Hyper-V Server 2016 Meltdown/Spectre Patching

Does anyone know the state of patching Hyper-V Server 2016 (just the hypervisor)?  A Microsoft engineer told me that Hyper-V Server is not applicable to the new Windows patches that were just released but I'd like to get a second opinion on that.  Currently, my Hyper-V Server never reported to WSUS that it needed the January Meltdown/Spectre update that was applied to Windows Server 2016.
ColumbiaMarketingAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
The host machine should be patched and you should check for BIOS and Chipset updates and do applicable updates. This covers the patches for the hardware issue.

The guest machines should be patched to keep them up to date.
McKnifeCommented:
The hypervisor OS 2016, no matter if core or full installation, needs to be patched, the engineer was seriously wrong.
If it is not detected, that is because it has no compatible AV installed or the built-in windows defender is disabled. If defender is disabled, it also stops updating itself and with updating stopped, windows update will not correctly detect an AV solution to be present.

->check your AV
->if it's defender, enable defender, update defender and redetect the windows updates.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ColumbiaMarketingAuthor Commented:
McKnife, would you be able to provide information on how to go about enabling Defender on Hyper-V Server?  When I initially set it up I was not given any option to enable Defender by default, nor do I see any reference to it running under Services.
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

McKnifeCommented:
Defender is enabled by default on server 2016 / server 2016 Hyper-v.
1st, before we go into this, check the presence of the following registry key:
--
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
Data="0x00000000”
--
Is it present on the server in this form?
ColumbiaMarketingAuthor Commented:
That's what's confusing I guess.  This is strictly just the hypervisor version with no GUI, Hyper-V Server, and not Windows Server with the Hyper-V role installed.  I can't seem to find any information in regards to configuring Windows Defender with Hyper-V Server 2016, only for Windows Server running the Hyper-V role.  

And no, I do not see that registry entry under 'SOFTWARE\Microsoft\Windows\CurrentVersion.'
ColumbiaMarketingAuthor Commented:
I apologize, I do see Windows Defender running under Services.
McKnifeCommented:
See... you have some in charge of that server that has deactivated windows defender before. Else it would be active and updated and that key would be there. Please check the following regkey to determine the state of defender:
HKLM\Software\Policies\Microsoft\Windows Defender key: DisableAntiSpyware - if it is set to 1, then defender was disabled by policy.
McKnifeCommented:
Ah, just saw your newest comment. If it is running, do also check the key.
If the key is not there or set to 0, please do a windows update on that machine so that defender is updated as well.
ColumbiaMarketingAuthor Commented:
I do not see that registry key you mentioned anywhere and I have been running Windows update successfully on this and WSUS reports that it is 100% up to date.
McKnifeCommented:
By now I mentioned two keys. What about the defender key?
ColumbiaMarketingAuthor Commented:
Both keys are not present.
McKnifeCommented:
Say, are you perfectly sure that there is no secondary AV installed on that machine?
ColumbiaMarketingAuthor Commented:
None whatsoever.  We use SEP 14 but since this is just a hypervisor it was never installed on it.
McKnifeCommented:
Something is fishy. I went through your comments. You wrote
" I do not see that registry entry under
'SOFTWARE\Microsoft\Windows\CurrentVersion.
'" while I mentioned a ´value blow some other key, one deeper:
SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
so your answer is not clear.
Double check.
ColumbiaMarketingAuthor Commented:
I apoplogize, I should have stated that 'QualityCompat' key is not listed at all.
McKnifeCommented:
Ok, let's move on: on your host, open powershell and launch
Get-MpComputerStatus
Quote the output (or pipe it into a file:
Get-MpComputerStatus | out-file c:\test\mpstatus.txt
) and upload that file.
ColumbiaMarketingAuthor Commented:
I believe I found at least part of the issue.  Since we use SEP 14 on everything, WSUS was not syncing the Windows Defender product.  I have just enabled this in WSUS, ran a synchronization, and I am now waiting for the Hyper-V server to check in to see if it reports as needing definition updates.  If it reports then I will approve them for it, update, and then check to see if the January Microsoft update is listed as needed.  

I ran the powershell command and the definitions for everything are definitely not current.
ColumbiaMarketingAuthor Commented:
That was indeed the issue.  Once it downloaded the most recent Windows Defender definitions it then reported to WSUS that it needed the January Cumulative update which it installed without issue.  

Thanks for your help McKnife.  It's perplexing that an actual Microsoft Support Engineer told me that Hyper-V Server wasn't applicable to the January update and that it was up to date.
McKnifeCommented:
You are welcome.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.