Microsoft has published the following article:
That article states that there is a known issue with their patch for the recent Intel security vulnerability (Meltdown) with AV vendor products. Microsoft says to check with your vendor to see if they are affected and if so what the vendor's response is. As well, the vendor is expected to set a registry key on compliant systems which allows the Microsoft patch to be offered for install.
What is McAfee's official response? Does it depend on McAfee's AV product? If so what is the matrix of compatibility (McAfee AV product, version, notes, etc.)?
Looking for an official corporate response from McAfee on this one. Appreciate the help!
I see nothing yet. There might be some discussion in the McAfee blogs, I'll monitor those and let you know if I see anything relevant.
My WSUS server has the patches but isn't installing them without the registry key. Looks like an McAfee update is needed.
Yes, the Microsoft article states that in order for the update to install (or be offered is what they wrote) the registry key must be set. One could do that themselves or an AV product might be able to do it if it has the ability and access to do so on the target systems.
What matters though is whether McAfee's products are compatible already or if a hotfix/new release is needed to be installed before installing the Microsoft Update.
One can simply set the registry key but if the installed McAfee product is not compatible expect the system to BSOD as published by Microsoft.
FYI: We did some tests on a Win7 & Win 10 both with the VSE 8.8
The Ms patch doesn't get provided via the normal distribution processes (WSUS and/or direct from Microsoft) but manually downloading & installing the Ms patches worked fine (and without the registry key).
That sounds promising! Did you (have to) manually add the registry key first before installing the MS update? Which release of VSE 8.8 are you running (e.g. Patch 9)?
From the way Microsoft worded its bulletin, it said that without the registry key the update "would not be offered". That makes me think that the Windows Update process checks for it when it enumerates what all is installed and to determine what to pull down to install. However, if we manually download the patch and manually install the patch, does the patch have a check coded into it to look for the registry key (too) and prevent the install if the key is not correct/found?
We're running VSE8.8 with Patch9.
We simply ran a downloaded KB manually WITHOUT the regkey, so that that the installation process of the patch itself doesn't verify against the regkey.
The keycheck seems to only happen during the missing patches verification and is "not offered" (listed) if the key is missing.
I've applied the registry key to a test VM (Win7) and WSUS is pushing the patch now (kb4056897).
Rebooted ok, no bluescreen although I'm using Endpoint Security 10.5 rather than VSE.
Thanks for the info - that is what I expected, based on Microsoft's bulletin wording.
No blue screens? Nice! How many systems have you upgraded so far?
Curious to hear from McAfee officially. Wondering if it is VSE version dependent?
Which version of Agent are you running? 5.0.6.220?
Appreciate your collaboration on this!
Great evidence Ollyrice! Thanks! Curious to know of a Windows Server system that has been upgraded.
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.
Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership: