Purpose

The purpose of this document is to discuss the behaviors when deploying the Windows Security out-of-band updates that were released on January 3, 2018.

The following document contains information on the changes to detection for the applicable patches: Important information on detection logic for the Intel 'Meltdown' security vulnerability

Description

Microsoft is requiring a registry key to be on every machine that has no Anti-Virus or outdated Anti-Virus. The following Windows Security OOB updates released January 3, 2018 are affected by this:

• MS18-01-IE Q4056568 - Cumulative Updates for Internet Explorer
• MS18-01-SO7 Q4056897 - Security Only Update for Windows 7 and Server 2008 R2
• MS18-01-SO8 Q4056899 - Security Only Update for Server 2012
• MS18-01-SO81 Q4056898 - Security Only Update for Windows 8.1 and 2012 R2
• MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893 - Cumulative Update for Windows 10 and Server 2016

Below is what the expected behavior when scan and deploying these patches without and with the registry key in place.

This is what to expect for scan and deployments when the registry key does not exist on the target machine:

When scanning machines without the registry key in place, you will be offered detection of the updates, but will not be able to download or deploy the update. This will be noted in the Ivanti Comments section for the patch:

In Protect 9.2, the error 'Patch is not available for the language selected' may also appear when the registry key is not detected.

Detection only support means the following:

The patch is not downloadable. If you try to download the patch, a message stating 'None of the selected patches need to be downloaded'.

This patch cannot be deployed, this is what the  Deployment Tracker will look like during the attempt. The download patches will not turn green as the patch cannot be downloaded and deployed until the registry key is detected.

This is what to expect for scan and deployments when the registry key exists on the target machine:

When scanning a machine that has the required registry key in place, the patches will be offered with full deployment support. This means the patch is now able to be downloaded from Microsoft and to be deployed to the endpoints.

The patch will now be downloaded and then packaged as normal.

The patch will now be scheduled and then start the deployment execution process.

Additional Information

Security Tool: Implement the QualityCompat registry key that enables Windows security updates released on January 3, 2018

How To: Use Custom Action To Add Required Registry Key For Deploying Microsoft Patches as of January 3rd, 2018

Affected Product(s)

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3