So on a 1703 Win10 workstation, Symantec appears to be writing the "QualityCompat" key into the standard registry and not Wow6432Node. So in the relevance for all of the related KB4056891 fixlets, the last relevance clause
“exists value "cadca5fe-87d3-4b96-b7fb-a231484277cc" whose (it as integer = 0) of keys "QualityCompat" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" of registry”
returns false, but if this is changed to "native registry" it works correctly.
Though I'm not sure if that was simply an accident, or if Symantec should be writing it out to both locations, or if this was an oversight in the rush to get these fixlets into production. Hopefully this helps.
Which fixlets are you talking about? So far I only see the IE cumulative updates, not the Windows server updates, in BigFix. Also, is this thread really the place we’re all waiting for info from IBM in? I know it’s a complex issue, but there’s been complete radio silence from IBM on this. I’m not even seeing anything on the main IBM site.
I’m referring to the server updates such as:
MS18-JAN_ Security Only Quality Update - Security Only - Windows Server 2012 R2 - KB4056898 (x64)
As I run alternative protection (not mainstream AV) on most of my servers, the QualityCompat reg key was missing altogether. Initially I set it, but the fixlets still weren't relevant. To make them relevant, I either had to change to 'native registry' as @Shannon mentioned or set the Wow6432Node version of the AV reg key. Once relevant, the installs ran fine on 2008 R2 and 2012 R2.
I’m still having issues specifically on non-internet connected Win 10 1607 LTSB clients. The Trusted Installer keeps complaining about lack of access to the Windows Update Cloud.
Ah, I thought the fixlet hadn’t come out, and it turns out it’s a relevance issue. So, I guess I need to troubleshoot why none of these updates are relevant in our environment.
Edit: Ah, I didn’t realize the fixlet relevance required the QualityCompat regkey. In case anyone else is on McAfee like us, it looks like you’ll have to set the regkey manually. According to their KB, they are “evaluating automated mechanisms to deploy this registry key and will update the KB as testing concludes and such a mechanism is available.”
The KB405689* fixlets are not showing relevant for 99% of our Windows servers (the long relevance statement is FALSE), but I'd expect it to be TRUE. Anyone else see this and know why? It'd be difficult to try and dissect that relevance statement to find the particular cause of FALSE.
Those 3 registry values are not required for the fixlets to become relevant; they are only required to enhance the mitigations that the patches provide. One is available already for two of those settings. I'm not sure if the new setting is available yet.
This could be because of the QualityCompat reg key. If it is missing, which it will be if you have no AV installed, then the fixlets are not relevant on purpose because these updates cause bluescreens on systems with incompatible AV. You must set this key yourself if you know there is no AV installed at all, and you must be very careful if you do have AV installed and it is not compatible. You may need to update or replace your AV before installing these fixes.
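A PowerShell check for the situation described in this thread, added here as an example (it is not BigFix, Microsoft or any AV vendor's code). Posters above report that the fixlet relevance written with "of registry" only evaluated true once the value existed in the Wow6432Node location, while "native registry" saw the value the vendor had written; the script reads the QualityCompat value from both the 64-bit and the 32-bit (Wow6432Node) registry views so you can see which view it actually landed in, and it refuses to write the value unless you explicitly pass -Force, for the reason given in the post above. The function and parameter names are my own; run it in an elevated PowerShell on the target host.

```powershell
# Added example for this thread (not BigFix, Microsoft or any AV vendor's code).
# Reads the QualityCompat flag from both the 64-bit and the 32-bit (Wow6432Node)
# registry views, and sets it only when explicitly forced. Function and
# parameter names are assumptions of this example. Run elevated.

$QualityCompatPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatState {
    <# One object per registry view: does the key exist, what is the value,
       and does it match the REG_DWORD = 0 the January 2018 updates look for. #>
    [CmdletBinding()]
    param()

    foreach ($view in @([Microsoft.Win32.RegistryView]::Registry64,
                        [Microsoft.Win32.RegistryView]::Registry32)) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key  = $null
        try {
            $key   = $base.OpenSubKey($QualityCompatPath)
            $value = if ($key) { $key.GetValue($QualityCompatName, $null) } else { $null }

            # On x64 the 32-bit view of HKLM\SOFTWARE is physically Wow6432Node.
            $physical = if ($view -eq [Microsoft.Win32.RegistryView]::Registry32) {
                $QualityCompatPath -replace '^SOFTWARE\\', 'SOFTWARE\WOW6432Node\'
            } else { $QualityCompatPath }

            [pscustomobject]@{
                View      = $view.ToString()
                Path      = "HKLM\$physical"
                KeyExists = [bool]$key
                Value     = $value
                # GetValue returns [int] for REG_DWORD; anything else is not the expected value.
                Compliant = (($value -is [int]) -and ($value -eq 0))
            }
        }
        finally {
            if ($key) { $key.Dispose() }
            $base.Dispose()
        }
    }
}

function Set-QualityCompatFlag {
    <# Creates the key and writes REG_DWORD 0. Refuses to run without -Force:
       this flag asserts "the AV here is compatible", and on a host with an
       incompatible AV that is exactly what the thread warns bluescreens. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Which views to write. Writing both covers a scanner that reads the
        # redirected (32-bit) view as well as one that reads the native view.
        [Microsoft.Win32.RegistryView[]]$Views = @('Registry64', 'Registry32'),
        [switch]$Force
    )

    if (-not $Force) {
        throw 'Refusing to set QualityCompat: confirm no incompatible AV is installed, then re-run with -Force.'
    }

    foreach ($view in $Views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key  = $null
        try {
            if ($PSCmdlet.ShouldProcess("HKLM\$QualityCompatPath ($view view)",
                                        "Set $QualityCompatName = 0 (REG_DWORD)")) {
                $key = $base.CreateSubKey($QualityCompatPath)
                $key.SetValue($QualityCompatName, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            }
        }
        finally {
            if ($key) { $key.Dispose() }
            $base.Dispose()
        }
    }
}

# Usage: audit first; only after checking the installed AV, write and re-audit.
Get-QualityCompatState | Format-Table -AutoSize
# Set-QualityCompatFlag -Force -WhatIf    # dry run, shows what would be written
# Set-QualityCompatFlag -Force; Get-QualityCompatState | Format-Table -AutoSize
```

If the audit shows the value only under the Registry64 view, that matches the Symantec behaviour reported at the top of the thread; a relevance clause that evaluates the redirected view will stay false until the value also exists in the Wow6432Node view or the clause is switched to native registry.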
I'll have to open a PMR. Nearly all of our servers are not showing relevant for the Meltdown fixlets (i.e. MS18-JAN: Security Only Quality Update - Security Only - Windows Server 2012 R2 - KB4056898 (x64)). All relevance clauses are TRUE except for the massive rel #6.
FYI: The BigFix content to run Microsoft's PowerShell module for getting the status of Windows in regards to these patches and mitigations has been updated and published:
Microsoft released an updated version of the PowerShell module.