New Microsoft Zero-Day Internet Explorer Vulnerability

It looks like there’s a pretty serious zero day vulnerability that’s currently being exploited.

No word if Microsoft is planning on releasing an out of band patch or waiting until patch Tuesday next week.

Some details and links (including the planned “OpsUSA” attack)

Microsoft FIX IT Utility –

FBI Flash DDOS Scripts

Krebs on Security

Attack information: (adult language)

Publicized Target list:

Posted in Patch Management | Tagged , , , , | Leave a comment

Managing Third Party Updates with System Center Configuration Manager

Patch Management

If you missed Kent Agerlund’s MMS 2013 session, or didn’t make it all … I strongly encourage everyone to check out this webinar scheduled for May 13.

Kent Agerlund is a Microsoft MVP working with Coretech, and widely known as one of the best System Center guys around. 

From the invitation:

Whether you attended MMS 2013 or not, this is a must attend webinar! Get the chance to gain some of the knowledge from MMS 2013, as well as get your questions answered by Kent Agerlund from Coretech, a Microsoft Configuration Manager MVP.During this 45 minute webinar, Kent Agerlund will provide you with tips and tricks to solve the daily challenges around patching your environment with Microsoft and non-Microsoft updates. You will learn how to design and configure a software update solution that will be easy to manage, yet powerful enough to maintain your server and desktop environment. Lastly, he will go through how you can patch 3rd party applications in SCCM and his key learning’s on how to manage common challenges in this area.

About Kent Agerlund, Coretech
Configuration Manager MVP. Microsoft Certified Trainer and Senior Consultant. Kent has been working with SMS since 1997 and as a trainer / consultant since 1992. In addition, he is Co-founder of System Center User Group Denmark in 2009.

Certified MCITP: Enterprise Administrator, MCSA + Messaging, MCT and Technology Specialist in Configuration Manager, MDOP and Windows 2008 R2 and much more.

Member of:
Microsoft Denmark System Center Partner Expert Team , The Danish Technet Influencers program , System Center Influencers Program.

Sign up here
May 13 2013 1:00 pm (CDT)
Posted in Patch Management, SCCM 2012, SCUP 2011 | Tagged , , , | Leave a comment

The countdown: Less Than One Year for XP End of Support!

During MMS 2013 – a theme was reiterated over and over… we’re now down to 1 year of XP support. 

Microsoft will end Extended Support on April 8, 2014.

If you are a Windows 7 migration engineer – that means you will be very busy in the next 12 months converting remaining systems to Windows 7. 

Here’s a few key points from a Microsoft blog that I saw last week at MMS 2013.


  • On April 8, 2014, we will end the extended support for our commercial customers and we will no longer provide security updates for commercial or consumer customers.
  • Simply, it means you should take action to move off of Windows XP. After April 8, 2014, there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. Running Windows XP SP3 and Office 2003 in your environment after their end of support date may expose your company to potential risks, such as:
    • Security & Compliance Risks: Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.
    • Lack of Independent Software Vendor (ISV) & Hardware Manufacturers support: Back in 2011, many independent software vendors (ISVs) were already unlikely to support new versions of applications on Windows XP.

Yes, that’s correct.  NO NEW SECURITY PATCHES AFTER APRIL 2014

Talk about a hackers paradise!

Posted in Patch Management, Windows OS | Leave a comment

Problem Microsoft Security Patch MS13-036

Well, I am back from MMS 2013 just in time to remediate an April Microsoft security patch that’s caused mutiple problems.  The symptons are systems basically failing to boot after loading the patch to random applications not opening and/or crashing.

Right now it looks like Microsoft has pulled the patch until a fix is completed.  In the meantime – you’ll want to disable or remove this patch from SCCM or your software distribution product. 

Here’s the details

Removal Steps for Windows 7

Although the problem only seems to affect Windows 7 – its also available for XP.  Not sure if XP is affected or not. 


Posted in Patch Management, Windows OS | Leave a comment

Enterprise hotfix rollup is available for Windows 7 SP1 and Server 2008 R2 SP1

Some good news in the OSD world – Microsoft has released a 90 patch Windows 7 SP1 rollup update.  This should save some time in deployments if added to your image process.  Some of the things updated are:  From

This hotfix rollup includes the following improvements:

  • Improves the Windows Client Remote File System components. These components include the following:
    • Web-based Distributed Authoring and Versioning (WebDAV)
    • DFSN client
    • Folder Redirection
    • Offline Files and Folders (CSC)
    • SMB client
    • Redirected Drive Buffering Subsystem (RDB)
    • Multiple UNC Provider (MUP)

Also found a good article on rolling this out with SCCM 2012.


Not sure if this is available for SCCM 2007 yet – looking into it.

Posted in Patch Management, SCCM 2007, SCCM 2012, Windows OS | Leave a comment

Java 1.7 Auto-Update Deployment with SCCM/MDT

10/18/2013 Update – From a comment below.  I haven’t tested this as I’ve given up on Java completely. 

I just wanted to leave a note with how i got this working (there was lots of info in this thread but it was hard to find a clear step by step with success).

– Run the Java exe on a test machine, digg out the MSI + files from the %userprofile%\Appdata\…. area
– Create an MST using ORCA, set the update settings to not update etc.
– Create a blank “” file and have the “deployment.expiration.check.enabled=false” inside it.
– Install the MSI + MST
– Copy the to C:\Windows\Sun\Java\deployment
– Launch IE, browse to
– Test the version with the button on the site
– Accept the security prompt (in our org. we are leaving this security level HIGH)
– Wait for any pop-up about an out of date version?
– Open up REGEDIT
– Browse to HKCU\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
– You should see “deployment.expiration.check.enabled” REG_SZ false
– Retest by re-loading the website
– Retest by closing / reopening browser and hitting again
– Log off and on as a new user, repeat test to make sure the HKCU is being populated under the new user.
– Package up
– Have a beer


**Update 7/25/2013**  Sorry all, haven’t been as active with this as I’d like.  Unfortuntely we had to bite the bullet and get everyone upgraded to the latest and greatest.  It does seem that Oracle FINALLY sees this is massive issue and has released some patched versions for this.  Check all of the comments for the download link.  I personally haven’t even looked at the patches yet, so use at your own risk.  Please also look thru all the comments.  There any many different ways to look at resolving this at least temporarily.

 **Update 6/19/2013**  JAVA 7 UPDATE 25 RELEASED.   It appears a path was released for update 21, nothing that I can see for 25 yet.  From the comments

**Update 5/16/2013 **** PLEASE read all comments before implementing this.  Java has yet again changed the game and made the expiration date unavoidable.  There’s a lot of good info for temporary workarounds in the comments.  Key word … TEMPORARY. 


Unfortunately, you need a login on My Oracle Support (MSO). As I don’t have a login I cannot provide you a deep link to this particular patch.

If you have a login, you can sign-in on, click “Patches and Updates”, then search for patch ID 16758419.

BTW: I have applied this interim patch on my PC today and changed the system date to August 10 (which is beyond the expiration date for the official public JRE 1.7.0_21). The infamous update popup did not occur, so the patch seems to work.

Oracle released an interim patch, 16758419, for JRE and JDK 1.7.0_21 (32bit only) with Auto-update Off and Insecure Java Version Message suppressed:

README for 16758419

Patch Details

Bug Number: 16758419

Product Name: Oracle JDK and JRE 1.7.0_21-fcs-b14
with Auto-update Off and Insecure Java Version Message suppressed
– Interim Patch

Platform: Windows-i586


some notes from Joe in the comments …

Got some bad news. If you start messing with your system date and set it to 5/16/13, even if you use the suggestions here of baseline.versions folder instead of files, you’ll get prompted. This all appears to be due to the JRE_EXPIRATION_DATE value that is hard coded to that date in 7.17. I tested it with 7.21 which has the variable set to 7/18/13 and it starts prompting you on 7/18 as expected (I mispoke in my post above 7/18 is correct). So I don’t know of any way to beat this.

I’m using this to push anyone with a JRE related app to demand from the vendor to move away from it. What a joke. 3 billion devices and counting … we’ll see about that Oracle.

Java, I do not like you!


Well, I am sure almost everyone is aware of the (in)famous Java updating mechanism within Java 1.7. 

Here’s the scenario if you haven’t already witnessed the madness with Java 1.7.x.  At the time of this writing, Java 1.7 update 15 was the latest version.  We package it up just like any other version, disabling auto-updates, and everything looks fine.  Then, we fast forward a few months and update 17 comes out.  No big deal, right?  Our package was set to turn Java auto-update off.  I wish it were so.  Once a user hits a webpage that uses Java, they will most likely see the following prompt.  The scary part – you’d never even know this was a problem until it’s too late.  If you deployed the latest version you wouldn’t see any error messages at all.  It’s only when a new version of Java is released that the messages start arriving. 

Your Java version is insecure.  Click Update to install the recommended secure version.  Click Block to stop Java content in your browser or Later to continue and be reminded again later.




Unreal.  So let’s go thru the options here. 

Update:  Since 90% of corporate users are not local admins – that won’t work.  Result:  Service Desk Call

Block:  Block the app from running?  That’s why they are at this webpage to start with.  Result:  Service Desk Call

Later:  Well, this one kind of works.  This will at least get rid of the warning but only bring you to another!  Result:  Service Desk Call

Let’s assume a user clicks “later”  They will then see this additional popup message.  

Do you want to run this application?  Your version of Java is insecure and an application from the location below is requesting permission to run. 

 This particular site is just a Java tester site



 So here’s our new options.

Run:  This will actually run the Java app.  Result:  No Service Desk Call (hopefully)

Update:  Another attempt to update Java to the latest version (remember, Java auto-update is turned off, right??)  Again, no local admin on most corporate machines.  Result:  Service Desk Call

Cancel:  Stops the app from running.  Result:  Service Desk Call


As you can see, sending this to an enterprise-wide distribution is not an option.  This would generate enormous amounts of Service Desk calls and very unhappy users.  This completely blows my mind.  I thought Adobe Flash was bad but now Oracle has topped the list.  I could go on for hours on why Oracle should disable this “feature”.  Until they do, we need a workaround.  Here’s my solution.  Not perfect by any means.  It seems to get rid of *most* of the popups.

You may have to tweak some things depending on your corporate policy/application requirements/etc. 

Remove all older versions of Java (at least 1.7 versions).  My testing with 1.6.x version has been a little strange but I realize application requirement may prevent this from happening. 

  • Verify C:\WINDOWS\sun\java\deployment directory is empty.  If not, have your install script delete this full directory.
  • You need to now create 2 text files, deployment.config and  These files basically replace the command line switches in the java install.  Here are the contents of deployment.config


The top line basically tells the system where your file is located.  For simplicity I just stuck it in the default location but could also reside on the network.  The second line tells the system if this is mandatory.  I don’t know much more about this setting.  Just set it to “true”.

Here are the contents to put into


The key settings above are: 



These settings suppresses the “Later” button so you are never prompted.

This is a big one also.  Still not 100% on this one yet.  The default in the Java install is “HIGH” so I hate to set this lower.  The MEDIUM setting seems to get rid of most of the popups.  The only setting I could find that completely suppresses all warning popup is “LOW” but I can’t imagine security departments allowing this.  May as well stick with the older versions of Java.


This setting suppresses the second popup that warns about running the Java application.  Set to ALWAYS

These 2 files need to be copied to the C:\WINDOWS\sun\java\deployment directory.  Have your script create the directory after you delete it. 

Update 3/8/2013 – NEW STEP

  • Create the folder C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\security before installing Java
  • Create 2 files – baseline.timestamp and baseline.versions

Contents of baseline.timestamp is just a period ( . )

Contents of baseline.versions shows up like this.  I believe this is telling Java what the current version is for each (1.8, 1.7, 1.6, etc).  I figured out that when you are prompted it creates this file and the registry shown below.  It defaults to 1.7.0_17.  I changed that setting to 1.7.0_13 to trick it into thinking its current.   Another option to get this file is to break it intentionally and go edit this file.  Crossing my fingers…. seems to work! 


It also shows up in the registy like this.



To automate this, you’ll need to create a script to walk the directory tree and add this to each users profile.   You can also use group policy which may be a bit easier. 


**Make sure these 2 files are present before installing Java. **

  • Install Java 1.7 with only a /qb or /qn switch.  No need to add any other switches since your files are now in the correct place. 
  • TEST TEST TEST!  Again, this is a far from perfect solution and differences will apply between corporations.  I am not a Java expert by any means – so let’s discuss any other options or repercussions! 

Also, a tip on locking the Java settings after deployment from the comments of Rafal below

Just a comment about config and properties file
if you want to prevent users from changing Java control properties you will need to place .locked on property you are changing in the properties mark
will effectivelly lockout/greyout the setting for the user

Hope this helps!


**Update 4/24***

Well, I managed to blow up my environment when Update 21 was released.  My group policy workaround for the files was set to update, not replace.  So if the files were already there and Java overwrote them, group policy didn’t care and saw it as compliant.  TONS of calls.  Ugh Java.

Read thru all the comments below as there are some other ideas that may work.  I think I may have thrown the white flag up and may just do some extensive end user training.  Just don’t hit the “update” button!!!

This is obviously a HUGE issue.  The blog has seen 25K hits just on this page since written.  Hopefully we can still figure it out eventually


Possible workaround – from Morgan in comments.  Worth trying.  Update 5/17

I created the following until Oracle gets there act together. It’s an AutoIT script that looks for the update window and then selects the ideal combination for the user. You can deploy it in the startup folder for users and there is very little CPU impact. Feel free to use and modify as you like.


CODE HERE—- javafix.txt


Posted in Application Packaging, MDT, Patch Management, SCCM 2007, SCCM 2012 | Tagged , , | 220 Comments

New out of band Microsoft patch for January 2013?

On December 29,  a new zero day vulnerability was announced that exploited IE 6, 7, and 8.  While Windows 7 machines should be safe (unless they’ve downgraded to IE 8) , almost all XP machines will be vulnerable.

Microsoft released a “fix it” tool today that can immediately patch the system.  No word on an out of band patch yet – but it’s definitely possible.



CNET article

Official Microsoft release

I’ll update the post as new information becomes available…..


Posted in Patch Management, Windows OS | Leave a comment