Sininu
Jan 8, 2014

KillHour posted:

GPO doesn't stop the creator's update. I've had that disabled for 6 months without a problem until last week when it installed that update ANYWAYS overnight and broke the software in front of my customer. :saddowns:

I literally want to render windows completely incapable of updating in any way shape or form, even intentionally because I absolutely cannot afford to have that happen again. My VP had to talk the VP of sales down off a ledge because he wanted my head on a pike. I will remove half of the Windows folder if I have to in order to do it.



How will those customers use the software if the Windows updates will be forced on them as well?


KillHour
Oct 28, 2007


I've escalated a high priority ticket with QA to find the bug and fix it so customers won't be affected. But at the end of the day, I have to have a successful demo/training even if there are "problems" and I absolutely cannot afford surprises. In a real site, however, most of our customers are on a domain where they can stop this stuff from happening. That's not an option for me.

Doctor_Fruitbat
Jun 2, 2013


I'm also on Pro and connected to a domain via a proxy server, which controls all updates. I'm still on the first creators update. I know it's not your fault so I don't mean to seem like I'm getting at you, but unless VMWare works differently to a regular desktop then I'm still not understanding why updates can't be blocked by properly managed policies and OS image.

Squatch Ambassador
Nov 12, 2008


KillHour posted:

GPO doesn't stop the creator's update. I've had that disabled for 6 months without a problem until last week when it installed that update ANYWAYS overnight and broke the software in front of my customer. :saddowns:

I literally want to render windows completely incapable of updating in any way shape or form, even intentionally because I absolutely cannot afford to have that happen again. My VP had to talk the VP of sales down off a ledge because he wanted my head on a pike. I will remove half of the Windows folder if I have to in order to do it.

You can keep the Windows Update Service (wuauserv) disabled, then enable it when you want to install updates.

E: quickest way to do that is from an elevated Powershell window:

Stop-service wuauserv
Set-service 'wuauserv' -StartupType Disabled

Then to enable it again:
Set-service 'wuauserv' -StartupType Automatic
Start-service wuauserv

Squatch Ambassador fucked around with this message at 18:31 on Mar 15, 2018

KillHour
Oct 28, 2007


Doctor_Fruitbat posted:

I'm also on Pro and connected to a domain via a proxy server, which controls all updates. I'm still on the first creators update. I know its not your fault so I don't mean to seem like I'm getting at you, but unless VMWare works differently to a regular desktop then I'm still not understanding why updates can't be blocked by properly managed policies and OS image.

You can but I don't have time to redesign my entire environment like that. You'd be shocked at how complicated all this is. During class, I have as many as 60 running VMs, 13 complete environments, 14 VLANs and a SAN. I've lost track of all the network services I have running - DNS, DHCP, NAT, WAN failover, OSPF.... All of this needs to be able to be unpacked from a box and set up in about 2 hours, normally on a customer's network that may require me to use their DNS servers or might be all wireless or who knows what else. I teach 3 different software packages, soon to be 4, and they all have to work in the same environment. I'm the only one who knows how ANY of this works and I've been told I have to "make some scripts so we can hire people that aren't as technical as you and it should just work." Also I'm nearly always traveling and I go directly from one site to the next and have MAYBE 3-4 days a month where I can actually work on the system and I can't afford to break anything I can't fix in time for the next class. No, I'm not particularly interested in adding the complexity of a domain even if that is the "right" way to do this. Maybe in the far future, but I have class on Monday so I need a fix now.

Hungry Computer posted:

You can keep the Windows Update Service (wuauserv) disabled, then enable it when you want to install updates.

E: quickest way to do that is from an elevated Powershell window:

Stop-service wuauserv
Set-service 'wuauserv' -StartupType Disabled

Then to enable it again:
Set-service 'wuauserv' -StartupType Automatic
Start-service wuauserv

The Fall Creators Edition doesn't use that service, I'm pretty sure. I'll check.

KillHour fucked around with this message at 18:35 on Mar 15, 2018

Squatch Ambassador
Nov 12, 2008

It's there, I tested the commands on my 1709 machine before posting it. If you open the Services menu it'll be listed as Windows Update.

KillHour
Oct 28, 2007


Hungry Computer posted:

It's there, I tested the commands on my 1709 machine before posting it. If you open the Services menu it'll be listed as Windows Update.

It's not that the service doesn't exist, it's that the update to 1709 (the one that causes the problem) doesn't need that service. I ran the commands and it's still trying to update after a reboot.

Edit: And I checked the services pane and Windows Update is disabled and not running. It's something else that's forcing this to happen.

KillHour fucked around with this message at 18:43 on Mar 15, 2018

KillHour
Oct 28, 2007


Hahaha holy poo poo. I stopped Windows from accessing the Windows/UpdateAssistant folder via permissions and it made a Windows/UpdateAssistantV2 folder instead! This thing is like a loving virus.

Volguus
Mar 3, 2009

KillHour posted:

Hahaha holy poo poo. I stopped Windows from accessing the Windows/UpdateAssistant folder via permissions and it made a Windows/UpdateAssistantV2 folder instead! This thing is like a loving virus.

The easiest thing to do is to stop internet access completely of the VMWare network. Since you said that you need it, the next best thing is to only enable access to a set of whitelisted IPs, and hopefully none of those IPs serve the windows update.

KillHour
Oct 28, 2007


Volguus posted:

The easiest thing to do is to stop internet access completely of the VMWare network. Since you said that you need it, the next best thing is to only enable access to a set of whitelisted IPs, and hopefully none of those IPs serve the windows update.

I've already blocked *.microsoft.com and *.windowsupdate.com via DNS blackholing. I have Wireshark running and I don't see anything else suspicious. I think the files are buried somewhere already.

Squatch Ambassador
Nov 12, 2008

Oh, yeah version updates are essentially an OS upgrade and don't need Windows Update for the final installation. 1703 > 1709 was particularly annoying because there's a bug that caused systems to enter Dual Scan mode and ignore our Windows Update Group Policy.

For your situation I'd recommend checking out the LTSB version of Win10. You can download an evaluation from Microsoft to make sure your software works.

Zero VGS
Aug 16, 2002
Can't you just like, set Microsoft.com to loopback in the hosts file if you want to prevent all updates in an embedded machine?

I built a PC to control digital signage and I left it permanently unplugged from the internet, worked for me! Maybe make a VM and delete the virtual NIC?

KillHour
Oct 28, 2007


Hungry Computer posted:

Oh, yeah version updates are essentially an OS upgrade and don't need Windows Update for the final installation. 1703 > 1709 was particularly annoying because there's a bug that caused systems to enter Dual Scan mode and ignore our Windows Update Group Policy.

For your situation I'd recommend checking out the LTSB version of Win10. You can download an evaluation from Microsoft to make sure your software works.

I'll look into this, thanks. In the meantime, I think I hunted down the last piece. There were some xml files that had task definitions in them. Deleting them seemed to stop the system from trying to update. I'll monitor it overnight and make sure they don't sneak back on there. Is there a software that lets me blacklist certain programs entirely?
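An added read-only audit script, not posted by anyone in this thread, that checks in one pass the pathways the posts above go through one by one: the wuauserv state, the scheduled tasks that drive a version upgrade rather than the service, the UpdateAssistant and upgrade staging folders, and whether the DNS blackhole is actually answering for the blocked domains. Assumptions: an elevated PowerShell 5.1 session on Windows 10; the task paths and staging folders are standard Windows locations and are not taken from the thread.

```powershell
# Added example, not from the thread. Reports only; changes nothing.
# Assumes elevated PowerShell 5.1 on Windows 10.
function Get-UpdatePathwayReport {
    $report = [ordered]@{}

    # 1. The service that Stop-Service / Set-Service act on. A disabled
    #    service is only one of several pathways.
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $report['wuauserv'] = if ($svc) { '{0} / {1}' -f $svc.Status, $svc.StartType } else { 'not present' }

    # 2. Scheduled tasks. Feature upgrades (1703 -> 1709) are kicked off by
    #    the UpdateOrchestrator tasks, not by wuauserv. Standard task folders,
    #    assumed here rather than quoted from the thread.
    $taskPaths = @('\Microsoft\Windows\UpdateOrchestrator\', '\Microsoft\Windows\WindowsUpdate\')
    $report['tasks'] = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $taskPaths -contains $_.TaskPath } |
        Select-Object TaskPath, TaskName, State

    # 3. Folders: every UpdateAssistant* directory (the thread saw a V2 appear
    #    once V1 was locked down) plus the standard staging locations where a
    #    downloaded upgrade sits before the reboot that applies it.
    $dirs = @(
        Get-ChildItem -Path $env:SystemRoot -Directory -Filter 'UpdateAssistant*' -ErrorAction SilentlyContinue
        Get-Item -Path "$env:SystemDrive\`$WINDOWS.~BT", "$env:SystemRoot\SoftwareDistribution\Download" -ErrorAction SilentlyContinue
    )
    $report['folders'] = foreach ($d in $dirs) {
        $bytes = (Get-ChildItem -Path $d.FullName -Recurse -File -ErrorAction SilentlyContinue |
                  Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Path = $d.FullName; MB = [math]::Round(($bytes / 1MB), 1) }
    }

    # 4. DNS: does the blackhole answer for the domains the thread blocks?
    #    A blackholed name may still "resolve" (to 0.0.0.0 or loopback), so the
    #    addresses are shown rather than just a yes/no.
    $report['dns'] = foreach ($name in 'windowsupdate.com', 'microsoft.com') {
        try {
            $a = Resolve-DnsName -Name $name -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
            [pscustomobject]@{ Name = $name; Resolves = $true;  Addresses = ($a.IPAddress -join ',') }
        } catch {
            [pscustomobject]@{ Name = $name; Resolves = $false; Addresses = '' }
        }
    }
    $report
}

$r = Get-UpdatePathwayReport
"wuauserv: $($r.wuauserv)"
$r.tasks   | Format-Table -AutoSize
$r.folders | Format-Table -AutoSize
$r.dns     | Format-Table -AutoSize
```

Run it before and after a reboot: a task still in the Ready state or a growing staging folder shows which pathway is still live even when the service pane reports Windows Update as disabled.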

KillHour
Oct 28, 2007


Zero VGS posted:

Can't you just like, set Microsoft.com to loopback in the hosts file if you want to prevent all updates in an embedded machine?

I built a PC to control digital signage and I left it permanently unplugged from the internet, worked for me! Maybe make a VM and delete the virtual NIC?

I need internet to these VMs, just not updates. I'm already blocking microsoft.com and windowsupdate.com

Zero VGS
Aug 16, 2002
On Windows 10 Pro it seems like if I tell it I'm on a metered connection (i.e. pay-per-gigabyte), then it won't download any updates. Does anyone know if it actually honors that indefinitely?

Flipperwaldt
Nov 11, 2011




KillHour posted:

I need internet to these VMs, just not updates. I'm already blocking microsoft.com and windowsupdate.com

Maybe if you set a (third party even?) firewall to whitelist your software and whatever ports it needs specifically and disallow all other traffic. I'm not overly surprised that blocking just those domain names doesn't cut it.

Javid
Oct 21, 2004


Zero VGS posted:

On Windows 10 Pro it seems like if I tell it I'm on a metered connection (i.e. pay-per-gigabyte), then it won't download any updates. Does anyone know if it actually honors that indefinitely?

That's what I've done. It complains every week or so that it can't download updates, but that's it.

KillHour
Oct 28, 2007


Flipperwaldt posted:

Maybe if you set a (third party even?) firewall to whitelist your software and whatever ports it needs specifically and disallow all other traffic. I'm not overly surprised that blocking just those domain names doesn't cut it.

It seems to. A whitelist won't work for various reasons, but I'll keep an eye out for suspicious traffic going other places. Microsoft maintains a list of sites you should whitelist for Windows Update and those are the ones I've blacklisted:

https://technet.microsoft.com/en-us/library/bb693717.aspx

Running Windows Update manually throws connection errors.

Volguus
Mar 3, 2009

KillHour posted:

A whitelist won't work for various reasons

You have no chance in hell of controlling that VM environment if a whitelist won't work. Make it work. 1-2 domains max you should have to connect to, nothing more. You can have another guest in another network (on the same host) that can connect to the entire internet, for your porn browsing habits, but keep the demo one off.

KillHour
Oct 28, 2007


Volguus posted:

You have no chance in hell of controlling that VM environment if a whitelist won't work. Make it work. 1-2 domains max you should have to connect to, nothing more. You can have another guest in another network (on the same host) that can connect to the entire internet, for your porn browsing habits, but keep the demo one off.

You do remember that I said these get wiped clean every class right? I can't use a whitelist because most of the places I plug this thing into have captive portals that I have to authenticate to before I can access anything else and those change every time. 99% of the time, the networks this is plugged into already have filtering on them and even if they don't, each environment has its own VLAN without access to anything except the internet. If someone somehow gets something nasty, I'll just nuke their VM. The actual demo images are kept as a template, not a running VM.

Volguus
Mar 3, 2009

KillHour posted:

You do remember that I said these get wiped clean every class right? I can't use a whitelist because most of the places I plug this thing into have captive portals that I have to authenticate to before I can access anything else and those change every time. 99% of the time, the networks this is plugged into already have filtering on them and even if they don't, each environment has its own VLAN without access to anything except the internet. If someone somehow gets something nasty, I'll just nuke their VM. The actual demo images are kept as a template, not a running VM.

What are you talking about? Who cares about the external network? I'm talking here about the private virtual network that the VMs belong to (wiped or not, the network doesn't change). That private network is controlled by the host. What that private network has access to is also controlled by the host. Therefore, you should block everything and only allow certain domains to be accessed by said private network. If you don't know how to do this, that's ok, the folks over in the VM thread may be able to help you (ideally your IT department, for whom you're actually making money to keep them employed, should, but that's another discussion).

Doctor_Fruitbat
Jun 2, 2013


I think he means that each person he demos to wants to access a different site relevant to them, which is why a whitelist isn't workable, but surely for a demo you'd just use a few examples of your choosing? It is a demo, after all.

KillHour
Oct 28, 2007


No, I mean I'm not in control of where the VM network gets its internet from. If I only allow connections to a couple of host names, then when I try to connect and the gateway tries to redirect me to their internal portal, it will be blocked. Basically, I have to be able to roll up with my server, connect it to a customer's network and have everything "just work." To that end, I need to make everything as flexible as possible and I'm not really worried about or interested in controlling access to specific domains.

I know how to do web filtering and I already have a Squid proxy running on the environment; my background is in network security. Yes I could probably make it work by using a special client exempt from the blacklist NATed together with everything else and have that handle registering with whatever bullshit my customers have to get on their network, but that adds yet more complexity to a system I've been charged with making simpler to use. I just have no interest in spending my limited amount of development time figuring out how to thread that needle.

Edit: Classes make this more complicated than the demos do. Some of these trainings can last for 4 full days and the customer needs access to a bunch of stuff outside of the system. To make things worse, equipment I don't own has to be on the network (customers connect their laptops to a WAP I provide) and all that has to be copacetic. Some of them need to be able to phone home to their own domains, some of them have endpoint protection that freaks out if I try to intercept their SSL traffic, some of them just want to be able to check their emails during class. Yes, those systems have to be on the same subnet as the VMs. Just take my word for it. Sure, I could apply the whitelist to ONLY the VMs themselves, but at that point, diminishing returns aren't worth it.

KillHour fucked around with this message at 21:07 on Mar 15, 2018

astral
Apr 26, 2004

edit: More constructively, have you considered using WSUS?

astral fucked around with this message at 21:37 on Mar 15, 2018

Doctor_Fruitbat
Jun 2, 2013


I can see how disabling Windows Update would be the easiest option here, but it appears to be plastering over some serious structural issues.

astral
Apr 26, 2004

Doctor_Fruitbat posted:

I can see how disabling Windows Update would be the easiest option here, but it appears to be plastering over some serious structural issues.

The icing on the cake is how the already underpaid/overworked dude is going to get made redundant by the less technical people for whom the 'scripts' will be written and the company can pay them even less.

Condolences, KillHour. :smith:

Doctor_Fruitbat
Jun 2, 2013


So we finally have a good example of Windows update restarts loving someone over that we could really dig into, and the answer we've arrived at is to quit his job.

Ghostlight
Sep 25, 2009




SwissArmyDruid posted:

I still want to tear the head off of, and defecate in the neck stump of, whoever the hell decided that OneNote should be reset as the default printer every time I restart.

I'm still not sure what I want to do with whoever's decision it was to restart a machine that was in the middle of an overnight Solidworks simulation.

Have you tried going into your Printers and Scanners and unchecking the box Let Windows Manage My Default Printer? That's been the usual culprit for this in my experience.


Doctor_Fruitbat posted:

So we finally have a good example of Windows update restarts loving someone over that we could really dig into, and the answer we've arrived at is to quit his job.

Windows Update isn't loving that person over. The fact that their software doesn't work on the current version of Windows is.

redeyes
Sep 14, 2002


quote:

Windows Update isn't loving that person over. The fact that their software doesn't work on the current version of Windows is.

:allears:

Doctor_Fruitbat
Jun 2, 2013


Ghostlight posted:

Windows Update isn't loving that person over. The fact that their software doesn't work on the current version of Windows is.

Yeah, I know, but at least we had real world details to dig in to this time rather than vague, nebulous reasons why they just can't possibly restart their loving PC once in a while.

Ghostlight
Sep 25, 2009




There's a significant difference between "forced updates/restarts caused me to lose work/not be able to do a presentation" and "I am selling software that only works on an old version of Windows 10". Even you should be able to grasp that.

nielsm
Jun 1, 2009



Yeah if someone was trying to sell me some software and I caught wind of it being broken on a fully updated Windows machine, I'd just ask them to pack their stuff again. I would assume it means the software is terribly written and depends on undocumented and incidental behaviors, definitely not something I want.

Volguus
Mar 3, 2009

Ghostlight posted:

Windows Update isn't loving that person over. The fact that their software doesn't work on the current version of Windows is.

Regardless of whether their software works or not on the current version of Windows, for a demo you do want a very controlled environment. You do not want a single DLL to be out of place. The developers will fix the software and next update (next Tuesday) Microsoft will break something else. You're going to get stuck in a cat & mouse game.

Essentially what he needs is enterprise windows, with domain controller and ability to control how and when software gets updated on the VMs, in the exact same way the IT department manages that in a normal business.

That or completely isolate the VM network in its own subnet and restrict that network's access anywhere and give access to that subnet via other mechanisms (VPN for example). Yes, it gets complicated, but hey ...

Microsoft cannot afford another series of worms/bad PR like they did 20 years ago. They're just protecting their rear end.

nielsm posted:

Yeah if someone was trying to sell me some software and I caught wind of it being broken on a fully updated Windows machine, I'd just ask them to pack their stuff again. I would assume it means the software is terribly written and depends on undocumented and incidental behaviors, definitely not something I want.

That was true before Windows 10. As you should know, Microsoft has fired their QA people, and "backwards compatibility" are no longer words in the MS dictionary. They break poo poo left and right with every update nowadays, regardless of how much you stick to the docs.

Volguus fucked around with this message at 23:04 on Mar 15, 2018

fishmech
Jul 16, 2006

It's not "Microsoft can't afford this" it's "the internet and users at large can't afford this". When you have literally billions of Windows users, a small percentage of them deciding they know better and won't update for months at a time means tens of millions of hacked computers up to all sorts of poo poo.

Ghostlight posted:

Have you tried going into your Printers and Scanners and unchecking the box Let Windows Manage My Default Printer? That's been the usual culprit for this in my experience.

Usually it's faster to just explicitly set the default printer. If you ended up with "Windows manages" on, it should then say that setting the printer as a default will disable that.

astral
Apr 26, 2004

nielsm posted:

Yeah if someone was trying to sell me some software and I caught wind of it being broken on a fully updated Windows machine, I'd just ask them to pack their stuff again. I would assume it means the software is terribly written and depends on undocumented and incidental behaviors, definitely not something I want.

Especially if said version of Windows has been out for five months and the software still hasn't been updated to work properly with it. 1603 is EOL this month; that's why the semi-annual channel is updating now.

SystemLogoff
Feb 19, 2011


You know, I sort of see this like UAC in Vista again. Lots of things broken at first because they assume admin access.

I'm sure that programs will get smarter about Windows updates, just after a few years.

Raygereio
Nov 12, 2012

Doctor_Fruitbat posted:

What version of Windows 10 was it running (Pro, Enterprise, Creators update, etc?).
Also: it runs software collecting data over a fortnight period, but it doesn't record the data to the hard drive as it goes? Or did it just need throwing out due to the disruption at that time?

I think it ran Win10Pro 1607 when I left it.
The whole setup was a Friday afternoon rush job. I grabbed a laptop that had been lying in a drawer for more than a year because I needed a computer and it was the first one I found. The software was a little program I cobbled together quickly and would write the data to disk only after it had completed the test cycles. Stupid of course. But I figured the laptop wasn't connected to the Internet and it would all be fine. Turns out the WiFi network it was connected to was just down for maintenance when I was setting things up, which I didn't know because I don't normally work in that particular building and it went back up the next day.

I could have taken the extra time to make sure things would actually have been okay, but it was 5 pm when I had things running and I wanted to go home. And it would all have been fine if Microsoft hadn't decided they should be everyone's nanny.
So even if I can understand the reasoning behind it and think forced updates are probably for the best in the long run, I still reserve the right to be pissed off about it when things go wrong and it inconveniences me.

AVeryLargeRadish
Aug 19, 2011

MS has just decided to shift any responsibility for software working in their OSes entirely over to the developers of said software. Got some old software you'd like to run but it's not being actively updated anymore? gently caress off and figure out your own solution, buy new software, write your own or make do without.

I suppose that's one advantage of this, it cuts back on working software available on Windows OSes and that it makes the walled garden approach that MS wants more attractive by removing one of the major advantages of a more open approach: a greater variety of software to choose from. They can also save a lot on support costs, it's win/win for MS.

fishmech
Jul 16, 2006


AVeryLargeRadish posted:

MS has just decided to shift any responsibility for software working in their OSes entirely over to the developers of said software. Got some old software you'd like to run but it's not being actively updated anymore? gently caress off and figure out your own solution, buy new software, write your own or make do without.


This hasn't happened, but ok. Same bullshit complaint has been getting made ever since Windows 3.0.

It's always been on the original developers to make sure they wrote software in a forward thinking manner in the first place, it's never been Microsoft's responsibility. Stuff is going to change over 30+ years of Windows and the primary Microsoft now as always is to give assistance to developers who are willing to still provide updates to things.


Phoenixan
Jan 16, 2010


KillHour posted:

Hahaha holy poo poo. I stopped Windows from accessing the Windows/UpdateAssistant folder via permissions and it made a Windows/UpdateAssistantV2 folder instead! This thing is like a loving virus.

Probably because blocking permissions to those folders is something viruses will try.

Doctor_Fruitbat posted:

So we finally have a good example of Windows update restarts loving someone over that we could really dig into, and the answer we've arrived at is to quit his job.

His job sounds like a poo poo show, and I agree. :smith:
