
Microsoft disables Windows Update when Meltdown/Spectre registry key isn't set - graystevens
https://doublepulsar.com/important-information-about-microsoft-meltdown-cpu-security-fixes-antivirus-vendors-and-you-a852ba0292ec
======
mesofile
It's worth noting that Windows Update may also fail to apply the
Meltdown/Spectre patch if other conditions aren't met. Some are mentioned on
the KB page [1] but they don't mention another common scenario, which is that
if your system firmware is not ready to accept the update, Windows Update will
not apply it, and _it won't tell you_ that it's not applying it -- it will
simply say 'Your device is up to date'.

I had to dig around to find a page [2] that had some useful instructions
allowing me to find out what the actual status of my Windows install was. I'm
grateful to the author of that page, they provided critical info that neither
Microsoft nor my machine's manufacturer did. I wish I could say that it
boggles my mind that they could be so hush-mouthed on the subject of a
vulnerability this severe. Of course, my OEM (Lenovo) has not released an
update for my Windows laptop (Yoga 900) since 2016, and as of today their
support page [3] on Meltdown/Spectre does not indicate that they plan to do
so.

I'm posting this partly in anger/despair, partly in the hope that I'm wrong
and that someone will pop up to comment and tell me there's a fix. There is a
Linux BIOS for this machine but it's old and I don't know if it will actually
address this issue.

[1] https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892

[2] https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/

[3] https://support.lenovo.com/us/en/solutions/len-18282

~~~
Karnickel
I know I won't get any updates for the system for my 2012 Dell XPS 8500 (256
GB SSD, 16 GB RAM, i7 CPU - I don't see a need for an upgrade, it's all
there).

Does that mean I'll just be left out cold? That's how I understand it.

When I run the Microsoft PowerShell plugin that they made available to check
the protection status (`Get-SpeculationControlSettings`) I get a "True" for 3
of 8 items (only showing those 3):

      Windows OS support for branch target injection mitigation is present: True
      Windows OS support for kernel VA shadow is present: True
      Windows OS support for kernel VA shadow is enabled: True
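
The two comments above raise the same operational question from a defender's side: Windows Update can report "up to date" while the patch is either not installed or installed but not effective because the OEM microcode never arrived. The following PowerShell function is an added example, not code from the thread, from Microsoft or from the SpeculationControl module; it assumes the SpeculationControl module from the PowerShell Gallery and the property names it exposed in January 2018 (`BTIHardwarePresent`, `BTIWindowsSupportPresent`, `BTIWindowsSupportEnabled`, `KVAShadowRequired`, `KVAShadowWindowsSupportPresent`, `KVAShadowWindowsSupportEnabled`), which you should confirm on your build with `Get-SpeculationControlSettings | Get-Member`. The KB number defaults to the KB4056892 cited in the thread (Windows 10 1709); other builds use a different KB.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread, Microsoft, or the SpeculationControl
# module). Answers two questions from the defender's side:
#   1. did the January 2018 update actually land on this machine?
#   2. if so, is each mitigation enabled, and if not, why not?
# Assumes the SpeculationControl module's January 2018 property names.

function Test-SpectreMeltdownStatus {
    param(
        # KB4056892 = January 2018 cumulative update for Windows 10 1709 (cited
        # in the thread). Substitute the KB for your own build.
        [string]$KbId = 'KB4056892'
    )

    # 1. Read the installed-update list directly. The Settings app's "Your
    #    device is up to date" only means nothing is currently offered.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # 2. Ask the kernel what it has enabled.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings

    # Branch target injection (Spectre variant 2, CVE-2017-5715) needs OS
    # support AND new CPU microcode, which normally ships as an OEM BIOS update.
    # "OS support present, hardware support absent" is exactly the silent
    # "firmware not ready" case described above.
    $btiReason =
        if ($s.BTIWindowsSupportEnabled)          { 'mitigated' }
        elseif (-not $s.BTIWindowsSupportPresent) { 'OS update missing' }
        elseif (-not $s.BTIHardwarePresent)       { 'microcode missing: OEM BIOS update required' }
        else                                      { 'present but disabled (policy/registry)' }

    # Kernel VA shadow (Meltdown, CVE-2017-5754) is purely an OS change;
    # no microcode is involved, so "OS update missing" is the only blocker.
    $kvaReason =
        if (-not $s.KVAShadowRequired)                  { 'not required on this CPU' }
        elseif ($s.KVAShadowWindowsSupportEnabled)      { 'mitigated' }
        elseif (-not $s.KVAShadowWindowsSupportPresent) { 'OS update missing' }
        else                                            { 'present but disabled (policy/registry)' }

    $installedOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }

    [pscustomobject]@{
        UpdateId              = $KbId
        UpdateInstalled       = [bool]$hotfix
        UpdateInstalledOn     = $installedOn
        BranchTargetInjection = $btiReason
        KernelVAShadow        = $kvaReason
    }
}

# Usage: run in an elevated PowerShell and read the two reason fields.
Test-SpectreMeltdownStatus | Format-List
```

On a machine like the Yoga 900 or XPS 8500 discussed here, the expected shape of the result is `UpdateInstalled = True`, `KernelVAShadow = mitigated`, and `BranchTargetInjection = microcode missing: OEM BIOS update required`: Meltdown is covered by the OS patch alone, Spectre variant 2 is not until the OEM ships firmware.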

~~~
mey
Same boat for my XPS 8700, also kept around for the same reason. 24 GB RAM, i7 4th
gen. Great for development, including VM work. Unless I was regularly doing
video transcoding or heavy CAD work, it's more than fast enough.

Contacted Dell support and confirmed they will not be releasing a BIOS update
for the system.

First harm to me from this issue. Not sure if it means I will have to join a
class action against Dell or Intel.

~~~
ac29
Might want to check again tomorrow. My Dell Desktop (Ivy Bridge/3rd Gen era)
received a BIOS update today, specifically noting "Update to the latest CPU
microcode to address CVE-2017-5715." It updates the ME firmware too for those
recent bugs.

~~~
mey
Thanks for the heads up, I'll keep an eye out, but it's not listed on the
following consumer systems list:

http://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-vulnerabilities--cve-2017-5715--cve-2017-5753--cve-2017-5754---impact-on-dell-products?lang=en

------
gtirloni
“Customers will not receive the January 2018 security updates (or any
subsequent security updates) and will not be protected from security
vulnerabilities unless their antivirus software vendor sets the following
registry key”

Another incentive to stop using questionable AV software (since this was
implemented because they can't get their act together).

~~~
craftyguy
No, another incentive to stop using Windows. 3rd party applications should NOT
be responsible for ensuring that the OS can receive critical security updates,
and Microsoft should not be relying on 3rd party applications to determine
whether or not their customers receive critical OS security updates (and of
all things, hilariously defaulting to 'no').

~~~
bitwize
Windows isn't going anywhere, if for no other reason than because Microsoft
Excel is basically electronic paper to the business world -- and there is
simply no adequate substitute for it. (No, neither OpenOffice Calc nor any of
the Web-based offerings -- including Microsoft's own -- count.)

Coping with Windows is a fact of life. Get used to it.

~~~
viraptor
There's MS Excel (and office) for Mac and Wine supports Office 2013. The
situation is getting better every year.

~~~
petecox
And MS Office for Android.

------
photon-torpedo
So finally there's a way to disable updates on Windows 10... ;)

------
cube2222
I think at this time if you're on windows 10 you should really just use
Defender.

It works well, they are actively developing it, and the new white list based
directory protection is kinda neat if you're scared of ransomware.

~~~
lostmsu
What feature are you talking about specifically?

~~~
cube2222
Here you are:
https://blogs.technet.microsoft.com/mmpc/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/

------
discreditable
> The compatibility registry key exists for a reason. I know. I can also see
> it’s a messy hacky fix. But it needs an end of life date

I couldn't agree more. As I've been devising a patching plan over the past few
days I couldn't help but wonder "how long will I have to do this"? My hope is
that in future OS releases (say, Windows Client/Server 1803) the mitigations
will be default-on for clean installations (minimally).

------
zengid
Do I have to do anything if I'm just using Windows Defender?

~~~
graystevens
Nope, Windows Defender has already set the registry key, and you should be
good to go. For the rest of you, there is a good public document[0] that is
being regularly updated on the status of each of the AV products out there.

[0] https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true
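
For anyone who cannot tell from the vendor spreadsheet whether their own box is in the "will receive updates" state, the following PowerShell is an added example (not from the thread, the linked article or Microsoft) that reads the two things the article says gate the January 2018 updates: the antivirus compatibility flag and which AV product Security Center believes is active. The registry path and value name are not quoted anywhere on this page; they are taken from Microsoft's KB4072699 guidance as I recall it, so verify both against that article before relying on the script. The `root/SecurityCenter2` namespace exists on client SKUs only.

```powershell
# Added example (not from the thread or from Microsoft). Reports whether the
# AV-compatibility flag that unblocks the January 2018 updates is present and
# which AV product Windows Security Center has registered.

function Get-AvCompatibilityState {
    # ASSUMED from KB4072699, not from this page: verify before use.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-e7ab-4e3a-8dc3-e3ac0e8e0c2c'

    # Get-ItemProperty throws if the value is absent; treat absence as "not set".
    $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$name } else { $null }

    # AV products registered with Security Center (client SKUs; absent on Server).
    # An empty list is the "no anti-virus running" case mentioned later in the
    # thread, which also leaves the flag unset because nobody is there to set it.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                -ClassName AntiVirusProduct `
                                -ErrorAction SilentlyContinue

    [pscustomobject]@{
        CompatFlagPresent = ($null -ne $value)
        CompatFlagValue   = $value
        UpdatesUnblocked  = ($value -eq 0)   # REG_DWORD 0 = "my AV is compatible"
        RegisteredAV      = @($products | Select-Object -ExpandProperty displayName)
    }
}

$state = Get-AvCompatibilityState
$state | Format-List

if (-not $state.CompatFlagPresent) {
    Write-Warning ('Compatibility flag absent: Windows Update will withhold the ' +
                   'January 2018 security updates on this machine. Set it only ' +
                   'after every installed security product is confirmed ' +
                   'compatible; an incompatible kernel-mode driver plus the ' +
                   'kernel changes can leave the machine unbootable.')
}
```

The important output is the pair `CompatFlagPresent` / `RegisteredAV`: a machine with Windows Defender active should show the flag present, while a machine whose third-party AV has not yet declared compatibility will show that product registered and the flag absent. In a managed fleet the value can be deployed with a Group Policy registry preference once the vendor confirms support; pushing it before that is how you turn a missing patch into a boot failure.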

~~~
Multicomp
Does Microsoft Security Essentials fall under Windows Defender for the
purposes of this article?

------
ENOTTY
Wow using a hypervisor to inject below the kernel to avoid KPP is nuts. Never
knew the AVs did that. What are they going to do when Microsoft begins to use
Hyper-V to enforce CredGuard[1]?

[1]: https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/

~~~
ENOTTY
Turns out nested virtualization is a thing. Jesus.

------
hungerstrike
My windows 10 machines will not receive the update automatically for some
reason. I think it is because I had defender completely disabled via group
policy since it interferes with some of my development activities surrounding
node.JS.

However I was able to install the security update manually from the Microsoft
Windows update catalog download site. I did this after enabling defender
briefly and updating it to ensure that the registry key was written.

~~~
inetknght
I'm real curious what kind of development you're doing with node.JS where
Windows Defender causes trouble.

~~~
Arnavion
The real-time scanning slows down processes that access a large number of
files, like code compiles in general and importing node modules in particular.

~~~
inetknght
I haven't noticed Windows Defender causing significant slowdowns for processes
which access lots of files except when it does a full system scan (which is
_not_ often). Even then, it's only barely noticeable.

~~~
serf
I've disabled defender due to high CPU usage on machines that had to slice
mpegs into jpegs with near constant work.

The machine was slicing up 11 channels of 24fps videos into jpegs, so 264
jpegs/s at 720p and 24 bit color.

I've had friends and coworkers that have hit the same CPU issues with big git
repos and defender.

It seems like Defender has problems with getting hit with tons of small files
in quick succession, but really I know very little about it.

------
unstatusthequo
Finally a fix for forced reboots!

~~~
B1FF_PSUVM
You could still get the reboots without updates ... which is what I've been
getting for a few weeks now on a cheap tablet: loads update, reboots in the
night, update fails. Rinse, repeat.

(I don't care, an update took down the sound last year. For all I know the
next one will make the gizmo totally malfunction ... MS don't care for that
cheapo segment either, the wanton demands for disk space are astounding, and
they refuse to use their own exFat format on additional storage. Truly ready
to ascend to Oracle level, they are.)

~~~
Feniks
Throw Enterprise LTSB on old/low spec hardware. That's my preferred Win10:
stable, bloat-free and it only gets the updates beta tested by the regular
users.

~~~
Piskvorrr
"Windows 10 LTSB is only available as part of Windows 10 Enterprise. And
Windows 10 Enterprise is only available to an organization with a volume
licensing agreement, or through a new $7 per month subscription program."

Seriously? An OS of which you need an obscure, hard-to-get version, special
messing around in power tools, and still might break randomly? This role
reversal happening in the last 10 years is sad, really.

------
kabdib
Yeah, had me confused for a while. Easy to set with a group policy, though.

Still, could have been better communicated.

------
j-c-m
Another consequence of this is that windows will disable updates when you do
not have any anti-virus software running as well.

------
medlazik
Slightly OT if I may: Is there any reason to use anything else than Defender
these days? Chrome+uBlock, good email security and update practices, Defender
just in case, do we need more?

~~~
0xfeba
No, not that I am aware of. 3rd party AV are liabilities at this point.

https://www.pcworld.com/article/3020327/antivirus-software-could-make-your-company-more-vulnerable.html

~~~
the8472
Defender can be seen as merely being the lesser evil.

Consider CVE-2017-0290[0], which was caused by the MsMpEng process running a
custom unsandboxed javascript interpreter with system privileges to evaluate
untrusted code for maliciousness. Remotely exploitable over many unsolicited
channels. Pretty much the worst kind of exploitability. Of course other AVs
have done quite similar mistakes.

[0] https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

