Windows Update

How to use Group Policy to defer Windows Quality and Feature updates

January 21, 2019 by Paulie Leave a Comment

Sometimes feature updates can cause issues with the base operating system or third party applications. This post explains how to defer either Quality updates or Feature updates to Windows 10 or Windows Server 2016 in a domain environment.

Defer Updates with Group Policy

Open Group Policy Editor.
Create and link a new policy or edit an existing one if appropriate.
Navigate to:
- Computer Configuration
- Polices
- Administrative Templates
- Windows Components
- Windows Updates
- Defer Windows Updates

Defer Feature Updates

Feature updates tend to cause more issues than quality updates. Microsoft have an update branch called “Current Branch for Business”. This branch is not deployed until Microsoft considers the feature update safe for enterprise deployment. You can choose this option only, or introduce a further delay if required.

Defer Feature updates as follows:

Double click on “Select when Feature Updates are received”.
Click on “Enabled”.
In the Branch readiness drop down, select “Current Branch for Business”.
Enter the period for which you want to delay the deployment of this update:

Feature updates can be deferred for up to 365 days.

Defer Quality Updates

Quality updates can be deferred for a maximum of 30 days.

Defer Quality updates as follows:

Then double click “Select when Quality Updates are received”.
Click on “Enabled”.
Enter the amount of days that you want to defer for.

It might seem risky to defer quality updates, but there have been many occasions when these have also caused severe problems. I recommend that you have a subset of computers that receive updates first (which do not have these policy settings defined).

A customer using Cyberark EPM on Windows 10 had to defer update 1809, which at the time of writing has compatibility issues.

If you found this post helpful, I’d really appreciate it if you left a rating.

Windows 7 Unable to Access Network Shares

January 10, 2019 by Paulie Leave a Comment

A customer called me this morning unable to access network shares from Windows 7 machines that have been working for years. The error message was:

Windows Cannot Access \\COMPUTERNAME
Check the spelling of the name. Otherwise, there might be a problem with your network.

Image showing "Windows Cannot Access" network share after installing Windows update KB4480970 — Windows 7 machines unable to access network after installing KB4480970

This error is caused by windows update KB4480970

As of right now, you can remove the update or workaround the problem by using an IP address instead of a machine name.

Uninstall KB4480970 to restore access to network shares

The quickest way to uninstall the update is from an elevated command prompt:

wusa /uninstall /kb:4480970 /quiet /warnrestart

Workaround network share problems caused by KB4480970

You can still access the shares with this update installed by using the IP address of the machine name, but this could be very inconvenient. Example:

Instead of \\Machinename\sharename you could use \\192.168.10.10\sharename

Hopefully Microsoft will correct the issue as quickly as possible as this will cause the same problem on Windows 7 and Windows 2008 r2.

Unable to Print to Epson Dot Matrix printers after Windows Updates

November 16, 2017 by Paulie 125 Comments

I received a call from a customer today who was suddenly unable to print to Epson Dot Matrix printers, after a LOT of troubleshooting I figured out that this is due to a Windows update.

Printers I can confirm that are not working after the updates are:

Epson LQ-300
Epson LQ-300+ II
Epson LQ310
Epson LX300
Epson LQ2180
Epson LQ2190
Epson LQ730K

Windows Updates have been issued for Windows 7, 8 and 10 and they are all having the same issue. The updates are:

Windows 7 – KB4048957
Windows 8 – KB4048958
Windows 10 – KB4048952 KB4048953 KB4048954 KB4048955

There may be other updates which I am not aware of yet.

To get your printers working again, the quickest way is to remove the offending update. As you might not be sure which update you have installed. The quickest way is to run the following commands in an elevated command prompt:

wusa /uninstall /kb:4048952 /quiet /warnrestart
wusa /uninstall /kb:4048953 /quiet /warnrestart
wusa /uninstall /kb:4048954 /quiet /warnrestart
wusa /uninstall /kb:4048955 /quiet /warnrestart
wusa /uninstall /kb:4048957 /quiet /warnrestart
wusa /uninstall /kb:4048958 /quiet /warnrestart

Until Microsoft release an updated security patch you can temporarily block the patch using this tool from Microsoft:

Microsoft Patch Blocker

Or if you are using WSUS then you can block the patch from there. This is really a difficult problem to resolve if you don’t realise that the problem is being caused by an update, because you would’t expect an old Dot Matrix printer that has been working fine for years to be impacted by a Microsoft Security Roll-up.

I don’t know if this is happening to other Dot Matrix Printers besides Epson at the moment.

Microsoft have updated the KB articles to acknowledge that these updates are the cause of the problem:

Update 21/11/2017 – Problem has been fixed by Microsoft

Microsoft have now issued an updated patch which will should download automatically via Windows Update, but if you want to grab it manually it can be found here:

https://support.microsoft.com/en-us/help/4055038/november-21-2017-kb4055038

Extremely long delay trying to install msi installer packages

March 18, 2012 by Paulie 10 Comments

A few months back I had a problem with a customers Terminal Server that was caused by the installation of a crappy HP Printer Driver. It actually totally killed the server but after we found the cause and apparently got rid of the suspect driver the server went almost back to normal. I don’t remember the exact details now, it has worked since, but never been quite the same.

A lingering problem with the server has been that installing any program that uses an msi installer would take many hours to make any progress at all, appearing to hang altogether – although task manager still showed the process as active and eventually it would finish (around 12 hours!). Quite a problem as most of the updates from Windows Updates are in MSI format.

I spent many hours trying all sorts of other solutions which made no difference at all. Eventually, by using Process Monitor I was able to figure out what was going on.

It turns out that the HP Print Driver put literally thousands of entries in the windows registry under the Key:

HKEY_CURRENT_USER\Software\Hewlett-Packard

I decided to delete the registry key, but I exported it first. This resulted in the creation of a huge .reg file of 190Mb!

I was initially hopeful that this would solve the problem completely, but soon realised that because this machine is a terminal server that these registry entries also existed in other user profiles. So I went through each profile that also has these entries and deleted them from there also.

Once these horrible registry entries from the HP driver had been completely deleted, MSI installations went back to normal and I was able to install patches normally.

I really hope this helps someone else out there someday, I have pulled my hair out for you, keep yours. 🙂

Windows update automatic e-mail notification

August 27, 2007 by Paulie 44 Comments

This script, will examine the machine it is running on and send an email report of all the windows updates that are available for installation.

The script sends e-mail notifications providing details of which Windows Updates are available for installation. You can choose which of the five patch levels will trigger an e-mail alert:

Critical
Important
Moderate
Low
Unclassified

I would suggest that you at least choose Critical, Important and Unclassified. For some reason Microsoft do not mark all updates with a severity, but the “Unclassified” category seems to contain a lot of what I would consider to be important updates. My thanks to one of the guys that commented for pointing this out.

If there are no outstanding patches at the appropriate alert levels to be installed then the script will quit without sending an e-mail.

The script can be run manually or as a scheduled task. The report includes links to the relevant KB articles and further information made available by Microsoft.

Windows update email notification script configuration

The script is very quick to setup and the most complicated part will likely be your SMTP configuration. At the top of the script you will see a number of variables:

Windows Update Alert Levels

First of all you should configure what severity of Windows update will trigger an email alert. These range from critical to low. Setting each value to 1 or 0 will enable or disable alerts for that category. As mentioned above some updates do not have any severity assigned. These seem to be things like Windows Defender definitions or updates to the malicious software removal tool.

I would recommend at least having Critical, Import and and Unclassified set to 1.

Configure email settings

Next you need to configure your SMTP settings:

If you leave the SMTP server empty, the script will attempt to use the local machine to send the email. I suspect most people will use an internal or external relay, so configure it as per your environment. You can use SMTP over SSL by setting the SMTP_UseSSL variable to 1.

Testing Windows Updates Notification Emails

Download the Script:
Windows Update Email Notification Script
Extract the contents to a folder on your server and then setup the variables to suit your preferences and environment
Test the script
1. Go into a command prompt
2. Change directory to the location where you saved the script.
3. Run:
  cscript winupdates.vbs
4. Check your email

Once you are happy that the script is reporting correctly, setup a Windows Scheduled Task to do this automatically. Assuming an installation directory of “c:\scripts” the scheduled task command should look something like this:

C:\WINDOWS\system32\cscript.exe c:\scripts\winupdates.vbs

The script uses the Windows Update Agent API Com interface, which is quite interesting in itself.

Sample Email Configurations

EmailFrom 		= "[email protected]"
EmailTo 		= "[email protected]"
'If SMTP Server is left empty it will try to use the local SMTP Server without auth
SMTP_Server		= "smtp.office365.com"
SMTP_Port		= "25"
SMTP_User		= "[email protected]"
SMTP_Pass		= "YourOffice365Password"
'Set this variable to 1 to enable SMTP over SSL
SMTP_UseSSL 	= "1"

EmailFrom 		= "[email protected]"
EmailTo 		= "[email protected]"
'If SMTP Server is left empty it will try to use the local SMTP Server without auth
SMTP_Server		= "smtp.gmail.com"
SMTP_Port		= "465"
SMTP_User		= "[email protected]"
SMTP_Pass		= "gmailPassword"
'Set this variable to 1 to enable SMTP over SSL
SMTP_UseSSL 	= "1"

EmailFrom 		= "[email protected]"
EmailTo 		= "[email protected]"
'If SMTP Server is left empty it will try to use the local SMTP Server without auth
SMTP_Server		= "192.168.250.249"
SMTP_Port		= "25"
SMTP_User		= ""
SMTP_Pass		= ""
'Set this variable to 1 to enable SMTP over SSL
SMTP_UseSSL 	= "0"

I originally wrote this script in 2007 and noticed a lot of people were still downloading and using it. So this evening (December 2019), while my wife was at her work Christmas party I decided to see if it still worked and address some of the points made in the comments. I didn’t have a huge amount of time to spend on it, but found time to clean up the code a bit, enhanced the email options and added the functionality to include updates that do not have any severity assigned. It was tested by me on Windows 2008, 2012, 2016 and 2019 and they all worked!

I am glad people are still fining it useful more than 10 years after I wrote the original version!