Unsolved
Windows Update KB4535680 failed to install to Server 2016 PowerEdge R540
Microsoft Advised
This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:
Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.
A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.
This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
Issue: Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.
Workaround: To resolve this issue, contact your firmware OEM.
DELL-Joey C
Moderator
3.1K Posts
February 23rd, 2021 19:00
Hi @JMcR,
Thank you for letting me know about this; it helps those users with servers which are not connected to the internet and use SCCM for updates. Appreciate it. I'll update the L3 about it.
DELL-Marco B
Moderator
3.4K Posts
February 24th, 2021 04:00
Hello,
We are investigating it and will let you know as soon as we know more about it.
Thanks
Marco
EPL-Tech
5 Posts
February 24th, 2021 04:00
brian.seppanen
9 Posts
February 24th, 2021 07:00
I've run this on 2 R640 and 2 R540, all running Windows Server 2019. I've gotten different results.
One system seemed to encounter issues with the Call to Install-Module PSWindowsUpdate with
WARNING: The version '2.2.0.2' of module 'PSWindowsUpdate' is currently in use. Retry the operation after closing the applications. The script pushes on regardless and doesn't seem to finish properly, consequently.
I essentially walked through command by command to follow it through, but I don't see it any longer attempting to install the defined KB when running windows update. I did do a Windows Update check online (normally SCCM is used), and applied the updates and rebooted, and after rebooting it did show the KB was installed properly.
One R540 indicated that the install succeeded but was failing to install other updates. Windows Defender Update failed to install on 2/16/2021 - 0x80240017, although we do seem to have a more recent version installed. Possibly just a coincidence.
All of the systems are up to date with the BIOS updates from firmware update boot images as of Mid January.
DELL-Marco B
Moderator
3.4K Posts
February 24th, 2021 09:00
Thanks for this information, that can be helpful for the community. We will keep you up to date.
Marco
DELL-Joey C
Moderator
3.1K Posts
February 24th, 2021 18:00
Hi @EPL-Tech,
Thanks for letting me know the solution worked. I don't know in detail what the issue with the EFI boot was. The L3 team worked with Microsoft and
DELL-Joey C
Moderator
3.1K Posts
February 24th, 2021 18:00
Hi @brian.seppanen,
Thanks for updating me on the issue. I was informed that the script works only on servers which are connected to the internet directly. @JMcR did help by providing some tweaks to the script to be executed on servers running from SCCM updates. And for the R540, yes, it's probably because you have a more recent version installed, therefore you would get a failed installation.
brian.seppanen
9 Posts
February 25th, 2021 04:00
All of the servers I ran the script on have direct access to the Internet. They will also get updates from SCCM.
RonHK
9 Posts
February 28th, 2021 19:00
I ran the script and although I received plenty of error messages from the script, KB4535680 installed successfully after running it.
For your reference, I got following error messages:
PS C:\Windows\system32> C:\Users\AdminNT\Desktop\DellPatch.ps1
WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the
provider 'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the
specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ ... $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [I
nstall-PackageProvider], Exception
+ FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.Install
PackageProvider
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider
name 'NuGet'. Try 'Get-PackageProvider -ListAvailable' to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ ... $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
+ FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportP
ackageProvider
WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Get-PackageProvider : Unable to find package provider 'NuGet'. It may not be imported yet.
Try 'Get-PackageProvider -ListAvailable'.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30
+ ... tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft.Power...PackageProvider:GetPackageProvider) [Get-Pa
ckageProvider], Exception
+ FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlet
s.GetPackageProvider
Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that
'2.8.5.201' or newer version of NuGet provider is installed.
At C:\Users\AdminNT\Desktop\DellPatch.ps1:18 char:1
+ Install-Module PSWindowsUpdate -Force
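The NuGet provider errors in the post above are what PowerShellGet prints when it cannot reach the PowerShell Gallery to fetch the provider. A common cause on Windows Server 2016 is that .NET Framework does not offer TLS 1.2 by default while the Gallery no longer accepts TLS 1.0/1.1. The block below is an added example, not the DellPatch.ps1 script from the thread and not Dell's code: it enables TLS 1.2 for the session, installs the NuGet provider and PSWindowsUpdate only when they are missing (re-installing a loaded module is what produces the "currently in use" warning reported earlier), queries Microsoft Update directly for the KB so the check is independent of the SCCM assignment, and stops at the first failure rather than pushing on. The KB number comes from the thread; the function names and the choice to go to Microsoft Update rather than WSUS are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not the thread's DellPatch.ps1): bootstrap PSWindowsUpdate
# robustly and install one KB from Microsoft Update, failing fast on errors.
$ErrorActionPreference = 'Stop'

function Initialize-PSWindowsUpdate {
    # Offer TLS 1.2 for this process only; the PowerShell Gallery rejects TLS 1.0/1.1.
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

    # Install-Module needs the NuGet provider; install it explicitly instead of
    # relying on PowerShellGet's silent download, which is what failed above.
    if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
    }

    # Only install the module when absent: re-installing an imported module
    # triggers the "module is currently in use" warning seen earlier.
    if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
        Install-Module -Name PSWindowsUpdate -Force
    }
    Import-Module PSWindowsUpdate
}

function Install-SingleKB {
    param([Parameter(Mandatory)][string]$KB)   # e.g. 'KB4535680'

    if (Get-HotFix -Id $KB -ErrorAction SilentlyContinue) {
        return [pscustomobject]@{ KB = $KB; Status = 'AlreadyInstalled'; RebootRequired = $false }
    }

    # Ask Microsoft Update directly rather than the WSUS/SCCM-assigned source,
    # so the check works on hosts that normally receive updates from SCCM.
    Add-WUServiceManager -MicrosoftUpdate -Confirm:$false | Out-Null
    $offered = Get-WindowsUpdate -MicrosoftUpdate -KBArticleID $KB

    if (-not $offered) {
        # Not offered: typically already installed, superseded, or not applicable
        # (for KB4535680: no UEFI/Secure Boot, or OEM firmware that rejects the
        # DBX update, per the Microsoft note quoted at the top of the thread).
        return [pscustomobject]@{ KB = $KB; Status = 'NotOffered'; RebootRequired = $false }
    }

    $null = Get-WindowsUpdate -MicrosoftUpdate -KBArticleID $KB -Install -AcceptAll -IgnoreReboot
    $installed = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
    $status = 'Failed'
    if ($installed) { $status = 'Installed' }
    [pscustomobject]@{
        KB             = $KB
        Status         = $status
        RebootRequired = (Get-WURebootStatus -Silent)
    }
}

Initialize-PSWindowsUpdate
Install-SingleKB -KB 'KB4535680' | Format-List
```

On a host whose firmware does not accept the DBX update, Windows Update may report the KB as installed even though the DBX was not changed, which is the situation bjdix describes further down; "Installed" from this function therefore says only that the package is present, not that the revocations took effect.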
AhKauai
2 Posts
February 28th, 2021 19:00
I updated the install.wim,
the instructions do not indicate it, maybe it is assumed.
Would I need to replace the install.wim in the Windows Update ISO file before running the upgrade?
Thanks,
Stehen
AhKauai
2 Posts
March 8th, 2021 19:00
Thanks,
It worked for me. My server was acting unstable, and for the last 48 hours it has been running well, with all updates through 02-2012 loaded.
bjdix
2 Posts
March 9th, 2021 14:00
I followed the instructions in the .ps1 script and it appears to install the patch without errors. But when I run a Nessus scan, the vulnerability 139239 - Windows Security Feature Bypass in Secure Boot (BootHole) is still flagged with the Plugin Output:
Please refer to the vendor advisory for more information.
The .ps1 script doesn't update the DBX with the compromised UEFI binaries. The only way I was able to update the DBX was following the Microsoft guidance for applying Secure Boot DBX update (ADV 200011). After I followed these instructions the vulnerability wasn't flagged on a subsequent Nessus Scan.
Machine is PowerEdge R730 with Windows Server 2016 Standard.
Will Dell provide a solution to update DBX?
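The post above makes the point that matters for this thread: a KB showing as installed and the DBX actually containing the revocation entries are two different facts, and a scanner checks the second. Together with the Microsoft description at the top (the DBX is a list of forbidden signatures and hashes that the firmware refuses to load), that suggests reading the Secure Boot variables directly. The following is an added example, not Dell's or Microsoft's code: it parses the db and dbx variables as EFI_SIGNATURE_LIST structures from the UEFI specification, confirms the precondition that db trusts the Microsoft Corporation UEFI CA 2011 (KB4535680 only applies then), counts the SHA-256 and X.509 entries in dbx, and optionally looks for one revoked hash. No revoked hash is hard-coded; supply the value from the vendor advisory. The function names and output fields are assumptions of this example; the GUIDs and structure layout are from the UEFI specification. It needs an elevated prompt on a UEFI system; Get-SecureBootUEFI throws on legacy-BIOS hosts.

```powershell
#Requires -RunAsAdministrator
# Added example (not Dell's or Microsoft's code): inspect the Secure Boot db/dbx
# variables directly, so "KB shows installed" and "DBX actually revoked
# something" can be told apart. Needs a UEFI system.

# Signature-type GUIDs defined in the UEFI specification.
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Read-EfiSignatureList {
    # Parse the concatenated EFI_SIGNATURE_LIST structures held in a Secure Boot
    # variable and emit one object per EFI_SIGNATURE_DATA entry.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SigSize(4)
        $type       = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $kind = if ($type -eq $EFI_CERT_SHA256_GUID) { 'sha256' }
                elseif ($type -eq $EFI_CERT_X509_GUID) { 'x509' }
                else { $type.ToString() }

        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData(SigSize-16)
            $data = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
            [pscustomobject]@{
                Type  = $kind
                Owner = [guid]::new([byte[]]($Bytes[$pos..($pos + 15)]))
                Hex   = ([BitConverter]::ToString($data) -replace '-', '')
                Data  = $data
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Test-SecureBootDbx {
    # $RevokedHash: optional hex SHA-256 of a UEFI binary you expect to be revoked;
    # take the value from the vendor advisory (none is hard-coded here).
    param([string]$RevokedHash)

    $enabled = Confirm-SecureBootUEFI
    $db  = @(Read-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name db).Bytes)
    $dbx = @(Read-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name dbx).Bytes)

    # KB4535680's DBX update only applies when db trusts the Microsoft UEFI CA 2011;
    # the CN is a PrintableString inside the DER certificate, so a byte search works.
    $hasMsUefiCa = [bool]($db | Where-Object Type -eq 'x509' | Where-Object {
        [Text.Encoding]::ASCII.GetString($_.Data) -match 'Microsoft Corporation UEFI CA 2011' })

    $revokedPresent = $null
    if ($RevokedHash) {
        $needle = ($RevokedHash -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $revokedPresent = [bool]($dbx | Where-Object { $_.Hex -eq $needle })
    }

    [pscustomobject]@{
        SecureBootEnabled  = $enabled
        DbHasMsUefiCa2011  = $hasMsUefiCa
        DbxSha256Entries   = @($dbx | Where-Object Type -eq 'sha256').Count
        DbxX509Entries     = @($dbx | Where-Object Type -eq 'x509').Count
        RevokedHashPresent = $revokedPresent
    }
}

Test-SecureBootDbx | Format-List
```

Run it before and after applying the update and compare DbxSha256Entries: if the count does not change, the firmware did not accept the new DBX, whatever Windows Update reports, and the OEM-firmware note in Microsoft's text at the top applies. A machine with Secure Boot disabled may still carry a dbx variable, but nothing enforces it until Secure Boot is turned on, which is the distinction Dell-DylanJ draws below.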
DELL-Marco B
Moderator
3.4K Posts
March 10th, 2021 02:00
Hello,
At the moment, we are only able to provide a temporary workaround for everyone until the new patch is ready.
The Microsoft team and Dell engineers are working on the new patches currently.
Here the DBX fix on Microsoft KB https://bit.ly/3vbtNtl
Thanks
Marco
bjdix
2 Posts
March 10th, 2021 13:00
Hi DELL-Marco B,
Thank you for the quick response. Would this patch be necessary for Dell Machines that don't have Secure Boot enabled?
Dell-DylanJ
2.9K Posts
March 10th, 2021 14:00
Hello,
Generally speaking, it is best to keep the server fully up to date on patches. However, if the server in question isn't using the feature an update pertains to, Secure Boot in this case, it can really be more of a housekeeping measure. I'd consider installing the patch, just in case Secure Boot were to become something you may need in the future.