WSUS reporting "Not Applicable" Status for Spectre Meltdown updates set to "Install" on Windows 10 computers

  • Question

  • - One WSUS server - Windows 2016, fully patched

    - 2900 client computers running Windows 10 Enterprise 64bit, with a mix of 1607 and 1703

    - Microsoft built-in Defender is the only AV on our computers

    - All Intel procs

    We built a new WSUS server in early January of this year and set the GPOs accordingly.  At first, the only updates we approved were the January KB405689X.  Clients reported, downloaded, and successfully patched.  We did the same thing for the Feb. KB407459X updates, plus the Flash updates from Jan. and Feb.  Again, no problem, until this week.

    While going through inventory this week and putting some remaining computers on the network to get the updates, we noticed that something is causing the Spectre Meltdown patches to stop being available to the local computers.  In WSUS, these updates show "Install" yet the status is "Not Applicable."  Interestingly, the clients have no problem recognizing and pulling the Flash updates from WSUS.  Again, this just started happening this week.

    After reading many articles on what may cause this, here's what else I can add...

    - We have not modified or added any new GPOs to our network in months.

    - There is no sign of the "reg key" that needed to be provided by AV companies when this whole thing broke out, even though it was recently lifted with the March update (which we have not approved yet).

    - Even when adding the reg key, still no go.

    I know similar issues have been posted here and on other sites, and some have had success with modifying Insider Build and Telemetry GPOs, the reg key, etc.  These aforementioned solutions either do not affect or help us.

    Any ideas of what might have occurred?  

    Thanks

    Friday, March 23, 2018 12:16 PM

Answers

  • So I think I understand what the deal is.  It's been some time since I've really been involved in WSUS so maybe my expectations were miscalculated.  

    The newer March updates for Spectre - Meltdown and Flash are superseding.  When they were made available to the public, our WSUS server recognized this and rendered all previous updates as superseded, and therefore, "Not Applicable."  Therefore, any of our computers that missed the boat for January and February have to wait until I approve the March updates before they get anything.

    I think that is somewhat unfair in the sense that, without fully testing the March updates, the January and February updates will not install from WSUS just to have some sort of protection.  Sure, we could manually install those superseded patches, although that defeats the purpose of having a WSUS server.  It is our environment, so we should be able to control the flow of patches.

    Oddly, the January Flash patch still worked, despite the fact that a February Flash patch was approved and superseding.  And, why was the February Flash patch in "Not Applicable" state and the January one still offered?  Only Microsoft could answer that, I guess.

    • Marked as answer by Just In Time Thursday, March 29, 2018 4:13 PM
    Thursday, March 29, 2018 4:13 PM
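
An added example (not part of the thread and not Microsoft's code): a PowerShell check for the situation the answer above describes, listing approved updates that WSUS marks as superseded and flagging those whose superseding updates have no approval yet. It assumes it is run on the WSUS server itself with the UpdateServices module available; the output column names are chosen here for illustration.

```powershell
# Added example: run in an elevated PowerShell session on the WSUS server.
# Assumption: the UpdateServices module (installed with the WSUS role) is present.
Import-Module UpdateServices

$wsus = Get-WsusServer   # connects to the local WSUS instance

# Limit the query to updates whose latest revision is approved.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

# Relationship used to ask "which updates replace this one?"
$rel = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

$report = foreach ($u in $wsus.GetUpdates($scope)) {
    # Only approved updates that the catalog now marks as superseded matter here.
    if (-not $u.IsSuperseded) { continue }

    $newer         = @($u.GetRelatedUpdates($rel))
    $approvedNewer = @($newer | Where-Object { $_.IsApproved })

    [pscustomobject]@{
        KB                = ($u.KnowledgebaseArticles -join ',')
        Title             = $u.Title
        SupersededByKB    = (($newer | ForEach-Object { $_.KnowledgebaseArticles }) -join ',')
        NewerApproved     = $approvedNewer.Count
        # True = the approved update is superseded and none of its
        # replacements is approved, so review this row first.
        NoApprovedReplacement = ($approvedNewer.Count -eq 0)
    }
}

# Rows with NoApprovedReplacement = True are listed first.
$report |
    Sort-Object NoApprovedReplacement -Descending |
    Format-Table KB, SupersededByKB, NewerApproved, NoApprovedReplacement, Title -AutoSize -Wrap
```

Running this after each synchronization shows which approved updates have been superseded since they were approved, before computers returning from storage start reporting against them.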

All replies

  • Did you check if the update is installed on the computer?

    Have you examined the windowsupdate.log which will be in c:%windir%Windowsupdate.log?



    Monday, March 26, 2018 9:18 AM
  • The updates are not installed on any of the computers we pulled out of storage last week.  All computers up until approximately 3/19 were getting the approved updates from our WSUS server.  Now, they are only getting offered one.  To be exact, here are the only updates set to "Install" for a Windows 10 x64 1703 computer...

    2018-01 - KB4056891 - Security Update for Spectre and Meltdown

    2018-02 - KB4074592 - Security Update for Spectre and Meltdown

    2018-01 - KB4056887 - Security for Flash

    2018-02 - KB4074595 - Security for Flash

    The only update being offered by the WSUS server to any clients that don't have the list above yet is 2018-01 - KB4056887.  The other three are NOT offered, even though they are needed AND can be applied manually through download.  The WSUS server shows these computers as "Not Applicable" which doesn't make sense.  Again, this just started occurring week beginning 3/19.  It was running smoothly until then.  The only change to the server was the March security updates being installed.  No configuration changes were made.  I even tried uninstalling those March updates just for the heck of it.  That didn't help.

    Tried the ideas posted here...

    https://social.technet.microsoft.com/Forums/Lync/en-US/d1534aa5-3358-40f8-adf1-d83dc4384386/wsus-problem-all-windows-10-1703-updates-not-applicable-to-all-workstations?forum=winserverwsus

    ...and that is not the issue.  Checked for these settings anyway and made sure.

    I have parsed and looked through the windowsupdate.log.  It is quite extensive.  Anything specific I should be looking for other than the fact it is successfully talking to WSUS?  Thanks


    Wednesday, March 28, 2018 1:59 PM