Organizations must consider their strategy for deploying Windows Updates to mitigate the Meltdown and Spectre Spectre/Meltdown vulnerabilities. This blog is specifically related to a new gotcha clients may need to address in order to successfully deploy the Microsoft hotfixes that help mitigate these vulnerabilities. It’s important to call out a key behavioral change in the way Microsoft is distributing updates, detailed in Microsoft KB4072699. Both server and workstation operating systems are affected by this behavior change. For more information about these vulnerabilities, see West Monroe’s previous post, “Meltdown and Spectre: What You Need to Know.”
Starting with the January updates, each machine installing updates must have a specific registry key; without this registry key in place, a machine is not eligible to install January or subsequent updates whether installing from Microsoft directly or from a source such as WSUS or Configuration Manager. The registry key requirement is intended to address compatibility issues between some antivirus products and the January updates – effectively, Microsoft is expecting any non-problematic antivirus software to set the required registry key on machines, which indicates it is not affected by the compatibility issue, thus enabling the machine to install the January updates. This community maintained list provides the compliance status of many popular antivirus products.
Antivirus software, even if compliant, may need updates or patches to properly set the required registry key. If your antivirus product is not compliant, or if your antivirus clients have not been updated to set the registry key described in KB4072699, then workstations and servers in your environment may not be eligible to receive the January update or any later updates. This could affect an organization’s ability to deploy the proper mitigating updates for Spectre and Meltdown. This is especially true given that the current batch of updates has experienced some problems and may be revised or superseded in the future – we expect revised update packages to require this same registry key.
Please note that West Monroe Partners does not recommend setting this registry key without ensuring that your antivirus software is compatible with the January updates. We recommend working with your antivirus vendor to understand how and when they plan to update their product to be compatible and put this registry key in place. Anecdotally, West Monroe is seeing that some antivirus vendors may not be setting this key even though they are compatible – you should manually set the registry key only after confirming with your vendor that the product is compatible and that the product will not put the key in place on its own. If needed, organizations will ideally be able to deploy this registry key by leveraging software deployment tools such as Configuration Manager to deploy it broadly and enable updates in your environment. Also, keep in mind that if you have chosen not to have any antivirus software installed – as we see clients choose for some server workloads – then there would be nothing installed that would set the registry key.
Our security team assists clients in remediation planning and execution. If you have already been compromised, we have threat hunting capabilities. Contact a member of our Security team to have a discussion, we are here to help. As information on these vulnerabilities continues to become available, our team will be updating our Spectre and Meltdown posts. Be sure to check back for updates.