Computerworld

Microsoft lifts update embargo on Windows 10

But Windows 7 and 8.1 PCs must still contain approved antivirus to receive post-Spectre/Meltdown patches.

Microsoft this week lifted the security update blockade on Windows 10 PCs that do not have approved antivirus software, but kept the no-patches-for-you rule in place for the more popular Windows 7.

The update roadblock was assembled in early January, when Microsoft issued mitigations against the Spectre and Meltdown vulnerabilities. Those vulnerabilities stemmed from design flaws in virtually all modern processors made by Intel, AMD and ARM. According to Microsoft, the security updates could brick PCs equipped with antivirus (AV) software that had improperly tapped into kernel memory.

To prevent customers' machines from encountering "stop errors" - Microsoft's euphemism for "Blue Screen of Death" or BSOD - during installation of the security updates, the Redmond, Wash. company said that AV vendors had to self-certify that their code was compatible with the Spectre/Meltdown patches. Microsoft also required AV developers to signal that compatibility by writing a new key to the Windows Registry.

If the key was not present, the updates would not download and install.

Bottom line, a Windows PC sans an approved antivirus package would not be patched. Microsoft put it in stark terms: "Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key [emphasis added]."

At the time, Microsoft would not say how long the AV rule would be maintained. Instead, it offered a nebulous until-we-say-so timeline. "Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates," a support document stated.

Chris Goettl, product manager with client security and management vendor Ivanti, said of the block, "I think it will be at least a few patch cycles."

Goettl nailed it, at least for Windows 10, because on Tuesday Microsoft said it had lifted the embargo. "Our recent work with our antivirus (AV) partners on compatibility with Windows updates has now reached a sustained level of broad ecosystem compatibility," the firm said in a different support document. "Based on our analysis of available data, we are now lifting the AV compatibility check for the March 2018 Windows security updates for supported Windows 10 devices via Windows Update."

In cases where Microsoft knows that the antivirus software was incompatible with the updates, it will continue to block the latter from reaching affected PCs.

Though the update barrier was removed for Windows 10, it will remain in place for Windows 7 and Windows 8.1. Users of those editions must continue to have a compatible AV package on board, one that sets the registry key. Alternately, customers can add the registry key themselves by following the "Setting the Registry Key" instructions here.

Because the Windows 10 security updates are cumulative - they include not just the current month's patches, but all patches issued previously - by applying the March collection, users will again have an up-to-date system.

It was unclear how long Microsoft would maintain the update restriction on Windows 7 and Windows 8.1. In a FAQ refreshed this week, the company repeated its vague timeline. "Microsoft will continue to enforce this requirement for older versions of Windows until there is high confidence that the majority of customers will not encounter device crashes after installing the Windows security updates," one answer read.

"I'll share more details in the weeks ahead on AV compatibility for older versions of Windows," added John Cable, director of program management on the Windows servicing and delivery team, in a blog post Tuesday.

Windows 7 has been the most affected by the update stoppage; it was the only edition that did not come with a Microsoft-made AV package. And by blocking security updates from reaching Windows 7 systems, Microsoft affected the biggest-possible audience: During February, Windows 7 powered 48% of all Windows PCs, a user share larger than either Windows 10's (39%) or Windows 8/8.1's (8%).

And as part of this week's Patch Tuesday rollout, said Microsoft's Cable, Windows 7 x86 and Windows 8.1 x86 were patched against the Meltdown vulnerability. Only the systems with compatible AV software, and a properly-set registry key, will receive those updates, however.