Update: 15 March 2018
Starting with the March 2018 Updates, Microsoft has removed the QualityCompat Registry Key requirement for receiving further Windows Updates on newer Operating Systems.
Due to recent work with our antivirus (AV) partners, AV software has now reached a sustained level of broad compatibility with Windows updates. After analyzing the available data, we’re lifting the AV compatibility check for the March 2018 Windows security updates for supported Windows 10 devices through Windows Update. We’ll continue to require that AV software be compatible. Devices with known AV driver compatibility problems will be blocked from updates. We recommend that customers check installed AV software compatibility with their AV provider.
The above Text was included in the Changelog for the March 2018 Cumulative Update for Windows 10 1709. The same Statement can also be found on the Windows 10 1703 and Windows Server 2016 Changelog.
On older Operating Systems (e.g. Windows 7 and Server 2012 R2), the QualityCompat Registry Key still seems to be required!
As you are probably aware, the very beginning of 2018 has brought IT-Admins things like Spectre and Meltdown. I won’t outline all the details here but the bottom line, as nearly always, is to patch your systems. Here specifically you will also need Firmware Updates, however this post is about the January Windows Updates and what those mean for things like Operating System Deployment (OSD) and Reference Image Creation.
The Windows Update and the Key Requirement for getting it
The Updates by Microsoft that are “fixing” the issue from a Windows perspective were released by Microsoft on January 3, 2018 for all supported Platforms. For Windows 10, this means a Cumulative Update as we get it every month.
Now, the Key Requirement for the Update to actually show up is the compatibility of your Antivirus Software. Technically, the Antivirus Software needs to set a Registry Value, telling Windows that it will support the changes that come with the January Update.
The Registry Value is located at the following Location:
Key: HKEY_LOCAL_MACHINE
Subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
Value: cadca5fe-87d3-4b96-b7fb-a231484277cc
Type: REG_DWORD
Data: 0x00000000
If this Registry Value is not present, the January 2018 Update will not be offered to the System.
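As an added example (not part of the original post), the following PowerShell script checks whether the QualityCompat value described above is present with the expected type and data. It is a read-only check, meant for a ConfigMgr compliance item or a task-sequence condition, and it deliberately does not create the value, since the post explains below why doing so manually is unsupported. The function name and the exit-code convention are my own choices.

```powershell
# Added example: report whether the QualityCompat value required for the
# January 2018 Windows Update is present. Read-only; does not create anything.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name from the post

function Get-QualityCompatState {
    # Returns an object with Compliant ($true/$false) and a human-readable Reason.
    # Compliant means: key exists, value exists, type is REG_DWORD, data is 0.
    if (-not (Test-Path -Path $keyPath)) {
        return [pscustomobject]@{ Compliant = $false
                                  Reason = "QualityCompat key missing: update will not be offered." }
    }
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Compliant = $false
                                  Reason = "QualityCompat value missing: update will not be offered." }
    }
    $kind = (Get-Item -Path $keyPath).GetValueKind($valueName)
    $data = $item.$valueName
    if ($kind -ne 'DWord' -or $data -ne 0) {
        return [pscustomobject]@{ Compliant = $false
                                  Reason = "QualityCompat value present but wrong type/data ($kind, $data)." }
    }
    return [pscustomobject]@{ Compliant = $true
                              Reason = "QualityCompat value present (REG_DWORD 0x00000000): AV declared compatible." }
}

# Exit code 0 = compliant, 1 = not compliant, so the script can drive a
# task-sequence condition or a compliance rule. (Hypothetical convention.)
$state = Get-QualityCompatState
Write-Host $state.Reason
if ($state.Compliant) { exit 0 } else { exit 1 }
```

Run it on a reference machine before the "Install Software Updates" step: a non-zero exit code tells you the January update will not be offered yet, and the Reason line tells you whether the key, the value, or its type/data is the problem.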
The Problem for OSD / Reference Image creation
Let’s look at the Reference Image Creation of Windows 7. Usually, you will create a Reference Image, install some Applications and all Windows Updates until you perform a Sysprep & Capture. Later on, you will use something like ConfigMgr to deploy the Reference Image to a System during Operating System Deployment.
If we now take System Center Endpoint Protection as our Antivirus, then the ConfigMgr Client installs SCEP after OSD is completed. After SCEP is installed, it updates its Definitions, and that is when the QualityCompat Key is set.
I hope you see the problem by now. We pretty much have no chance of getting the January 2018 Update into a Reference Image, unless we also have a fully updated Antivirus Client in the same Image.
For Windows 10, things are easier. Here we have Windows Defender preinstalled. It is fairly easy to provide the latest Definitions, either by WSUS or manually, which triggers the January Update Installation.
Conclusion
To summarize this post in one sentence: Without an up-to-date Antivirus at the time of the Update Deployment, the January 2018 Update won’t get installed.
Does this leave you unprotected? No. As soon as your Management Solution installs Antivirus Software during or after OSD and that Antivirus Software is brought up to date, the Deployment of the Update is triggered.
I really hope that this behavior with the mandatory Registry Value will get revised in the future. Currently, especially with older Operating Systems like Windows 7, things like OSD and Reference Image Creation are getting more complicated.
Workarounds
Creating the Registry Key manually (unsupported!)
The simplest way to get the Update installed would probably be to create the QualityCompat Key manually during the Task Sequence. However, Microsoft has purposely made it a Requirement that the Antivirus Software be compatible, so you will probably run into issues when deploying Antivirus Software that does not have the latest Definitions at the Time of Installation. In the worst case, this ends in Bluescreens.
Installing the Antivirus Software during OSD / in the Reference Image
If you’re not using Windows Defender on newer Operating Systems, you could deploy the Antivirus Software during the Task Sequence. Additionally, you have to make sure that the Antivirus Software also gets the latest Definitions, so the January 2018 Updates are triggered when the Task Sequence reaches the “Install Software Updates” Step.
If you decide to install the Antivirus Software in your Reference Image, make sure you remove any Device specific Configurations. If you take SCEP as an example, you’ll have to remove the following Registry Keys before sealing your Image:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\InstallTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanRun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanType
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastQuickScanID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastFullScanID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID
Source: Configure Custom Client Settings for Endpoint Protection
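As an added example (my own script, not from the post or from Microsoft), here is a PowerShell routine that removes the device-specific Endpoint Protection entries listed above so that every machine deployed from the image gets its own install time, scan IDs and MRT GUID. It assumes each listed path names a registry value (the part after the last backslash) under its parent key, which is how SCEP stores them; the function name is my own. Run it elevated on the reference machine immediately before Sysprep.

```powershell
# Added example: strip device-specific SCEP registry values before sealing
# a reference image. Paths are the ones listed in the post, in HKLM: provider form.
$deviceSpecificValues = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\InstallTime',
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanRun',
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanType',
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastQuickScanID',
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastFullScanID',
    'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT\GUID'
)

function Remove-ScepDeviceSpecificValues {
    # Hypothetical helper name. Supports -WhatIf so the removal can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Paths = $deviceSpecificValues)

    foreach ($fullPath in $Paths) {
        # Assumption: last path element is the value name, the rest is the key.
        $keyPath   = Split-Path -Path $fullPath -Parent
        $valueName = Split-Path -Path $fullPath -Leaf

        if (-not (Test-Path -Path $keyPath)) {
            Write-Host "Key not found, skipping: $keyPath"
            continue
        }
        $existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $existing) {
            Write-Host "Value already absent: $fullPath"
            continue
        }
        if ($PSCmdlet.ShouldProcess($fullPath, 'Remove registry value')) {
            Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop
            Write-Host "Removed: $fullPath"
        }
    }
}

# Preview first, then remove for real as the last step before Sysprep.
Remove-ScepDeviceSpecificValues -WhatIf
Remove-ScepDeviceSpecificValues
```

The -WhatIf pass prints what would be removed without touching the registry, which is useful when you add the script as a Task Sequence step and want to confirm the paths resolve on your SCEP version before the capture.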
I will update the blog post as soon as new information regarding the Updates is becoming available.
When I’m building my base image with MDT on a VM, I run Windows Update and it gets the January security update on Windows 7, 1607, 1703 & 1709. I do not need to add any key.
I tested this again with Windows 10 1703 and Windows 7. In both cases only the December 2017 Updates are getting installed, because there is no QualityCompat Key.
Are you installing any Antivirus Software in your Image, or does your Reference Computer have access to the Internet during the Task Sequence? Are the QualityCompat Key and the corresponding Value present?