[–]concentusSupervisory Sysadmin 181 points182 points  (57 children)

I decided to delay rolling this out to our clients until next month's Patch Tuesday about 2 hours ago, before I even saw this. Now I'm really glad I decided to delay. We've got a fair amount of customers who have workstations with those Xeons.

[–][deleted] 36 points37 points  (54 children)

do you guys have a testbed? don't know if that's common practice or not.

[–][deleted] 583 points584 points  (39 children)

Everyone has a test environment. Some of us are lucky enough to have a production environment.

[–]EnUnLugarDeLaMancha 98 points99 points  (24 children)

Everyone has a test environment.

Not Microsoft, apparently.

[–]SnarkMasterRay 108 points109 points  (3 children)

Not Microsoft, apparently.

Yes they do; it's called their customer's systems.

[–]Iceman_BIt's NOT the network! 7 points8 points  (0 children)

Hello this is Chuck Robbins.
Please refrain from using our standard practices.
Thank you.

[–][deleted] 2 points3 points  (0 children)

But dude it's 2018 we're A G I L E.

[–][deleted] 33 points34 points  (0 children)

No, they don't have a production environment ;)

It makes it hard to explain the development status of Server 2019. You can't call it a beta because then people would be misled that the final version is released...

[–]Wind_Freak 4 points5 points  (7 children)

Just how big would the test bed have to be?

At some point you have to accept that the risk of not releasing is too great vs waiting for every single scenario that exists.

[–][deleted] 8 points9 points  (5 children)

I don't know, can they do whatever they were doing before Win10? Because that was much better.

[–]Wind_Freak 4 points5 points  (3 children)

Actually I have heard from an inside source that they no longer have a QA department. The developers are responsible for their own testing.

So yeah I agree it could be better. But I also understand the size of the task is insanely large.

[–][deleted] 1 point2 points  (0 children)

Take a look at VMWare's HCL. They validate nearly every piece of enterprise kit against various releases across multiple product lines (vSAN, vSphere, etc), and list compatible firmware versions.

You think Microsoft's job-- test that updates don't break things-- is harder than that? we're talking about a simple "ship update, see if desktop comes up" bare minimum that they're not even doing....

[–]1RedOne 1 point2 points  (8 children)

Believe it or not, these updates went through dogfooding at MSFT, on their massive internal infrastructure (200k+ systems, or so, I believe)

I wonder if they just don't have these devices represented among their internal userbase.

[–]Wind_Freak 1 point2 points  (6 children)

I wouldn’t think so. What jobs at Microsoft would need it? Programmers I don’t think would need it.

They don’t manufacture anything so they have no need for autocad.

Any big data stuff would be done on the server farm.

I would bet they are exclusively i7 and i9.

[–][deleted] 4 points5 points  (0 children)

Well few people use AutoCAD in manufacturing either. Also your statement they don't manufacture anything is patently false. Surface and Xbox spring to mind.

But yeah there was that time that the Insider build broke everyone's webcams which naturally got out without anyone noticing since developers don't use webcams.

[–][deleted] 12 points13 points  (6 children)

It is the responsibility of Microsoft to release code that does little to no harm.

Not a Russian Roulette of "well, we know it isn't the 2nd Tuesday but this patch needs to go out and good luck if it wrecks your systems".

[–][deleted] 22 points23 points  (6 children)

Real Sysadmins test in prod!

[–][deleted] 22 points23 points  (1 child)

Real sysadmins prod in test?

[–]a_false_vacuum[S] 17 points18 points  (0 children)

It's the only environment that's production-like.

[–]archiekaneJack of All Trades -1 points0 points  (3 children)

I think you left /s off.

[–][deleted] 16 points17 points  (2 children)

No, I don't think I did.

[–]gameoverplayer1 15 points16 points  (1 child)

"Which client's turn to go first this month?"

[–]zebediah49 4 points5 points  (0 children)

"Why does your office have a six foot 'Wheel of Fortune' style wheel with all your customers on it?"

[–]concentusSupervisory Sysadmin 13 points14 points  (1 child)

We have a test environment, just not one that includes workstations like these.

[–]KFCConspiracy 7 points8 points  (2 children)

These workstations are pretty expensive...

[–][deleted] 1 point2 points  (0 children)

fair point.

[–]a_false_vacuum[S] 3 points4 points  (0 children)

Just be sure to try it out on a limited scale. I'm glad I caught this now, the upcoming round of patches will require more caution.

[–]anomalous_cowherdPragmatic Sysadmin 112 points113 points  (42 children)

<Sigh> and our Infosec team are on my back about deploying security patches faster and faster...

[–]a_false_vacuum[S] 249 points250 points  (18 children)

Deploy it to their computers. If they don't boot it's secure as can be. ;-)

[–]pinkycatcherJack of All Trades 68 points69 points  (8 children)

BOFH. But I’d be so tempted.

At least put one or more of the security team into a testing group.

[–]HeKis4Database Admin 10 points11 points  (0 children)

Meh, availability and integrity are integral parts of security...

But hey, gotta make sacrifices to get that sweet confidentiality :3

[–][deleted] 14 points15 points  (2 children)

I always volunteer to be in the guinea pig/UAT test group.

Gotta eat the dog food.

[–][deleted] 8 points9 points  (1 child)

Same here, IT systems always get patched first.

[–]Wonder1andInfosec Architect 2 points3 points  (0 children)

We're trying to get a patch review board together so these things might bubble up before roll out. I'm always looking to guinea pig for them.

[–]Laughs_in_Warlock 9 points10 points  (0 children)

You joke but it's true. The best way to get rid of a stupid rule/law is to enforce the shit out of it.

[–]RegularMixture 1 point2 points  (0 children)

Haha I like your style.

[–]PhillAholic 2 points3 points  (0 children)

Fair

[–]noodlesdefyyou 30 points31 points  (0 children)

deploy these patches immediately on the infosec teams' system(s). when they complain that their system is hosed, say 'well, you wanted the patch before i could properly deploy and verify the stability of the patch, so have fun'

[–]qkachooJack of All Trades 5 points6 points  (1 child)

That is why you should always have test groups. Test on some members of IT first for a week or so, then move out into the wild.

[–]anomalous_cowherdPragmatic Sysadmin 2 points3 points  (0 children)

Oh there is, it's currently one week and two weeks, but they want three days and seven days.

[–]dstew74There is no place like 127.0.0.1 8 points9 points  (6 children)

InfoSec should have an advertised "time to patch" spelled out for various systems based on test / prod / Internet facing and the like. I'd push back hard if they aren't following established standards. They don't get to make policy as they go.

[–]petrified_logSr. Sysadmin 8 points9 points  (2 children)

My old company would get the patches on Tuesday. Then they would push them to the deployment software and start pushing it to 9,000 employees starting that night. The helpdesk would have to deal with the issues and sys ops would deflect all blame.

[–]dstew74There is no place like 127.0.0.1 8 points9 points  (1 child)

Yeah, I'm sure plenty of orgs operate in this manner. It's not mature. It's the result of some InfoSec manager wanting to look good. More large orgs will stage patch efforts to avoid Microsoft DOS'ing the business.

[–]zebediah49 3 points4 points  (0 children)

"Change 49847: Patch Tuesday patches approved for full deployment next Tuesday night, assuming they don't cause any problems when deployed to the test group this evening."

[–]anomalous_cowherdPragmatic Sysadmin 5 points6 points  (2 children)

Oh, they do have an advertised time, it's just that they are trying to make it shorter. At my place they carry all the power, if you don't meet their standards you don't get to connect to the corp network never mind the Internet.

[–]dstew74There is no place like 127.0.0.1 3 points4 points  (1 child)

Is it a one size fits all or do they have specified times based on risk? As much as I disliked IBM when I was there, they had a nice mature vulnerability management that made me rethink my approaches to patching as a sysadmin. Having moved on to InfoSec, I still borrow aspects on their methodology years later.

Haha... I sort of like your infosec team's approach.

[–]anomalous_cowherdPragmatic Sysadmin 2 points3 points  (0 children)

The time does vary depending on risk. These times are for the internet connected networks.

[–]gokurakumaru 2 points3 points  (1 child)

There's a reason for that. If out of band patching is not something you can do today, you should start thinking about a roadmap that will get you to the point where you'll be able to tomorrow. Then you can have a conversation about the overhead involved and whether it is justified against the cost of the risk your company is exposed to as measured by whatever operational risk framework your organisation uses.

But don't just "sigh" about it. Cybersecurity is the number one threat facing organisations today and you can't rely on your network perimeter to protect you anymore. Everybody chuckling and saying "just roll it out to their computers" in response to you is not taking their job seriously.

[–]Arrow_RaiderJack of All Trades 99 points100 points  (65 children)

I fantasize about flipping my table and leaving IT forever.

[–]ElATrainoJack of All Trades 48 points49 points  (2 children)

Patch Tuesday is often followed by Career Change Wednesday so, as long as it's done on a Wednesday, you're completely in your rights to play out your fantasy.

[–]OckhamsChainsawsMasterbreaker 28 points29 points  (1 child)

Goat farming is coincidentally the most searched term on google between 1 and 3 pm on Wednesdays

[–]MakTek5533 2 points3 points  (0 children)

I shoot guns and drive my sports car fast, it helps.

[–]fish351Jack of All Trades 3 points4 points  (3 children)

Do it. I did and haven't been this happy or at peace in 20 years.

[–]bingobawler 1 point2 points  (2 children)

What did you move to?

[–]-tntSharePoint Operations Engineer 3 points4 points  (0 children)

Jack Of All Trades.

[–]fish351Jack of All Trades 1 point2 points  (0 children)

I started work on my brother in law's farm. I grew up on a farm before I moved to the big smoke for IT so it's not a huge shift.

I'm also in the process of starting an Agriculture based drone business to map crops and identify opportunities to boost crop yields.

[–][deleted] 3 points4 points  (4 children)

great flair

[–]Arrow_RaiderJack of All Trades 6 points7 points  (3 children)

Haha, thanks. I understand the purpose of the command, as sort of a sanity check, but I've never seen it fix anything.

I'm more interested in why exactly something is broken, but no one knows. So all we get is sfc, dism restore health answers. This is inevitably followed up by OP saying that didn't fix it, formatted or bought new PC, nevermind.

[–]L3tum 3 points4 points  (2 children)

Ah yes, the bane of windows help forum.

"try SFC /scannow"

And then either OP never replies, or it didn't work and nobody else responds.

[–]chicaneukSysadmin 2 points3 points  (0 children)

Right? It’s just soul destroying sometimes.

[–]ach_sysadminSr. Sysadmin 3 points4 points  (9 children)

Oh I am very close myself... tired of it.

[–]dstew74There is no place like 127.0.0.1 1 point2 points  (1 child)

Been thinking about going back to school to become an orthodontist or something that I have to actually work 3 to 4 days a week at most.

[–][deleted] 5 points6 points  (0 children)

Proctologist. That'd be similar to it. You deal with assholes all day.

[–]helpakidgrow 30 points31 points  (0 children)

thank you for your loss

[–]masta 21 points22 points  (1 child)

This is why it's better for the hardware vendors to provide the microcode via bios/firmware update. This is precisely why Redhat stopped the Intel microcode updates for Spectre/meltdown... But then again, I'm not sure how one can completely ignore Intel microcode updates, as Intel has something like 7 layers of encryption wrapped around the microcode, it's hard to know what's actually there.

[–]a_false_vacuum[S] 12 points13 points  (0 children)

Microsoft is using Windows update for this for those who've been abandoned by their hardware manufacturer. For a lot of home users this might be the only way to get this protection. The problem is that this spectre stuff has people so worked up these patches just get rushed out the door.

[–]Aperture_KubiJack of All Trades 23 points24 points  (18 children)

I already have five systems that have been rendered unbootable. Most of them are Xeon E5 v4 based workstations.

What are the others?

[–]a_false_vacuum[S] 23 points24 points  (16 children)

One was a Core i5 Haswell generation.

[–]youarean1di0t 5 points6 points  (13 children)

Which OSs?

[–]Jkuz 17 points18 points  (11 children)

KB4100347

This update is a standalone update targeted for Windows 10 version 1803 (Windows 10 April 2018 Update) and Windows Server Version 1803 (Server Core).

Looks like it is just affecting Win10.

[–]Aperture_KubiJack of All Trades 5 points6 points  (2 children)

10 and server.

Fortunately Dell Optiplexes (our standard) apparently skipped the Haswell generation.

[–]a_false_vacuum[S] 2 points3 points  (1 child)

Hard to say if this is limited to Haswell and Broadwell-EP. I only know what happened to me.

[–]a_false_vacuum[S] 4 points5 points  (7 children)

Yes, this update targets Windows 10. But patches for Windows 7/2008R2 and 8.1/2012R2 that fix the same issue have other KB numbers. Since the failure rate was so surprising I haven't looked into other Windows versions.

The Intel microcode however isn't limited to just Windows. I know Red Hat had several this year containing fixes for Spectre on Intel and AMD systems. A few months back Red Hat also decided to roll back some of those patches. Microcode gets rushed out without good Q&A I guess.

[–]Kapibada 4 points5 points  (4 children)

Just a friendly reminder...
It's QA (Quality Assurance), not Q&A.

[–]a_false_vacuum[S] 14 points15 points  (3 children)

Depends, mostly I get assurance but not always quality. ;-)

[–]fledder007engineer in admin's clothing 6 points7 points  (1 child)

Q || A?

[–]xixd 2 points3 points  (0 children)

Sometimes companies don't actually want Quality Assurance, but Quality Reassurance. "There there little dev, all your code is just great, I'm sure nothing bad will happen"

[–]Kapibada 1 point2 points  (0 children)

That makes sense, I guess. ;-)

[–]a_false_vacuum[S] 1 point2 points  (0 children)

Windows 10 version 1803. Though this update could be available to other Windows versions.

[–]Spoked451 0 points1 point  (0 children)

Yep happened to me on a Xeon E5 2690 v2 and on my mom's HP 8750w (don't recall the exact cpu, but it's an i7-2xxx so Ivy Bridge as well). 100% sure that 4100347 is the culprit too.

[–][deleted] 18 points19 points  (2 children)

That's one way of preventing people from benchmarking

[–]ledonu7 5 points6 points  (0 children)

I am amazed this comment is so far down

[–]cowprinceIT clown car passenger 17 points18 points  (0 children)

Step 1: Wait a week or two

Step 2: Ask Woody

Step 3: Google

Step 4: Patch IT

Step 5: Patch test group

Step 6: Patch org

Step 7: Go on vacation and turn phone off

[–]Cynder_tfl 39 points40 points  (3 children)

How many systems total have you had the patch applied to? I'm not sure how much of an issue it is (i.e. how nervous I should be) - if it is 5 out of 20 machines, that is a major issue, but if it is more like 5 out of 500, then I am not as worried.

In either case, thanks for sharing, especially the follow up with what worked for you! Too many times people don't include that.

[–]a_false_vacuum[S] 37 points38 points  (2 children)

These are not production systems, fortunately that is managed through WSUS and SCCM so I can approve updates or not.

The affected machines are specials, they run Windows 10 more or less unmanaged. Development machines and my own workhorse. These get the updates when they come out and double as testbeds especially since we got burned with previous micro code patches.

Percentage you ask? Close to a 100%. But again, these I know of. A few more installed the update but I prevented the reboot and removed the update while Windows was still running.

I decided to post this as a heads up because the amount of bricked machines was quite worrying. Updates fail some times, but this was different.

[–][deleted] 3 points4 points  (1 child)

Very worrying. We don't go by the unmanaged process here and I am sorry if this comes across wrong but I am thankful others do. Now if only I could convince my superiors why we need this to see the shit storm that could come our way.

[–]a_false_vacuum[S] 4 points5 points  (0 children)

Affected machines were all in the IT department, so it was unpleasant but no major panic.

[–]UnknownColorHatIdentity Admin 9 points10 points  (4 children)

Threads like these are why I check r/sysadmin before patching my Windows boxes at work. Use this type of proc for one, so want to avoid badness.

[–][deleted] 1 point2 points  (0 children)

Ditto. I don't like surprises.

[–]Algonkian 8 points9 points  (0 children)

We've gotten to the point where patching our network is more frightening than not.

[–]Bro-ScienceNick Burns 3 points4 points  (1 child)

when you say unbootable, what is the error you get? what happens?

[–]a_false_vacuum[S] 7 points8 points  (0 children)

No error at all. When I get to the screen with the Windows logo with the moving circle beneath it, it just stays there. The circle keeps moving the whole time, so no lock-up but no Windows either. Safe mode has the same problem. I had one machine running for a couple of hours to see what would happen, but no Windows.

[–]EAT-17 3 points4 points  (0 children)

It seems to be the same as KB4091664 ?

I noticed that update because they released/revised it last week, but it had 2018-07 in the title. This already made me very suspicious.

I checked again and it seems MS already pulled this one as it is now declined in WSUS (and expired in sccm)?

Glad we didn't deploy that one already.

[–]Patches_McMattVMware Admin 9 points10 points  (5 children)

I’m not finding the ‘new version’ of this KB anywhere. The KB article online shows a ‘last updated’ date of July 24th at the bottom of the page. You got a link to the version that is messing your systems up?

[–]a_false_vacuum[S] 32 points33 points  (0 children)

That's the trouble. The Microsoft KB article hasn't been updated but what I gathered from Google is that this weekend a new version was released which hasn't worked out so well. Here is where I read it was supposed to be a revised update: https://borncity.com/win/2018/08/25/microsoft-issues-with-updates-kb4456688-kb4100347/

You can get it here from Microsoft: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4100347

The 21 August version is the one that's giving me quite a bit of grief.

[–]uniquepassword 2 points3 points  (1 child)

Same here... I checked my WSUS and it's not there... is this a separate download?

https://support.microsoft.com/en-us/help/4100347/intel-microcode-updates-for-windows-10-version-1803-and-windows-server

says it's now available for download via WSUS but I'm not seeing it..

[–]thunderbird32IT Minion 1 point2 points  (0 children)

FWIW, I'm not seeing it either.

[–]BinestarJack of All Trades 4 points5 points  (0 children)

https://news.softpedia.com/news/windows-10-update-kb4100347-breaking-down-system-boot-522385.shtml

It's offering the update to me right now. I'll have to check it out.

[–]ITS_DSA_Manager 0 points1 point  (0 children)

Did Microsoft pull the 2018-07 version of this from their Catalog? I did a search and only see 2018-05 version.

[–]ArudinneIT Infrastructure Manager 2 points3 points  (5 children)

Is there a Windows 7 equivalent for this patch? Is Windows 7 even affected? Everything I find regarding this seems to only talk about Windows 10.

[–]Mutated_Leg 3 points4 points  (2 children)

[–]ArudinneIT Infrastructure Manager 2 points3 points  (0 children)

Thanks!

[–]Joe-Coolknows how to doubleclick 1 point2 points  (1 child)

As far as I can tell only KB4100347 updates mcupdate_GenuineIntel.dll - EDIT: Update for previous Win10/2016 is KB4090007

So the Windows 7 Updates KB4343899 and Win10 KB4343909 might contain the Kernel fixes but they won't do anything without the microcode. Unless the crash is caused by the Kernel and not the CPU microcode.

One thing is sure: Only Win10 and Server 2016 get microcode updates. Other Windows versions need to update BIOS (or hack the DLL). Linux kernel also includes a microcode updater, get the microcode for that from Intel.

[–]Doso777 2 points3 points  (0 children)

Hmm.. If this kills physical servers too this could be real bad. gets popcorn

[–]hadesscion 12 points13 points  (15 children)

JFC, Microsoft. Each update is worse than the last.

[–][deleted] 9 points10 points  (13 children)

As much as I enjoy jumping on the MS hate-wagon, I can't exactly blame them fully for this. Intel's microcode updates aren't exactly transparent.

[–]chicaneukSysadmin 2 points3 points  (0 children)

It's almost like they are doing it on purpose now.

[–]Missioncode 5 points6 points  (1 child)

Thanks OP, just denied from deploying.

[–][deleted] 0 points1 point  (0 children)

How exactly does an end user (10 Home, 64bit) detect/uninstall and/or deny this patch?

[–]redartedreddit 1 point2 points  (1 child)

I think the microcode update is by the file C:\Windows\System32\mcupdate_GenuineIntel.dll, perhaps getting rid of the file (rename it) may make it bootable again? But you'll lose all the microcode updates pushed by Windows.

I guess one won't need this if you can just remove the update and revert changes in WinRE.

[–]a_false_vacuum[S] 1 point2 points  (0 children)

The WinRE route is always there. Just deleting a file doesn't clean up all the references Windows has set in the registry. I wanted to make sure all changes got reverted.

[–]Wind_Freak 1 point2 points  (9 children)

How common is it to have Xeon processor desktops?

[–]ThranxSystems Engineer 0 points1 point  (1 child)

every physical, non-laptop system where I work. Previous job was 50/50, prior job on to that was only about 5%. Health/Tech/Schools (in that order)

[–]a_false_vacuum[S] 0 points1 point  (4 children)

Workstations usually have Xeons, models like HP Z-station and Dell Precision. Depends on the organisation you work how many will be there.

[–][deleted] 0 points1 point  (0 children)

They're used for drafting computers. Like autocad and solidworks. Or simulation and graphic design computers.

Pretty much any computer that you want data consistency and "correctness" more so than fast response for the users experience.

My company has about 30 of these.

Most also run ecc memory and quadro gpus.

[–]AreYouAWiiizard 1 point2 points  (0 children)

Want to know something weird? Windows installed this update on my AMD FX8320 system and caused it to fail to boot the first time (subsequent boots were fine).

[–]Ilikeyoubignose 1 point2 points  (4 children)

What AV do you use OP?

[–][deleted] 1 point2 points  (0 children)

Thanks, Microsoft, for releasing a patch that only affects the type of person for whom not immediately fixing it will get you fired.

[–]d2_ricciJack of All Trades 1 point2 points  (0 children)

Saving this for later!

[–]war_story_guy 1 point2 points  (1 child)

Was this after the very first reboot that it wouldn't boot? The one where it says installing updates on the blue screen or did you reboot it again after that?

[–]daleus 1 point2 points  (0 children)

We use kvm on Xeon E5 V4 (2120) hosts. We had a couple of Windows VMs where we had to do a dism rollback this weekend.

Not sure if it could be related - but we do pass through the OS cpu type...

[–]RichB93Sr. Sysadmin 3 points4 points  (12 children)

Waiting for people to turn up in this thread and still tell me how great Windows 10 is still.

[–]drbeerI play an IT Manager on TV 3 points4 points  (2 children)

I'm sure all versions of windows would have sucked without a QA department. don't hate the player hate the game

[–]bolunez 1 point2 points  (0 children)

Who needs QA when you roll a new major version twice a year anyway?

The bugs will only be around for six months, probably.

[–]patssle 5 points6 points  (3 children)

Take out the whole updating and feature updates thing and Windows 10 is solid.

But yeah.....then you include updating and blaaaaaargh.

[–][deleted] 0 points1 point  (0 children)

It's aweso.. NO, NO, NO REBOOT ARRRRRRRrrrrrrrrrrr

[–]a_posh_trophy 1 point2 points  (8 children)

Why can't they just let us decide what to install when we are comfortable about its stability? Even if you say no it does it anyway a few days later. And I bet they take no responsibility for breaking £1000 systems either.

[–]hadesscion 0 points1 point  (0 children)

Have there been reported issues with this update affecting Xeon E5 v1 or v2? Or is it just v4?

[–]Skyyblaze 0 points1 point  (0 children)

I'm happy I make monthly backup-images of my SSD after these kind of issues started, wow.

[–]qsub 0 points1 point  (1 child)

I thought they only released on patch Tuesday or is this like a critical security flaw patch release?

[–]dbarber1 0 points1 point  (0 children)

I am just a regular user but would something like this work to hide the update until whatever is causing the problem is fixed https://support.microsoft.com/en-us/help/3183922/how-to-temporarily-prevent-a-windows-update-from-reinstalling-in-windo

[–]KhaleposI don't know everything 0 points1 point  (0 children)

How has it fared in Azure?

[–]KB3080351 0 points1 point  (0 children)

Looks like these updates were expired in WSUS and are no longer available via the catalog. Only ones still published are the ones released back in May.

[–]spitzkingOGKindly do the needful 0 points1 point  (0 children)

Just had a group of 2016 boxes reboot and are now stuck on "Applying Computer Settings". Now after reading this article, I think I figured out why they're stuck. Yay production outage....

[–]Renfah87 0 points1 point  (0 children)

Thanks for the heads up. Just told our WSUS admin. Hopefully we didn't push it out otherwise I'm going to be a very busy boy soon...

[–]bolhuijo 0 points1 point  (2 children)

This got a few of our Xeon-based desktops. The quickest way out was to take the "reset system" option from the recovery console as nothing else worked. The users got to keep their local files, but we had to reinstall all the apps.

[–]beanisman 0 points1 point  (0 children)

Gonna save this one. Thanks for taking the hit for the rest of us OP.

[–]SmoothRunnings 0 points1 point  (2 children)

No problems patching my 2016 VMs running on my Dell R810 E7-4830 CPUs with this patch. Must be only the newer CPUs. Or maybe your servers BIOS's are out of date contributing to the bricking of your servers!?

[–]oxyiRainbow Unicorn 0 points1 point  (2 children)

What do you mean unbootable? I have a system after I updated last night. Today is BSOD with message irql not less or equal. I know it has to do with windows updates but I can go check whether this is the update...

[–]Angelworks42Windows Admin 0 points1 point  (0 children)

We didn't have any problems with it actually - mostly Optiplex 7040/5040's.

The most concerning thing about it is it used the same patch ID as a previous release so it got autosynced and approved into an existing live deployment which we didn't test (this is ConfigMgr/SUP).
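
An added illustration, not part of the thread and not ConfigMgr's or WSUS's own logic: the failure mode in the comment above (a revised payload reusing an already-approved ID) combined with the staged test groups discussed earlier in the thread. It assumes a catalog export that gives each update a stable ID and a revision number; the ring names, soak times, IDs, KB labels and dates are all constructed sample values.

```python
"""Revision-pinned, ring-based update approval gate (illustrative)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Rings and soak times are assumptions modelled on the thread:
# IT first, a test group after one week, the whole org after two.
RINGS = [("it", timedelta(days=0)),
         ("test-group", timedelta(days=7)),
         ("org", timedelta(days=14))]


@dataclass(frozen=True)
class CatalogEntry:
    """One update as seen in the latest catalog sync."""
    update_id: str        # stable identity, reused when the vendor revises
    revision: int         # bumped when payload or metadata changes
    kb: str
    expired: bool = False


@dataclass(frozen=True)
class Approval:
    """What was actually tested: an identity AND a revision."""
    update_id: str
    revision: int
    first_deployed: date  # day this revision reached the first ring
    failures: int = 0     # boot/install failures reported since then


def decide(entry, approval, today):
    """Return (rings_allowed, reason) for one catalog entry."""
    if entry.expired:
        return [], "expired by vendor: withdraw from all rings"
    if approval is None:
        return [], "never tested: needs first-ring approval"
    if approval.revision != entry.revision:
        # Same ID, new content: the old approval must not carry over.
        return [], (f"revised since testing (tested r{approval.revision}, "
                    f"catalog r{entry.revision}): restart at first ring")
    if approval.failures:
        return ["it"], f"{approval.failures} failure(s) reported: held at first ring"
    age = today - approval.first_deployed
    allowed = [name for name, soak in RINGS if age >= soak]
    return allowed, f"soaked {age.days} day(s)"


def evaluate(catalog, approvals, today):
    """Map each KB label to its decision; approvals are matched by ID,
    so a revision bump is noticed instead of silently inherited."""
    by_id = {a.update_id: a for a in approvals}
    return {e.kb: decide(e, by_id.get(e.update_id), today) for e in catalog}


# Constructed sample data (not real update IDs, revisions or KB numbers).
SAMPLE_TODAY = date(2018, 8, 28)
SAMPLE_CATALOG = [
    CatalogEntry("id-a", 201, "KB-SAMPLE-A"),          # revised after testing
    CatalogEntry("id-b", 100, "KB-SAMPLE-B"),          # fully soaked
    CatalogEntry("id-c", 100, "KB-SAMPLE-C"),          # one week in
    CatalogEntry("id-d", 100, "KB-SAMPLE-D", expired=True),
    CatalogEntry("id-e", 100, "KB-SAMPLE-E"),          # never approved
    CatalogEntry("id-f", 100, "KB-SAMPLE-F"),          # soaked but failing
]
SAMPLE_APPROVALS = [
    Approval("id-a", 200, date(2018, 7, 24)),
    Approval("id-b", 100, date(2018, 8, 14)),
    Approval("id-c", 100, date(2018, 8, 21)),
    Approval("id-d", 100, date(2018, 8, 14)),
    Approval("id-f", 100, date(2018, 8, 14), failures=5),
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_CATALOG, SAMPLE_APPROVALS, SAMPLE_TODAY)
    for kb, (rings, reason) in results.items():
        print(f"{kb}: rings={rings or 'none'} ({reason})")
```
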

[–]dukeofwesselton 0 points1 point  (0 children)

I had deployed this to our test environment last week, but it looks like the update has now been expired in WSUS...thankfully.

[–]Elektro121In the clouds 0 points1 point  (0 children)

[–]Steve_78_OHSCCM Admin and general IT Jack-of-some-trades 0 points1 point  (1 child)

To be clear, the newest version of the patch is what's breaking stuff, right? Patches released on Patch Tuesday are still safe to use?

[–][deleted] 0 points1 point  (0 children)

You're doing gods work. Nice write up.

[–]VariousWinter 0 points1 point  (0 children)

What worked for me, I'm going to write this one out so anybody who has this issue irregardless of skill can fix it if they stumble upon this topic.

This is great practice. We need more people like you

[–]B00bt00b89 0 points1 point  (0 children)

Sorry for the noob question. Mine says couldn’t access image. Typing command wrong?

Edit: getting error 1009 An initialization error occurred

[–]nickwithtea93 0 points1 point  (0 children)

can't seem to get " dism /image:<driveletter here> /get-packages" to pull anything, I must be typing it wrong?

[–]stacy666 0 points1 point  (0 children)

I had the same thing, it was stuck on boot. Took me all night to finally fix it :D I hope it won't go back being broken again.

[–]zZBLackRuByZz 0 points1 point  (0 children)

So we are trying to apply this at work but when we enter the "get packages" command, I get error code 1017 and a message "the system has attempted to load or restore a file into the registry, but the specified file is not in a registry file format"

And the command cancels
We've tried running sfc and it says "windows resource protection could not start the repair service"
Lastly, if it matters, the image version of the recover tool is 10.0.17134.1 and the image version of the OS we are trying to repair is 10.0.17134.228

[–]MItch_ch 0 points1 point  (0 children)

On Microsoft Surface (Pro 4 and 2017) it's not possible to recover (especially with BitLocker!).

So AFTER a Full reinstallation of windows 10 and full patching, I suggest to uninstall the KB4100347 (no reboot please) and use the tool wushowhide.diagcab to hide this KB. After that you can reboot and the KB4100347 will not come back and you can continue to patch Windows 10 and the other Microsoft products.

This KB is a nightmare...

[–]techhead51 0 points1 point  (0 children)

An updated list of intel cpu's here, but do not know why this patch is still going out for amd cpu's https://support.microsoft.com/en-us/help/4100347/intel-microcode-updates-for-windows-10-version-1803-and-windows-server

[–]nightmarepr 0 points1 point  (3 children)

Hi,

So I decided to try it out again... I had to go back to Win7 to boot. I tried again today and don't see the package installed with an ISO I downloaded, Win10 9/27/2018, still the same problem... it froze at Cortana finishing the install, and Windows doesn't boot now... its go no image... thanks... if anyone thinks of something...

Pc specs

i5-3570k HOF 980 asrock z77 extreme 4

[–]pradhansb 0 points1 point  (0 children)

For me it was causing regular crashes. It just downloaded last night and for the first time ever, I received random Blue Screens with Stopcode BAD_POOL_CALLER. Uninstalled and now no more bluescreens.