Microsoft update KB3159398



  • This update KB3159398

    can go F*** its self... breaks GPO policy's on machines.

    Windows 2008 R2 domain controller
    Windows 7 Pro Sp1 machines

    Come into today, and a few workstations lost their Aero theme desktop (went to basic), and also GPO policy settings.... found this update is root cause.

    Only applied to workstations that SOMEHOW windows updates still got applied. Even though have GPO policy forcing windows update features off on the workstations

    WSUS server in my network does not work and never worked properly, even after multiple setup attempts. I think its because I GHOST the machines rather than use SysPrep

    call me old school.. But sysprep is waste of time -- much faster to get baseline machine and create images...

    /rant





  • @ntoxicator said in Microsoft update KB3159398:

    I think its because I GHOST the machines rather than use SysPrep

    This is definitely your problem with WSUS.

    call me old school.. But sysprep is waste of time -- much faster to get baseline machine and create images...

    What's wrong with Sysprep? You create your base image, then run syspre, capture that image, and deploy. Are you calling the walkthrough of the OOBE a waste of time that you don't get when you deploy images of non Sysprep'ed machines?

    Maybe, but you're breaking the way things work. So either 'waste' the time time, or have broken things.



  • Do you only have Win 7 machines? i.e. do you have any win10, are they having this problem too?


  • Service Provider

    @Dashrender said in Microsoft update KB3159398:

    @ntoxicator said in Microsoft update KB3159398:

    I think its because I GHOST the machines rather than use SysPrep

    This is definitely your problem with WSUS.

    call me old school.. But sysprep is waste of time -- much faster to get baseline machine and create images...

    What's wrong with Sysprep? You create your base image, then run syspre, capture that image, and deploy. Are you calling the walkthrough of the OOBE a waste of time that you don't get when you deploy images of non Sysprep'ed machines?

    Maybe, but you're breaking the way things work. So either 'waste' the time time, or have broken things.

    You can use Ghost all you want, but you still have to use sysprep to bring the image down prior to ghosting. When you skip that, the systems all retain GUID information and AD will just be hosed to hell.


  • Service Provider

    @Dashrender and I both use Clonezilla to create our image. I know some others here have posted about using whatever the MS tool is, and you want to use Ghost. That part really does not matter.

    The important thing is running sysprep to set the image to create new GUID info on first boot.



  • Regardless of my clone or not. This update still fu* GPO policy. see to other issues. I just want to complain, bad day..

    No -- i dont use sysPrep, call me lazy. But i've had issues with it and never got it to work. Having to copy the files and configure the settings/flat file?

    I've slip streamed windows XP and Windows 7 easier than trying to get Windows built-in sysprep creator to work. I guess im a fucking noob.. i dont know. Its just annoying piece of functionality.

    I just take a machine that has all company software, settings, updates loaded and named. (not on domain yet). Then created a ghost image using CloneZilla.

    Then use CloneZilla to pull down image to new workstations, and then update hostname & join to domain. This has worked beautifully..... only thing I've not gotten to work is the WSUS server i've setup. I believe this all goes back to me not using sysprep...



  • @ntoxicator I feel ya man, I really do



  • NOTE*

    Have used CloneZilla in this manner for nearly 2 years.. have 120 workstations in production via this method. Unbox a new computer, clonezilla download image to disk. and then hostname & domain, and then deploy to desk.



  • meh, just feel like a beat dog today. dealing with some stupid issues from people all week. one of the sayings "cant fix stupid"

    one of those "R YOU SERIOUS?!" have had that all week, lol.

    But nonetheless. Uninstalling the update KB3159398 resolved the issue. Once removed and workstation restarted, GPO policies apply normally.

    as I did gpresult option and reviewed the html file output. Was clearly showing the GPO policies were not applied when KB3159398 was installed. After the removal, the GPO policies were being shown as applied on gpresult.

    Microsoft had just pushed out some very questionable patches/updates the past 2+ months. More so, dealing with them on consumer side. This one took the cake this morning in a SMB environment.

    Luckily, Only effected a very small set of workstations.



  • @ntoxicator said in Microsoft update KB3159398:

    I guess im a fucking noob.. i dont know.

    If we had signatures this would be my signature. I'm just putting that out into the universe.



  • @wirestyle22 said in Microsoft update KB3159398:

    @ntoxicator said in Microsoft update KB3159398:

    I guess im a fucking noob.. i dont know.

    If we had signatures this would be my signature. I'm just putting that out into the universe.

    You actually listen to advice that's given to you tho..... most people can't reprogram themselves like that.

    You also found the best place on the webs to get good advice, that helps a lot.



  • Thanks @ntoxicator 🙂
    Pulling the update.



  • @ntoxicator said in Microsoft update KB3159398:

    call me old school.. But sysprep is waste of time -- much faster to get baseline machine and create images...

    Considering sysprep has existed since Windows 2000, someone is just being lazy. If you said Ghostwalker, that's old school and hasn't worked in years.

    Your GPOs broke because the patch addressed Keberos authentication and GPO.

    https://technet.microsoft.com/library/security/MS16-072

    Since you have the same SID on all those boxes, whomever grabbed the token first won. All my clients didn't have a single problem with this. Between the hundreds of domains, I haven't heard a single person complain about GPOs. And we have 15 domains just for our corp environment, not to mention the 50 or so with customers VMs.

    In other words, work shit right and shit works right.



  • @PSX_Defector

    Very much understood and learned about SysPrep and such. However, the domain and environment has worked beautiful.

    This patch/update just broke part of the GPO policy -- otherwise, the user profile was fine. It broke their Aero desktop, loaded classic theme.

    It also broke BGinfo from being applied (Have .VBS commands that runs at logon). Pulling update restored their normal aero desktop, and BGinfo applied again.



  • This is why I never update Windows, too risky!



  • I've been debating how to approach this, I still don't really know.

    @ntoxicator You say that is all working great, but unfortunately that's clearly not the case. You have this problem today, and you have the WSUS problem from before. While it's true that 95% of things work fine when you have duplicate SIDs on the network, but here are two examples of why you shouldn't do that.

    You can probably solve this problem in your network by running sysprep now on those machines, don't use the generalize command, you don't want it to forget your installed hardware. set the computer name to the same, rejoin the domain, and you should be good to go. Of course test this on your machine or setup a test station to make sure you don't have other issues.

    As for sysprep, JB and I both don't use the unattend.xml, we simply run sysprep /oobe /generalize /shutdown - this allows the machines to detect new hardware and generate a new SSID. Adding this to our deployment setup is pretty painless.



  • @Dashrender

    As for sysprep, JB and I both don't use the unattend.xml, we simply run sysprep /oobe /generalize /shutdown - this allows the machines to detect new hardware and generate a new SSID. Adding this to our deployment setup is pretty painless.

    Thank you for this key detail here. I will work to add this to our deployment as well.

    can I pull down one of the images to a new workstation. run the sysprep /oobe /generalize /shutdown command, and then re-clone the machine?

    Or this command need to be ran on all newly cloned workstations? Then ofcourse, afterwards update hostname and set domain.



  • Yes you can push your current image to a test machine, then run the sysprep command, then after it shuts down, you can boot to your ghost disk, and make an image of that.

    But this image is something you should only deploy on new computers, you don't want to deploy it to existing as the users will loose everything and essentially be on a new install.

    to fix your existing machines, (and I can't stress enough - TEST TEST TEST) you can log into the computer as a user with local admin rights, make sure you know the local admin name/password (not a domain one) and run sysprep with no options. let it reboot, log in, change the computer name, reboot, join the domain, reboot, log in as the user and they should have their settings all back. But i've never actually done this, so again - TEST TEST TEST on a user/computer you don't care about first.

    FYI, this process does not require leaving the domain, you'll be rejoining hopefully using the same computer name.



  • @Dashrender

    Understood! We have a documented set username/password for the local machine logon.

    I'll be testing this on a fresh workstation I have here and create a new clone image for deployment.



  • @ntoxicator said in Microsoft update KB3159398:

    @Dashrender

    Understood! We have a documented set username/password for the local machine logon.

    I'll be testing this on a fresh workstation I have here and create a new clone image for deployment.

    Just to make sure we're on the same page. I'm proposing two different things here for you.

    1. create a new deployment image for new computers/users that has sysprep baked in.
    2. syspreping existing machines to solve your SID/GPO/WSUS problem.

    option 1 is pretty easy - deploy current image to test machine, run sysprep, shutdown, take new image, deploy new image as needed - enjoy life.

    option 2 requires a machine that is setup using your old method, i.e. no sysprep. you need to have it joined to the domain, a user logon, create some junk on the desktop, some favorites in the browsers, etc. Now, run sysprep on that machine. upon reboot, do what is needed to get it to be the same name it was before and joined to the domain. Then when you log in as that user, the user shouldn't notice any difference, all files should be where they left them. If this is not the case, then you'll need to find another solution to the SID problem for previously deployed computers.



  • @Dashrender
    Thank you so much!

    We're on the same page :). That is what my mindset was and will be testing.

    We use Roaming profile/Folder redirection -- so all user files and data will be just fine.

    Starting from today, I'm going to work create a new deployment image for new computers we deploy. I'll pull down an existing image, run the sysprep and then create a new image of this

    Question:

    Even after I make the clone image after running the sysprep. This will absolutely guarantee a unique GUID for each and every freshly cloned computer after fact?

    Greatly appreciate you pointing this command out to me. As before I tried to create sysprep using the unattend.xml configuration.



  • There are no guarantees in life, but you will be using the prescribed method for deploying Windows and should have fewer issues, like PSX, JB and I.

    Now if you want to automate more of the setup during the OOBE (out of box experience) during the mini setup post sysprep, you can still create and use an unattended.xml, but as you noticed, that takes a lot of effort and many trials to make sure it works as you desire.

    I tell you, the thing I really want, is the ability to give the computer a computer name during the mini setup so I don't have to waste a reboot doing that inside Windows. hell, if I could join the domain during that same mini setup, that would be awesome too. There were ways to allow this in the past, but they definitely weren't simple.



  • Gotcha 🙂

    Its just the fact the new clone image, when pulled down to a new workstation; it'll boot-up to the OOBE setup. Rather than take to Desktop / logon screen as currently does on our current image. And due to it being the OOBE; this is when the SID will be created.

    I tell you, the thing I really want, is the ability to give the computer a computer name during the mini setup so I don't have to waste a reboot doing that inside Windows. hell, if I could join the domain during that same mini setup, that would be awesome too. There were ways to allow this in the past, but they definitely weren't simple.

    I completely agree with you here...



  • @ntoxicator said in Microsoft update KB3159398:

    Gotcha 🙂

    Its just the fact the new clone image, when pulled down to a new workstation; it'll boot-up to the OOBE setup. Rather than take to Desktop / logon screen as currently does on our current image. And due to it being the OOBE; this is when the SID will be created.

    Correct. You'll go through a mini setup. If it's Windows 7 it might even ask you for a computername, Haven't done one in a while, don't recall. Windows 10 definitely does not ask. 😞


  • Service Provider

    @tonyshowoff said in Microsoft update KB3159398:

    This is why I never Windows, too risky!

    FTFY


Log in to reply
 

Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.