Remotely Deploying the Patch to Fix Intel’s ‘Meltdown’ CPU Security Flaw

As you have probably already seen in the tech news this week, all Intel CPUs have a newly discovered flaw being called ‘Meltdown’. More information is available here.

Currently the only way to address this hardware flaw is by applying an update to the operating system. If you will be using BatchPatch to distribute the update to your computers then you have a couple of different options for making this happen.

The update has been released under the following KB IDs, which vary depending on the version of the operating system installed on your computer. You should definitely read the KB release notes (links below) before installing the update, because they outline important compatibility issues, particularly with anti-virus applications.

KB4056892 (applies to Windows 10 Version 1709)
KB4056891 (applies to Windows 10 Version 1703)
KB4056890 (applies to Windows 10 Version 1607, Windows Server 2016)
KB4056888 (applies to Windows 10 Version 1511)
KB4056893 (applies to Windows 10 Enterprise released in July 2015)

Applying the Update to Systems that Have Access to the Internet or a WSUS

For systems that have access to the internet or a WSUS, applying the update with BatchPatch should be very straightforward. You’ll simply need to execute your normal Windows Update routine so that computers download and install the appropriate update. For most users this means you’ll execute ‘Actions > Windows updates > Download and install updates + reboot if required’ or similar.

In the case of my lab Windows 10 Version 1607 computer, when I ran BatchPatch ‘check for available updates’ this is the result I got:

To update this computer I will simply execute ‘Download and install updates + reboot if required’ and that should be all I need to do.

Applying the Update to Systems that Do Not Have Access to the Internet or a WSUS

Using Offline Mode to Deploy the Updates:

If you are applying this out-of-band patch to systems that do not have internet access or access to a WSUS, one option is to wait until Microsoft publishes the next WsusScn2.cab file, which they do on a monthly basis. The next release of this file *should* have the relevant updates included, which means that you will be able to follow your normal routine of applying Windows updates using ‘offline mode’ in BatchPatch.

EDIT 20180108: Microsoft released a new WsusScn2.cab file on Jan 4, 2018 that contains the relevant updates.

Using the BatchPatch ‘Deployment’ Functionality to Deploy the Updates:

You will need to first manually download the required update from the Microsoft catalog. Links to each update (each OS version has its own update) are provided on the pages linked above for each KB ID. Once you have downloaded the relevant update for each operating system in your environment, and once you have read through the KB articles to make sure that your systems are ready to receive the update, then you may go ahead and deploy the .MSU file using BatchPatch’s standard ‘Deploy’ method for .MSU files, which is outlined here: Remotely Deploy a Standalone .MSU Update to Multiple Computers
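To confirm which machines actually received the update after either deployment path, the following added PowerShell example (not part of the original post and not BatchPatch functionality) maps each OS build to the KB ID listed above and checks for it with Get-HotFix. The build numbers, the function names and the host names are assumptions added here.

```powershell
# Added example: map the Windows 10 / Server 2016 build number to the KB ID
# listed in this post, then report whether that KB is installed.
# Build numbers are not in the original post; they are the standard build
# numbers for each Windows 10 version.
$KbByBuild = @{
    16299 = 'KB4056892'   # Windows 10 Version 1709
    15063 = 'KB4056891'   # Windows 10 Version 1703
    14393 = 'KB4056890'   # Windows 10 Version 1607, Windows Server 2016
    10586 = 'KB4056888'   # Windows 10 Version 1511
    10240 = 'KB4056893'   # Windows 10 Enterprise released in July 2015
}

# Hypothetical helper: returns the expected KB ID, or $null for other builds.
function Get-ExpectedKb {
    param([Parameter(Mandatory)][int]$Build)
    if ($KbByBuild.ContainsKey($Build)) { return $KbByBuild[$Build] }
    return $null
}

# Hypothetical helper: one result row per computer, including query failures.
function Test-MeltdownKb {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        $row = [ordered]@{ Computer = $computer; Build = $null; ExpectedKb = $null; Status = $null }
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            $row.Build = [int]$os.BuildNumber
            $row.ExpectedKb = Get-ExpectedKb -Build $row.Build
            if (-not $row.ExpectedKb) {
                $row.Status = 'OS build not covered by the KB list in this post'
            } elseif (Get-HotFix -Id $row.ExpectedKb -ComputerName $computer -ErrorAction SilentlyContinue) {
                $row.Status = 'Installed'
            } else {
                $row.Status = 'Not found'
            }
        } catch {
            # Unreachable or access-denied hosts are reported, not skipped.
            $row.Status = "Query failed: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Host names below are constructed placeholders.
Test-MeltdownKb -ComputerName 'LAB-W10-1607', 'LAB-W10-1709' | Format-Table -AutoSize
```

A ‘Not found’ result is a prompt to look closer rather than proof that a machine is unpatched: once a later cumulative update is installed, the original KB ID may no longer be listed.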
