|Getting the Meltdown/Spectre CPU Security Patches to Install
|Author:||drshock [ Sat Jan 06, 2018 10:42 pm ]|
I happen to run WHS 2011 on an HP Gen8 Microserver, for which HPE has published plans to issue a BIOS patch for the subject vulnerability - https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039267en_us
But to complete the fix you need the Microsoft patches to apply also (OS patches + BIOS CPU microcode patches). This is covered by the Windows 2008 R2 security patches we already get with WHS 2011, but they will not install automatically if you have not installed any sort of antivirus package. I'm not sure why, but Windows Defender on WHS 2011 or Windows Server 2008 R2 will not trigger the prerequisite registry key addition needed.
The comment to a post from user Bert5485 finally clued me in to the problem here - https://community.spiceworks.com/topic/2102479-microsoft-guidance-to-mitigate-speculative-execution-side-channel-vulnerabilitie. And after manually applying the registry change, the security patches came through Windows Update on WHS 2011 as expected.
The registry change I made manually to get it going is documented here by Microsoft - https://support.microsoft.com/en-us/help/4056897
Do not make this registry change manually if you are running any kind of antivirus package, as it was put there to prevent your server from doing a blue screen of death (BSOD) on boot up due to the security patch mitigation! Adding this registry key manually is just for those servers without any AV installed, or where the AV manufacturer has OK'd doing it.
BTW, the validation script from Microsoft requires PowerShell 5 to run. So if you haven't upgraded WHS 2011 to that, you will need to do that before you can run the PowerShell validation of the vulnerability here - https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
Hope this helps someone else running into the same problem.
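A read-only check for the situation described in the post, added here as an example; it is not part of the original post and is not Microsoft's validation script. The key path and value name are the ones Microsoft documents in the KB4056897 article linked above; the function name `Get-PatchReadiness` and the wording of its notes are assumptions.

```powershell
# Added example: read-only audit, it changes nothing on the system.
# Key path and value name are as documented by Microsoft in the KB article
# linked in the post; Get-PatchReadiness is a hypothetical helper name.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-PatchReadiness {
    param([string]$KbId = 'KB4056897')   # KB id taken from the link in the post

    # 1. State of the antivirus compatibility value (expected: REG_DWORD 0).
    $flag = 'Missing'
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $ValueName)) {
        $kind = $key.GetValueKind($ValueName)
        $data = $key.GetValue($ValueName)
        if ($kind -eq 'DWord' -and $data -eq 0) { $flag = 'Set' }
        else { $flag = "Unexpected ($kind = $data)" }
    }

    # 2. Whether the update is already installed.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $installed = [bool]$hotfix

    # 3. Interpret the combination the way the post describes it.
    if ($installed) {
        $note = 'Update installed; confirm mitigations with the Microsoft validation script.'
    } elseif ($flag -eq 'Set') {
        $note = 'Flag present; the update should be offered by Windows Update.'
    } else {
        $note = 'Flag absent or wrong; Windows Update will withhold the update. ' +
                'Check antivirus vendor guidance before setting it by hand.'
    }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        CompatFlag  = $flag
        KbId        = $KbId
        KbInstalled = $installed
        Note        = $note
    }
}

Get-PatchReadiness | Format-List Computer, CompatFlag, KbId, KbInstalled, Note
```

`Get-HotFix` reports only the exact KB id queried, so pass a different `-KbId` if the fix arrived through another update package.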
|All times are UTC - 7 hours [ DST ]|