Since the Meltdown/Spectre stuff has come out I've set up a GPO to push out the registry settings, but for our remote users I want to use KACE.

Our desktops run Cylance (which aren't putting out the registry setting), but since our servers still use Trend we are just throwing out the below Trend registry setting:

RegKey="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name ="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"

I'm doing this through the KACE scripting and have it set to run as Local System (and have tested with Logged in user) with the below steps:

Verify

  1. Verify that “HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat!cadca5fe-87d3-4b96-b7fb-a231484277cc” does not exist.

On Success

  1. Log “Registry key does not exist... Creating registry key” to “status”.
  2. Set “HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat!cadca5fe-87d3-4b96-b7fb-a231484277cc” to “0”.

However, this does not allow the patch to be installed. The registry entry gets created fine, and I can see it in the registry, but Windows Update reports the machine is up to date. If I delete the QualityCompat key and create it manually, then all of a sudden Windows Update finds the patch and goes to download/install it.

I have checked the permissions when KACE runs the script vs. me doing it manually and there's no difference at all, and even running the script as "logged in user", which in this test is my own usercode, it still doesn't seem to work.

I for the life of me cannot understand how this is not working. Is anyone else trying to do something similar, or had this type of issue in the past?

Comments

  • After setting the registry key with KACE, reboot the computer, then try to scan it with Windows updates
  • I should have mentioned that I have restarted between these and it hasn't made a difference. When I enter it manually I do not need to do a restart though; it seems to read the key when you click "check for updates".
  • You should not be adding the key unless you have confirmed that your AV software is compliant...

    Maybe push it via GPO if your machines are joined to a domain.

    You could also push a PowerShell script with the KACE agent to register a key:

    # Create the QualityCompat key if it is missing
    If (-not (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat')) {
        New-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat' | Out-Null
    }
    # Set the value as REG_DWORD 0; -Force overwrites the value if it already exists
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat' -Name 'cadca5fe-87d3-4b96-b7fb-a231484277cc' -PropertyType DWord -Value 0 -Force | Out-Null


    The agent can also add registry keys by reading from a BAT file like:

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0 /f
    • It is being pushed out by GPO, as I said in the original post; this is for remote users that don't talk to the domain. And I have verified it's fine to use this patch with our desktop AV solution.

      I've changed it to run as the PowerShell script that you've provided above, and it doesn't even write the registry key. You do need admin rights to write this reg key, but once again, SYSTEM has full control over this hive, and since KACE is running this script as Local System it should be working.

      I'm starting to wonder if maybe this is a bug...
      • Hi Ouytree, did you find a solution? I am having a similar issue.
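
An added example, not part of the thread or of any poster's script: a read-only PowerShell check that reports the account and process bitness the script runs under, and whether the value from the original post exists as REG_DWORD 0 in the 64-bit and the 32-bit registry view. The function name `Get-QualityCompatState` is hypothetical; the key path, value name, type and data are those quoted in the original post.

```powershell
# Added example: read-only check, writes nothing to the registry.
# Key path and value name are the ones quoted in the original post.
$SubKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatState {   # hypothetical helper name
    param([Microsoft.Win32.RegistryView]$View)

    # Open HKLM in an explicit view so the result does not depend on process bitness
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)   # read-only; $null when the key is absent
        $state = [ordered]@{
            View = $View; KeyExists = [bool]$key; ValueExists = $false
            Kind = $null; Data = $null; Compliant = $false
        }
        if ($key) {
            try {
                if ($key.GetValueNames() -contains $ValueName) {
                    $state.ValueExists = $true
                    $state.Kind = $key.GetValueKind($ValueName)
                    $state.Data = $key.GetValue($ValueName)
                    # Expected per the post: Type REG_DWORD, Data 0x00000000
                    $state.Compliant =
                        ($state.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                        ($state.Data -eq 0)
                }
            } finally { $key.Dispose() }
        }
        [pscustomobject]$state
    } finally { $base.Dispose() }
}

# Execution context: compare this between an agent run and an interactive run
[pscustomobject]@{
    RunningAs      = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Is64BitProcess = [Environment]::Is64BitProcess
    Is64BitOS      = [Environment]::Is64BitOperatingSystem
} | Format-List

# Check both views of HKLM\SOFTWARE
[Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32 |
    ForEach-Object { Get-QualityCompatState -View $_ } |
    Format-Table -AutoSize
```

Running it once from the KACE agent and once from an elevated interactive session gives two outputs that can be compared line by line.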