Preventing IE Upgrade During Patching - K1000
Hi all-
I think this is a pretty simple question, but I want to ask it to make sure this isn't a problem when we begin patching. Some of the applications our business uses are very dependent on us using either Internet Explorer 8 or 9. What I'm trying to avoid is having our machines, during patching, encounter any chance where they can be automatically updated to a higher version of Internet Explorer. In my subscription settings on the K1000, I currently have it set up as:
Security Patches - Checked
Application Patches - Checked
Non-Security Patches - Checked
Application Patches - Checked
Include Software Installers - Unchecked
As long as I have that last option unchecked, will the IE browsers in my network never update automatically through patching or am I misinformed and should be looking elsewhere at making changes?
Thank you all!
- We ran into problems with IE 11 not working on our PeopleSoft and other apps. So we wanted to block it also, but when we added our site and the sister site to the compatibility list in IE 11, the apps worked fine. - SMal.tmcc 10 years ago
- Yeah, we've added one of our web-based applications that "requires" Internet Explorer 8 into the Compatibility List in IE 11 and observed that most of the functionality works; however, the vendor will not offer us support even in that particular configuration because it vehemently goes against their "official" compatibility documentation. - dtobias_keenan 10 years ago
- ...these vendors. I get it to a point, but come on, IE8? Update your code...sheesh. - jegolf 10 years ago
- I have one Line of Business web application that works in any flavor IE, Chrome, Firefox, Opera, and I'm pretty sure Netscape Navigator, and then I got this guy who will only work in IE8. It's......lovely....yeah, that's the word I'm looking for. - dtobias_keenan 10 years ago
Answers (3)
I would manually disable those patches in your patch listing just to be sure they don't deploy. It is flagged as an Application patch.
Comments:
- agree - SMal.tmcc 10 years ago
- Thanks, jegolf. This seems to be the solution we will adopt as well to ensure we don't get any unwanted IE upgrades. Thank you! - dtobias_keenan 10 years ago
We also disabled it via the K1000 patch listing and through our AD Group Policy using the Policy definitions (ADMX files) retrieved from the central store.
Windows Components/Windows Update/Automatic Updates Blockers v3
Policy | Setting
Do not allow delivery of Internet Explorer 10 through Automatic Updates | Enabled
Do not allow delivery of Internet Explorer 11 through Automatic Updates | Enabled
Do not allow delivery of Internet Explorer 9 through Automatic Updates | Enabled
We use the K1000 to patch our systems, but we allow our Tech Team to go to Windows Update as needed, so we needed to block the IE update as we too have specific browser version needs in our agency.
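One way to confirm on a client that the three blocker policies from the answer above actually applied (an added example, not part of the original answer). It assumes the "Automatic Updates Blockers v3" policies write the same registry values as Microsoft's IE Blocker Toolkits, where 1 means delivery is blocked; the function names are hypothetical.

```powershell
# Added example: audit the IE delivery-blocker values on the local machine.
# Assumption: the GPO settings map to the Blocker Toolkit registry values
# listed below (1 = delivery through Automatic Updates is blocked).
$blockers = @(
    @{ IE = '9';  Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\9.0';  Name = 'DoNotAllowIE90' },
    @{ IE = '10'; Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0'; Name = 'DoNotAllowIE10' },
    @{ IE = '11'; Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\11.0'; Name = 'DoNotAllowIE11' }
)

function Get-IEBlockerState {
    param([hashtable[]]$Blockers)
    foreach ($b in $Blockers) {
        $value = $null
        if (Test-Path -Path $b.Key) {
            # A missing value returns $null instead of raising an error.
            $prop  = Get-ItemProperty -Path $b.Key -Name $b.Name -ErrorAction SilentlyContinue
            $value = $prop.($b.Name)
        }
        [pscustomobject]@{
            IEVersion = $b.IE
            ValueName = $b.Name
            Value     = $value
            Blocked   = ($value -eq 1)
        }
    }
}

function Get-InstalledIEVersion {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    # IE 10 and later report the real version in svcVersion; "Version" stays at 9.x there.
    if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
}

$state = Get-IEBlockerState -Blockers $blockers
$state | Format-Table -AutoSize
"Installed IE version: $(Get-InstalledIEVersion)"

# Flag any IE version whose blocker is absent or not set to 1.
$missing = @($state | Where-Object { -not $_.Blocked })
if ($missing.Count -gt 0) {
    Write-Warning ("Blocker not set for IE " + ($missing.IEVersion -join ', '))
}
```

Run it after `gpupdate /force` on a test machine; a warning for any version means that policy has not reached the client.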
We've got the same issues with IE. We're running with the tick boxes as you suggest and also a patch smart label like:
select UID from KBSYS.PATCHLINK_PATCH where (( KBSYS.PATCHLINK_PATCH.IMPACTID != 'Software') AND KBSYS.PATCHLINK_PATCH.IS_APP = '0')
Basically what you get then is all OS patches (Mac and Windows), but no upgrades. So no manual work and no worries about the next IE etc.
Also you have to add application patching (e.g. Java, Adobe etc.) as needed through adding more smart labels to the patching task.
Best regards
Adam