domain Computers' -TargetType Group -ErrorAction SilentlyContinue

    if (-not ($AuthUsersPermission -or $DomainComputersPermission))
    {
        Write-Debug "No permissions found."
        $Gpo   # collected into $ProcessGpo
    }
    else
    {
        Write-Debug "Permissions found. Skip group policy."
    }
}

if ($ProcessGpo)
{
    Write-Debug "List of the selected group polices."
    $ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

    Write-Debug "Change permissions for the selected group polices."
    foreach ($Gpo in $ProcessGpo)
    {
        try
        {
            Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

            # German AD: the group is called "Domänencomputer"; GpoRead is enough,
            # the policy must not be applied to the computers, only readable.
            Write-Debug "Add the `"Read`" permission for the `"Domänencomputer`" group."
            Set-GPPermissions -Guid $Gpo.Id -PermissionLevel GpoRead -TargetName 'Domänencomputer' -TargetType Group -ErrorAction Stop | Out-Null
            Write-Debug "Permissions changed successful."

            $Gpo
        }
        catch
        {
            $_ | Write-Error
        }
    }
}
else
{
    Write-Debug "No group policy found."
}
```
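
As an added example (not from the original post and not Stepan Kokhanovskiy's script): the two scripts above look the groups up by display name, which differs between an English ("Domain Computers") and a German ("Domänencomputer") domain. This read-only check reads each GPO's ACL through GetSecurityInfo() and tests by well-known SID instead (S-1-5-11 for Authenticated Users, the domain SID plus -515 for Domain Computers), so it works in either language. It assumes the GroupPolicy and ActiveDirectory modules are installed; the function name is my own.

```powershell
# Added example, not from the original post: language-independent check for the
# June 2016 (MS16-072) read requirement, by SID rather than by group name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoMissingReadAccess {
    $domainSid       = (Get-ADDomain).DomainSID.Value
    $domainComputers = "$domainSid-515"          # well-known RID of Domain Computers
    $authenticated   = 'S-1-5-11'                # Authenticated Users
    # Any of these levels includes Read on the GPO.
    $readLevels      = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in (Get-GPO -All | Sort-Object DisplayName)) {
        # GPPermissionCollection: one entry per trustee with its permission level.
        $acl = $gpo.GetSecurityInfo()
        $ok = $acl | Where-Object {
            (-not $_.Denied) -and
            ($_.Trustee.Sid.Value -in @($authenticated, $domainComputers)) -and
            ($_.Permission.ToString() -in $readLevels)
        }
        if (-not $ok) {
            # Neither group can read this GPO: after the June 2016 patches it no
            # longer applies to anybody. Report it; the fix is the script above.
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Trustees    = ($acl | ForEach-Object { $_.Trustee.Name }) -join ', '
            }
        }
    }
}

Get-GpoMissingReadAccess | Format-Table -AutoSize
```

Run this after the change script as well: an empty result means every GPO is readable by one of the two groups, regardless of how they are named in the console.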

 


Ransomware: High rate dropbox attack Switzerland 24-25.08.2016 to Healthcare


Malware (Fortiguard name): JS/Nemucod.ARH!tr

We have seen a high rate of 50-100 attachments per customer, with correct e-mail addresses, with ransomware sent out from:

no-reply@dropbox.com

Fortiguard and McAfee did detect it around 12:30 on 24.08.2016, BUT not before.

The URLs listed in the e-mail content were already listed at that time. The e-mail contains a link from a "Commerzbank" hosted on a Dropbox account.

The second wave contains an attachment rechnung.zip

Raw log from FortiMail:

```text
2850,"2016-08-24","12:38:53","Virus Signature","Reject",,"no-reply@dropbox.com","customer01@butsch.ch","Ihre Mahnung vom 23.08.2016","u7OAcqI9021476-u7OAcqIB021476","f3.81.b6.static.xlhost.com [207.182.129.243]","192.168.1.5",17405,"in","mta","0:3:3","butsch.ch","JS/Nemucod.ARH!tr","OK","0200021477",,"statistics"
2855,"2016-08-24","12:35:31","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAZU4S021464-u7OAZU4U021464","133-53-143-63.static.reverse.lstn.net [63.143.53.133]","192.168.1.5",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021465",,"statistics"
"2856,""2016-08-24"",""12:34:24"",""FortiGuard AntiSpam-IP"",""Reject"",,""no-reply@dropbox.com"",""customer01@butsch.ch"",""=?windows-1251?B?RGVubmlzIExlbmcgaGF0IGRpZSBTYW1tbHVu?=    =?windows-1251?B?ZyCEUmVjaG51bmcuemlwkyBmdXIgU2llIGZy?=    =?windows-1251?B?ZWlnZWdlYmVuLg==?="",""u7OAYNrr021457-u7OAYNrt021457"",""6-219-63-74.static.reverse.lstn.net [74.63.219.6]"",""192.168.1.5"",6997,""in"",""mta"",""0:3:3"",""butsch.ch"",,""FORGED"",""0200021458"",,""statistics"""
2857,"2016-08-24","12:34:09","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAY8wv021455-u7OAY8wx021455","131-53-143-63.static.reverse.lstn.net [63.143.53.131]","192.168.1.5",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021456",,"statistics"
"2859,""2016-08-24"",""12:33:14"",""Not Spam"",""Accept"",,""no-reply@dropbox.com"",""customer01@butsch.ch"",""=?windows-1251?B?V2lsbGlhbSBCZXJyeSBoYXQgZGllIFNhbW1s?=    =?windows-1251?B?dW5nIIRSZWNobnVuZy56aXCTIGZ1ciBTaWUg?=    =?windows-1251?B?ZnJlaWdlZ2ViZW4u?="",""u7OAXC7Y021443-u7OAXC7c021443"",""f5.81.b6.static.xlhost.com [207.182.129.245]"",""192.168.1.5"",7035,""in"",""mta"",""0:3:3"",""butsch.ch"",,""OK"",""0200021444"",,""statistics"""
```

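As an added example (not code from the original post): a PowerShell parser for the FortiMail statistics rows above, which turns them into objects and shows per sender and classifier what was rejected, delayed and accepted. FortiMail exports these rows without a header, so the column names are my assumption from the values in the post; the sample input is constructed from two of the post's own rows, with the long encoded subject of the second one shortened.

```powershell
# Added example, not from the original post: parse FortiMail statistics log rows.
# Column names are assumed from the values in the post (no header in the export).
$fortiMailHeader = 'Id','Date','Time','Classifier','Disposition','Unused1','From','To',
                   'Subject','SessionId','ClientHost','ServerIp','Size','Direction',
                   'Service','Policy','Domain','Virus','Status','MessageId','Unused2','Type'

function ConvertFrom-FortiMailLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $l = $line.Trim()
        # Some exported rows are wrapped in an extra pair of quotes with every inner
        # quote doubled (rows 2856 and 2859 in the post); unwrap those first.
        if ($l.StartsWith('"') -and $l.EndsWith('"') -and $l.Contains('""')) {
            $l = $l.Substring(1, $l.Length - 2).Replace('""', '"')
        }
        $l | ConvertFrom-Csv -Header $fortiMailHeader
    }
}

# Constructed sample: rows 2850 and 2859 from the post (subject of 2859 shortened).
$raw = @(
 '2850,"2016-08-24","12:38:53","Virus Signature","Reject",,"no-reply@dropbox.com","customer01@butsch.ch","Ihre Mahnung vom 23.08.2016","u7OAcqI9021476-u7OAcqIB021476","f3.81.b6.static.xlhost.com [207.182.129.243]","192.168.1.5",17405,"in","mta","0:3:3","butsch.ch","JS/Nemucod.ARH!tr","OK","0200021477",,"statistics"'
 '"2859,""2016-08-24"",""12:33:14"",""Not Spam"",""Accept"",,""no-reply@dropbox.com"",""customer01@butsch.ch"",""=?windows-1251?B?V2lsbGlhbSBCZXJyeSBoYXQgZGllIFNhbW1s?="",""u7OAXC7Y021443-u7OAXC7c021443"",""f5.81.b6.static.xlhost.com [207.182.129.245]"",""192.168.1.5"",7035,""in"",""mta"",""0:3:3"",""butsch.ch"",,""OK"",""0200021444"",,""statistics"""'
)
$events = ConvertFrom-FortiMailLog -Lines $raw

# What did each classifier decide for mail claiming to come from the Dropbox address?
$events | Group-Object From, Classifier, Disposition |
    Select-Object Count, Name | Format-Table -AutoSize

# The gap the post describes: same sender and same relay network, one row rejected
# by signature at 12:38, one accepted as "Not Spam" five minutes earlier.
$events | Where-Object { $_.From -like '*@dropbox.com' -and $_.Disposition -eq 'Accept' } |
    Select-Object Time, ClientHost, Subject, MessageId | Format-Table -AutoSize
```

Feeding the full export through the same function and filtering on Disposition = Accept for the spoofed sender gives the list of messages that reached mailboxes before the signature existed, which is what you need for the cleanup.
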
Intel/Migration McAfee ePO VSE 8.8 to Endpoint 10.X: first look and tips


Migration McAfee VSE 8.8 to Endpoint Security 10.x: first look

Put together by Butsch from all the presentations online, channel presentations and first lab dives with 10.x

Current release is McAfee Endpoint Security 10.2

Most things will be cleaner (some things will be merged)

HIPS

As an example, 4 OLD VSE 8.8 policies are merged into 1 "ON ACCESS SCAN policy"

New here:

NEW: Workstation and Server are NO longer possible in the same policy (dropdown)

  1. Migrate the workstations automatically
  2. After that, the servers MANUALLY (or both manually)
  3. You will have to separate "Workstation" and "Server" in the GUI under an OU (I hope you do that anyway above 100+ endpoints!) (or use TAGs for policies)

NEW: You will have to do a separate POLICY for "Workstation" and "Servers"

Some things do not work anymore: old exclusions with **\WILDCARDS without DRIVE LETTER > no longer work in ENS 10.x

There is a remark in the Migration Wizard that will tell you again!

What you need before you even think of starting

  • Basis for the update: existing environments
  • Base it on the existing customer environment running ePO

There is a special migration help tool which you can install

You can select which policies to migrate and change policies during migration

 

 

Quiz questions from Butsch

When can I do what?

Is there any risk for my environment?

Is the migration safe?

Before the 10.1 PACKAGE is deployed NOTHING will happen to the CLIENTS. You can migrate the POLICIES BEFORE and THEN at the end deploy VSE 10.

As soon as YOU deploy the VSE 10.1 package, the client-side migration begins. As with a regular Patch 8 for VSE or a 7.5 to 8 migration, you TEST DEPLOY to a few clients for a week or a few days and THEN you can deploy (migrate) the other clients. All other clients will KEEP pulling the VSE 8.x POLICIES.

Question: We just want virus protection; we don't want HIPS or SiteAdvisor because we have other clients like FortiClient or Windows Firewall.

  • There are still 3 parts and modules
  • You can DEPLOY them with separate deployment jobs
  • Only what you deploy gets on the client, so unlike with other endpoints you don't have 75% of the client's parts unused because they are already integrated with other brands

 

 

 

 

 

 

 

See more Infos:

https://www.youtube.com/watch?v=H4vUFnhaHro

https://community.mcafee.com/docs/DOC-8364

https://community.mcafee.com/docs/DOC-8364#jive_content_id_VIDEO__Migrating_from_McAfee_VirusScan_Enterprise_88_to_McAfee_Endpoint_Security

 
