February 11th, 2021 01:00

Windows Update KB KB4535680 failed to install to Server 2016 PowerEdge R540

Microsoft Advised

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:

  • Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

    A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

    This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.

Issue: Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.

Workaround: To resolve this issue, contact your firmware OEM.

Moderator

3.1K Posts

February 23rd, 2021 19:00

Hi @JMcR,

Thank you for letting me know about this; it helps those users with servers that are not connected to the internet and use SCCM for updates. Appreciate it. I'll update the L3 about it.

Moderator

3.4K Posts

February 24th, 2021 04:00

Hello,

We are investigating it and will let you know as we know more about it.

Thanks

Marco

5 Posts

February 24th, 2021 04:00

Thank you Joey. I can confirm that this worked on our R330 and R440 running Server 2016 and 2019 respectively. Do you know what is wrong with the original \EFI\Boot\bootx64.efi that caused the update to fail?

February 24th, 2021 07:00

I've run this on 2 R640, 2 R540, all running Windows Server 2019. I've gotten different results.

One system seemed to encounter issues with the call to Install-Module PSWindowsUpdate with

WARNING: The version '2.2.0.2' of module 'PSWindowsUpdate' is currently in use. Retry the operation after closing the applications. The script pushes on regardless and, consequently, doesn't seem to finish properly.

I essentially walked through it command by command to follow it through, but I don't see it any longer attempting to install the defined KB when running Windows Update. I did do a Windows Update check online (normally SCCM is used), applied the updates and rebooted, and after rebooting it did show the KB was installed properly.

One R540 indicated that the install succeeded but was failing to install other updates. Windows Defender Update failed to install on 2/16/2021 - 0x80240017, although we do seem to have a more recent version installed. Possibly just a coincidence.

All of the systems are up to date with the BIOS updates from firmware update boot images as of Mid January.

Moderator

3.4K Posts

February 24th, 2021 09:00

Thanks for this information; that can be helpful for the community. We will keep you up to date.

Marco

Moderator

3.1K Posts

February 24th, 2021 18:00

Hi @EPL-Tech,

Thanks for letting me know the solution worked. I don't know in detail what the issue with the EFI boot was. The L3 team worked with Microsoft, and Microsoft advised on the issue by changing the bootx64.efi file, so the L3 team did it and provided me the scripting.

Moderator

3.1K Posts

February 24th, 2021 18:00

Hi @brian.seppanen,

Thanks for updating me on the issue. I was informed that the script works only on servers which are connected to the internet directly. @JMcR did help by providing some tweaks to the script so it can be executed on servers running from SCCM updates. And for the R540, yes, it's probably that you have a more recent version installed, and therefore you would have a failed installation.

February 25th, 2021 04:00

All of the servers I ran the script on have direct access to the Internet. They will also get updates from SCCM.

9 Posts

February 28th, 2021 19:00

I ran the script and although I received plenty of error messages from the script, KB4535680 installed successfully after running it.

For your reference, I got the following error messages:

PS C:\Windows\system32> C:\Users\AdminNT\Desktop\DellPatch.ps1
WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the
provider 'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the
specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ ... $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [I
nstall-PackageProvider], Exception
+ FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.Install
PackageProvider

PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider
name 'NuGet'. Try 'Get-PackageProvider -ListAvailable' to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ ... $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
+ FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportP
ackageProvider

WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Get-PackageProvider : Unable to find package provider 'NuGet'. It may not be imported yet.
Try 'Get-PackageProvider -ListAvailable'.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30
+ ... tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft.Power...PackageProvider:GetPackageProvider) [Get-Pa
ckageProvider], Exception
+ FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlet
s.GetPackageProvider

Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that
'2.8.5.201' or newer version of NuGet provider is installed.
At C:\Users\AdminNT\Desktop\DellPatch.ps1:18 char:1
+ Install-Module PSWindowsUpdate -Force

2 Posts

February 28th, 2021 19:00

I updated the install.wim; the instructions do not indicate it, maybe it is assumed.

Would I need to replace the install.wim in the Windows update ISO file before running the upgrade?

Thanks,

Stehen

2 Posts

March 8th, 2021 19:00

Thanks,

It worked for me. My server was acting unstable, and for the last 48 hours it is running well with all updates thru 02-2012 loaded.

2 Posts

March 9th, 2021 14:00

I followed the instructions in the .ps1 script and it appears to install the patch without errors. But when I run a Nessus scan the vulnerability 139239 - Windows Security Feature Bypass in Secure Boot (BootHole) still is flagged with the Plugin Output: 

  • The Windows Secure Boot forbidden signature database (DBX) did not contain the expected certificates.
    Please refer to the vendor advisory for more information.  

The .ps1 script doesn't update the DBX with the compromised UEFI binaries. The only way I was able to update the DBX was following the Microsoft guidance for applying Secure Boot DBX update (ADV 200011). After I followed these instructions the vulnerability wasn't flagged on a subsequent Nessus Scan.

Machine is PowerEdge R730 with Windows Server 2016 Standard.

Will Dell provide a solution to update DBX?
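The check the Nessus plugin is describing can be done directly on the variable contents. The following is an added example (not from this thread, Dell's script, or Microsoft's guidance): it parses the chain of EFI_SIGNATURE_LIST structures that make up a DBX blob and reports which expected SHA-256 revocation entries are absent. On Windows the bytes come from `(Get-SecureBootUEFI -Name dbx).Bytes`; the hashes and blob built below are constructed placeholders, not the real BootHole entries.

```python
import struct
import uuid
from typing import List

# SignatureType GUID for SHA-256 hash entries (EFI_CERT_SHA256_GUID, per the UEFI spec).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
ESL_HEADER_LEN = 28  # GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x u32)


def parse_esl(blob: bytes) -> List[bytes]:
    """Return every SHA-256 hash found in a chain of EFI_SIGNATURE_LISTs.

    Layout of one list: SignatureType GUID, SignatureListSize, SignatureHeaderSize,
    SignatureSize, optional header, then SignatureSize-byte entries made of a
    SignatureOwner GUID (16 bytes) followed by the signature data. Lists whose
    type is not SHA-256 (e.g. X.509 certificate lists) are skipped, not rejected.
    """
    hashes: List[bytes] = []
    off = 0
    while off + ESL_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI GUIDs are little-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < ESL_HEADER_LEN or off + list_size > len(blob):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = blob[off + ESL_HEADER_LEN + hdr_size: off + list_size]
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == 16 + 32:
            for i in range(0, len(body) - sig_size + 1, sig_size):
                hashes.append(body[i + 16:i + sig_size])  # drop the SignatureOwner GUID
        off += list_size
    return hashes


def build_sha256_esl(hashes: List[bytes], owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one SHA-256 EFI_SIGNATURE_LIST; used here only to construct sample input."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", ESL_HEADER_LEN + len(body), 0, sig_size)
    return header + body


def missing_revocations(dbx_blob: bytes, expected: List[bytes]) -> List[bytes]:
    """Return the expected hashes that the DBX does NOT contain (empty list means compliant)."""
    present = set(parse_esl(dbx_blob))
    return [h for h in expected if h not in present]


if __name__ == "__main__":
    # Constructed placeholder hashes: a firmware that revoked only the first two of three.
    revoked = [bytes([0x11]) * 32, bytes([0x22]) * 32]
    wanted = revoked + [bytes([0x33]) * 32]
    dbx = build_sha256_esl(revoked)  # in practice: bytes from Get-SecureBootUEFI -Name dbx
    for h in missing_revocations(dbx, wanted):
        print("DBX missing revocation entry:", h.hex())
```

Feed it a real export (for example the bytes written out with `Set-Content -Encoding Byte`) and a list of the hashes published in the vendor advisory to reproduce the scanner's verdict offline.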

Moderator

3.4K Posts

March 10th, 2021 02:00

Hello,

At the moment, we are only able to provide a temporary workaround for everyone until the new patch is ready.

The Microsoft team and Dell engineers are working on the new patches currently.

Here is the DBX fix on the Microsoft KB: https://bit.ly/3vbtNtl

Thanks

Marco

2 Posts

March 10th, 2021 13:00

Hi DELL-Marco B,

Thank you for the quick response. Would this patch be necessary for Dell Machines that don't have Secure Boot enabled?

2.9K Posts

March 10th, 2021 14:00

Hello,

Generally speaking, it is best to keep the server fully up to date on patches. However, if the server in question isn't using the feature an update pertains to, Secure Boot in this case, it can really be more of a housekeeping measure. I'd consider installing the patch, just in case Secure Boot were to become something you may need in the future.
