More info on Windows ESUs

Is it just me or does Microsoft continue to confuse the masses of exactly how the “extended security update” program works.  Perhaps the confusion is a vital part in that they want you to have upgraded to Windows 10 four to five years ago.

However, there are many institutions that need to keep their legacy Windows 7 / Server 2008 (R2) machines up to date.  For details on how to keep the update coming, Kurt Mackie gives a thorough breakdown here of what needs to be done as well as what is required to accomplish this task.

Big update release out of nowhere

So is reporting that Microsoft has released over 50 security updates out of the blue aimed that fixing the numerous issues stemming from the previous update cycles.  Needless to say that the last couple of months has been disastrous from a patching perspective.

Check out the details here and let us know what you have been experiencing in the environments you’re managing.

Microsoft Exchange 2010

Interesting announcement from Microsoft in that they stated they will extend the end of support date for Exchange Server 2010 from the original January 14, 2020 date to October 13, 2020.

Microsoft provides this as a reason for extending support for this Server product:

Our commitment to meeting the evolving needs of our customers is as strong as ever, and we recognize discontinuing support for a product that has been as popular and reliable as Exchange Server 2010 can be an adjustment.  We also know that some of you are in the midst of upgrades to a newer version of Exchange Server on-premises, or more transformative migrations to the cloud with Office 365 and Exchange Online. With this in mind, we are extending end of support to October 13th 2020 to give Exchange Server 2010 customers more time to complete their migrations. This extension also aligns with the end of support for Office 2010 and SharePoint Server 2010.

Check out the full Tech Community post on Microsoft’s website here for all the details.

Path to using in-place upgrades for Windows Server OSs

So I believe its safe to assume that all of you Sysadmins out there are as busy as I am with upgrading all of those legacy servers still running 2008 / 2008 R2 in anticipation of the “end of life” (January 14, 2020 to be exact) date soon approaching.

It’s been a heck of a ride thus far but there’s a question that came to mind: Which version of Windows Server are you upgrading to?  2012?  2012 R2?  2016?  2019?

Believe it or not…if you have the time or if it needs to be done out of necessity, Microsoft has published a road map of how to perform in place upgrades (3 to be exact) to get from 2008 (R2 or not) to 2019.

Obviously in a perfect world, you may not want to take this route but if you have no other choice, it may be worth giving this road map (found here) a look!

Also, don’t forget to let us know which version of Windows Server is your final destination… 🙂

New Windows XP and Server 2003 Updates?!?!

So it appears that Microsoft has discovered a “wormable flaw” that could possibly “fuel a fast-moving malware threat” similar to the WannaCry ransomware attacks from a couple years ago.

Apparently the vulnerability directly affects the Remote Desktop Services component that’s part of all of Microsoft’s client and server OSs so needless to say that it’s very important you get the patch in place as soon as possible!

For more details, check out the breakdown here.

How to Generate a Group Policy Report

Depending on the size of your organization, you could have a few Group Policy Objects (GPO) or you could have many.  Sometimes it is very hard to find out why a workstation or server is acting the way it is.  I would say that GPOs are the heart of security in a Windows domain environment.

A nice way to view which policies are being applied to the target Workstation/Server is by generating an .html file that shows all GPOs applied.  The GPRESULT command displays the Resultant Set of Policy (RSoP) information for a remote user and computer.

Open a Command Prompt and type the following:

cd Desktop
GPRESULT /H GPReport.html /f

Now open the file GPReport.html that is present on the desktop.  It should look similar to the image below.

I used to only run this command minus creating the report but realized quickly that it was hard to read and find the relevant info I was looking for.  Ever since finding this a few years back, I can’t imagine going back to the old way!

Step By Step Guide to Enabling “Disk Cleanup Utility”

While the vast majority of the servers present in the environment I work in are running 2012 R2 and 2016, we still have some 2008 R2’s lingering.  One of the features that is noticeably missing is the fact that the Disk Cleanup utility is not present on anything running 2012 or 2008 R2.  Since our local C: drives are reaching capacity and need some cleanup, it was imperative that this feature be installed.  Here’s a simple step by step guide provided by Microsoft on how to get this accomplished…

1. Open The Roles and Features Wizard

To open the Roles and Features Wizard, launch the “Server Manager”:

2. Click on “Add Roles and Features”

3.  Choose installation Type

Choose “Role-based or feature-based installation” to install to the local machine:

4. Click Next all the way to features

Locate “User Interface and Infrastructure”.  Click on “Desktop Experience” and install additional required features:

5.  Proceed with the installation and Reboot

6.  Verify that the Utility is indeed installed

See screen shot below:

7.  Disk Cleanup in Action

Below is a sample snapshot of disk cleanup in action:

Heads up Server Admins…watch out for these updates!

After three years of using System Center Configuration Manager, we are finally leveraging it to manage the security updates for our server collection and a significant part of that task is to ensure that we research as to whether there are any known issues with the updates that may potentially cause issues with our servers.  While browsing online for any problems that may have been documented with the October release of updates, I came across this post from Microsoft regarding three updates to look out for…

Other than that…good luck and Happy Patching!

Security update for Microsoft Exchange Server 2013 and 2016: October 9, 2018
When you try to manually install this security update in “normal mode” (not running the update as an administrator) by double-clicking the update file (.msp), some files are not correctly updated. When this issue occurs, you do not receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update does not correctly stop certain Exchange-related services.
To avoid this issue, run the security update in elevated mode, as an administrator. To do this, right-click the update file, and then click Run as administrator.
This issue does not occur when you install the update from Microsoft Update.

October 9, 2018—KB4462917 (OS Build 14393.2551) – Windows 10, version 1607; Windows Server 2016
After installing this update, installing Window Server 2019 Key Management Service (KMS) host keys (CSVLK) on Window Server 2016 KMS hosts does not work as expected. Microsoft is working on a resolution and will provide an update in an upcoming release.

October 9, 2018—KB4462923 (Monthly Rollup) – Windows 7 Service Pack 1; Windows Server 2008 R2 Service Pack 1
After you apply this update, the network interface controller may stop working on some client software configurations. This occurs because of an issue related to a missing file, oem<number>.inf. The exact problematic configurations are currently unknown.
[1] To locate the network device, launch devmgmt.msc. It may appear under Other Devices.
[2] To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.
Alternatively, install the drivers for the network device by right-clicking the device and choosing Update. Then choose Search automatically for updated driver software or Browse my computer for driver software.