Windows 10 cumulative updates, categorized as ‘Updates’, do not show up in Configuration Manager / WSUS

We are using Configuration Manager current branch to update the existing Windows 10 machines with quality updates. All Configuration Manager components are running on ‘Server 2016’ + KB4284833. The error is reproducible in CMCB 1802, 1802 + KB4339794 or TP 1806.2. Windows 10 cumulative updates categorized as ‘Updates’ are not imported into Configuration Manager […]

Deploy Intel microcode updates published by Microsoft via Configuration Manager

Microsoft published the Intel microcode update for Windows 10 1709 as a standalone update (KB4090007), so it is not showing up in WSUS. However, it can be deployed as an application:

    wusa.exe "windows10.0-kb4090007-x64_7063a0b6a38e2a648aa1d77570503f7062360c9d.msu" /quiet /norestart

But even though the current version 1.003 already supports more CPU models than version 1.001, it doesn’t cover all […]

Intel Management Engine vulnerability INTEL-SA-00086 and how to detect vulnerable systems in Configuration Manager

Intel published a new vulnerability on 11/20/17 around Intel® Management Engine (ME): INTEL-SA-00086, causing Elevation of Privilege (EoP), Remote Code Execution (RCE) or Denial of Service (DoS). Intel also published a detection tool to run on clients. The detection tool creates registry values about the vulnerability state of a client. To check the status […]

You need an enterprise grade client management tool

I still see enterprises trying to go simple with their Windows clients: somehow deploying Windows 10, applying GPOs and just using WSUS to apply updates. But this leaves many points open in the management of the client ecosystem.

Firmware-settings

The new Windows 10 guards heavily depend on virtualization technologies, so beyond TPM 2.0, UEFI and […]