Skip to main content

SOLVED: GPO blocks Windows Meltdown / Spectre Update KB4056892

By
Dell was very fast to release BIOS updates (version A21) just a few days after the Meltdown / Spectre disaster became public. So I installed them on all of our Dell 9020 PCs and M4800 notebooks and I thought that everything was fine as I had automatic Windows Updates enabled...

But then I noticed that the required Windows Meltdown / Spectre Update KB4056892 was not installed for some reason. So I decided to run the Meltdown / Spectre PowerShell test script released by Microsoft and the surprise was that everything showed up in red, i.e. nothing was patched, not even the BIOS!



Then I suspected Kaspersky that might be preventing the Windows update from installing because I read about some AV conflicts. But Kaspersky did really fine this time - it had set the registry key allowing the update to install correctly on all computers.

So what was the problem?

Microsoft is the problem as usual! I had set some GPO to prevent preview builds and feature updates from installing immediately. This is under "Windows Update for Business":

Windows Update for Business GPO settings

The question is: Why does Microsoft regard such a critical security update as a preview build???

But even after setting those GPO settings to be delayed for 0 days it did not work.

The solution: I finally set all three Windows Update for Business GPO settings to NOT CONFIGURED (don't forget to run gpupdate /force on all PCs to force-apply the group policy) and this finally offered me the missing KB4056892 update. Puuuh!



Now if I run Microsoft's PowerShell vulnerability test everything has suddenly turned green, also the firmware stuff which shows me that Dell's BIOS update now also works ok.




If you still don't get the update what else to check?

Try removing any special Windows Update settings in Group Policy. If you have 1709 you can go to the Windows Update settings - at the top you see in red that some settings are configured by your organization - then you can click below on the blue link that shows which update policies actually apply - see my screenshot (in German) below.
You can see that I have some special installation time settings which is ok. But it is important that there are no special delivery settings defined (e.g. no semi-annual stuff or similar). Also make sure that you are not using O&O Shutup 10 or similar apps that can block Windows feature or preview build updates.
Windows has become a real mess these days....


This leads to:



BTW: I am still waiting for BIOS updates from HP and Fujitsu.

Hope this helps ;-)

Anguel
Labels:

Comments

Post a Comment

Popular posts from this blog

SOLVED: Making Wake-on-Lan (WOL) work in Windows 10 / 8.x

By
WINDOWS 10 UPDATE: THIS FIX ALSO APPLIES TO WINDOWS 10 , IT IS EVEN MORE IMPORTANT,  BECAUSE WINDOWS 10 TURNS "FAST STARTUP" (read below) BACK ON AFTER UPDATES (yes, Microsoft does not stop creating nonsense features / bugs). TO DISABLE FAST STARTUP ON WIN 10 THROUGH GROUP POLICY PREFERENCES CREATE THE FOLLOWING KEY: HKLM\System\CurrentControlSet\Control\Session Manager\Power\HiberbootEnabled and set its value to 0 ! I had very serious problems getting Wake-On-Lan (WOL) to work on my new Dell Optiplex 9020 MT (MiniTower) on Windows 8.1 Pro. I finally got this to work and would like to share my experience here. Note: At the time of this writing the current Dell BIOS for Optiplex 9020 MT was A05. UPDATE: The same behavior is also observed with DELL BIOS A07. Maybe Dell needs to comply with some power saving requirements and therefore enables Deep Sleep instead of Wake-On-LAN? Whatever the reason is, it is extremely annoying that this is the default and it is not ...
34 comments
Read more

Changing the Reserved IP Address in a Static DHCP Reservation in Windows Server

By
  Static IPs preferred DHCP is a good thing if it works - set and forget. But what happens if the DHCP server is down for some reason? Exactly - the whole network stops working. Another problem of DHCP are those random IPs a client gets each time. This is very bad for printers that use DHCP. Therefore I prefer static IPs over dynamic.   Windows Server 2012 R2 Essentials: You cannot stop Windows LAN Configuration Service anymore Unfortunately, there is some strange behavior on Server 2012 R2 Essentials if you just enter static IPs on your Windows clients - your Windows OS will show exclamation marks on your network connection from time to time, etc. There is actually a Windows Server LAN Configuration service which keeps overwriting your manual settings and the bad thing is that you cannot stop that service in Server 2012 R2 any more for some reason...So, instead, I decided to use DHCP on the server and add an Alternative IP Configuration with all static data as...
Post a Comment
Read more

Veeam Backup & Replication: "Failed to execute script in guest OS" (Linux Guest VM on Hyper-V)

By
Problem: Veeam Pre-Freeze / Post-Thaw .sh Scripts Fail on Linux Guest VMs (e.g. Ubuntu) with "Failed to execute script in guest OS" although the scripts run fine. I use Hyper-V but that should not matter. Failing scripts are configured to "Require successful script execution" under "Application-Aware Processing Options" under "Guest Processing" in the Veeam backup job. My Solution: Some commands executed inside the scripts seem to return error output which is passed back to Veeam through the script and confuse Veeam so it reports that the script was not successful. So we must redirect error output from such commands to 2>/dev/null or some file, otherwise error status is passed back to this script and Veeam reports a failure. For information about discarding error output, see https://bash.cyberciti.biz/guide//dev/null_discards_unwanted_output Additional information: Also make sure that Veeam scripts (*.sh) are located on the Veea...
Post a Comment
Read more