Skip to main content

SOLVED: GPO blocks Windows Meltdown / Spectre Update KB4056892

Dell was very fast to release BIOS updates (version A21) just a few days after the Meltdown / Spectre disaster became public. So I installed them on all of our Dell 9020 PCs and M4800 notebooks and I thought that everything was fine as I had automatic Windows Updates enabled...

But then I noticed that the required Windows Meltdown / Spectre Update KB4056892 was not installed for some reason. So I decided to run the Meltdown / Spectre PowerShell test script released by Microsoft and the surprise was that everything showed up in red, i.e. nothing was patched, not even the BIOS!



Then I suspected Kaspersky that might be preventing the Windows update from installing because I read about some AV conflicts. But Kaspersky did really fine this time - it had set the registry key allowing the update to install correctly on all computers.

So what was the problem?

Microsoft is the problem as usual! I had set some GPO to prevent preview builds and feature updates from installing immediately. This is under "Windows Update for Business":

Windows Update for Business GPO settings

The question is: Why does Microsoft regard such a critical security update as a preview build???

But even after setting those GPO settings to be delayed for 0 days it did not work.

The solution: I finally set all three Windows Update for Business GPO settings to NOT CONFIGURED (don't forget to run gpupdate /force on all PCs to force-apply the group policy) and this finally offered me the missing KB4056892 update. Puuuh!



Now if I run Microsoft's PowerShell vulnerability test everything has suddenly turned green, also the firmware stuff which shows me that Dell's BIOS update now also works ok.




If you still don't get the update what else to check?

Try removing any special Windows Update settings in Group Policy. If you have 1709 you can go to the Windows Update settings - at the top you see in red that some settings are configured by your organization - then you can click below on the blue link that shows which update policies actually apply - see my screenshot (in German) below.
You can see that I have some special installation time settings which is ok. But it is important that there are no special delivery settings defined (e.g. no semi-annual stuff or similar). Also make sure that you are not using O&O Shutup 10 or similar apps that can block Windows feature or preview build updates.
Windows has become a real mess these days....


This leads to:



BTW: I am still waiting for BIOS updates from HP and Fujitsu.

Hope this helps ;-)

Anguel

Comments

Popular posts from this blog

SOLVED: Making Wake-on-Lan (WOL) work in Windows 10 / 8.x

WINDOWS 10 UPDATE:
THIS FIX ALSO APPLIES TO WINDOWS 10, IT IS EVEN MORE IMPORTANT,  BECAUSE WINDOWS 10 TURNS "FAST STARTUP" (read below) BACK ON AFTER UPDATES (yes, Microsoft does not stop creating nonsense features / bugs).
TO DISABLE FAST STARTUP ON WIN 10 THROUGH GROUP POLICY PREFERENCES CREATE THE FOLLOWING KEY:
HKLM\System\CurrentControlSet\Control\Session Manager\Power\HiberbootEnabled
and set its value to 0 !

I had very serious problems getting Wake-On-Lan (WOL) to work on my new Dell Optiplex 9020 MT (MiniTower) on Windows 8.1 Pro. I finally got this to work and would like to share my experience here.

Note: At the time of this writing the current Dell BIOS for Optiplex 9020 MT was A05.
UPDATE: The same behavior is also observed with DELL BIOS A07. Maybe Dell needs to comply with some power saving requirements and therefore enables Deep Sleep instead of Wake-On-LAN? Whatever the reason is, it is extremely annoying that this is the default and it is not clearly docu…

Changing the Reserved IP Address in a Static DHCP Reservation in Windows Server

Static IPs preferred DHCP is a good thing if it works - set and forget. But what happens if the DHCP server is down for some reason? Exactly - the whole network stops working. Another problem of DHCP are those random IPs a client gets each time. This is very bad for printers that use DHCP. Therefore I prefer static IPs over dynamic.
Windows Server 2012 R2 Essentials: You cannot stop Windows LAN Configuration Service anymore
Unfortunately, there is some strange behavior on Server 2012 R2 Essentials if you just enter static IPs on your Windows clients - your Windows OS will show exclamation marks on your network connection from time to time, etc. There is actually a Windows Server LAN Configuration service which keeps overwriting your manual settings and the bad thing is that you cannot stop that service in Server 2012 R2 any more for some reason...So, instead, I decided to use DHCP on the server and add an Alternative IP Configuration with all static data as a fallback if my serv…

Windows Server 2012 R2 ESSENTIALS: Virtualization How-To, Physical Hyper-V Host and Virtual Server (VM)

This is intended to be a guide how to install Microsoft Windows Server 2012 R2 ESSENTIALS as a virtual server, i.e. inside a virtual machine (VM). This VM will run on a physical Hyper-V host which will be again Windows Server 2012 R2 ESSENTIALS itself. This type of installation is allowed by Microsoft but they have not included a tool to simplify the process. In order to achieve our aim, we need to modify the original ISO by removing the Essentials Role and Essentials Setup using Microsoft's own tools.

DISCLAIMER: To my best knowledge everything described here complies with the MS license terms. It worked for me but does not mean that it will work for you as is. So make sure that you have understood everything and check if each step applies to your system. There is no liability for damages.
Physical Hyper-V Host vs Virtual Server (Guest VM) Windows Server 2012 R2 Essentials is a very interesting operating system for small businesses. What many people don't know: Microsoft now …