
Windows updates stopped? - The solution is bizarre!



Due to anti virus vendors having a need to get hooks deep into the Windows kernel (which has in the past led to them ironically being an enabler for malware to also get deeper into the system), Microsoft is making an effort to try and get them to change that and protect the kernel from being accessed by anything.

The solution is a bit bizarre, but when you understand it and the objective it does make sense. Thought I would bring this up though because unless you go searching MS Knowledge Base for issues you may never find out about it.

 

TL;DR - From the January 3rd '18 Windows updates forward, those updates will only happen if your system has a special Registry Key set.

If you use Windows Defender (or for older Windows 7 you use Microsoft Security Essentials instead, which is the same thing as Windows Defender with a different name), then the registry key will have been set by that software, and Windows updates will progress as usual automatically.

If you use a third party anti virus which complies with Microsoft and also sets the same registry key, again updates will proceed as usual.

However if you have no anti virus solution (you chose not to have any sometime in the past), or you have an anti virus which does not comply with Microsoft (possibly causing Blue Screen errors due to the anti virus behaviour) and does not set the registry key, you will not get any more updates until something has set the registry key.

It can also happen that Windows Updates (probably due to being halted by one of the above reasons, or a bug in Windows updates) can get stuck and not apply a necessary update for things to roll onwards. If that's the case for you, go and grab the Windows Update KB4056892 manual installer (scroll down to where it says "How to get this update", click the link to go to Microsoft Update Catalogue, and one of the files there should be the one you need; for Windows 10 anyway, with the Fall Creators update Windows version 1709 already installed).

 

Personally I just use Windows Defender on Win 10, and I have Malwarebytes Antimalware installed (but not resident), so I can run that for a second opinion occasionally.

And otherwise stick to some basic rules - Don't use "adult sites", don't use cracks / warez / pirate software and sites.

Updates continued and I was blissfully unaware that this issue even existed.

 

More info : Read on ..

Microsoft:

"Important: Windows security updates released January 3, 2018 & antivirus software"

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

Overview

Microsoft has identified a compatibility issue with a small number of antivirus software products. The compatibility issue arises when antivirus applications make unsupported calls into Windows kernel memory.

These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors that are caused by incompatible antivirus applications, Microsoft is only offering the Windows security updates that were released on January 3, 2018, to devices that are running antivirus software that is from partners who have confirmed that their software is compatible with the January 2018 Windows operating system security update.

If you have not been offered the security update, you may be running incompatible antivirus software, and you should consult the software vendor. Microsoft is working closely with antivirus software partners to ensure that all customers receive the January Windows security updates as soon as possible.

More information

Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the January 2018 security updates and have set the required registry key.

Windows 10, Windows 8.1, Windows Server 2012 R2 and Windows Server 2016 Customers

Microsoft recommends all customers protect their devices by running a compatible and supported antivirus program.

Customers can take advantage of built-in antivirus protection, Windows Defender Antivirus, for Windows 8.1 and Windows 10 devices or a compatible third-party antivirus application. The antivirus software must set a registry key as described below in order to receive the January 2018 security updates.

Windows 7 SP1 and Windows Server 2008 R2 SP1 Customers

In a default installation of Windows 7 SP1 or Windows Server 2008 R2 SP1, customers will not have an antivirus application installed by default. In these situations, Microsoft recommends installing a compatible and supported antivirus application such as Microsoft Security Essentials or a third-party anti-virus application.

The anti-virus software must set a registry key as described below in order to receive the January 2018 security updates.

Customers without Antivirus

In cases where customers can’t install or run antivirus software, Microsoft recommends manually setting the registry key as described below in order to receive the January 2018 security updates.

Setting the Registry Key

Caution: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing keys and values" help topic in Registry Editor (Regedit.exe) or view the "Add and delete information in the registry" and "Edit registry data" help topics in Regedt32.exe.

Note: Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key:

Key="HKEY_LOCAL_MACHINE"

Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"

Type="REG_DWORD"

Data="0x00000000"

 

Frequently asked questions

Q1: Why are some antivirus solutions incompatible with the January 3, 2018, security updates?

A1: During testing, we discovered that some third-party applications have been making unsupported calls into Windows kernel memory that cause stop errors (also known as bluescreen errors) to occur.

Microsoft has assembled the following resources to help potentially impacted customers:

Troubleshoot blue screen errors in Windows 10

Resolving Blue Screen errors in Windows 8.1

Resolving stop (blue screen) errors in Windows 7

Q2: What is Microsoft doing to help mitigate issues caused by these unsupported applications?

A2: To help protect our customers from "blue screen" errors and unknown scenarios, Microsoft is requiring all antivirus software vendors to attest to the compatibility of their applications by setting a Windows registry key.

Q3: How long will Microsoft require setting a registry key to receive the January 3, 2018, security updates?

A3: Microsoft added this requirement to ensure customers can successfully install the January 2018 security updates. Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates.

Q4: I have a compatible antivirus application but I’m not being offered the January 3, 2018, security updates. What do I do?

A4: In some cases, it may take time for security updates to be delivered to systems, particularly for devices that have been turned off or not connected to the Internet (offline). After they are turned on again, these systems should receive updates from their antivirus software providers. Customers who still experience problems 24 hours after ensuring that their devices have proper Internet connectivity should contact their antivirus software vendor for additional troubleshooting steps.

Q5: My antivirus software is not compatible. What should I do?

A5: Microsoft has been working closely with antivirus software partners to help all customers receive the January 2018 Windows security updates as soon as possible. If you are not being offered this month’s security update, Microsoft recommends that you contact your antivirus software provider.

Q6: I have a compatible antivirus software application, but I still experienced a bluescreen. What should I do?

A6: Microsoft has assembled the following resources to help potentially impacted customers:

Troubleshoot blue screen errors in Windows 10

Resolving Blue Screen errors in Windows 8.1

Resolving stop (blue screen) errors in Windows 7
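
A read-only way to confirm whether a machine has the compatibility value quoted above, added here as an example (it is not part of the original post or of Microsoft's article). The function name `Test-QualityCompat` is hypothetical, and the script assumes PowerShell 3.0 or later; the key path, value name, type and data are the ones quoted above.

```powershell
# Added example: read-only check of the antivirus compatibility value.
# Test-QualityCompat is a hypothetical helper name (assumes PowerShell 3.0+ / .NET 4).
function Test-QualityCompat {
    $subKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    # Open the 64-bit registry view explicitly so a 32-bit PowerShell host
    # on 64-bit Windows is not redirected to WOW6432Node. On 32-bit Windows
    # this request falls back to the only (32-bit) view.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $hklm.OpenSubKey($subKey)   # opened read-only by default
        if ($null -eq $key) {
            return 'MISSING: QualityCompat subkey does not exist'
        }
        try {
            if ($key.GetValueNames() -notcontains $valueName) {
                return 'MISSING: subkey exists but the value is not set'
            }
            $kind = $key.GetValueKind($valueName)
            $data = $key.GetValue($valueName)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                return "WRONG TYPE: $kind (expected REG_DWORD)"
            }
            if ($data -ne 0) {
                return ('WRONG DATA: 0x{0:X8} (expected 0x00000000)' -f $data)
            }
            return 'OK: value present, REG_DWORD, data 0x00000000'
        }
        finally { $key.Close() }
    }
    finally { $hklm.Close() }
}

Test-QualityCompat
```

An `OK` result combined with updates still not arriving points away from the antivirus gate and toward Windows Update itself.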

  • 2 weeks later...

Good stuff, Alt.  But it's not 100% all the time.  I have W10 x64 1709 that has never run any 3rd party AV--Windows Defender only--and I haven't been getting updates.  I had to download the Spectre/Meltdown Microsoft patch manually and apply it.  All went smooth for the install, but it was not delivered via WU.  Maybe, like new builds, I'm delayed to not tax Microsoft's servers--I don't know.  I have that registry key though, exactly as shown. :shrug:


Yep I had a similar experience on one of the four machines in our house, could have been a corrupt update, or maybe something to do with what Steve Gibson has found in Release #6 of InSpectre, the bug in MS Updates :

"

  • Release #6 — Worked around a Microsoft bug and more . . .
    Users of an earlier version of Windows 10 (version 1703 ‑ the non-Fall Creator's Update) reported that InSpectre did not believe that their system had been patched for the Spectre vulnerability. Upon analysis, a bug was discovered in that version of Windows which affected the way 32-bit applications, such as InSpectre, viewed the system. This was apparently fixed in the later “Fall Creator's Update” (version 1709) but not in the earlier version. A 64-bit “probe” was added to the 6th release of InSpectre to work around this bug in version 1703 so that InSpectre would accurately reflect any system's true protection.

    And, while we were at it, the language presented in the summary was changed from “vulnerable” to “protected” so that “YES” was the good answer and “NO!” was the bad answer. :)

"

I have seen WU get stuck on older machines in the past, and found the best way to solve such issues which the Microsoft Knowledge Base cannot solve is to roll back all updates one by one until you get past the issue and rolling forward starts to work correctly again, that method also means rolling back in sequence any minor patches (dirty tuesday patches) which have occurred between major update collections, because one of those out of turn could be the cause ..

.. Or - Sometimes the above procedure can be way too long a process if you are not sure that the problem lies within a few updates, then you may as well back up your documents and go for a fresh install of Windows from the Recovery Partition or OS Discs, wiping the HD, and then just let the machine roll on the subsequent updates.

 

Anyway thank you for the poke on that issue, I just added another paragraph to the OP reference manually applying KB4056892 ( having already installed the Fall Creators Update Windows version 1709 ) if Windows Updates are not rolling forward still.


Those are some big fixes... Both may work, but it's like using a shotgun to swat a fly (I think--the reason could be deeply rooted in my OS).  If I don't get subsequent Microsoft updates, I'll probably bite the bullet and ask them for help.  If it comes to that, and they fix it, I'll definitely post the solution.


For anyone with Windows 10 x86 - 32 bit OS (instead of 64) :

You guys, if you want Microsoft's fixes to Meltdown after having the Fall Creators update 1709 installed, need this https://www.catalog.update.microsoft.com/Search.aspx?q=kb4073291

But beware it may have unanticipated consequences - Apparently that will not be getting installed via Windows Updates because ..

Quote

Microsoft’s Security Advisory ADV180002: details in the fine print, point 7:

Q: I have an x86 architecture and the PowerShell Verification output indicates that I am not fully protected from these speculative execution side-channel vulnerabilities. Will Microsoft provide complete protections in the future?

A: Addressing a hardware vulnerability with a software update presents significant challenges and mitigations for older operating systems that require extensive architectural changes. The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.

It appears as if this is the first 32-bit version of Windows that has a patch for the Meltdown vulnerability.

Like most of the patches I talked about yesterday, this one is available only through the Update Catalog — it won’t be pushed onto your machine.

https://www.computerworld.com/article/3249767/microsoft-windows/patching-meltdown-windows-fixes-sloppy-net-warnings-about-word-and-outlook.html

:(

Sounds to me like it could break things on 32 bit OS which is why it's not automatic.
