Windows – Spectre/Meltdown Patches not offered through WSUS


So we have an environment with machines running Server 2008r2, 2012r2, and 2016 (the majority are running 2012r2). All the server updates are managed by a WSUS server running 2012r2 (it patches itself, too). Yesterday, I manually synchronized the WSUS server and approved the updates related to Meltdown and Spectre. I then verified that everything downloaded properly by updating the WSUS Server itself with the patches – everything worked as expected.

Now, this morning, after everything should have scanned for the updates (and they did scan), only a few computers are showing as needing the updates – in fact, the vast majority are showing as installed/not applicable.

They are all either running Symantec Endpoint Protection or Windows Defender/Forefront and have the proper compatibility registry key set. If you download the update from the update catalog and install it, it installs successfully, but I don't want to have to patch all the servers manually. Other updates are installing just fine from the WSUS server.

This hasn't just happened in this one environment. In another environment that I work on sometimes, it is having the same issue (only they are using Avast! business security, but again, the registry key is set).

Does anyone have any insight into this?

Thanks!

~Allen

Best Answer

So today I logged onto the WSUS console, and now all the machines are reporting that the update is needed and can be installed. It seems Microsoft has revised these updates for Windows Server 2012r2 and Windows 8.1, as well. This seems to have caused the servers to detect.

The clients seem to detect now as well. I'm wondering if Microsoft put in a validity date starting today?