Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key (bleepingcomputer.com)

Posted by msmash on from the my-way-or-highway dept.

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry. The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.

5 of 136 comments (clear)

  1. Windows Server by DigiShaman · · Score: 4, Informative

    Remember,

    For Windows Server, you will need to also set the following three registry keys to enable post patch install. With Windows Home/pro, it's already enabled after installation.

    For Windows Server.

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    To Validate status, you can run the PowerShell command Get-SpeculationControlSettings.

    If Windows 10 or Server 2016, you can skip the first step.

    1. Set-ExecutionPolicy Bypass
    2. Install-Module SpeculationControl
    3. Get-SpeculationControlSettings
    You will now see results.
    4. Set-ExecutionPolicy Restricted (to protect the system via securing powershell again)

    Good luck. Be sure to apply BIOS updates when and if applicable to stave off Spectre

    --
    Life is not for the lazy.
  2. Re:Something wrong here by dkone · · Score: 3, Informative

    You do know that you can just disable the Windows Update service right? That was a 'feature' that you were able to implement from day one.

  3. Re:Something wrong here by StormReaver · · Score: 5, Informative

    You do know that you can just disable the Windows Update service right?

    Microsoft frequently ignores that setting.

  4. Re:Something wrong here by thegreatbob · · Score: 3, Informative

    Disable wuauserv, dosvc, and bits.... it's going to have an awfully hard time doing anything after that. I haven't found it to be able to re-enable itself under those conditions. Exception might be if it had updates queued during the next shutdown, though I'm not certain.

    --
    There is no XUL, only WebExtensions...
  5. Re:Now windows malware will mess with that key to by Skuld-Chan · · Score: 4, Informative

    If malware can set this reg key - your machine is already done (its only writable by system/admin).