Kaseya Community

Windows 10 - the "patch" is out. Block KB3012973 now!

  • Hi All,

    The full upgrade installer for Windows 10 appears to have been released, and it's coming out as a Windows patch - KB3012973 - and it's a whopping 2.08Gb in size, and is flagged as "Internet Only" meaning every machine will try to download the whole 2Gb over the Internet. Ouch.

    If you don't want Kaseya patch management to upgrade everything to Win10 automatically, you'll need to add this to your KB Override NOW.

    NB: This update is categorized as Software - Optional, so you only need to act swiftly if you auto-approve optional updates....

    Upgrade to Windows 10 Pro
    Update Classification: Update (Optional - Software)
    Knowledge Base Article ID: 3012973
    Product: Windows 7
    Language: Language Neutral
    Patch Name: Internet-based Install Only
    Switches: Not Applicable
    Release Date: 23-Jul-15
    Max Download Size: 2085.1 MB  (2,186,383,612)
    Location ID: 1073250
    Data Source: Microsoft Update Catalog
    Update Identifier: {727bd1f9-92a4-486a-b131-62294c1220bf} - 200
    {00000000-0000-0000-0000-000000000000} - 0
    Install the next version of Windows.
    Recommended System Requirements
    Minimum Disk Space: Unspecified
    Minimum Memory: Unspecified
    Minimum CPU Speed: Unspecified
    Links

    Print | Close

  • Thanks, I have been hoping for something like this but when I browse to the site I get......."this page does not exist" and kaseya doesn't recognise the KB for me

  • Ceejays88,

    You won't see the patch in your VSA until a machine in your environment that needs the patch is scanned.  There's a KB article here describing the patch discovery process:  helpdesk.kaseya.com/.../34399846-Why-can-t-I-see-a-patch-in-my-VSA-that-I-know-has-been-released-by-Microsoft-

    If the patch is not yet visible on your VSA, you can still block it from deployment.  Navigate to Patch Management > KB Override, enter the KB number in question (just the number, not the leading "KB"), and click the Deny button.  You may receive a notification that the KB is not available on the VSA.  Click OK (or Continue).  The patch will be marked as denied.  

    When/if the patch is eventually discovered by your VSA, it will automatically be denied for all machines that are a member of at least one patch policy.  It is important to note that KB Override, by design, only works when machines are a part of patch policy.  If a machine is not a member of at least one patch policy, all missing patches are considered approved.  KB override is ignored for those machines.  This is noted at the top of the KB Override page.

  • Remember too that denying a patch in patch management doesn't prevent windows automatic updates from applying, nor does it prevent a user from manually installing patches. There are other settings in Kaseya to accomplish these things.

  • Further to this, it seems that the patch is only offered to non - domain joined computers so far.

    as this is an optional update, a default WU configuration won't try to download or install it....in any case one hopes that us VSA admins have made the appropriate Kaseya settings long before  this patch arrives :)

  • Thanks Craig for appraising.

    Is this released yet? I don't see anything on support.microsoft.com/.../3012973

  • Yes, it's released -- after all, that's how Kaseya detecte dit to begin with. Users here in Australia  are going nuts installing it. e.g. forums.whirlpool.net.au/forum-replies.cfm

  • And, you may want to read this article before installing Win 10 using "Express" mode:

    krebsonsecurity.com/.../windows-10-shares-your-wi-fi-with-contacts

  • All,

    Microsoft apparently has several patches that are potentially involved with some aspect of the update to Win10.  This information may change/augment in the future, but at the time I'm writing this, there appear to be at least three additional patches.  Admins may want to consider blocking these if you want to prevent systems from updating to Win10:

    KB2990214:  support.microsoft.com/.../2990214

    KB3044374:  support.microsoft.com/.../3044374

    KB3035583:  support.microsoft.com/.../3035583

    The first two are currently available in the MS Update Catalogue and, therefore, potentially visible in the Kaseya VSA (this article describes the patch detection process).  Admins can deny these patches using Patch Policies or admins can deny the KBs using KB Override.

    The third patch, KB3035583, is not currently included in the MS Update Catalogue and, therefore, will not currently be visible within the Kaseya VSA.  KB3035583 leads to a user-facing system tray notification to "Get Windows 10".  If this notification is visible on endpoints, you may be able to disable and/or remove it.  I found several references online.   This article is both informative and relatively straight-forward, but there are several others available, as well.

    Kaseya recommends the Patch Management > Windows Auto Update setting is configured to "Disabled".  Any other setting may allow the local Windows Update Agent to download and install patches, and those non-Kaseya processes will not honor Kaseya patch policies.  Kaseya cannot prevent end users from downloading and executing patches outside of your configured processes.  If this is of concern, admins should find suitable methods to block manual installations, such as denying software install/execution via Group Policy, local security policies, or other similar methods.

    Please be sure to research the patches you are allowing into your environment and allow or block those patches based on your business/client/customer needs.  While we are happy to share general information regarding how to accomplish these goals using Kasyea, each admin should make the decisions and adjust as appropriate for his/her managed environment.  

  • The two new patches (KB2990214 and KB3044374) that are visible from the MS catalog are actual updates for the Windows Update API. It adds the option to upgrade to Windows 10 to Windows Update for Windows 7 and Windows 8.1 systems, but it does not actually upgrade to Windows 10 as this is still optional.

    These updates are also for Server 2008 R2 and Server 2012 R2 and they do not give you the option to upgrade/crossgrade to Windows 10 so there is a good chance that these updates might actually be required to get future updates from Microsoft.

    The only risk I can see for if these updates are installed is if somebody decides to manually run the Windows 10 upgrade via Windows Update which is generally disabled as best practice if you update via Kaseya Patch Management.

    Note that if Windows Update is not disabled via Kaseya the users could manually install these two new patches anyways and get the Windows 10 upgrade option via Windows Update.

    So I'm not sure if blocking these two new updates is the right thing to do...



    typo
    [edited by: HardKnoX at 6:00 PM (GMT -7) on Sep 1, 2015]
  • I have fully tested the patch on two systems and it is NECESSARY. If you have any people using One Drive, OneDrive for Business, especially with SharePoint libraries sync, they MUST HAVE this update. The SharePoint sync libraries was not able to sync prior to this update because of One Drive for Business lack of compatibility with hardened MFA in Office 365. After application of this update, the One Drive functionality with all three desktop apps as well as the Window Store app all works again.

    APPLY the update.

    I have noticed that the update is not available for all systems.