At the moment there is some confusion about the cumulative update KB4494441 for Windows 10 Version 1809, and other issues have been reported as well.
Update KB4494441 for Windows 10 V1809
Cumulative update KB4494441 for Windows 10 Version 1809 was released on May 14, 2019 as a security update during the regular patchday. I covered it in the blog post Patchday Windows 10 Updates (May 14, 2019). Microsoft mentioned two fixes. With this update, Retpoline protection is enabled as soon as Spectre V2 protection is enabled:
- Enables “Retpoline” by default if Spectre Variant 2 (CVE-2017-5715) is enabled. Make sure previous OS protections against the Spectre Variant 2 vulnerability are enabled using the registry settings described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions). For more information about “Retpoline”, see Mitigating Spectre variant 2 with Retpoline on Windows.
- Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 64-Bit (x64) versions of Windows (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions).
The update is also intended to introduce protection against the microarchitectural data sampling vulnerability called Zombieload.
There are some user comments reporting issues with update KB4494441 (see my German blog post Patchday Windows 10-Updates (14. Mai 2019)).
- Update agent broken: Blog reader Tobias reported in this comment that the Windows Update Agent is broken after installing the update. The Windows Update Agent reports error code 0x8024002E (agent *FAILED* [8024002E] CheckAccessByPolicy) during the next update search. This is also reported in this comment and should also occur with Windows 10 V1803.
- Temporary user profile: This comment reports a temporary user profile is used after installing the update – but could be an isolated case.
- Hyper-V Hypervisor broken: In this comment it is reported that the Hypervisor for Hyper-V does not start on Windows Server 2019 anymore.
In addition, there seems to be a bug that now also occurs under Windows 10 V1809 with this update installed.
- Multiple reboots, multiple installations required: This comment reports that the update was installed multiple times on multiple systems. There is also a thread on reddit.com. This is well known (Microsoft has confirmed this here) and has been reported elsewhere. In the following section, a user reports several reboots. This comment notes that Explorer no longer works.
- Furthermore, users noticed that the build number does not change after the installation. I have seen this reported elsewhere, and I recall that it worked after running the installation again.
The most serious thing I can see in this list: The update agent seems to be corrupted by the SSU or cumulative update and returns error 0x8024002E. The bug has also been reported earlier (see here and here). I had written something about it in my German blog post Windows 10: Update-Fehler 0x8024002E, but I’m not sure if it will help.
Multiple reboots and more issues
When I created the blog post, I had already linked a tweet in which user @PhantomofMobile reported issues.
— Crysta T. Lacey (@PhantomofMobile) May 15, 2019
Once he had to do two reboots to get the update installed. He also noticed that the build numbers for the cumulative update and the servicing stack update were the same as KB4499728 (17763.503.1.x).
Even stranger is @PhantomofMobile’s remark that he has not yet seen any indication that protection against the Microarchitectural Data Sampling vulnerability called Zombieload has been enabled. He posted a PowerShell output showing the status of each protection. There, MDS is set to False.
Thanks for the heads-up. The team is looking at this, no action is required to enable the mitigation, you likely don’t have the latest microcode so the mitigation is disabled. Please confirm? If I recall your setup correctly you need to get from oem. Documentation can be improved
— Jorge Lopez (@cybericua) May 15, 2019
Microsoft’s Jorge Lopez then contacted us and wrote that you don’t really have to do anything as a user. According to this addendum in the Technet community, Retpoline should be activated automatically under Windows 10 Version 1809 and Windows Server 2019 or newer versions if the prerequisites are met. His team is taking a look at this. It may be related to the microcode updates that OEMs have to deliver for their motherboards. Intel may not have taken something into account in its BIOS updates for the NUCs the user is using. The discussion on Twitter is still ongoing.
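To tell "update missing" apart from "update installed but mitigation inactive" (the situation discussed above), the following added example, which is not from the original post or from Microsoft, summarises the relevant flags. It assumes Microsoft's SpeculationControl module (Get-SpeculationControlSettings) with the property names used below; Get-MitigationSummary is a hypothetical helper, and the fallback object is constructed sample data.

```powershell
# Added example. Property names are assumed to match the installed
# SpeculationControl module version; adjust if your version differs.
function Get-MitigationSummary {
    param([Parameter(Mandatory)] $Settings)

    $rows = @(
        [pscustomobject]@{ Check = 'Spectre V2 (CVE-2017-5715)'; Needed = $true
            OsSupport = $Settings.BTIWindowsSupportPresent
            Enabled   = $Settings.BTIWindowsSupportEnabled }
        [pscustomobject]@{ Check = 'Retpoline'; Needed = $true
            OsSupport = $Settings.BTIWindowsSupportPresent
            Enabled   = $Settings.BTIKernelRetpolineEnabled }
        [pscustomobject]@{ Check = 'MDS'; Needed = $Settings.MDSHardwareVulnerable
            OsSupport = $Settings.MDSWindowsSupportPresent
            Enabled   = $Settings.MDSWindowsSupportEnabled }
    )
    foreach ($r in $rows) {
        $verdict = if (-not $r.Needed) {
            'hardware reported as not vulnerable'
        } elseif ($r.Enabled) {
            'enabled'
        } elseif (-not $r.OsSupport) {
            'OS support not present: cumulative update missing'
        } else {
            'OS support present but inactive: check microcode/firmware and registry overrides'
        }
        $r | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    }
}

# Use live data when the module is installed, otherwise a constructed sample
# that mirrors the case from the tweet (MDS support present, not enabled).
$settings = if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    [pscustomobject]@{
        BTIWindowsSupportPresent = $true; BTIWindowsSupportEnabled = $true
        BTIKernelRetpolineEnabled = $true; MDSHardwareVulnerable = $true
        MDSWindowsSupportPresent = $true; MDSWindowsSupportEnabled = $false
    }
}
Get-MitigationSummary -Settings $settings | Format-Table Check, Enabled, Verdict -AutoSize

# Raw registry overrides referred to in the Windows Client/Server articles.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
    Select-Object FeatureSettingsOverride, FeatureSettingsOverrideMask
```

With the constructed sample, the MDS row reports that OS support is present but inactive, which matches the explanation in the reply above that missing microcode leaves the mitigation disabled.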