How should I deploy 2 MSUs from Microsoft to block the PrintNightMare Vulerability?

I currently have KACE 11.0.19 managing an environment of Windows ```10 1809 x64 clients, that need the vulnerability patch kb5004947, which as a standalone download comes as an MSU. In order to install this update, I need to update the June 21 SSU for Windows 10 1809 KB5003711, which is also an MSU file. I need to update the SSU, then install the patch to close the vulnerability identified in CVE-2021-34527. I'm not sure what the best approach would be to install the MSU's back to back, or in one installation session? I'm currently testing running both of them without a reboot in between.

I've used Managed Installations before for standalone MSU's, but not sure if this will work for a two patch scenario, where one is dependent on the other. The kb5004947 will error out stating "This update is not applicable to your computer" Unless you run KB5003711 first. Any thoughts on the best approach for running these back to back, with a reboot in between? Is this better scripted, or using a patch vulnerability process? We use KACE for both software deployment and patch management. Thank you!

0 Comments   [ + ] Show comments

Answers (1)

Posted by: Kiyolaka 2 years ago
Third Degree Green Belt

Weird, my original comment got deleted.

Do you have patching enabled for your appliance? Doing it via the patch management module is probably the easiest way to go about things...

If not you could consider using task chains. But I've not had 100% success with them when a reboot is involved, it requires adding a couple of workarounds  and dummy wait tasks into the chain to get a ~94% success rate.  It's also a bit more challenging to schedule and execute then a managed install is. 

I you haven't already done so you may want to consider deploying the policy that blocks inbound remote printing as a stopgap against the RCE until you can get all important systems (high value, IT admin computers, etc) and  most of the general fleet patched.

Also is this the standard 1809 or the special LTSC? I would advise upgrading to 20H2 asap if you're not using 1809 ltsc as 1809  sac has been EOL for a few months now, making it amazing that Microsoft released a patch for it.

Heck, you could probably do two birds with one stone and deploy the 20H2 update With the dynamic update flag to have it pull in the July CU (haven't tested this)

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ