Based on some literature published from Microsoft, Internet Explorer 9 will be classified as an Update Roll-up, available for Windows 7, Windows Vista and Windows Server 2008 / 2008 R2.
From http://technet.microsoft.com/en-us/ie/gg615599:
Microsoft will release the Windows Internet Explorer 9 Installation and Availability update to Windows Server Update Services (WSUS) marked as an Update Rollup package. If you have configured WSUS to "auto-approve" Update Rollup packages (this is not the default configuration), Windows Internet Explorer 9 will be automatically approved for installation and consequently, you may want to take the actions below to manage how and when this update is installed.
Since Kaseya uses Microsoft's update catalog, you'll see this same "Update Roll-up" Category in Kaseya.
You can set this category to either Pending Approval or Deny today and ensure that IE9 is not automatically deployed to your customers by Kaseya's Patch Management, without the requirement to approve or deny an individual KB number (unlike some other "patch management" solutions):
I have seen IE updates also classified under "Update (Optional)", and it is pretty common to also have that category set to Pending Approval or Deny.
For an end-user with their local Windows Auto update settings still enabled, IE9 come in as an Important (and NOT optional!) update that Microsoft will recommend they install.
Anyone using Kaseya for Patch Management can easily control whether or not an agent has Windows Auto Update enabled or not, easily turning it off from Kaseya:
You'll also see Microsoft has created an "Internet Explorer Blocker Toolkit", though this isn't really relevant if you are disabling end-user Windows Auto Updates. The only thing this tool does is re-classify the IE9 update from Important to Optional for the end-user and it doesn't prevent them from manually downloading it.
This will still not prevent an end-user from manually hitting the Windows Download Center and downloading IE9, so if you really want to ensure nobody does this, you can use Application blocker to block the user from running the following EXE's
From http://technet.microsoft.com/en-us/library/gg699422.aspx
Windows Vista
x86
IE9-WindowsVista-x86-ENU.exe
Windows Vista x64 Edition
x64
IE9-WindowsVista-x64-ENU.exe
Windows 7
IE9-Windows7-x86-ENU.exe
Windows 7 x64 Edition
IE9-Windows7-x64-ENU.exe
Windows Server 2008 R2
Windows Server 2008 R2 x64 edition
I've never gone as far as to actually block a patch with Application blocker, but you at least have the option.
Whenever you are ready to approve IE9 for deployment if you had it's category set to Deny or Pending Approval when it was detected by Kaseya, you just need to approve the update by clicking the appropriate patch category, selecting the patch, and clicking 'Approve':
I have a Patch Filter set here to narrow down the number of updates listed.
Make sure you check 'Show Details' to see exactly what the patch does:
I have heard that IE9 is supposed to be available via Windows Updates and the general Windows Update catalog today, though none of my machines seem to have picked it up yet.
If you are looking at this thread and not using Patch Management in Kaseya yet, I recommend you check a video I made on it :)
http://community.kaseya.com/resources/m/mediagallery/1572.aspx
Thanks for this Ben, was asked about it last week and you reminded me that I need to do something about it.
Question, Microsoft has a "Internet Explorer 9 Blocker Toolkit" that essentially just adds a registry entry, will this still block IE9 from being deployed by Kaseya Patch management?
www.microsoft.com/.../details.aspx
I'm in the process of scripting this now, so would appreciate your advice :)
[rant]
Argh! Why did Microsoft make separate installers for Server 2008 and Server 2008 R2?!
[/rant]
Just looking into a IE9 deployment script and if the "DoNotAllowIE90" registry key works
So to answer my own question the "Internet Explorer 9 Blocker Toolkit" only appears to block Microsoft Automatic updates, manual installation still works and I suspect Updates done via Kaseya is the same as a manual installation
Yep. You will need to use application blocker I guess if you want to ensure nobody is able to install it :)
The IE9 blocker tool / registry key just re-classifies the update from Important to Optional as well based on what I read, it doesn't hide it.
Some news on this...
www.infoworld.com/.../false-alarm-windows-update-not-pushing-out-ie9-290
No obvious ETA from Microsoft on when IE9 will be pushed via Windows Updates.
Right now, the only people who would even see it with their local Windows Automatic update process are those who had previously installed the Beta or Release Candidate of IE9.
It is being pushed as of last night thru Windows Update
Very annoying, I created a "Deny Policy" a few months ago and since then Windows 7 x64 received 2 more IE9 installation packages each with the same KB article number but each with their own unique update GUID. As Kaseya Patch policies uses the update GUID's to to keep track of the patches, twice I had IE9 install on systems that should not have received these updates.
I have logged a ticket with support but as usual their 1st level support guys have no idea what I'm going on about and now want's to look at my Deny policy.
@Ben is there any possibility that Patch Management will get improved to allow you to deny patches by KB article number instead of the GUID?
So okay just got schooled by John from Kaseya Support.
Another alternate option exist that will block IE9 by it's KB number (982861) instead of the GUID. There is the KB Override option under "Patch Policy". The down side of this method is that it is global, meaning this will deny the update for all agents, however you can still see the update and manually push it out.
Hopefully they will incorporate this KB Override function into the policies instead of making it a global setting.