Does KACE do something different when applying Registry settings? (Meltdown/Spectre specific)
Since the Meltdown/Spectre stuff has come out I've set up a GPO to push out the registry settings, but for our remote users I want to use KACE.
Our desktops run Cylance (which aren't putting out the registry setting), but since our servers still use Trend we are just throwing out the below Trend registry setting:
RegKey="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name ="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"
I'm doing this through the KACE scripting and have it set to run as Local System (and have tested with Logged in user) with the below steps:
Verify
- Verify that “HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat!cadca5fe-87d3-4b96-b7fb-a231484277cc” does not exist.
On Success
- Log “Registry key does not exist... Creating registry key” to “status”.
- Set “HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat!cadca5fe-87d3-4b96-b7fb-a231484277cc” to “0”.
However, this does not allow the patch to be installed. The registry entry gets created fine, and I can see it in the registry, but Windows Update reports the machine is up to date. If I delete the QualityCompat key and create it manually, then all of a sudden Windows Update finds the patch and goes to download/install it.
I have checked the permissions when KACE runs the script vs. me doing it manually and there's no difference at all, and even running the script as "logged in user", which in this test is my own usercode, it still doesn't seem to work.
I for the life of me cannot understand how this is not working. Is anyone else trying to do something similar, or had this type of issue in the past?
3 Comments
Maybe push it via GPO if your machines are joined to a domain.
You could also push a PowerShell script with the KACE agent to register a key:
# Create the QualityCompat key if it is not there yet
If (-not (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat') ) {
    New-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
}
# Add the compatibility value as a REG_DWORD with data 0
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat' -Name 'cadca5fe-87d3-4b96-b7fb-a231484277cc' -PropertyType DWord -Value '0x00000000'
The Agent can also add registry keys reading from a BAT file like:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0 /f
- Channeler 6 years ago
I've changed it to run as the PowerShell script that you've provided above, and it doesn't even write the registry key. You do need admin rights to write this reg key, but once again, SYSTEM has full control over this hive, and since KACE is running this script as Local System it should be working.
I'm starting to wonder if maybe this is a bug... - Ouytree 6 years ago
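A check that can be run on an affected machine to see what actually landed in the registry, written as an added example and not posted by anyone in this thread: it reads the QualityCompat value from both the 64-bit and the 32-bit registry view and reports its type and data. It assumes the script host may be a 32-bit process, whose writes under HKLM\SOFTWARE can be redirected to the 32-bit view, and it needs PowerShell 3.0 or later (.NET 4 `OpenBaseKey`); the function name `Get-QualityCompatState` and the `$Repair` switch are hypothetical.

```powershell
# Added example: compare the QualityCompat value across registry views.
$subKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$hive      = [Microsoft.Win32.RegistryHive]::LocalMachine
$Repair    = $false   # hypothetical switch: set to $true to write the value into the 64-bit view

function Get-QualityCompatState {
    param([Microsoft.Win32.RegistryView]$View)

    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $View)
    try {
        $key   = $base.OpenSubKey($subKey)
        $state = New-Object psobject -Property @{
            View = $View; KeyExists = ($null -ne $key); Kind = $null; Data = $null; Compliant = $false
        }
        if ($key) {
            if ($key.GetValueNames() -contains $valueName) {
                $state.Kind = $key.GetValueKind($valueName)
                $state.Data = $key.GetValue($valueName)
                # The setting in the question is a REG_DWORD with data 0; a string "0" does not match.
                $state.Compliant = ($state.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                                   ($state.Data -eq 0)
            }
            $key.Close()
        }
        $state
    } finally { $base.Close() }
}

# A 32-bit host (False here) is the case where the two views can differ.
"Process is 64-bit: $([Environment]::Is64BitProcess)"

$views = [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
$views | ForEach-Object { Get-QualityCompatState -View $_ } |
    Format-Table View, KeyExists, Kind, Data, Compliant -AutoSize

# Optional repair: write the value explicitly into the 64-bit view (needs admin rights).
if ($Repair -and -not (Get-QualityCompatState -View Registry64).Compliant) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, [Microsoft.Win32.RegistryView]::Registry64)
    $key  = $base.CreateSubKey($subKey)
    $key.SetValue($valueName, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $base.Close()
    Get-QualityCompatState -View Registry64 | Format-Table View, Kind, Data, Compliant -AutoSize
}
```

Running it once from the management agent and once from an interactive elevated prompt shows whether both contexts see the same key, type and data.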