Something very bad happened to me today. All of my computers on my domain (around 600 systems) are set to look to my WSUS server for updates via a GPO. I have explicitly denied the IE10 update to all my systems. Well, somehow last night, the systems lost communication with my domain controllers. This caused all of my systems to loose the GPO that tells them where to look for updates. Every system that was powered on checked for updates from the Microsoft site and automatically installed them. As you can imagine, this caused a lot of headaches for me in the morning. Here’s what I did to fix it.
Pull a list of all computer names that are affected out of Active Directory using the Export List feature. Save the list as hostnamelist.txt
Download PSTools: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Open notepad and save the following to a script called IE.bat
FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*10.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /norestart /quiet"
Put that script in the same directory as PSExec.
Run the script via Psexec:
C:\folder\> Psexec.exe @hostnamelist.txt –c IE.bat
That script will remove Internet Explorer 10 without interrupting users. Once the script has been applied to all computers, the systems must be rebooted. This can be done automatically using the shutdown -r command at the end of the script.