
So we have an environment with machines running Server 2008r2, 2012r2, and 2016 (the majority are running 2012r2). All the server updates are managed by a WSUS server running 2012r2 (it patches itself, too). Yesterday, I manually synchronized the WSUS server and approved the updates related to Meltdown and Spectre. I then verified that everything downloaded properly by updating the WSUS Server itself with the patches-- everything worked as expected.

Now, this morning, after everything should have scanned for the updates (and they did scan), only a few computers are showing as needing the updates-- in fact, the vast majority are showing as installed/not applicable.

They are all either running Symantec Endpoint Protection or Windows Defender/Forefront and have the proper compatibility registry key set. If you download the update from the update catalog and install it, it installs successfully, but I don't want to have to patch all the servers manually. Other updates are installing just fine from the WSUS server.

This hasn't just happened in this one environment. In another environment that I work on sometimes, it is having the same issue (only they are using Avast! business security, but again, the registry key is set).

Does anyone have any insight into this?

Thanks!

~Allen

Allen Howard
  • Is there even a spectre patch available yet??? – Chopper3 Jan 05 '18 at 19:03
  • @Chopper3, yes- Microsoft released Out of Band patches Wednesday night. https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution – Allen Howard Jan 05 '18 at 19:05
  • Note that in addition to the Windows and A/V updates, we will need to install BIOS/firmware/microcode updates, according to Microsoft. – Todd Wilcox Jan 05 '18 at 19:58
  • @ToddWilcox Yeah, I can confirm that based on Windows clients. But Windows should still install the update without the firmware update as not all the patches require it (only one of them does). – Allen Howard Jan 05 '18 at 20:08
  • @AllenHoward - This looks strange. I was able to update Server 2016 after making the required changes in the Registry. Are you sure you have made the proper Compatibility settings in the Registry (if you're having non-Microsoft Antivirus)? – Am_I_Helpful Jan 08 '18 at 13:46
  • @Am_I_Helpful: Yes. I verified that SEP and Avast (one for each environment) have the settings correct. I can patch them all manually with the update from the update catalog, it just isn't detecting from WSUS or Windows Update (online, bypassing WSUS) – Allen Howard Jan 08 '18 at 14:21
  • @AllenHoward - I didn't get your point about the Antivirus settings! Did you make the required registry changes as suggested by Microsoft in their article? In my case, after adding the registry DWORD & Key, and a needed reboot, my servers started downloading and installing updates. – Am_I_Helpful Jan 08 '18 at 15:11
  • @Am_I_Helpful Are you talking about the settings to enable the functionality, or to ensure AV compatibility? I was under the impression that the update should be installed first and then the settings turned on in BIOS. (Reference: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution) – Allen Howard Jan 08 '18 at 15:32
  • @AllenHoward - I was talking of the Registry settings as per this article by Microsoft -> https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software ; The antivirus software must set a registry key as described in order to receive the January 2018 security updates, OR else manually set the registry key as described in order to receive the January 2018 security updates. – Am_I_Helpful Jan 08 '18 at 17:23
  • @Am_I_Helpful- Yes-- That's the settings I'm talking about-- both SEP and Avast have made the necessary registry key without requiring manual intervention. – Allen Howard Jan 08 '18 at 17:26
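
As an added example (not from the question or the answers above), the following read-only PowerShell check reports, per server, the three things discussed in this thread: whether the antivirus-compatibility DWORD from the Microsoft article linked in the comments (KB 4072699) is present and zero, whether the mitigation-enabling values from the server guidance article (KB 4072698) are set, and whether a given update is installed. The KB number is a placeholder parameter the caller fills in from the WSUS console; the key paths and value names are taken from those two Microsoft articles and are not on this page themselves.

```powershell
# Added example: read-only status check for the January 2018 updates.
# Assumes the registry locations documented in Microsoft KB 4072699 (QualityCompat)
# and KB 4072698 (FeatureSettingsOverride / FeatureSettingsOverrideMask).
param(
    # Placeholder: pass the KB number of the January 2018 update shown in the WSUS console.
    [string]$KbId = 'KB0000000'
)

function Get-RegValue {
    # Returns the named value, or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Windows Update / WSUS only offers the January 2018 updates when this DWORD exists and is 0.
# Antivirus products that are compatible (SEP, Defender, Avast, ...) create it themselves.
$compatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

# On Windows Server the mitigations stay disabled after installing the update until
# FeatureSettingsOverride = 0 and FeatureSettingsOverrideMask = 3 are set (KB 4072698).
$mmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

$compat   = Get-RegValue -Path $compatPath -Name $compatName
$override = Get-RegValue -Path $mmPath -Name 'FeatureSettingsOverride'
$mask     = Get-RegValue -Path $mmPath -Name 'FeatureSettingsOverrideMask'
$hotfix   = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

# One object per machine so the results can be collected with Invoke-Command and compared
# against what the WSUS console reports as "installed / not applicable".
[pscustomobject]@{
    ComputerName                = $env:COMPUTERNAME
    AVCompatKeyPresent          = ($null -ne $compat)
    AVCompatKeyIsZero           = ($compat -eq 0)
    FeatureSettingsOverride     = $override
    FeatureSettingsOverrideMask = $mask
    MitigationsEnabledByReg     = ($override -eq 0 -and $mask -eq 3)
    UpdateInstalled             = ($null -ne $hotfix)
    InstalledOn                 = $hotfix.InstalledOn
}
```

Run it against a list of servers with `Invoke-Command -ComputerName <servers> -FilePath .\Check-JanUpdate.ps1 -ArgumentList 'KB...'` (script name assumed) so a machine that WSUS lists as "not applicable" but that has no compatibility key stands out immediately.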

2 Answers

0

So today I logged onto the WSUS console, and now all the machines are reporting that the update is needed and can be installed. It seems Microsoft has revised these updates for Windows Server 2012r2 and Windows 8.1, as well. This seems to have caused the servers to detect.

The clients seem to detect now as well; I'm wondering if Microsoft put in a validity date starting today?

Allen Howard
-2

As per me, if possible wait for some time, as the current patches may impact the performance of the server. This patch should be applied on the hardware in the form of firmware first, then on the hypervisor and last on the guest OS.

For now these patches are like a mitigation creating a layer between the hardware and the OS to avoid this issue.

So wait if possible, follow the sequence of updating patches, and be prepared for performance issues.

  • This advice is highly situational. Many environments require security as a first priority and in those environments, waiting is not an option. – Todd Wilcox Jan 09 '18 at 19:54
  • Agree on your points, but presently we are all mostly on VM and cloud instances; it's not easy to bypass all layers. But yes, it depends on each and every condition and situation. – user451361 Jan 10 '18 at 02:19
  • @user451361 - The order of applying the patches are exactly in the reverse order to what experts like Microsoft, etc. have suggested in the advisory; hence, a downvote. – Am_I_Helpful Jan 10 '18 at 18:57
  • @Am_I_Helpful - Thanks for your feedback :) - But I too have some feedback from different vendors and have read many articles like the one below: https://www.ibm.com/blogs/bluemix/2018/01/ibm-cloud-spectre-meltdown-vulnerabilities/ ---- Drivers or firmware can never be patched in reverse order, as per my experience. They always come from hardware to host OS and then host OS to guest OS. Maybe you have some better understanding than me. Thanks anyway – user451361 Jan 11 '18 at 02:24