And it's not often that people follow-up on suggestions and assistance when they're the ones who ultimately caused the boo-boo.
Kudos. *ASB **http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker> *Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...* On Thu, Jan 30, 2014 at 4:16 PM, Heaton, Joseph@Wildlife < [email protected]> wrote: > I've actually figured out what happened. > > > > The setting we use is under: Computer Config - Policies - Adminstrative > Templates - System - Internet Communication Management - Internet > Communication Settings. > > > > We enable the setting: Turn off access to all Windows Update features. > > > > That setting makes it so they can't get to the website in any way, and > when they look at Windows Update, the link to Check online for updates > (paraphrasing) is not there. > > What we found here, was that the machines that were affected were getting > their settings from a policy that did NOT have the above configured > (important info...) > > > > > > What happened here: > > > > I'm in the middle of setting up a test domain. Completely separate from > our production environment, no touching. Yesterday, I was configuring > roles in the test domain's SCCM. I was setting up the SUP, and having some > issues getting it to work. So, I opened up the production SCCM and was > comparing settings. I decided to remove the role in test, then remove > WSUS, and start from scratch. Well, you can guess which SCCM console I was > actually in when I removed the SUP role. (Production, in case anyone didn't > catch it). I realized it within seconds, and reinstalled the role, but the > damage was done. SCCM had already sent out the message to everyone that it > was no longer in charge of Windows Updates. So, all the PC's in my > environment (desktops and laptops) went out to Microsoft for updates. The > laptops' GPO had the above setting correct. The workstation GPO did not. > So, a bunch of my workstations had the opportunity to download and install > about 12-15 updates, including IE10 and IE11. > > > > I found a command line, using wusa.exe, that we have thrown into a batch > file, that will quietly uninstall both IE11 and IE10, so that the user is > back to IE9. Only downside is that it does require a reboot, which will > need to be done manually, so that the user doesn't lose anything they're > working on. > > > > So, that's my one major screw up allowed for the year. I still have a > couple minor ones left to use though, lol. Thanks to everyone for the tips > and advice. It's good to know that I was looking where I should have been > for solutions. > > > > Thanks, > > > > Joe > > > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *James Rankin > *Sent:* Thursday, January 30, 2014 10:29 AM > *To:* [email protected] > *Subject:* Re: [NTSysADM] Windows Updates went crazy last night > > > > I had a small business client recently that suddenly jumped to IE11 even > though updates are supposed to be notification only. And then one of their > LOB apps wouldn't work. We had to leverage in a guy from Microsoft who I > got in contact with via Twitter to get them back up and running - it wasn't > a trivial thing. > > > > I'm still trying to work out how the IE11 install was triggered - they > said they didn't do it, but I was starting to doubt them, until your email > came in. > > > > > > On 30 January 2014 18:19, Heaton, Joseph@Wildlife < > [email protected]> wrote: > > They do now, that IE 10 or IE11 has been installed. > > > > Working on creating a package in SCCM to uninstall to get them back to > IE9, which is our standard. > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *James Rankin > *Sent:* Thursday, January 30, 2014 9:42 AM > *To:* [email protected] > *Subject:* Re: [NTSysADM] Windows Updates went crazy last night > > > > They haven't got the "Install Updates automatically" box ticked in IE have > they? > > > > [image: Inline images 1] > > > > On 30 January 2014 17:38, Heaton, Joseph@Wildlife < > [email protected]> wrote: > > We're running SCCM 2012, which manages all updates for our workstations. > It's been working great for well over a year. Users have not been able to > manually install updates, etc. > > > > This morning, I come into the office, and within the space of 15 minutes, > 3 different people contact me saying they were updated to IE 10 or 11 > overnight. Looking at their update history, they actually received quite a > few updates overnight. > > > > I'm the only one here that packages and pushes updates through SCCM. I > did nothing of the sort within the last couple of weeks. I'm trying to > figure out why a large portion of my workstations suddenly decided last > night to go out, download and install Windows Updates. > > > > SCCM - 2012 SP1 CU3 on the server, but most clients are still at base SP1. > > > > Anyone have any ideas? Did anyone else see this type of behavior last > night? > > > > Thanks, > > > > Joe Heaton > > > > > > > -- > > *James Rankin* > --------------------- > RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization > Practice Analyst - Desktop Virtualization > http://appsensebigot.blogspot.co.uk > > > > > -- > > *James Rankin* > --------------------- > RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization > Practice Analyst - Desktop Virtualization > http://appsensebigot.blogspot.co.uk >
<<inline: image001.png>>
