Servers Not Being Offered Security Patch for Meltdown/Spectre

    Question

  • Hi All,

    So we have an environment with machines running Server 2008r2, 2012r2, and 2016 (the majority are running 2012r2).  All the server updates are managed by a WSUS server running 2012r2 (it patches itself, too).  Yesterday, I manually synchronized the WSUS server and approved the updates related to Meltdown and Spectre.  I then verified that everything downloaded properly by updating the WSUS Server itself with the patches-- everything worked as expected.

    Now, this morning, after everything should have scanned for the updates (and they did scan), only a few computers are showing as needing the updates-- in fact, the vast majority are showing as installed/not applicable. 

    They are all either running Symantec Endpoint Protection or Windows Defender/Forefront and have the proper compatibility registry key set.  If you download the update from the update catalog and install it, it installs successfully, but I don't want to have to patch all the servers manually.  Other updates are installing just fine from the WSUS server.

    This hasn't just happened in this one environment.  In another environment that I work on sometimes, it is having the same issue (only they are using Avast! business security, but again, the registry key is set).

    Does anyone have any insight into this?

    Thanks!

    ~Allen

    Friday, January 5, 2018 6:12 PM

Answers

  • Yes, I see that, too-- although the second ones should only be needed to enable the changes, not to install.

    That being said, after the revision to the Windows Update yesterday, all of my servers are now finding the update.  Clients are also starting to see the update (Windows 7 has found it, despite there not being a revision).  I'm wondering if there could have been something on the update to not offer it until today's date?

    Tuesday, January 9, 2018 3:51 PM

All replies

  • I am having the same issue. Opened a support case with Microsoft and spent more than four hours on the phone with them, but the best they can come up with is that we will have to wait and see and maybe they can get back to me in a couple of days.
    Friday, January 5, 2018 11:40 PM
  • That's a helpful response from Microsoft!  I appreciate it, though.  Let me know if you hear anything, please.
    Saturday, January 6, 2018 3:15 AM
  • I am having the exact same issue.

    Saturday, January 6, 2018 3:55 AM
  • Per this article, no patch is yet available for Windows 2008 or 2012, unless they are R2:

    https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    Does this explain anyone's experience?

    Edit: Also, this PowerShell module might prove useful:

    https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Saturday, January 6, 2018 4:18 PM
  • Richard - this is not explaining our experience.  I have two Windows 2012 R2 servers running the absolute newest version of Symantec Endpoint Protection Client (14.0.3876.1100), and have verified the registry value "cadca5fe-87d3-4b96-b7fb-a231484277cc" is present under QualityCompat and Data is set to 0x00000000.

    When I check for updates via Windows Update (not WSUS), the update is not advertised.  

     
    Saturday, January 6, 2018 5:42 PM
  • This is also not my experience with either set of servers.  I have both Symantec and Avast between the two environments with the key set and it's not finding the update-- All Windows Server 2012 R2, 2016 or 2008R2.

    The PowerShell module is just to verify that everything is working once it's installed-- it's very helpful to check that the hardware's firmware supports the microcode settings.

    Saturday, January 6, 2018 6:48 PM
  • Same issue. WSUS downloads update, I approved, never applied to any PCs (Vipre/Malwarebytes):

    "The update is installed/not applicable on 57 computers"

    Checking the installed updates on Windows 10 PCs shows never applied, and the Speculation PowerShell check confirmed it.  The update was applied on my home PC (Norton/Hitman).  Will wait a few days and then panic.

    Saturday, January 6, 2018 9:51 PM
  • This spreadsheet of virus vendors and compatibility might help:

    https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

    I got the link from this Wiki:

    https://social.technet.microsoft.com/wiki/contents/articles/51021.mitgations-for-speculative-execution-side-channel-vulnerabilities-meltdown-spectre.aspx

    I added a comment to the Wiki referencing this thread, and requesting assistance.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Saturday, January 6, 2018 10:12 PM
  • We are seeing the same issue here as well for both Windows 8.1 and Server 2012 R2. These test environments have the latest patch level for Symantec EndPoint Protection and should be getting the updates.

    Thanks,

    Mike

    Monday, January 8, 2018 1:34 PM
  • Same issue here, Symantec 14, Eraser version 117.3.0.359.  Have Server 2012 standard and server 2012 R2 machines that are not being offered the patch.  I realize as of time of this writing MS hasn't released a patch for Standard.
    Monday, January 8, 2018 2:30 PM
  • Hello All,

          I have a similar problem as Allen.  The environment I am supporting has machines running Windows 7, Server 2008 R2, 2012 R2, and 2016.  All the machines are running different versions of System Center Endpoint Protection and are patched via WSUS 2012 R2.

    I would say that only 20% of the machines are being offered the Meltdown and Spectre patch.  On the machines that are being offered the patches, I find no trace of the QualityCompat registry key. I have checked on the machines with the latest version of the System Center Endpoint Protection client and on machines with older versions of the Endpoint client.  Is Microsoft not using the same registry key for their own AV products?

    On machines that are not being offered the patches, I have added the QualityCompat key and had some success in getting them to be offered the patch after rebooting the server.   It seems that the patch/AV registry check process is faulty. 

    I am interested in hearing the experience of others that are running the System Center Endpoint Protection in their environment.   Thanks Ron

    Monday, January 8, 2018 3:19 PM
  • I have the same issue that WSUS clients are not pulling the patches.  I have Avast! installed but reg key is present.  If i tell the Windows update to check online instead it finds the patch.
    Monday, January 8, 2018 5:49 PM
  • Same thing here but with Windows 10 clients mostly.  Updates are approved and downloaded but marked as not applicable. AV software is supported.  I installed it manually on one PC and confirmed with PowerShell that it's patched, but WSUS still lists it as not applicable.
    Monday, January 8, 2018 9:45 PM
  • Same thing here but with Windows 10 clients mostly.  Updates are approved and downloaded but marked as not applicable. AV software is supported.  I installed it manually on one PC and confirmed with PowerShell that it's patched, but WSUS still lists it as not applicable.
    Same in our environment.
    Tuesday, January 9, 2018 3:36 AM
  • I had a similar issue, mostly windows 10, update 4056890 should apply to all of these machines, but SCCM shows update as "not required" for all of these machines.

    I found setting the two reg keys listed here made machines show the update as "required" and then installed without issue.

        support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890

    (apologies - account not verified so can't post an actual link)

    We're running Sophos here, and after some digging on their site, they mention that the latest update from them sets these reg keys. The release of this update from Sophos is expected to be phased between 6-10th Jan I believe. We've not yet had this update, so are waiting to see if it appears, if not, i'll apply the reg keys by other means.

    Just got to sort something with the 2008 & 2012 servers now.

    • Proposed as answer by MisterLeeee Tuesday, January 9, 2018 12:42 PM
    • Unproposed as answer by Allen Howard- CMU Tuesday, January 9, 2018 3:51 PM
    Tuesday, January 9, 2018 12:25 PM
  • I found setting the two reg keys listed here made machines show the update as "required" and then installed without issue.

        support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890


    There's only one registry key listed in this KB article.  All of our machines already have it set by the AV manufacturers.
    Tuesday, January 9, 2018 1:31 PM
  • From different articles, I'm seeing 3 registry settings need to happen...

    One from this article:

    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

    Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"

    Type="REG_DWORD"

    Data="0x00000000"

    Two from this article:

    https://support.microsoft.com/en-hk/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

    To enable the fix *

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    Restart the computer for the changes to take effect.

    To disable the fix *

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    Restart the computer for the changes to take effect.

    (There is no need to change MinVmVersionForCpuBasedMitigations.)

    What a cluster...   but at least we have job security for a little while longer!

    Tuesday, January 9, 2018 3:37 PM
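
    The post above lists two unrelated registry mechanisms side by side, and the thread keeps mixing them up: the QualityCompat value gates whether Windows Update will offer the January 2018 update at all, while FeatureSettingsOverride and FeatureSettingsOverrideMask control whether the installed mitigations are switched on (off by default on Windows Server per KB4072698, on by default on clients per KB4073119). The script below is an added example in PowerShell, not code from the thread or from Microsoft; it reads both, decodes the override bits, and offers the two write operations as separate functions. It assumes an elevated Windows PowerShell 3 or later session and uses only the key and value names quoted in the posts.

```powershell
# Added example (PowerShell, not code from the thread). Reads and, where wanted, sets the two
# unrelated registry mechanisms mixed together in the posts above. Assumes an elevated
# Windows PowerShell 3+ session; key and value names are the ones quoted in the thread.
#   1. QualityCompat\<GUID>: the AV compatibility flag Windows Update requires before it will
#      OFFER the January 2018 update. Normally the AV vendor sets it.
#   2. FeatureSettingsOverride(+Mask): whether the mitigations the update installs are ENABLED.
#      Windows Server leaves them off until these are set (KB4072698); clients default to on.

$QualityCompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpeculativeExecutionRegistryState {
    $compat   = Get-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue -ErrorAction SilentlyContinue
    $mm       = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation

    $override = $mm.FeatureSettingsOverride
    $mask     = $mm.FeatureSettingsOverrideMask

    # Bit 0 of the override disables the CVE-2017-5715 (branch target injection) mitigation,
    # bit 1 disables the CVE-2017-5754 (rogue data cache load, kernel VA shadow) mitigation.
    # A bit only counts when it is also set in the mask, so 0/3 = both on and 3/3 = both off.
    if ($null -ne $override -and $null -ne $mask) {
        $effective = $override -band $mask
        $btiOn = (($effective -band 1) -eq 0)
        $kvaOn = (($effective -band 2) -eq 0)
    } else {
        # Values absent: the platform default applies (Server off, client on).
        $btiOn = -not $isServer
        $kvaOn = -not $isServer
    }

    [pscustomobject]@{
        IsServer                          = $isServer
        QualityCompatPresent              = ($null -ne $compat)
        QualityCompatData                 = $(if ($compat) { $compat.$QualityCompatValue } else { $null })
        FeatureSettingsOverride           = $override
        FeatureSettingsOverrideMask       = $mask
        BranchTargetInjectionMitigationOn = $btiOn
        KvaShadowMitigationOn             = $kvaOn
    }
}

function Enable-SpeculativeExecutionMitigations {
    # The Server step from KB4072698 (override 0, mask 3). Needs a reboot; safe to rerun.
    # A Hyper-V host additionally needs MinVmVersionForCpuBasedMitigations per that KB.
    Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -Type DWord -Value 0
    Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -Type DWord -Value 3
}

function Set-QualityCompatFlag {
    # Sets the offer gate by hand. Only for hosts with no AV, or where the vendor has confirmed
    # compatibility: the thread reports BSODs when the flag is set before the AV is updated.
    if (-not (Test-Path $QualityCompatKey)) { New-Item -Path $QualityCompatKey -Force | Out-Null }
    Set-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue -Type DWord -Value 0
}

Get-SpeculativeExecutionRegistryState | Format-List
```

    The registry only records what was requested. After the reboot, Get-SpeculationControlSettings from the SpeculationControl module (the PowerShell Gallery module referenced earlier in the thread) reports what the kernel actually enabled and whether the CPU microcode or BIOS supports the Spectre variant 2 mitigation, which no registry value can tell you.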
  • Yes, I see that, too-- although the second ones should only be needed to enable the changes, not to install.

    That being said, after the revision to the Windows Update yesterday, all of my servers are now finding the update.  Clients are also starting to see the update (Windows 7 has found it, despite there not being a revision).  I'm wondering if there could have been something on the update to not offer it until today's date?

    Tuesday, January 9, 2018 3:51 PM
  • My Windows 10 clients have received the update but none of my 2012 R2 servers. WSUS update showing as not applicable yet.

     Probably need to reboot. Only reboot once a week. So we'll see.

    Allen-  With your servers patched now, have you noticed any performance dip?

    • Edited by rm304 Tuesday, January 9, 2018 3:58 PM
    Tuesday, January 9, 2018 3:53 PM
  • Just an FYI that the monthly rollup patch for Server 2012 R2 (KB4056895) now appears to be live and offered through Windows Update and the Microsoft Update Catalog.  I guess Microsoft fixed whatever was keeping it from being released.

    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056895
    Tuesday, January 9, 2018 5:47 PM
  • My Windows 10 clients have received the update but none of my 2012 R2 servers. WSUS update showing as not applicable yet.

     Probably need to reboot. Only reboot once a week. So we'll see.

    Allen-  With your servers patched now, have you noticed any performance dip?

    You need to add the registry key of :

    Contact your Anti-Virus AV to confirm that their software is compatible and have set the following REGKEY on the machine

    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

    Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"

    Type="REG_DWORD"

    Data="0x00000000"

    and then you will be able to have the update available to your servers. This is to prevent issues with AV programs.

    Tuesday, January 9, 2018 6:02 PM
  • Allen-  With your servers patched now, have you noticed any performance dip?

    Have not patched them yet, I just see that it needs the patch.  We need to wait for our maintenance window before we can patch.
    Tuesday, January 9, 2018 6:04 PM
  • Hi rm304,

    A new blog post on the performance impact of those updates, FYI: Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems





    Wednesday, January 10, 2018 9:05 AM
  • My Windows 10 clients have received the update but none of my 2012 R2 servers. WSUS update showing as not applicable yet.

     Probably need to reboot. Only reboot once a week. So we'll see.

    Allen-  With your servers patched now, have you noticed any performance dip?

    You need to add the registry key of :

    Contact your Anti-Virus AV to confirm that their software is compatible and have set the following REGKEY on the machine

    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

    Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"

    Type="REG_DWORD"

    Data="0x00000000"

    and then you will be able to have the update available to your servers. This is to prevent issues with AV programs.


    If you add this registry key before your AV is updated, you will most likely get BSOD.  Better to wait for your AV to update and add this on its own.   As in my case I had to add the two extra reg entries and then reboot before the update showed as needed in WSUS
    Wednesday, January 10, 2018 2:42 PM
  • Already stated previously, the update was NOT being advertised to systems even with the QualityCompat registry entry already present and valid.
    Wednesday, January 10, 2018 4:11 PM
  • Same thing here, a handful of my servers got the update via WSUS, all servers I have checked have the registry key already, still 80% of them are not pulling the updates, all servers except 2 are Win2008r2.
    Wednesday, January 10, 2018 9:04 PM
  • I spent the day troubleshooting this on my Windows Server 2012 R2 machines pulling from my WSUS server. I had the same symptom - the update would be evaluated as "Installed / Not Applicable".

    I managed to fix this on my machines, which caused the update to be detected from my WSUS server and subsequently install correctly on my Windows Server 2012 R2 servers. But frankly the process really sucks:

    1) On the server, manually install the following two files in this order:

         Windows8.1-KB2919442-x64.msu (https://www.microsoft.com/en-us/download/details.aspx?id=42162)

         Windows8.1-KB2919355-x64.msu (https://www.microsoft.com/en-us/download/details.aspx?id=42334)

    2) Reboot

    3) Rerun windows updates ("check for updates"). You should see basically all relevant updates since 2014. I had 155 updates available. You'll notice the spectre/meltdown updates are now included in that list. Install them all and reboot as applicable. Of course, this will probably take hours :(

    What I did to figure this out:

    1. I increased the logging level using the instructions at the bottom of this page: https://support.microsoft.com/en-us/help/902093/how-to-read-the-windowsupdate-log-file
    2. I checked for updates. I found the clue in the log C:\windows\logs\cbs\cbs.log by searching that file for the update I was interested in, KB4056898. That update was detecting for a "parent", KB2919355, which is an update from 2014. It did not find that parent and declared the update unnecessary.
    3. I tried installing just that update, and failed. There are a lot of articles about people painfully installing KB2919355 by sequentially installing about 10 separate updates. I managed to get my server working by only doing the two I listed above. YMMV.

    Microsoft, if you're listening, please improve this situation :)

    • Proposed as answer by WSUAL2 Wednesday, May 30, 2018 4:45 PM
    Wednesday, January 10, 2018 10:56 PM
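
    The procedure above (check the 2014 prerequisite chain, raise the Windows Update trace level per KB902093, re-detect, then search CBS.log for the "parent" lookup) can be scripted so it is repeatable across the fleet. What follows is an added PowerShell example, not code from the thread or from Microsoft. It assumes an elevated Windows PowerShell 3 or later session on Windows Server 2012 R2 or Windows 8.1, and the KB numbers the post names: KB2919442 and KB2919355 as the prerequisites, KB4056898 as the update being evaluated. The Trace key values (Flags 7, Level 4) are the ones KB902093 documents; the Find-UpdateLogEntry helper also searches for arbitrary strings, which is how the later QualityCompat and eeCtrl64.sys findings in this thread were made.

```powershell
# Added example (PowerShell, not code from the thread). Reproduces the diagnosis in the post
# above without reading the logs by hand. Assumes an elevated Windows PowerShell 3+ session on
# Windows Server 2012 R2 / Windows 8.1, and the KB numbers the post names: KB2919442 and
# KB2919355 (the April 2014 prerequisite chain) and KB4056898 (the January 2018 update that
# was being evaluated as "not applicable").

function Test-UpdatePrerequisite {
    param(
        [string]$TargetKb = 'KB4056898',
        [string[]]$ParentKb = @('KB2919442', 'KB2919355')   # install order from the post
    )
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        TargetKb        = $TargetKb
        TargetInstalled = ($TargetKb -in $installed)
        MissingParents  = @($ParentKb | Where-Object { $_ -notin $installed })
    }
}

function Enable-WindowsUpdateVerboseLogging {
    # The KB902093 switch the post used: a Trace key with Flags=7, Level=4 makes
    # WindowsUpdate.log record the per-update applicability evaluation.
    $trace = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace'
    if (-not (Test-Path $trace)) { New-Item -Path $trace -Force | Out-Null }
    Set-ItemProperty -Path $trace -Name Flags -Type DWord -Value 7
    Set-ItemProperty -Path $trace -Name Level -Type DWord -Value 4
    Restart-Service wuauserv   # so the agent picks up the new trace level
}

function Find-UpdateLogEntry {
    param(
        [Parameter(Mandatory)][string]$Pattern,   # e.g. 'KB4056898', 'QualityCompat', 'eeCtrl64'
        [int]$After = 3
    )
    # CBS.log records the servicing-stack checks (where the "parent" lookup showed up);
    # WindowsUpdate.log is the agent's own log on 2008 R2 / 2012 R2.
    $logs = "$env:windir\Logs\CBS\CBS.log", "$env:windir\WindowsUpdate.log"
    foreach ($log in $logs) {
        if (-not (Test-Path $log)) { continue }
        Select-String -Path $log -Pattern $Pattern -SimpleMatch -Context 0, $After |
            ForEach-Object {
                "{0}:{1}: {2}" -f $log, $_.LineNumber, $_.Line
                $_.Context.PostContext | ForEach-Object { "    $_" }
            }
    }
}

# Typical run: check the chain, then force a detection and read what the agent decided.
# DetectNow() returns immediately; give the scan a minute or two before reading the logs.
Test-UpdatePrerequisite | Format-List
Enable-WindowsUpdateVerboseLogging
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
Find-UpdateLogEntry -Pattern 'KB4056898'
```

    If MissingParents lists KB2919442 or KB2919355, install them in that order from the download links in the post, reboot, and re-run the detection; the prerequisite check is what turns "Installed / Not Applicable" into "Needed", and the verbose log is what shows you which check failed when it is something else.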
  • Has anyone else noticed some funkiness with approvals for these updates in WSUS?

    I've noticed machines reporting the updates needed but not detecting the updates on the client side for install, which appeared at first to be specific to Windows 10 1709, but today started showing up across other OSes, making it seem more general.

    What's odd, is I normally have the patches approved for specific approval groups but not the default All Computers or Unassigned Computers groups, however I noticed that the update is reported needed in WSUS, but doesn't show up unless I approve the update for All Computers, as well as the Group the systems are assigned to. If I only approve for one or the other, nothing shows up....it makes no sense.

    Friday, January 12, 2018 12:24 AM
  • I figured out my issue.

    We run SEP in our environment, turns out a handful of machines had corrupt definitions and had defs that were more than a few days old.

    Being that this was the case, they weren't offered the updates.  Once that was remedied on those machines by using SymDiag to check the definitions integrity, fixing the corruption and getting new definitions installed when updates are checked they all present as they normally would.

    For the record, the registry key was present on all machines prior to doing this fix, new definitions or not.

    Friday, January 12, 2018 12:27 AM
  • Hi,

    we are working with Windows 2012 R2 servers and some of them do not have antivirus programs installed. We install against WSUS and I added the registry key.

    But still nothing. I stopped Windows Update and cleared the SoftwareDistribution Dir. Still nothing. 

    Does the update NEED an antivirus program?

    Next step will be installing SEP for testing purposes on one of the server. But this cannot be the solution.

    EDIT: My own fault ;) My key was QualityComp instead of Compat


    Regards Stephan

    OneDrive / Sharepoint Blog


    • Edited by Stephan G Saturday, January 13, 2018 12:13 PM
    Saturday, January 13, 2018 11:55 AM
  • I want to thank you J Niland for your post, as it helped me figure out why we were not seeing the new patches on certain servers. 

    We have several older Windows 2008r2 servers that were not seeing the patch from our WSUS or from the official Windows Update either.  I found this thread, and enabled the advanced logging J Niland mentioned but could not find a patch that explained this.  Assumptions about the cause of our problem led me down the wrong path.  I finally just started to read the CBS.log and WindowsUpdate.log on a system that I enabled the logging on (https://support.microsoft.com/en-us/help/902093/how-to-read-the-windowsupdate-log-file) and then found the log entries where the patch is looking for the QualityCompat key.  What followed that surprised me - it was also checking for an old (I presume) Symantec file ("C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys")!  As far as I am aware this is not documented anywhere, as this is the first I heard of that.

    We replaced Symantec on our servers a few years ago.  The product is not really installed - those files remain after a dirty uninstall.  So I renamed the folder and rescanned, and now I am getting the new patches!

    My guess is our older Windows 2008r2 servers with this problem were originally on SEP 11, then upgraded to SEP 12 before we finally replaced Symantec with another vendor.  My assumption is the old files were left from the 11->12 upgrade, given the small number of servers that have these files.  We have since scanned all of our servers for these files, and only have a dozen that all happen to be our oldest servers.

    Here is a screenshot of the WindowsUpdate.log file I mentioned:


    • Edited by BSpies1 Tuesday, January 16, 2018 4:18 PM wanted to emphasis the issue
    Tuesday, January 16, 2018 4:15 PM
  • JNiland and BSpies1, thank you so much!  This resolved my issue as well.  Even manually adding the registry would not fix my issues.  However, I updated from Symantec to Trend WFBS several months ago and found the same old Symantec directories!  Deleting those directories helped Windows find my updates. 
    Thursday, January 18, 2018 12:21 AM
  • I'm getting the KB's installed, but still showing vulnerable to both of these.

    Any ideas why this is?

    If you read through the InSpectre's explanation there, the KB's only make the OS aware of the patch.  To patch Meltdown, use InSpectre, click the button there until it says "disable protection", which in my case took 2 clicks on each server.  Once you reboot, you should be protected.

    For Spectre, a bios update is required as it's hardware related, not only software.

    Monday, January 22, 2018 5:40 PM
  • I misread Microsoft's posts about clients and assumed it was for servers as well: 

    Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

    To enable the fix *

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    Restart the computer for the changes to take effect.

    To disable the fix *

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    Restart the computer for the changes to take effect.

    (There is no need to change MinVmVersionForCpuBasedMitigations.)

    I enabled this using the reg add, and rebooted.  Once the appropriate reg key is there, and the Server is rebooted. Meltdown is no longer a vulnerability.



    • Edited by JoeFri Wednesday, January 24, 2018 8:44 PM
    Monday, January 22, 2018 8:13 PM
  • Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.
    The note says it all: "For Windows Clients".  There was a different page for Windows Servers ;)
    Monday, January 22, 2018 8:15 PM
  • Ahh, that's what I was assuming, but haven't found a link containing that statement yet.  Do you have a link?
    Monday, January 22, 2018 8:17 PM
  • https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
    Monday, January 22, 2018 8:18 PM
  • perfect!

    thank you

    Monday, January 22, 2018 8:20 PM
  • For those that don't run AV, here's your options as well:

    1. Apply the patch manually:

    Host with no AV - can be manually installed - having no AV on the server only prevents windows updates from pushing it to said server.

    Here's the links to mitigation patches you'll probably need:

    2012R2

    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056895

     

    2008R2

    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4073578

    2. Manually add the AV reg key so windows updates will allow the patch (this is a separate key that is different from the key's that enable the mitigation patch):

     

    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"

    Data="0x00000000"

    I chose option 1, since I only had a handful of hosts to update. I just manually updated them and then confirmed with the InSpectre tool that the host is no longer vulnerable to Meltdown.

    Wednesday, January 24, 2018 7:25 PM
  • Performance hit won't be noticed until the Spectre patch is applied, which is the BIOS update / CPU firmware.  Once that is applied, you'll notice the hit.  

    This tool will let you know where you stand performance-wise before you apply the BIOS update, so you know if you should think twice about applying that fix or not:

    https://www.grc.com/inspectre.htm

    Wednesday, January 24, 2018 8:47 PM
  • After a lot of time on support with MS we have found that if you place "2018-01 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB4056897)" in your software update group then the patches were not appearing on ANY systems.  The moment this was removed the patches started flowing to our 2012 and 2016 servers without any issues.

    We eventually replaced this with "2018-01 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB4056894)" and the 2008 R2 servers were able to get the Meltdown and Spectre patches this way.  Not ideal, but it has got around applying these patches via SUPs.

    Wednesday, February 7, 2018 2:58 PM
  • Thank you. The "("C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys")" file was my problem as well.  Even though I ran LiveUpdate on my Windows Server 2016 VM template, it never updated that file...it was still dated from 2017.  Then I found this article from SEP:

    https://support.symantec.com/en_US/article.GUIDES10040.html

    Specifically: The behavior of the Eraser Engine driver is by default. It only gets activated/installed “as needed”.  In practical terms this means that it gets installed after the first Active (Quick) Scan.

    So I ran a quick scan on my template, and then the file got updated to a 2018 version.  Then Windows Update saw the new patches for Spectre/Meltdown.

    That was awesome detective work BSpies1!  Thanks!

    NK

    Thursday, February 15, 2018 8:36 PM
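
    The two findings above (an orphaned eeCtrl64.sys left behind by an old Symantec uninstall blocks the offer; a stale one on a live SEP install is refreshed by running a Quick Scan) point at the same file but call for opposite actions, so the first thing to establish is which case a given server is in. The script below is an added PowerShell example, not code from the thread, Microsoft or Symantec. It assumes an elevated Windows PowerShell 3 or later session and the path quoted in the thread; the "orphan" test it applies (no loaded kernel driver whose image path is that file, and no Symantec entry under the Uninstall registry keys) is a heuristic of mine, not something either vendor documents. It renames rather than deletes, as the posters did, and refuses to touch a file that is still in use.

```powershell
# Added example (PowerShell, not code from the thread). Finds the leftover Symantec Eraser
# driver file from the two posts above, decides whether it belongs to a live SEP install or is
# an orphan from an old uninstall, and only renames the folder in the orphan case. Assumes an
# elevated Windows PowerShell 3+ session and the path quoted in the thread; the "orphan" test
# (no loaded driver referencing the file and no Symantec entry in the Uninstall registry keys)
# is my heuristic, not anything Microsoft or Symantec document.

$EraserPath = 'C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys'

function Get-SymantecEraserState {
    $file = Get-Item -LiteralPath $EraserPath -ErrorAction SilentlyContinue
    if (-not $file) { return [pscustomobject]@{ Present = $false } }

    # Is the driver loaded? Match on image path so no service name has to be assumed.
    $driver = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like '*\EENGINE\eeCtrl64.sys*' }

    # Is a Symantec product still registered in Programs and Features (64- and 32-bit views)?
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $products = @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.Publisher -like 'Symantec*' -or $_.DisplayName -like 'Symantec*' } |
        Select-Object -ExpandProperty DisplayName)

    [pscustomobject]@{
        Present          = $true
        FileVersion      = $file.VersionInfo.FileVersion
        LastWriteTime    = $file.LastWriteTime     # a 2017 date on a "current" SEP is the stale case
        DriverLoaded     = [bool]$driver
        DriverState      = $(if ($driver) { $driver.State } else { $null })
        SymantecProducts = $products
        LikelyOrphan     = (-not $driver) -and ($products.Count -eq 0)
    }
}

function Rename-OrphanedSymantecShared {
    # Rename rather than delete: the thread's fix was a rename, and it is reversible.
    # When SEP is still installed the driver is in use and a rename fails with a sharing
    # violation; the right fix there is a Quick Scan / LiveUpdate so SEP refreshes the file.
    $state = Get-SymantecEraserState
    if (-not $state.Present) { return 'eeCtrl64.sys not present; nothing to do' }
    if (-not $state.LikelyOrphan) {
        throw "eeCtrl64.sys is loaded or Symantec is still installed ($($state.SymantecProducts -join ', ')); not renaming"
    }
    $shared = Split-Path (Split-Path $EraserPath -Parent) -Parent    # ...\Symantec Shared
    Rename-Item -LiteralPath $shared -NewName 'Symantec Shared.old'
    "renamed $shared; re-run a Windows Update detection"
}

Get-SymantecEraserState | Format-List
```

    To scan the whole estate the way the poster did, save the block as a file and run it with Invoke-Command -ComputerName against the server list using -FilePath, then filter on Present; the LastWriteTime column separates the orphaned copies from the live-but-stale ones that just need a Quick Scan.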
  • What file/folder exactly did you rename?  We went from SEP <some version, can't remember> to SCEP.  I see that folder exists on my problem systems.  When I try to rename the C:\Program Files\Common Files\Symantec Shared folder, it's in use and won't let me rename it. I'm in the process of identifying what's using it, but was wondering if you renamed the root Symantec Shared folder or some sub folder or file.

    Wednesday, February 21, 2018 5:06 PM
  • For me it happened on Servers 2008 R2 and 2012 R2 with no antivirus installed.
    Monday, February 26, 2018 12:12 PM
  • I spent the day troubleshooting this on my Windows Server 2012 R2 machines pulling from my WSUS server. I had the same symptom - the update would be evaluated as "Installed / Not Applicable".

    I managed to fix this on my machines, which caused the update to be detected from my WSUS server and subsequently install correctly on my Windows Server 2012 R2 servers. But frankly the process really sucks:

    1) On the server, manually install the following two files in this order:

         Windows8.1-KB2919442-x64.msu (https://www.microsoft.com/en-us/download/details.aspx?id=42162)

         Windows8.1-KB2919355-x64.msu (https://www.microsoft.com/en-us/download/details.aspx?id=42334)

    2) Reboot

    3) Rerun windows updates ("check for updates"). You should see basically all relevant updates since 2014. I had 155 updates available. You'll notice the spectre/meltdown updates are now included in that list. Install them all and reboot as applicable. Of course, this will probably take hours :(

    What I did to figure this out:

    1. I increased the logging level using the instructions at the bottom of this page: https://support.microsoft.com/en-us/help/902093/how-to-read-the-windowsupdate-log-file
    2. I checked for updates. I found the clue in the log C:\windows\logs\cbs\cbs.log by searching that file for the update I was interested in, KB4056898. That update was detecting for a "parent", KB2919355, which is an update from 2014. It did not find that parent and declared the update unnecessary.
    3. I tried installing just that update, and failed. There are a lot of articles about people painfully installing KB2919355 by sequentially installing about 10 separate updates. I managed to get my server working by only doing the two I listed above. YMMV.

    Microsoft, if you're listening, please improve this situation :)

    Thanks for posting this, I had the same issue. I was just missing KB2919355. I wasted a ton of time, but would have been even more without your post!!!!


    Tuesday, March 13, 2018 8:32 PM
  • Great find! Appreciate it. I was having same issues with a number of older 2008 R2 servers. Renaming the "Symantec Shared" folder did the trick. Can't believe it's still checking that folder even with McAfee Enterprise now in our environment!
    Friday, March 16, 2018 7:16 PM
  • This worked for me.  Been working for days on this issue.  Thanks for posting your fix!
    Wednesday, May 30, 2018 4:46 PM