How To: Deploy Windows Security OOB updates released January and February 2018

Version 10



    The purpose of this document is to discuss the behaviors when deploying the Windows Security out-of-band updates that were released on January 3, 2018.

    The following document contains information on the changes to detection for the applicable patches: Important information on detection logic for the Intel 'Meltdown' security vulnerability




    Microsoft is requiring a registry key to be on every machine that has no Anti-Virus or outdated Anti-Virus. The following Windows Security OOB updates released January 3, 2018 are affected by this:


    • MS18-01-IE Q4056568 - Cumulative Updates for Internet Explorer
    • MS18-01-SO7 Q4056897 - Security Only Update for Windows 7 and Server 2008 R2
    • MS18-01-SO8 Q4056899 - Security Only Update for Server 2012
    • MS18-01-SO81 Q4056898 - Security Only Update for Windows 8.1 and 2012 R2
    • MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893 - Cumulative Update for Windows 10 and Server 2016


    Below is what the expected behavior when scan and deploying these patches without and with the registry key in place.

    See Additional Information for help creating the registry key using a custom action.

    This is what to expect for scan and deployments when the registry key does not exist on the target machine:


    When scanning machines without the registry key in place, you will be offered detection of the updates, but will not be able to download or deploy the update. This will be noted in the Ivanti Comments section for the patch:



    In Protect 9.2, the error 'Patch is not available for the language selected' may also appear when the registry key is not detected.


    User-added image


    Additionally in Protect 9.2, the Deployment tracker may show the following and when clicking on 'View Errors', the error will show 'Zero patches are available and properly signed'.



    Detection only support means the following:


    The patch is not downloadable. If you try to download the patch, a message stating 'None of the selected patches need to be downloaded'.


    This patch cannot be deployed, this is what the  Deployment Tracker will look like during the attempt. The download patches will not turn green as the patch cannot be downloaded and deployed until the registry key is detected.




    This is what to expect for scan and deployments when the registry key exists on the target machine:


    When scanning a machine that has the required registry key in place, the patches will be offered with full deployment support. This means the patch is now able to be downloaded from Microsoft and to be deployed to the endpoints.



    The patch will now be downloaded and then packaged as normal.



    The patch will now be scheduled and then start the deployment execution process.




    Additional Information


    Security Tool: Implement the QualityCompat registry key that enables Windows security updates released on January 3, 2018

    How To: Use Custom Action To Add Required Registry Key For Deploying Microsoft Patches as of January 3rd, 2018



    Affected Product(s)


    Shavlik Protect 9.2

    Ivanti Patch for Windows Servers 9.3