All you should do without going through the update process to get it to work.
New cert: ISRG_Root_X1
https://search.censys.io/certificates/96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
https://mega.nz/file/cUxBhT6a#jzRjAiL6e5Y4baCOl9sfTWSuEkcE3uKd5hGJjFMmUXk
SHA-1: cabd2a79a1076a31f21d253635cb039d4329a5e8
VT: https://www.virustotal.com/gui/file/96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6/community
Install (update ieframe.dll & other libs, e.g. IE11):
Windows6.1-KB3004394-v2-x64.msu
https://www.microsoft.com/en-us/download/details.aspx?id=45633
Add by doing:
Start > Run "rundll32.exe cryptui.dll,CryptUIStartCertMgr"
Remove old certs in the tab "Trusted Root Certification Authorities", add the new one from above, and that should be it.
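Before the downloaded file goes into the root store, its fingerprints can be checked against the SHA-1 and SHA-256 values quoted above. The following PowerShell script is an added example, not part of the original notes. The file name .\ISRG_Root_X1.cer and the function name Get-CertFingerprints are assumptions.

```powershell
# Added example: check a downloaded root certificate against the fingerprints
# quoted on this page before it is added to the machine's Root store.
# Assumption: the file was saved as .\ISRG_Root_X1.cer (hypothetical name).
param([string]$Path = '.\ISRG_Root_X1.cer')

# Fingerprints as given on the page (SHA-256 from the censys/VT links, SHA-1 below them).
$ExpectedSha1   = 'cabd2a79a1076a31f21d253635cb039d4329a5e8'
$ExpectedSha256 = '96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6'

function Get-CertFingerprints([string]$File) {
    # X509Certificate2 reads both DER and PEM encoded .cer/.crt files.
    $full = (Resolve-Path $File).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha256.ComputeHash($cert.RawData)   # hash of the DER encoding
    New-Object PSObject -Property @{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Sha1    = $cert.Thumbprint.ToLower()       # Thumbprint is the SHA-1 fingerprint
        Sha256  = ([BitConverter]::ToString($digest) -replace '-', '').ToLower()
    }
}

$fp = Get-CertFingerprints $Path
$fp | Format-List Subject, Issuer, Sha1, Sha256

# Both digests must match; a file that fails either check is not imported.
if ($fp.Sha1 -ne $ExpectedSha1 -or $fp.Sha256 -ne $ExpectedSha256) {
    Write-Error 'Fingerprint mismatch: do not import this file.'
    exit 1
}
# A root certificate is self-signed, so subject and issuer are identical.
if ($fp.Subject -ne $fp.Issuer) {
    Write-Error 'Subject and issuer differ: this is not a root certificate.'
    exit 1
}
Write-Host 'Fingerprints match. Import from an elevated prompt with:'
Write-Host "  certutil -addstore -f Root `"$Path`""
```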
Neat to have things:
(Disable Windows Error Recovery nonsense. Multiple times I had it suddenly mess something up trying to "repair" it when I had a few bad block(s). You can fix it yourself; it won't break it for you automatically during boot, because that just sucks big time.)
@echo off
bcdedit /set {default} bootstatuspolicy ignoreallfailures
pause
Fixes:
Disable update to Windows 10 from Windows 7/8/8.1
Windows Registry Editor Version 5.00
; DisableOSUpgrade.reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Gwx]
"DisableGwx"=dword:00000001
https://github.com/aakkam22/windowsUpdateLoopFix
Windows update glitch fixes:
Windows6.1-KB3020369-x64.msu
Windows6.1-KB3102810-x64.msu
Windows6.1-KB3135445-x64.msu
Windows6.1-KB3138612-x64.msu
Remove bloated updates:
https://gist.github.com/xvitaly/eafa75ed2cb79b3bd4e9
Disable UPnP media service and such, because of local exploits (test with msf framework).
Don't use RDP, and if you do, at least install the security patches and use two-factor auth. Maybe it's just better to avoid this, and VNC is less secure (they don't encrypt the entire session) anyway, so think about this. What you can do is tunnel through SSH and use local port forwarding to get access to local services over a secure connection, or use a VPN in between them.
Customized WIM images (unattended Windows images):
Can't find the right website anymore, but it was something with DISM, so you can make an updated image (WIM), aka slipstreaming, after applying all the new changes. I used to do this; it is somewhat more work, but you can make a bootable pendrive ready to install without doing all the work over and over again.
http://woshub.com/manually-install-cab-msu-updates-windows/
https://download.wsusoffline.net/
I want to add a disclaimer here: if you make your image, test it completely in a virtual machine and on a physical test system, and debug it before you start installing it.
Make sure your updates (cab, msu files and such) came from a trusted source and in the end promiscuous mode the OS image to make sure nothing bad crawled in the installation. Just because of possible 3rd party promiscuity tends and just security in general, you don't want to ship an old OS with a built-in virus (wet dream for hackers). Also I highly advise any users on an old OS to use noscript and use a sandbox in the cloud such as Falcon, or locally, e.g. a free open solution is https://github.com/sandboxie-plus/Sandboxie, or block 70% of the www with peerblock or a hardware fw. Rule of thumb in general, but just my two cents to add here. Don't use IE11, it's full of ROP memory exploits. Use Mozilla or the chromium engine; they are better and still updated.
Regarding win8.1 and higher: the telemetry is so terrible, all the crap. I have tried to block updates on Windows 10, and without a hardware firewall it's really an endless war.