Windows update KB3177467 – Causing crashing and boot loop

Oh those were the days. MS updates smashing their way into your infrastructure, leaving Exchange a gibbering wreck, W7 desktops not booting, WSUS not wanting to remove the updates… So glad those days are…gone… Oh wait, no, still happening!

In a physical environment, an update causing an issue with a desktop is a pain the backside – you have multiple options and ways to mitigate this. In a VDI environment… Well, you can imagine the carnage (Like Carmageddon without cars? Desktopgeddon? VDIGeddon? Ok, I’ll stop now.)

After trying multiple solutions, finally stumbled on someone else who had the problem way back in October 2016 and got it sorted out:

Update KB3177467 causing boot loop

Horizon View Client Install – Windows

And now for something completely different.

I mean, now for the Horizon View Windows Install!

Download the Horizon View Client from the following site:

https://my.vmware.com/web/vmware/details?downloadGroup=CART17Q1_WIN_440&productId=578&rPId=15156

1win2win

Now, you may not want USB redirection (or it may not work) and also it’s environment dependent whether you want to Log in as current user.

win3

Enter your Default connection server

win4

Continuing on from if you chose to log in as current user

win5win6win7win8win9

Run the app, log in and go forth!

WannaCry Attack and Petya

Yes, yes, we’re all sick of hearing about it this, but for those of you who didn’t get exposed to it, or did and needed that little bit more information, I’m posting it anyway.

As you may know, it wasn’t just Windows XP machines that got hit (contrary to popular media belief), there was a huge effect on Windows 7 machines that hadn’t been updated in a while.

I worked on this for the NHS and although it was mitigated by being a Horizon View environment, for another Trust, it was absolutely devastating to their physical environment.

So, aside from the patching you’ve all done and the MS KB:

KB4012212 for Win7 and KB4012213 for Server 2012

https://technet.microsoft.com/library/security/MS17-010

There is also the option to completely disable SMB v1. You can…Honest… It won’t break anything!

Good article from MS on why you NEED to stop using it and one on how to disable it:

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

Also, for those of you who would like to use a script, I found the following (somewhere!) Credit to the author!

=========================================================================

DISABLE SERVER SIDE SMB V1 PROTOCOL

=========================================================================

 

# Disable SMB V1 – Windows Server 2012 R2, Windows 10 and Windows 8.1

$ComputersList = Get-Content -Path “D:\temp\testservers.txt”

Invoke-Command -ComputerName $ComputersList {Remove-WindowsFeature FS-SMB1 -NoRestart}

 

# Disable SMB V1 – Windows 8 and Windows Server 2012

$ComputersList = Get-Content -Path “D:\temp\testservers.txt”

Invoke-Command -ComputerName $ComputersList {Set-SmbServerConfiguration -EnableSMB1Protocol $false}

 

# Disable SMB V1 – Windows Server 2008, Windows Server R2, Windows 7 and Windows Vista

$ComputersList = Get-Content -Path “D:\temp\testservers.txt”

Invoke-Command -ComputerName $ComputersList {Set-ItemProperty -Path”HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force}

 

 

=========================================================================

DISABLE CLIENT SIDE SMB V1 PROTOCOL

=========================================================================

 

# Disable SMB V1 – Windows Server 2012 R2, Windows 10 and Windows 8.1

$ComputersList = Get-Content -Path “D:\temp\testservers.txt”

Invoke-Command -ComputerName $ComputersList {Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart}

 

# Disable SMB V1 – Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

$ComputersList = Get-Content -Path “D:\temp\testservers.txt”

Invoke-Command -ComputerName $ComputersList {sc.exe configlanmanworkstation depend= bowser/mrxsmb20/nsi}

Invoke-Command -ComputerName $ComputersList {sc.exe config mrxsmb10start= disabled}

 

Just goes to show that the reluctance for various institutions to perform updates needs to be overcome, as the consequences for older OS are becoming more and more serious!