Meltdown/Spectre Patch is failing on all W10v1607

For some strange reason the patch will not install on any w10 v1607 in my entire domain. If I take that same machine and bring it up to v1709 and applied the appropriate Meltdown patch... It installs.
There is a know issue with Bloomberg and v1709 which why I must remain on 1607.

See screenshot below.
Meltdownw10v1607
GGHCAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hello ThereSystem AdministratorCommented:
The first rule what to do is to have all updates installed.



https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056890
Choose the correct version - x86 or x64 + not for servers.

Next follow these steps: https://support.microsoft.com/en-ph/help/971058/how-do-i-reset-windows-update-components

Also see all known issues within this update. Also here.
0
Hello ThereSystem AdministratorCommented:
Some people were helped by this:

1- Disable automatic update

2- Clear temporary files running "Disk Cleanup" (you should clean up all system files too)

3 - Download and run this utility from Microsoft: https://support.microsoft.com/en-us/help/10164/fix-windows-update-errors

4 - Run the Windows update repair tool (the built-in utility you'll find in "Settings" https://www.microsoftpressstore.com/articles/article.aspx?p=2467489)

5 - Download and run the KB4054517 offline installer (https://www.windowslatest.com/2017/12/13/direct-download-links-kb4054517-windows-10-build-16299-125/)

6- Reboot and re-enable the automatic Windows updates. Check and you'll find the KB4054517 is now properly installed
0
Hello ThereSystem AdministratorCommented:
Also you can run Windows Update Diagnostic Tool from HERE.

You might also consider disabling your antivirus off. It might help.
0
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

Hello ThereSystem AdministratorCommented:
Can you please check out Event Viewer for more details?
0
Hello ThereSystem AdministratorCommented:
From another discussion:
I had previously enabled the Windows Store policy to “Turn off the offer to update to the latest version of Windows” found at Computer Configuration/Administrative Templates/Windows Components/Store. As soon as I disabled this policy the 1607 update began applying to my 1511 machines that were registering as not needed.
0
JohnBusiness Consultant (Owner)Commented:
If you have to stay at V1607, then you can only do the security updates allowed for V1607. For more advanced features you must upgrade. Contact Bloomberg for them to fix your issue.
0
Hello ThereSystem AdministratorCommented:
Btw as far I can see are you trying to apply v1607 on machine with v1607 already installed?
0
masnrockCommented:
Did you update your antivirus software? A registry key has to be updated. Here's what's you need in case you want to do it manually.

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”

Open in new window


You need to do that first, THEN you can install the patch.
0
GGHCAuthor Commented:
Thanks Hello There for your guidance.  
I confirmed it is the correct one for W10 v1607. I actually tried both the Delta and Cumulative from the Windows Catalog
I ran through all the procedure except the one to apply KB4054517 since it applies to 1709.

It's so bizarre because this patch is not in Windows Update, not in the history. Since this up was just released I didn't see it being Superceded. Also I am getting it straight from the Windows catalog.
May just raise a Microsoft Ticket.

Here is the reason I can not move forward to v1709.

Bloomberg statement regarding v1709 issue.
MS response is to "rollback" if you encounter issue.
0
GGHCAuthor Commented:
@masnrock All the Computers have the QualityCompat key. Placed there by Symantec as part of self update.
0
McKnifeCommented:
Since your screenshot shows you are trying a delta update, I would double check what you download. Please link the download of the cumulative update that you chose.

You need the last on the list: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/01/windows10.0-kb4056890-x64_1d0f5115833be3d736caeba63c97cfa42cae8c47.msu
0
serialbandCommented:
Bloomberg's software will frequently cause patching delays.  You may have to wait until they catch up before you can patch.
0
GGHCAuthor Commented:
@Mcknife I did try both the delta and the cumulative update. Unfortunately I get the same N/A when trying either one. Bizarre
0
McKnifeCommented:
If you did that download manually and not through your patch management software bloomberg and it did not work, then it's very odd and I would suggest to do a repair installation using the windows 10 v1607 setup media/ISO file. Then, updating will definitely work again.
0
GGHCAuthor Commented:
@McKnife the patch will not install the KB4056890 to any W10 v1607 in my entire environment. This is not seen on any other version or with any other patch. I might just get the details from Bloomberg on which exact window/section is effected and see if any user is using it.
0
McKnifeCommented:
Look, here, it installs. Take a clean 1607 - it will install. That's why I recommend the repair installation.
0
masnrockCommented:
Do you have a single system that you could have Bloomberg on and upgrade to v1709? There is this particular excerpt:
On November 14, 2017, Microsoft released a patch for Windows 10 Fall Creators Update (OS build: 16299.64) which addresses one of the known issues. Please see the Microsoft Support article for more details.
Obviously, there is no way for us to guarantee that it'll work properly. However, it might be a topic worth discussing with Bloomberg.
0
GGHCAuthor Commented:
Today I will try just that- create a standalone pc with v1607 to test.

Also I assume there should be a log somewhere on the machine that details was the patch install is doing and what cause it to think it’s N/A.
Anyone know this location?
0
Hello ThereSystem AdministratorCommented:
WindowsUpdate.log is under C:\Windows\...
1
GGHCAuthor Commented:
Confirmed that by moving a PC to the AD OU Computers, the update gets applied.
Time to dig through GP Result on an affected PC...
0
GGHCAuthor Commented:
This is the only setting that seems to apply to the issue. I will Deny/Apply on that GPO for a test PC and test it after hours.
MSUpdate_GPO
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
masnrockCommented:
Ah. That would explain a lot, given that we're still within the first 2 weeks of the update's release. Especially given that the updates were released on Jan. 3.
0
GGHCAuthor Commented:
The culprit was the AD Policy to postpone for 2 weeks. We have a 3rd party patch management and was able to install patches as released, strange this one was being blocked by this policy.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.