Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Remotely uninstalling a bad Microsoft Cumulative update.

Posted on 2016-09-22
2
Medium Priority
?
75 Views
Last Modified: 2016-12-09
We pushed out (3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016) and it caused all our computers to lose the ability to receive new group policy changes. We tried to recall it with WSUS but it won't work. Is there a way to uninstall this patch remotely like with a batch file that is run at first log in?
We have tried this without luck "Psexec -u ourdomain\administrator -p xxxxxxx -d -s \\10.1.32.61 wusa.exe /uninstall /kb:3163018 /norestart .
Thanks
0
Comment
Question by:CityInfoSys
2 Comments
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 41811586
It isn't a bad patch. Microsoft correctly patched a security vulnerability that allowed MitM attacks via group policy manipulation.

Fix your policies and you'll be fine. I *strongly* discourage uninstalling that CU. As you can't apply any other security updates released after it either (that's what makes them cumulative) without re-introducing the same behavior, And there are known in-the-wild security attacks addressed in July/August/September CUs. So this would put you in a very unsafe situation. Fix your GPOs.
0
 
LVL 2

Author Comment

by:CityInfoSys
ID: 41811632
Thanks, I found this too.

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.

In the Group Policy Management Console, go to the Delegation tab and add the read permission there, not in the Security Filtering pane in the Scope tag. That will make the policy readable, while not affecting who it is applied to.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question