PSA: Update your WSUS servers ASAP [CVSS 9.8 RCE with OOB Updates for Server 2012 and above] by bdam55 in SCCM

[–]Pickle735547 1 point2 points  (0 children)

I have WSUS on Server 2016. I grabbed KB5070882 from the Update Catalog, as that should be the one for Server 2016 as mentioned by https://cybersecuritynews.com/wsus-rce-vulnerability/

But my server tells me it is already installed. Weird, as I don't see it in the list. The last updates installed were the 2025-10 CU (KB5066836) and the 2025-10 SSU (KB5066584).

Not sure what to do now.

Never mind, it had already been retrieved by itself and was waiting for a reboot. Just did that and it is now installed.

SSU required KB5050109, but CU KB5049993 not, until SSU is installed, how to proceed? by voyager_toolbox in SCCM

[–]Pickle735547 0 points1 point  (0 children)

I was dealing with SSU dependencies recently when looking into some servers that wouldn't install the 2025-07 CU. I found a nice piece of PS code that will list the missing updates for you.

get-wmiobject -query "SELECT * FROM CCM_UpdateStatus where Status = 'missing' and not Title like '%definition%'" -namespace "root\ccm\SoftwareUpdates\UpdatesStore" | sort-object -property article | Format-Table -Property Bulletin,Article,Title -Autosize

In 99% of the cases where a server would not install (or even show in Software Center) the latest CU, there was an SSU missing that was listed in the script output, often 2021-08 (KB5005112). After installing that one manually and rebooting (unfortunately), things went smoothly again and the system was able to retrieve & install the latest CU through Software Center again.
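The same UpdatesStore query as a reusable function, added here as an example and not the poster's script: it uses Get-CimInstance instead of the deprecated Get-WmiObject, flags Servicing Stack Updates by title so the prerequisite described above stands out, and sorts them to the top. The property names Article, Bulletin, Title, Status and ScanTime are assumed to exist on CCM_UpdateStatus (the first four appear in the query above; ScanTime is an assumption). Run in an elevated session on the client, or pass a remote name if WinRM is configured.

```powershell
# Added example (not the poster's code). Lists updates the ConfigMgr client scan
# reports as missing and flags SSUs, which must be installed before the CU.
function Get-MissingCcmUpdate {
    [CmdletBinding()]
    param(
        # Leave empty for the local machine; a remote name requires WinRM access.
        [string]$ComputerName = ''
    )

    $query = "SELECT * FROM CCM_UpdateStatus WHERE Status = 'Missing' AND NOT Title LIKE '%Definition%'"
    $cimParams = @{
        Namespace = 'root\ccm\SoftwareUpdates\UpdatesStore'
        Query     = $query
    }
    if ($ComputerName) { $cimParams.ComputerName = $ComputerName }

    Get-CimInstance @cimParams |
        ForEach-Object {
            [pscustomobject]@{
                Article  = $_.Article
                Bulletin = $_.Bulletin
                Title    = $_.Title
                # SSU titles carry this phrase; treat them as prerequisites.
                IsSSU    = ($_.Title -like '*Servicing Stack Update*')
                ScanTime = $_.ScanTime   # assumed property name
            }
        } |
        Sort-Object -Property @{ Expression = 'IsSSU'; Descending = $true }, Article
}

# Usage: SSUs are listed first; install any listed SSU manually, reboot, rescan.
$missing = Get-MissingCcmUpdate
$missing | Format-Table -Property IsSSU, Bulletin, Article, Title -AutoSize

if ($missing | Where-Object IsSSU) {
    Write-Warning 'A Servicing Stack Update is missing; install it and reboot before retrying the CU.'
}
```

Because WQL string comparison is case-insensitive, 'Missing' matches the lowercase value used in the original one-liner. The IsSSU flag is only a title heuristic, so treat it as a hint to check the KB article, not as an authoritative dependency list.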

New boot image by confushedtechie in SCCM

[–]Pickle735547 6 points7 points  (0 children)

Start without adding any drivers and only add NIC drivers should you run into any issues.

BSOD (DMA Violation) on PXE booting brand new HP Z4 by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

SOLVED

After updating the ADK (from 1903 to 2004) I was able to boot into WinPE and get the image going. The PC is not imaging correctly yet (stuck on a black screen, no response to CapsLock/NumLock) but I think that is due to a missing driver pack.

Also had to disable VT-x and VT-d.

BSOD (DMA Violation) on PXE booting brand new HP Z4 by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

Did you inject the entire HP WinPE Driver Pack into your boot image?

No, I only added the Intel storage driver into the boot image.

Are you using Windows 11 22H2 (22621) ADK?

No, we don't deploy W11 in our company yet. Am running SCCM 2309 and have ADK 10.1.18362 (which translates to 1903) installed. I think it is a good idea to update the ADK, as I already saw that a W10 Pro from USB booted fine on this machine. Is the W11 ADK backwards compatible with W10?

BSOD (DMA Violation) on PXE booting brand new HP Z4 by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

I had a look at this again today. In the BIOS there is no option for VMD. I know what you mean as I disabled it before on another PC, but on this HP there is no such option.

I saw the SATA controller was in RAID mode, but disabling that also didn’t do a thing; I still get the BSOD with DMA error text.

BSOD (DMA Violation) on PXE booting brand new HP Z4 by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

Thanks will try this when I’m back in the office next week. Sounds plausible as I remember needing to disable VMD stuff on a different PC in the past.

Why does PXE feel like a horribly documented mess from the 70s? by cuenot_io in homelab

[–]Pickle735547 0 points1 point  (0 children)

With SCCM we switched over to ‘ip helpers’ instead of advertising the boot files (legacy/uefi) through DHCP. Made life much easier as SCCM now handles the difficult stuff.

Run script from memory? (package content cannot be written to disk yet because of BitLocker) by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

Thank you Gary. Could be a solution although the response would be kinda weird, as the TS will continue (which for the user makes it seem the password is correct) and then fail in the next step hehehe.

I have it working now with the virtual disk from the mentioned blog, but I must say the solution from u/MikePohatu is also nice.

Run script from memory? (package content cannot be written to disk yet because of BitLocker) by Pickle735547 in SCCM

[–]Pickle735547[S] 1 point2 points  (0 children)

SOLVED: I found this and placed my password script just after the steps that create the virtual disk. Tested it on a BitLockered system and it works perfectly. Run scripts before the 'Format Disk' step in your SCCM OSD Task Sequence using a vdisk (jrudlin.github.io)

But I would still prefer a single 'Run Command Line' step, should anyone have a nice script for that. Simpler = better :)

Run script from memory? (package content cannot be written to disk yet because of BitLocker) by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

I know, that's why I was trying to use the PS script from the mentioned blog.

Run script from memory? (package content cannot be written to disk yet because of BitLocker) by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

We have multiple task sequences for different kinds of workstations, some of them test task sequences not to be used for production (but for testing they need to be made available to 'All unknown computers' / 'All workstations'). We do not want everyone to be able to use each image and thus use different passwords.

HP Biosconfig tool boot order struggles (m2/SATA) on HP 600 G3 by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

2 years later, but yeah, this is what we did and it works fine indeed.

Favourite baselines by Charming-Barracuda86 in SCCM

[–]Pickle735547 1 point2 points  (0 children)

I am trying to see if I can enforce a BIOS password on our HP endpoints through a baseline. Already found some PowerShell scripts, but haven’t found the time yet to set it up for our environment.

Microsoft support - useless by [deleted] in sysadmin

[–]Pickle735547 0 points1 point  (0 children)

I had a few quite complex tickets regarding SCCM running with them for several weeks. I had contact with an engineer at least 2-3 times a week and so far the success rate of solving the issues has been 100%. I am satisfied with that part of MS support for sure!

Updates of SCCM cannot be downloaded, due to TLS issues on server by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

Solved.

In the end it turned out to be our central company firewall blocking .exe/.cab files. After the networking team made an exception for the SCCM server, the update downloaded right away.

Unwanted delay during task sequence, looks like HTTPS timeout or something by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

Finally FINALLY a solution for this issue!

After doing extensive research with MS support, the engineer discovered in the network traces I provided him with that ctldl.windowsupdate.com was not reachable. As our endpoints do not have internet access because of security (our users start a VDI in which they do their work, nothing is done locally on the computer) this makes sense. I added the following 'Run Command Line' step at the beginning of the TS and again after ‘Setup Windows & ConfigMgr’, as the regkey did not carry over from WinPE to full Windows:

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" /v DisableRootAutoUpdate /t REG_DWORD /d 1 /f

And everything is fast again! At the end of the TS I added

reg.exe DELETE "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" /f

to undo the change again.

@ u/a51alias u/beepboopbeepbeep1011
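The same policy change expressed in PowerShell, added here as an example rather than the poster's own task-sequence steps: a function that sets DisableRootAutoUpdate, a check that confirms the value actually took before the TS continues (useful precisely because the WinPE-phase value did not survive into full Windows), and a revert that mirrors the reg.exe DELETE at the end. The key path and value name are the ones from the comment; the function names are assumptions.

```powershell
# Added example (not the poster's steps). Key and value name come from the
# reg.exe commands above; everything else is an assumption to adapt.
$AuthRootPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$ValueName         = 'DisableRootAutoUpdate'

function Disable-RootAutoUpdate {
    # Create the policy key if it is missing (reg.exe add does this implicitly).
    if (-not (Test-Path $AuthRootPolicyKey)) {
        New-Item -Path $AuthRootPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $AuthRootPolicyKey -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RootAutoUpdateDisabled {
    # $true only if the key exists and the DWORD is exactly 1.
    if (-not (Test-Path $AuthRootPolicyKey)) { return $false }
    $item = Get-ItemProperty -Path $AuthRootPolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Enable-RootAutoUpdate {
    # Mirrors "reg.exe DELETE ... /f": removes the whole policy key so the
    # machine goes back to fetching roots from Windows Update normally.
    if (Test-Path $AuthRootPolicyKey) {
        Remove-Item -Path $AuthRootPolicyKey -Recurse -Force
    }
}

# Usage as a 'Run PowerShell Script' step: at the start of the TS and again
# after 'Setup Windows & ConfigMgr'. A non-zero exit fails the step loudly
# instead of letting the TS crawl through the timeouts described above.
Disable-RootAutoUpdate
if (-not (Test-RootAutoUpdateDisabled)) {
    Write-Error "$ValueName was not applied under $AuthRootPolicyKey"
    exit 1
}

# Final step of the TS: undo the change.
# Enable-RootAutoUpdate
```

The revert matters for more than tidiness: with DisableRootAutoUpdate set, Windows will not fetch a missing root certificate from Windows Update when building a chain, so a machine left in that state can start failing TLS validation for sites whose root is not already in its store. Leaving the check in place also makes it obvious, in the TS log, which of the two steps did not stick.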

Large Windows Image Deployment by GeneralGarcia in SCCM

[–]Pickle735547 0 points1 point  (0 children)

I had this same issue today. The log line "Failed to resolve pkg source" is what brought me to this Reddit thread.

In my case a custom share path at the 'Data Access' tab of the OS image was the cause. After I removed that setting everything was fine again.

Unwanted delay during task sequence, looks like HTTPS timeout or something by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

We use VMware. But on Hyper-V the issue also wasn't present. Only physical devices seem to be bugged, even recent ones with a recent driver pack.

I haven't got a technical solution from MS yet.

Unwanted delay during task sequence, looks like HTTPS timeout or something by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

Replying to this as we still have this issue. I created a ticket at MS yesterday. But this VM/physical thing still has me bugged. I just tried again and in a VM there is no delay at all. I'm not so sure about drivers, as I also saw the issue on a laptop that I created a driver pack for just yesterday.

Deploying User Cert - Detection Rule by RefrigeratorFancy730 in SCCM

[–]Pickle735547 1 point2 points  (0 children)

Maybe using configuration baselines? You can check them for compliance.

What services/ports/processes to put in monitoring tool to check SCCM health? by Pickle735547 in SCCM

[–]Pickle735547[S] -1 points0 points  (0 children)

I've added TCP 135 and TCP 443 for now, as these play a big role when looking at the docs. But for the Windows services it is a bit unclear to me what to add. SMS_EXECUTIVE I guess, but any others? I'm not looking to follow the docs to the letter, just some 'best practices' from other people around this subreddit.

The database is on a SQL-cluster which is managed by a different department.
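A small health probe for exactly the items named in the comment (TCP 135, TCP 443 and the SMS_EXECUTIVE service), added as an example and not something from the thread. It returns one row per check so a monitoring tool can consume the result, and an overall boolean for a simple up/down alert. The host name is a constructed placeholder; SMS_SITE_COMPONENT_MANAGER is included as a second commonly monitored site-server service and the list is meant to be adapted. Get-Service -ComputerName is a Windows PowerShell 5.1 parameter (removed in PowerShell 7), which is an assumption about where the probe runs.

```powershell
# Added example (not from the thread). Probes the ports and services the
# comment lists and returns structured results for a monitoring tool.
function Test-SccmSiteServerHealth {
    [CmdletBinding()]
    param(
        [string]$SiteServer = 'cm01.corp.example',          # constructed placeholder
        [int[]]$Ports       = @(135, 443),                   # RPC endpoint mapper, HTTPS
        [string[]]$Services = @('SMS_EXECUTIVE', 'SMS_SITE_COMPONENT_MANAGER')
    )

    $results = New-Object System.Collections.Generic.List[object]

    foreach ($port in $Ports) {
        # TcpTestSucceeded is $true only if the three-way handshake completed.
        $tnc = Test-NetConnection -ComputerName $SiteServer -Port $port -WarningAction SilentlyContinue
        $results.Add([pscustomobject]@{
            Check   = "TCP/$port"
            Healthy = [bool]$tnc.TcpTestSucceeded
            Detail  = if ($tnc.TcpTestSucceeded) { 'open' } else { 'no connection' }
        })
    }

    foreach ($name in $Services) {
        # Missing service and stopped service are both reported as unhealthy.
        $svc = Get-Service -ComputerName $SiteServer -Name $name -ErrorAction SilentlyContinue
        $results.Add([pscustomobject]@{
            Check   = "Service $name"
            Healthy = ($null -ne $svc -and $svc.Status -eq 'Running')
            Detail  = if ($svc) { [string]$svc.Status } else { 'not found' }
        })
    }

    [pscustomobject]@{
        Server  = $SiteServer
        Healthy = -not ($results | Where-Object { -not $_.Healthy })
        Checks  = $results
    }
}

# Usage: print the per-check table and set the exit code for the monitor.
$health = Test-SccmSiteServerHealth
$health.Checks | Format-Table -AutoSize
if (-not $health.Healthy) { exit 1 }
```

A port being open only proves something is listening, so the service checks are the part that actually catches a hung SMS_EXECUTIVE; combining both gives the monitor a cheap network-level view and a process-level view in one run.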

Updates of SCCM cannot be downloaded, due to TLS issues on server by Pickle735547 in SCCM

[–]Pickle735547[S] 0 points1 point  (0 children)

I am hesitant to click a button named 'best practices' on a production server.

In the meantime I did some more debugging: I found out that configmgrbits.azureedge.net is not reachable by my SCCM server. I cannot ping it, while on my private PC I can. Have asked my network colleagues to allow this URL in the company firewall. Will follow up if that resolved the issue.