Microsoft released the following Software Updates on January 3, 2018:
These Software Updates were made available for download on 1/5/18 per HOWTO73079 and INFO4731 release notes via the Import Patch Data for Windows (PMImport) through the Console.
Caution: Found some AMD devices getting into an unbootable state after installation of recent Windows operating system security updates as detailed by Microsoft:
- Following this initial release, Patch Management Solution added KB4073576 which resolves this issue for AMD based computers:
- Note: This update was developed by Patch Dev and provided in PMImport 7.2.122 in MSNS18-01-4073576
- Workaround: Exclude all AMD devices through static filters as targeted by the individual Software Update Policy for deployment of these specific Software Updates
- Optional: Utilize the attached process to isolate: Endpoints with AMD Report.zip to import into the ITMS Console 8.1 RU4 . Create the custom Hardware Inventory Job and schedule/run on targeted filter, and then import and run the Endpoints with AMD Report to see which listed endpoints have an AMD CPU and need to be excluded from deployment
Caution: These Software Updates are known to cause the Blue Screen of Death (BSOD) on Intel CPU systems as detailed on TECH248545:
- The following registry check below was implemented for Patch Management rule logic, for this is similar to when the Microsoft Windows Update Tool is run it will check for similar prerequisites prior to installing these updates, and Patch Management will only deploy updates which have updated Antivirus (AV) software
- The following check for the presence of this registry key has been added to the Assessment Scan as part of the applicability rule check as directed by Microsoft to antivirus vendors to indicate their compatibility with these recent changes:
- NOTE: This check has the following side effects and these Software Updates won't be detected as applicable/vulnerable for systems that have the CPU vulnerability for they do not pass the initial check of the registry key outlined above:
- If the AV software is not updated; the registry key check detailed above will fail, so the AV needs to be updated before these Software Updates will be applicable
- If the vendor of the AV software in the environment didn't release the update that sets the registry key detailed above then the updates will not target for the registry key check detailed above will fail and the updates will not target
- If the managed endpoint has no AV software the registry key check detailed above will fail and the updates will not target
- Note: Microsoft suggests to use Group Policies (or other methods available in your environment) to update the registry key and enable application of updates for cases 2 and 3 above; however, it is Strongly Advised NOT to create the registry key above to satisfy the prerequisite check, for that will generate a false positive on the applicability rule check and would most likely result in the BSOD as the AV software is not really current
- Additionally, following this initial release, Patch Management Solution added these updates:
- KB4072699 which sets the QualityCompat registry key on computers without Antivirus, or with Antivirus which doesn't update that key for compatibility:
- This was provided in PMImport 7.2.123 in IVA18-002
- KB4072698 which enables fixes of this issue on Server Operating Systems
- This was provided in PMImport 7.2.122 in IVA18-001
- Note: Both KB4072698U & KB4072698U are unsupported by Patch Management Solution per HOWTO42396.
- Further notes of this Security Advisory provided by Microsoft for review.
- Optional: Attached customized process in Meltdown - Antivirus Compatibility Reporting.zip to import into the ITMS Console 8.1 RU4; run the custom Inventory Job QualityCompat, and then view the results in the AV Compatibility Report to isolate Windows Clients with the registry marked above (true/false) and have an Intel CPU.
- This custom report displays the Clients with the Intel CPU and if they don't have the registry key detailed by Microsoft above then they will need their Antivirus upgraded to be compatible to the recently released Microsoft Software Updates.
Symantec recommends following Change Control, deployment testing, and other business continuity best practices.