Will Spectre patch (KB4056897) install on Server 2008r2 with no antivirus installed?

  • Question

  • I run a 2-node Windows Server 2008R2 cluster that is air-gapped from the net and has no antivirus product installed. The recently released patch for the Meltdown/Spectre bug indicates it will not install unless compatible anti-virus is installed. What if no anti-virus is installed? I know I can probably use the RegKey workaround, but I have to tightly control the configuration of the cluster and manual registry updates are frowned upon...

    Friday, January 5, 2018 1:05 AM

All replies

  • I'm actually testing on one of my test servers now, W2008 R2 ENT with no AV installed, only Windows Defender. The server was not getting the updates from WSUS.

    After looking at the registry, originally the key was not there so I manually added it. After that I was able to get the update from WSUS. Installing now. Will update on results.


    Friday, January 5, 2018 6:51 AM
  • No issues with the install. Only after manually adding the registry key was I able to get the following updates to install:

    2018-01 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB4056894)

    2018-01 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB4056897)

    Cumulative Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems (KB4056568)

    Looks like you will have to add it so you can get your cluster updated.

    Good Luck!

    Friday, January 5, 2018 7:01 AM
  • I am in the same position, trying to install KB4056897 on Windows Server 2008 R2 Datacenter. After adding the registry key, I am unable to see the update from WSUS and manual installation fails with the message: "The update does not apply to your system".

    Do you have any clue how to proceed in this case?

    • Edited by raddd Saturday, January 6, 2018 6:28 PM typo
    Saturday, January 6, 2018 6:27 PM
  • KB4056894 is identified as the Monthly Quality Rollup. I believe it includes KB4056897, which is a Security Only Rollup. They both include the mention of the AV registry key. I have a server with 6894 installed on it and we will do a vulnerability scan and see if it still flags the CVE.
    Monday, January 8, 2018 12:38 AM
  • The sad point is that my OS does not see either KB4056897 or KB4056894 in WUA at all and their manual installation fails.

    The Amazon AWS bulletin mentions that:

    Please note, Server 2008R2 and 2012R2 patches are currently unavailable through Windows Update requiring manual download, Microsoft advise these patches will be available Tuesday, January 9th.

    so let's see..

    Tuesday, January 9, 2018 2:38 PM