[German]Administrators of Lenovo Servers should take care. November 2016 Security Update for Boot Manager (3193479) is causing some Lenovo Servers to hang during boot at Lenovo splash screen.
It's always a good idea to defer updates a few weeks after patch day using WSUS and see, if updates are causing "collateral damages". For November 2016 patch day it was a good decision to defer update installation for 3 weeks.
What's the matter?
At November patch day Microsoft has released a couple of security and non-security updates (see Microsoft Patchday November 8, 2016). Update MS16-140, Security Update for Boot Manager (3193479), has been quoted a "important" and is released for:
- Windows 8.1
- Windows RT 8.1
- Windows 10
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
This update is contained within the following packages:
- KB3197876 (November 2016 Security Only Quality Update for Windows Server 2012)
- KB3197877 (November 2016 Security Monthly Quality Rollup for Windows Server 2012)
- KB3197873 (November 2016 Security Only Quality Update for Windows 8.1, and Windows Server 2012 R2)
- KB3197874 (November 2016 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2)
- KB3200970 (Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016)
Security update MS16-140 resolves a vulnerability CVE-2016-7247 in Microsoft Windows. The vulnerability could allow security feature bypass if a physically-present attacker installs an affected boot policy (UEFI boot).
Only Lenovo Systems running Windows Server 2012 or Windows Server 2012R2 and configured with secure boot are exposed. Lenovo Systems running Windows Server 2016 are exposed regardless of the secure boot configuration.
But there is a problem with installing the security update
Lenovo M5 or X6 systems running Microsoft Windows Server 2016, Server 2012R2 or Server 2012 can be rendered inoperable after applying one of the updates specified above for Microsoft Windows Server. This has been revealed by Lenovo within this article System hangs at Lenovo splash screen after Windows Server 2016, 2012R2, or 2012 November update – Lenovo System X M5 and X6 (dated 11/24/2016).
Affected configurations
The system may be any of the following Lenovo servers:
- Lenovo Flex System x240 M5 Compute Node, Type 2591, any model
- Lenovo Flex System x240 M5 Compute Node, Type 9532, any model
- Lenovo Flex System x280 X6 Compute Node, Type 4258, any model
- Lenovo Flex System x280 X6 Compute Node, Type 7196, any model
- Lenovo Flex System x480 X6 Compute Node, Type 4258, any model
- Lenovo Flex System x480 X6 Compute Node, Type 7196, any model
- Lenovo Flex System x880 X6 Compute Node, Type 4258, any model
- Lenovo Flex System x880 X6 Compute Node, Type 7196, any model
- Lenovo NeXtScale nx360 M5 AC, Type 5465, any model
- Lenovo NeXtScale nx360 M5 WC, Type 5467, any model
- Lenovo System x3250 M6, Type 3633, any model
- Lenovo System x3250 M6, Type 3943, any model
- Lenovo System x3500 M5, Type 5464, any model
- Lenovo System x3550 M5, Type 5463, any model
- Lenovo System x3550 M5, Type 8869, any model
- Lenovo System x3650 M5, Type 5462, any model
- Lenovo System x3650 M5, Type 8871, any model
- Lenovo System x3850 X6, Type 6241, any model
- Lenovo System x3950 X6, Type 6241, any model
Lenovo offers for the machines enlisted above an UEFI update that can be updated by using the IMM web interface or by using the OneCLI tool from a management system.
Similar articles:
Microsoft Patchday November 8, 2016
Uninstalling 'uninstallable' Windows Updates
Windows 10: Updates KB3200970, KB3198586, KB3198585
Windows Rollup Update Previews Nov 2016 (KB3197868, KB319787, KB3196686)
Rollup Updates KB3197867, KB3197868 (Windows 7), and KB3197873, KB3197874 (Windows 8.1)