Tachytelic.net

Windows Update

Reboot loop on Windows 2012 caused by KB4532920

by 13 Comments

There have been a number of reports that KB4532920 is causing endless reboots loops on Windows Server 2012. One of my customers experienced this today. This update was released on December 10th 2019.

This is a servicing stack update which improves the updates process on Windows, ironic that installing it puts the server into an endless reboot loop!

I was able to work around the problem by booting into safe mode with command prompt and then issuing the command:

shutdown /r /t 1

The problem was that I was unable to access safe mode because by default the F8 boot options are disabled on Windows Server 2012.

To access safe mode in Windows Server 2012

  • Boot from the Windows Server ISO.
  • Choose “Repair your computer” from the main installation dialog:
    Image showing Windows Server Setup Repair computer option
  • On the next screen choose “Troubleshoot”.
  • Then choose command prompt.
  • At the command prompt enter these commands:
    • bcdedit /set {bootmgr} displaybootmenu yes
    • bcdedit /set {bootmgr} timeout 10

Now reboot the machine and you should be able to access the boot options. Boot into safe mode and login as normal. At the command prompt you can just reboot the machine again. This particular machine required another reboot before it came up normally. But the update did show as having been installed:

Image showing KB4532920 installed successfully. The update which caused a reboot loop.

These unexpected problems really waste a lot of time, but thankfully it was not too difficult to fix.

How to use Group Policy to defer Windows Quality and Feature updates

by Leave a Comment

Sometimes feature updates can cause issues with the base operating system or third party applications. This post explains how to defer either Quality updates or Feature updates to Windows 10 or Windows Server 2016 in a domain environment.

Defer Updates with Group Policy

  1. Open Group Policy Editor.
  2. Create and link a new policy or edit an existing one if appropriate.
  3. Navigate to:
    • Computer Configuration
    • Polices
    • Administrative Templates
    • Windows Components
    • Windows Updates
    • Defer Windows Updates
      Image showing group policy settings to defer Windows Quality and Feature updates

Defer Feature Updates

Feature updates tend to cause more issues than quality updates. Microsoft have an update branch called “Current Branch for Business”. This branch is not deployed until Microsoft considers the feature update safe for enterprise deployment. You can choose this option only, or introduce a further delay if required.

Defer Feature updates as follows:

  1. Double click on “Select when Feature Updates are received”.
  2. Click on “Enabled”.
  3. In the Branch readiness drop down, select “Current Branch for Business”.
  4. Enter the period for which you want to delay the deployment of this update:Image showing how to defer Windows Feature updates
Feature updates can be deferred for up to 365 days.

Defer Quality Updates

Quality updates can be deferred for a maximum of 30 days.

Defer Quality updates as follows:

  1. Then double click “Select when Quality Updates are received”.
  2. Click on “Enabled”.
  3. Enter the amount of days that you want to defer for.

It might seem risky to defer quality updates, but there have been many occasions when these have also caused severe problems. I recommend that you have a subset of computers that receive updates first (which do not have these policy settings defined).

A customer using Cyberark EPM on Windows 10 had to defer update 1809, which at the time of writing has compatibility issues.

Windows 7 Unable to Access Network Shares

by Leave a Comment

A customer called me this morning unable to access network shares from Windows 7 machines that have been working for years. The error message was:

Windows Cannot Access \\COMPUTERNAME
Check the spelling of the name. Otherwise, there might be a problem with your network.

Image showing "Windows Cannot Access" network share after installing Windows update KB4480970
Windows 7 machines unable to access network after installing KB4480970

This error is caused by windows update KB4480970

As of right now, you can remove the update or workaround the problem by using an IP address instead of a machine name.

Uninstall KB4480970 to restore access to network shares

The quickest way to uninstall the update is from an elevated command prompt:

wusa /uninstall /kb:4480970 /quiet /warnrestart

Workaround network share problems caused by KB4480970

You can still access the shares with this update installed by using the IP address of the machine name, but this could be very inconvenient. Example:

Instead of \\Machinename\sharename you could use \\192.168.10.10\sharename

Hopefully Microsoft will correct the issue as quickly as possible as this will cause the same problem on Windows 7 and Windows 2008 r2.

 

Unable to Print to Epson Dot Matrix printers after Windows Updates

by 126 Comments

I received a call from a customer today who was suddenly unable to print to Epson Dot Matrix printers, after a LOT of troubleshooting I figured out that this is due to a Windows update.

Printers I can confirm that are not working after the updates are:

  • Epson LQ-300
  • Epson LQ-300+ II
  • Epson LQ310
  • Epson LX300
  • Epson LQ2180
  • Epson LQ2190
  • Epson LQ730K

Windows Updates have been issued for Windows 7, 8 and 10 and they are all having the same issue. The updates are:

There may be other updates which I am not aware of yet.

To get your printers working again, the quickest way is to remove the offending update. As you might not be sure which update you have installed. The quickest way is to run the following commands in an elevated command prompt:

wusa /uninstall /kb:4048952 /quiet /warnrestart
wusa /uninstall /kb:4048953 /quiet /warnrestart
wusa /uninstall /kb:4048954 /quiet /warnrestart
wusa /uninstall /kb:4048955 /quiet /warnrestart
wusa /uninstall /kb:4048957 /quiet /warnrestart
wusa /uninstall /kb:4048958 /quiet /warnrestart

Until Microsoft release an updated security patch you can temporarily block the patch using this tool from Microsoft:

Microsoft Patch Blocker

Or if you are using WSUS then you can block the patch from there. This is really a difficult problem to resolve if you don’t realise that the problem is being caused by an update, because you wouldn’t expect an old Dot Matrix printer that has been working fine for years to be impacted by a Microsoft Security Roll-up.

I don’t know if this is happening to other Dot Matrix Printers besides Epson at the moment.

Microsoft have updated the KB articles to acknowledge that these updates are the cause of the problem:

Microsoft confirmation of problems with Epson Printers after installing November 2017 security roll-up patches.

Update 21/11/2017 – Problem has been fixed by Microsoft

Microsoft have now issued an updated patch which will should download automatically via Windows Update, but if you want to grab it manually it can be found here:

https://support.microsoft.com/en-us/help/4055038/november-21-2017-kb4055038

Windows update automatic e-mail notification

by 53 Comments

This script, will examine the machine it is running on and send an email report of all the windows updates that are available for installation.

The script sends e-mail notifications providing details of which Windows Updates are available for installation.  You can choose which of the five patch levels will trigger an e-mail alert:

  • Critical
  • Important
  • Moderate
  • Low
  • Unclassified

I would suggest that you at least choose Critical, Important and Unclassified. For some reason Microsoft do not mark all updates with a severity, but the “Unclassified” category seems to contain a lot of what I would consider to be important updates. My thanks to one of the guys that commented for pointing this out.

If there are no outstanding patches at the appropriate alert levels to be installed then the script will quit without sending an e-mail.

The script can be run manually or as a scheduled task. The report includes links to the relevant KB articles and further information made available by Microsoft.

Image showing Windows Update Email Notification

Windows update email notification script configuration

The script is very quick to setup and the most complicated part will likely be your SMTP configuration. At the top of the script you will see a number of variables:

Windows Update Alert Levels

First of all you should configure what severity of Windows update will trigger an email alert. These range from critical to low. Setting each value to 1 or 0 will enable or disable alerts for that category. As mentioned above some updates do not have any severity assigned. These seem to be things like Windows Defender definitions or updates to the malicious software removal tool.

I would recommend at least having Critical, Import and and Unclassified set to 1.

Configure email settings

Next you need to configure your SMTP settings:
Image showing SMTP Configuration for Windows Update Notifications

If you leave the SMTP server empty, the script will attempt to use the local machine to send the email. I suspect most people will use an internal or external relay, so configure it as per your environment. You can use SMTP over SSL by setting the SMTP_UseSSL variable to 1.

Testing Windows Updates Notification Emails

  1. Download the Script:
    Windows Update Email Notification Script
  2. Extract the contents to a folder on your server and then setup the variables to suit your preferences and environment
  3. Test the script
    1. Go into a command prompt
    2. Change directory to the location where you saved the script.
    3. Run:
      cscript winupdates.vbs
    4. Check your email

Once you are happy that the script is reporting correctly, setup a Windows Scheduled Task to do this automatically. Assuming an installation directory of “c:\scripts” the scheduled task command should look something like this:

C:\WINDOWS\system32\cscript.exe c:\scripts\winupdates.vbs

The script uses the Windows Update Agent API Com interface, which is quite interesting in itself.

Sample Email Configurations

EmailFrom 		= "[email protected]"
EmailTo 		= "[email protected]"
'If SMTP Server is left empty it will try to use the local SMTP Server without auth
SMTP_Server		= "smtp.office365.com"
SMTP_Port		= "25"
SMTP_User		= "[email protected]"
SMTP_Pass		= "YourOffice365Password"
'Set this variable to 1 to enable SMTP over SSL
SMTP_UseSSL 	= "1"
EmailFrom 		= "[email protected]"
EmailTo 		= "[email protected]"
'If SMTP Server is left empty it will try to use the local SMTP Server without auth
SMTP_Server		= "smtp.gmail.com"
SMTP_Port		= "465"
SMTP_User		= "[email protected]"
SMTP_Pass		= "gmailPassword"
'Set this variable to 1 to enable SMTP over SSL
SMTP_UseSSL 	= "1"
EmailFrom 		= "[email protected]"
EmailTo 		= "[email protected]"
'If SMTP Server is left empty it will try to use the local SMTP Server without auth
SMTP_Server		= "192.168.250.249"
SMTP_Port		= "25"
SMTP_User		= ""
SMTP_Pass		= ""
'Set this variable to 1 to enable SMTP over SSL
SMTP_UseSSL 	= "0"

I originally wrote this script in 2007 and noticed a lot of people were still downloading and using it. So this evening (December 2019), while my wife was at her work Christmas party I decided to see if it still worked and address some of the points made in the comments. I didn’t have a huge amount of time to spend on it, but found time to clean up the code a bit, enhanced the email options and added the functionality to include updates that do not have any severity assigned. It was tested by me on Windows 2008, 2012, 2016 and 2019 and they all worked!

I am glad people are still fining it useful more than 10 years after I wrote the original version!