Windows Update issues


The preference is to install these patches before our automated patching runs. If that isn't possible, remove the above servers from the current automated patching schedule and re-add them the next day.

The Update Process

  OS         Bad KB            Fixed KB
  2022       KB5009555         KB5010796
  2019       KB5009557         KB5010791
  2016       KB5009546         KB5010790
  2012 R2    KB5009624 (CU)    KB5010794
  2012       KB5009586 (CU)    KB5010797
  2008 R2    KB5009610 (CU)    KB5010798
  2008       KB5009627 (CU)    KB5010799


Do not use the Windows Update GUI. It will install the bad patch and force a reboot, likely leaving you with a boot loop. If you forget and get stuck in a boot loop, there is a recovery process below. The other reason not to use the Windows Update UI is that the fixed KBs are only downloaded if you have 'download updates for other Microsoft products' ticked.

I highly recommend downloading these prior to the outage window as they’re circa 1.5GB and will take up to 3 hours to install.

  1. If the server you are patching is 2016 or newer, skip the dodgy KB and go straight to downloading and installing the fixed KB. These patches are cumulative, so this saves you a patching cycle.
  2. If the server you are patching is 2012 R2 or below, download both the dodgy KB and the fixed KB. Install the dodgy KB and then the fixed KB. Do not reboot when the dodgy KB prompts you to; ignore it and install the second update.
  3. Confirm in the Windows Update history that the server reports the fixed patch as installed.
  4. Perform a normal scan/install for updates to capture anything outside of this patch, such as PowerShell updates.
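As an added check (example code, not part of the original runbook), the script below matches the local server against the KB table above, reads Windows Update history via Get-HotFix, and reports which case of the update process applies and whether it is safe to reboot. It assumes Windows PowerShell on the server itself and that Get-HotFix reflects the installed KBs.

```powershell
# Added example: report this server's position in the bad/fixed KB process above.
# KB numbers are the ones listed on this page; the OS name matching is an assumption
# based on the Win32_OperatingSystem Caption (e.g. "Microsoft Windows Server 2019 Standard").
$KbTable = @{
    'Windows Server 2022'    = @{ Bad = 'KB5009555'; Fixed = 'KB5010796' }
    'Windows Server 2019'    = @{ Bad = 'KB5009557'; Fixed = 'KB5010791' }
    'Windows Server 2016'    = @{ Bad = 'KB5009546'; Fixed = 'KB5010790' }
    'Windows Server 2012 R2' = @{ Bad = 'KB5009624'; Fixed = 'KB5010794' }
    'Windows Server 2012'    = @{ Bad = 'KB5009586'; Fixed = 'KB5010797' }
    'Windows Server 2008 R2' = @{ Bad = 'KB5009610'; Fixed = 'KB5010798' }
    'Windows Server 2008'    = @{ Bad = 'KB5009627'; Fixed = 'KB5010799' }
}

# Get-WmiObject rather than Get-CimInstance so this also runs on the PowerShell 2.0 on Server 2008.
$caption = (Get-WmiObject Win32_OperatingSystem).Caption
# Longest name first, so "2012 R2" is not matched as "2012" (likewise 2008 R2 / 2008).
$osKey = $KbTable.Keys | Sort-Object Length -Descending |
         Where-Object { $caption -like "*$_*" } | Select-Object -First 1
if (-not $osKey) { Write-Warning "'$caption' is not in the table; nothing to check."; return }

$bad   = $KbTable[$osKey].Bad
$fixed = $KbTable[$osKey].Fixed
$installed    = Get-HotFix | ForEach-Object { $_.HotFixID }
$badPresent   = $installed -contains $bad
$fixedPresent = $installed -contains $fixed
# Component Based Servicing creates this key while an installed package still needs a restart.
$rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

$status = if ($fixedPresent) {
    "OK: $fixed installed. Safe to reboot and to return to the automated schedule."
} elseif ($badPresent -and $rebootPending) {
    "DANGER: $bad installed and a reboot is pending. Do not reboot; install $fixed first."
} elseif ($badPresent) {
    "ACTION: $bad installed without $fixed. Install $fixed before the next reboot."
} elseif ($osKey -match '2016|2019|2022') {
    "ACTION: neither KB installed. Skip $bad and install the cumulative $fixed directly."
} else {
    "ACTION: neither KB installed. Install $bad, do not reboot, then install $fixed."
}

New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME; OS = $osKey
    BadKB = $bad; BadInstalled = $badPresent
    FixedKB = $fixed; FixedInstalled = $fixedPresent
    RebootPending = $rebootPending; Status = $status
}
```

Run it before step 3 and again after, so the server only goes back on the automated schedule once the Status line reads OK.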

So I used the GUI to install the update, or rebooted between patches, and the server is in a boot loop. What now?

  1. Try to log in straight after the server reboots and stop the netlogon service. This will sometimes prevent the lsass service from crashing and give you time to install the fixed KB.
  2. Boot a Windows ISO, open the recovery command prompt under Advanced options, and enter the following commands.

    diskpart
    list volume
    exit
    dism /image:D:\ /Remove-Package /PackageName:XXXXXXX

In the output of list volume, use the Ltr column to find the letter of the Windows volume (inside the recovery environment it is often not C:) and substitute it for D: in the dism command. XXXXXXX is the package for the bad KB from the table above; dism expects the full package identity rather than just the KB number, and dism /image:D:\ /Get-Packages lists the identities present in the offline image.

  3. If the above fails or you are uncomfortable running the dism commands, call the TSO.

Lastly, if N-able has been on the server at some point it will have disabled the Windows Update GUI. Check that patch management isn't enabled in N-able; if it isn't, use the PowerShell script below to clean up the relevant registry keys. If there is a GPO in place and we rip something out we shouldn't, it will reapply in under 15 minutes.

    # Keep going if a value is already absent rather than stopping on the first error
    $ErrorActionPreference = 'Continue'

    # Remove the WSUS/N-able server pointers so the client talks to Microsoft Update again
    Remove-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Name WUServer -Force
    Remove-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Name TargetGroup -Force
    Remove-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Name WUStatusServer -Force
    Remove-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Name TargetGroupEnable -Force

    # Stop using an internal update server and re-enable automatic updates
    Set-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name UseWUServer -Value 0 -Force
    Set-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name NoAutoUpdate -Value 0 -Force

    # Re-enable the Windows Update GUI that N-able switched off
    Set-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Name DisableWindowsUpdateAccess -Value 0 -Force

    # Restart the Windows Update service so it picks up the new settings
    Restart-Service -Name wuauserv
