Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Windows Privacy Security

Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key (bleepingcomputer.com) 136

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry. The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.
This discussion has been archived. No new comments can be posted.

Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key

Comments Filter:
  • Now windows malware will mess with that key to stop updates

    • Re: (Score:2, Interesting)

      by jawtheshark ( 198669 ) *
      I came to say exactly this. I have no idea how they are going to protect it from a program that acquires root (Admin) privileges somehow. A Malware program that installs itself, has these kind of rights.
      • by bondsbw ( 888959 ) on Tuesday January 09, 2018 @10:18AM (#55893319)

        You have bigger problems than a registry key if the malware has root.

        • True enough.
        • You can actually make a case that a lot of security/antivirus products rather than protecting from malware, are actually malware.


          1) Cause other programs to stop working or even the OS not to start
          2) Run with very high privilege levels
          3) Are unnecessarily hard to remove
          4) Disable Windows Defender
          5) Often mess with Windows Update.

          It's like this sad tale [slashdot.org] of becoming what you most fear and are trying to stop.


      • by lgw ( 121541 )

        Once a machine has a root kit installed , the game is lost. You can't remove rooted malware from the same machine. You might be able to clean the disk from a different machine, maybe, if it's low-rent malware. Of course, the Snowden leaks included NSA malware that lives in the BIOS of the drive, so it might just root the second system. Thanks NSA.

    • Apparently This is a temporary solution according to Microsoft.
      https://support.microsoft.com/... [microsoft.com]

      Q3: How long will Microsoft require setting a registry key to receive the January 3, 2018, security updates?

      A3: Microsoft added this requirement to ensure customers can successfully install the January 2018 security updates. Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates.

    • So the better solution is to let the AV trash the OS so the user gets a BSOD on reboot? The reason they are requiring this is because if the AV isn't patched it trashes the update and leaves the OS unbootable. I'm sure once the majority of AVs push out a patch (which lets be honest an AV that doesn't push out some updates to deal with Meltdown is a truly shit AV) they will simply remove this requirement from the patch.
    • by Skuld-Chan ( 302449 ) on Tuesday January 09, 2018 @12:22PM (#55894343)

      If malware can set this reg key - your machine is already done (its only writable by system/admin).

    • by Arbitary5664 ( 1979712 ) on Tuesday January 09, 2018 @12:40PM (#55894551)
      Fuck windows malware... people will put this key in to finally have a way to stop Windows 10 from auto patching / rebooting.
    • by ruir ( 2709173 )
      I thought Windows was THE malware.
  • Something wrong here (Score:4, Interesting)

    by onyxruby ( 118189 ) <onyxrubyNO@SPAMcomcast.net> on Tuesday January 09, 2018 @09:09AM (#55892753)

    Microsoft finally comes up with a way for the user to potentially have some level of control over their patches. All you have to do is mess around with a registry key and forgo all patches altogether. People have been demanding to have some level of control and this is what Microsoft comes up with...

    • by dkone ( 457398 ) on Tuesday January 09, 2018 @09:24AM (#55892857)

      You do know that you can just disable the Windows Update service right? That was a 'feature' that you were able to implement from day one.

      • by StormReaver ( 59959 ) on Tuesday January 09, 2018 @09:32AM (#55892925)

        You do know that you can just disable the Windows Update service right?

        Microsoft frequently ignores that setting.

        • by thegreatbob ( 693104 ) on Tuesday January 09, 2018 @09:42AM (#55892991) Journal
          Disable wuauserv, dosvc, and bits.... it's going to have an awfully hard time doing anything after that. I haven't found it to be able to re-enable itself under those conditions. Exception might be if it had updates queued during the next shutdown, though I'm not certain.
          • Re: (Score:2, Interesting)

            by Anonymous Coward
            I do the same, but Windows does periodically reenable them.
          • And what if you use BITS (or one of your applications does)?

          • it's going to have an awfully hard time doing anything after that.

            Maybe, but it's entirely possible that there is code in Windows that will re-enable any or all of those things. There is no way for you, or anyone not employed by Microsoft, to know for sure. You could very well disable every known entry point to Windows Update, and still miss many more that are not known.

            For all we know, Microsoft embeds versions of those files in Windows itself, ready to be re-created if Windows finds them missing at some heretofore unpublished juncture. There is no way to know, and no

        • Windows Update Service being disabled is not an ignorable setting. It is something that would generate a system error if another service or task attempts to start it.

  • Windows Server (Score:5, Informative)

    by DigiShaman ( 671371 ) on Tuesday January 09, 2018 @09:10AM (#55892765) Homepage


    For Windows Server, you will need to also set the following three registry keys to enable post patch install. With Windows Home/pro, it's already enabled after installation.

    For Windows Server.

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    To Validate status, you can run the PowerShell command Get-SpeculationControlSettings.

    If Windows 10 or Server 2016, you can skip the first step.

    1. Set-ExecutionPolicy Bypass
    2. Install-Module SpeculationControl
    3. Get-SpeculationControlSettings
    You will now see results.
    4. Set-ExecutionPolicy Restricted (to protect the system via securing powershell again)

    Good luck. Be sure to apply BIOS updates when and if applicable to stave off Spectre

    • Edit: All steps apply. It's just that you will need to install the PowerShellGet module. However, it's included with Windows10 and 2016.

    • According to this page, only clients (WinX, 8.1, 8,7) need these 2 registry entries:

      https://support.microsoft.com/... [microsoft.com]

      Thoughts? Still applies to all windows OS's?

      • The 3rd entry is for servers that host HyperV. I'm certain that enabling the registry keys is mandatory for Windows Server. But, for Home/Pro, it's not. Though I'm curious as to why it's documented; so that it can be enforced via CPU and/or disabled if needed??

        • I know that 3rd is for HyperV. and I previously was enabling the first 2 for servers. But then I ran across the linked article today and was like "WTFF? Clients too??"

          • Yeah, "WTF" was my initial reaction too. Again, maybe it's for GPO enforcement. Anyways, i'll test later with the Get-SpeculationControlSettings PS command after I found a client that has the latest BIOS available. If both Meltdown and Spectre are fully patched, well, you now have your answer :). Otherwise, plug in the reg values, reboot, and re-run the command to validate.

            I'm fairly confident BTW, that the reg values are a requirement for server, but not for client. Let me know if you can confirm either wa

            • I think I've found the answer!

              Here is the companion document:
              https://support.microsoft.com/... [microsoft.com]
              https://support.microsoft.com/... [microsoft.com]

              https://support.microsoft.com/... [microsoft.com]
              At the bottom:
              BTIWindowsSupportEnabled: True -> on client, no action required. On server, follow guidance.
              KVAShadowWindowsSupportEnabled: True -> on client, no action required. On server, follow guidance.

              So it seems that the client document just has that same info, but on client, no action required.

              What a documentation craz

            • Alright, I have good news for you: the 2 links don't need manually enabled! They are enabled by default and MS talks about it for orgs that want to switch them off and on without dealing with uninstalling the update.

              Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

              http [microsoft.com]

    • At least windows is easy, imagine how hard the linux patch must be to install! ;)

  • by Anonymous Coward on Tuesday January 09, 2018 @09:11AM (#55892775)

    Who runs AV's anyway?

  • Call me crazy, but I don't want to spend money on a subscription. I practice safe web.

    • So you're not worried about the dozens of exploits fixed in browsers every month, in image decoding libraries, media libraries, etc.? Even sometimes in the SSL/TLS libraries.

      What are you browsing the web with, PuTTY?

      Must be quite the experience.

      • Given that the web as it was originally design is a lot like DOS and everything that's been grafted on top of it is crap like Windows, I'd almost rather surf in pure text mode.

        • by lgw ( 121541 )

          I'd almost rather surf in pure text mode.

          It looks like the text-only browsers have vanished, though I guess you can do like RMS and surf with wget and emacs. Links [wikipedia.org] has very-little grafted-on crap, though.

      • But here's a much better question: Why the f*ck isn't it the responsibility of the OS and browser companies to patch their security holes for free and provide their own anti-malware capability? They are the ones making the problems possible.

        • by Dog-Cow ( 21281 )

          The browser devs have patched and MS has Windows Defender. How about you learn something before posting shit?

          • Then why do programs like McAfee, Kaspersky, PCMatic, etc, even exist?

            • by dwywit ( 1109409 )

              FUD and ignorance. Those programs came about as a response to vulnerabilities in DOS. They continue to be successful as a business model because they use fear as a marketing tactic.

              As I explain to my customers - suite "X" won't stop working if you let the subscription expire, it just won't get any updates. Yes, your risk increases, but that annoying pop-up is just trying to scare you. Call me when your subscription is about to expire and we can discuss alternatives.

              Some of the free suites are OK but it's a

              • After dealing with yet another rash of viruses, I can attest that an antivirus is not purely FUD.

                Any time I can avoid spending mopping up after the average joe is a good thing.

                Furthermore, a subscription expiring does not automatically mean that the anti-virus will no longer recieve updates. When AVG's subscription expires it switches to the free mode, and receives the same updates as the free version.
  • Considering that some Antivirus programs are using undocumented API's and aren't compatible with the Windows Meltdown patch, this isn't really a bad idea. This isn't a great idea, but it's better than your system getting stuck in a crash/reboot loop after installing the patch. I hope that they throw up a warning to the end user to update your damn antivirus software as well, and then make the registry key go away once it is.

    I also hope that they just use this as a temporary fix, or hackers will use this reg

  • Legitimate decision. (Score:5, Interesting)

    by Gravis Zero ( 934156 ) on Tuesday January 09, 2018 @09:21AM (#55892835)

    It pains me to side with Microsoft but their decision here is a good and legitimate one.

    The key to it's legitimacy is this quote:

    There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes.

    • Fine, fine...

      Now explain to us:
      a) how this works out if you change AV software (to one not compatible), and
      b) how this works if you do not use an AV product at all.


  • So we finally got an easy way to disable automatic updates on Windows 10 ?
    • Re: (Score:1, Redundant)

      by dkone ( 457398 )

      Yes finally... oh wait you could just disable the Windows Update service and you could have done so forever ago.

      • by Anonymous Coward

        There are several other services which also have to be disabled. It's not as simple as you claim.

        • by Cederic ( 9623 )

          No, really, it's trivial to block updates.

          What's a real pain in the arse is remembering how you did it so that you can re-enable them when you do want to update.

    • Just this one patch ;).

  • this was known on the weekend, when I did a couple windows boxes and the windows partition on my AMD II laptop (which went fine by the way, however even if you get BSOD you can go into repair mode and uninstall the KB)

    So I've known about this for 3 days and I'm a freakin Linux desktop user at home and mac pro user at work!

    • 1. Since when was Slashdot ever timely?

      2. I've skimmed a bunch of Spectre and Meltdown articles, haven't seen the registry key mentioned before now.

  • So what happens if I don't install any AV-product and also don't use the Microsoft AV-Solution?
    Since nothing could set the RegKey, I also don't get updates?

  • It seems a legitimate question: I've somehow managed to live through the last thirty years without _ever_ getting an infection - well, at least none that was detected by Norton, Avira, MSE, Checkpoint, or Antimalwarebytes, all of which I used at one time or another. Living without antivirus, then, seems quite well possible. Would I really have to go and set a registry key myself just to get updates again?

    • by zuki ( 845560 )
      From what I can gather, and as others have said... this would only apply if you have an AV app installed.

      And if you don't, the patch should just install normally.
    • >> Would I really have to go and set a registry key myself just to get updates again?

      If you have manually removed the AV software that ships with the OS and have no other AV product installed, then yes you will need to set the registry key yourself.

  • Damn that's gonna make it hard to get the Linux ladies now.

  • by xlsior ( 524145 ) on Tuesday January 09, 2018 @02:54PM (#55895695) Homepage
    ... Going forward the end user (or whatever malware on their machine) can permanently disable windows updates by setting registry security to prevent such a key from getting created in the first place?
  • What if you don't run AV SW -- so of course the key isn't set. Seems like this is another case of MS withholding updates to "encourage" (or discourage) various behaviors.

    Remember MS claimed it wouldn't update Win7 for those who update their CPU. I wonder if that will change due to the Intel CPU security bugs?

If bankers can count, how come they have eight windows and only four tellers?