Microsoft update KB3159398

ntoxicator

This update KB3159398

can go F*** its self... breaks GPO policy's on machines.

Windows 2008 R2 domain controller
Windows 7 Pro Sp1 machines

Come into today, and a few workstations lost their Aero theme desktop (went to basic), and also GPO policy settings.... found this update is root cause.

Only applied to workstations that SOMEHOW windows updates still got applied. Even though have GPO policy forcing windows update features off on the workstations

WSUS server in my network does not work and never worked properly, even after multiple setup attempts. I think its because I GHOST the machines rather than use SysPrep

call me old school.. But sysprep is waste of time -- much faster to get baseline machine and create images...

/rant

ntoxicator

Here is link to others complaining:

https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP

Dashrender

@ntoxicator said in Microsoft update KB3159398:

I think its because I GHOST the machines rather than use SysPrep

This is definitely your problem with WSUS.

call me old school.. But sysprep is waste of time -- much faster to get baseline machine and create images...

What's wrong with Sysprep? You create your base image, then run syspre, capture that image, and deploy. Are you calling the walkthrough of the OOBE a waste of time that you don't get when you deploy images of non Sysprep'ed machines?

Maybe, but you're breaking the way things work. So either 'waste' the time time, or have broken things.

Dashrender

Do you only have Win 7 machines? i.e. do you have any win10, are they having this problem too?

JaredBusch

@Dashrender said in Microsoft update KB3159398:

@ntoxicator said in Microsoft update KB3159398:

I think its because I GHOST the machines rather than use SysPrep

This is definitely your problem with WSUS.

call me old school.. But sysprep is waste of time -- much faster to get baseline machine and create images...

What's wrong with Sysprep? You create your base image, then run syspre, capture that image, and deploy. Are you calling the walkthrough of the OOBE a waste of time that you don't get when you deploy images of non Sysprep'ed machines?

Maybe, but you're breaking the way things work. So either 'waste' the time time, or have broken things.

You can use Ghost all you want, but you still have to use sysprep to bring the image down prior to ghosting. When you skip that, the systems all retain GUID information and AD will just be hosed to hell.

JaredBusch

@Dashrender and I both use Clonezilla to create our image. I know some others here have posted about using whatever the MS tool is, and you want to use Ghost. That part really does not matter.

The important thing is running sysprep to set the image to create new GUID info on first boot.

ntoxicator

Regardless of my clone or not. This update still fu* GPO policy. see to other issues. I just want to complain, bad day..

No -- i dont use sysPrep, call me lazy. But i've had issues with it and never got it to work. Having to copy the files and configure the settings/flat file?

I've slip streamed windows XP and Windows 7 easier than trying to get Windows built-in sysprep creator to work. I guess im a fucking noob.. i dont know. Its just annoying piece of functionality.

I just take a machine that has all company software, settings, updates loaded and named. (not on domain yet). Then created a ghost image using CloneZilla.

Then use CloneZilla to pull down image to new workstations, and then update hostname & join to domain. This has worked beautifully..... only thing I've not gotten to work is the WSUS server i've setup. I believe this all goes back to me not using sysprep...

MattSpeller

@ntoxicator I feel ya man, I really do

ntoxicator

NOTE*

Have used CloneZilla in this manner for nearly 2 years.. have 120 workstations in production via this method. Unbox a new computer, clonezilla download image to disk. and then hostname & domain, and then deploy to desk.

ntoxicator

meh, just feel like a beat dog today. dealing with some stupid issues from people all week. one of the sayings "cant fix stupid"

one of those "R YOU SERIOUS?!" have had that all week, lol.

But nonetheless. Uninstalling the update KB3159398 resolved the issue. Once removed and workstation restarted, GPO policies apply normally.

as I did gpresult option and reviewed the html file output. Was clearly showing the GPO policies were not applied when KB3159398 was installed. After the removal, the GPO policies were being shown as applied on gpresult.

Microsoft had just pushed out some very questionable patches/updates the past 2+ months. More so, dealing with them on consumer side. This one took the cake this morning in a SMB environment.

Luckily, Only effected a very small set of workstations.

wirestyle22

@ntoxicator said in Microsoft update KB3159398:

I guess im a fucking noob.. i dont know.

If we had signatures this would be my signature. I'm just putting that out into the universe.

travisdh1

@wirestyle22 said in Microsoft update KB3159398:

@ntoxicator said in Microsoft update KB3159398:

I guess im a fucking noob.. i dont know.

If we had signatures this would be my signature. I'm just putting that out into the universe.

You actually listen to advice that's given to you tho..... most people can't reprogram themselves like that.

You also found the best place on the webs to get good advice, that helps a lot.

nadnerB

Thanks @ntoxicator
Pulling the update.

PSX_Defector

@ntoxicator said in Microsoft update KB3159398:

call me old school.. But sysprep is waste of time -- much faster to get baseline machine and create images...

Considering sysprep has existed since Windows 2000, someone is just being lazy. If you said Ghostwalker, that's old school and hasn't worked in years.

Your GPOs broke because the patch addressed Keberos authentication and GPO.

https://technet.microsoft.com/library/security/MS16-072

Since you have the same SID on all those boxes, whomever grabbed the token first won. All my clients didn't have a single problem with this. Between the hundreds of domains, I haven't heard a single person complain about GPOs. And we have 15 domains just for our corp environment, not to mention the 50 or so with customers VMs.

In other words, work shit right and shit works right.

ntoxicator

@PSX_Defector

Very much understood and learned about SysPrep and such. However, the domain and environment has worked beautiful.

This patch/update just broke part of the GPO policy -- otherwise, the user profile was fine. It broke their Aero desktop, loaded classic theme.

It also broke BGinfo from being applied (Have .VBS commands that runs at logon). Pulling update restored their normal aero desktop, and BGinfo applied again.

tonyshowoff

This is why I never update Windows, too risky!

Dashrender

I've been debating how to approach this, I still don't really know.

@ntoxicator You say that is all working great, but unfortunately that's clearly not the case. You have this problem today, and you have the WSUS problem from before. While it's true that 95% of things work fine when you have duplicate SIDs on the network, but here are two examples of why you shouldn't do that.

You can probably solve this problem in your network by running sysprep now on those machines, don't use the generalize command, you don't want it to forget your installed hardware. set the computer name to the same, rejoin the domain, and you should be good to go. Of course test this on your machine or setup a test station to make sure you don't have other issues.

As for sysprep, JB and I both don't use the unattend.xml, we simply run sysprep /oobe /generalize /shutdown - this allows the machines to detect new hardware and generate a new SSID. Adding this to our deployment setup is pretty painless.

ntoxicator

@Dashrender

As for sysprep, JB and I both don't use the unattend.xml, we simply run sysprep /oobe /generalize /shutdown - this allows the machines to detect new hardware and generate a new SSID. Adding this to our deployment setup is pretty painless.

Thank you for this key detail here. I will work to add this to our deployment as well.

can I pull down one of the images to a new workstation. run the sysprep /oobe /generalize /shutdown command, and then re-clone the machine?

Or this command need to be ran on all newly cloned workstations? Then ofcourse, afterwards update hostname and set domain.

Dashrender

Yes you can push your current image to a test machine, then run the sysprep command, then after it shuts down, you can boot to your ghost disk, and make an image of that.

But this image is something you should only deploy on new computers, you don't want to deploy it to existing as the users will loose everything and essentially be on a new install.

to fix your existing machines, (and I can't stress enough - TEST TEST TEST) you can log into the computer as a user with local admin rights, make sure you know the local admin name/password (not a domain one) and run sysprep with no options. let it reboot, log in, change the computer name, reboot, join the domain, reboot, log in as the user and they should have their settings all back. But i've never actually done this, so again - TEST TEST TEST on a user/computer you don't care about first.

FYI, this process does not require leaving the domain, you'll be rejoining hopefully using the same computer name.

ntoxicator

@Dashrender

Understood! We have a documented set username/password for the local machine logon.

I'll be testing this on a fresh workstation I have here and create a new clone image for deployment.