A Rundown of Microsoft’s New Patch Deployment Process

On January 3, ahead of its monthly Patch Tuesday, Microsoft issued an emergency security update for Windows 10 that addresses the recently disclosed design flaws found in Intel processor chips. The updates also introduced a new prerequisite in the patch process: a registry key is now required for deploying and applying them. Here’s what Trend Micro customers and users need to know:

What’s the new patch process?

The registry key enables automated Windows updates. Microsoft’s advisory notes, “Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV has updated the ALLOW REGKEY.” This means vendors need to verify their software's compatibility with the system/OS.

Why did Microsoft implement this change?

During its tests, Microsoft found that third-party security applications were making calls into the system’s kernel memory, resulting in bluescreen errors. To mitigate this and other unforeseen scenarios, Microsoft now requires third-party AV vendors to verify their software’s compatibility with the system/OS via a registry key.

Is there a tool that can automatically enable patch delivery?

Microsoft does not provide the tools to add this registry key. AV vendors need to ensure they can deliver the registry key needed to download and deploy updates/patches to their customers.

I don’t use Windows 10. Will I still need a registry key to apply patches?

Yes. All succeeding patch deployments will follow Microsoft’s new implementation and thus need a registry key.

Is this related to a bug in Trend Micro’s security products?

I use Trend Micro products. Am I affected?

No. Microsoft’s new compatibility check process affects all endpoint security vendors. Trend Micro’s security software is not vulnerable and doesn’t need a patch. The updates in the security bulletin are mainly related to the design flaws in Intel processors.

Trend Micro is currently developing a tool that can let customers automatically install the registry key needed to roll out the Windows patch. This will be released along with Microsoft’s own monthly patch cycles, starting January 9. A product update will deliver the tool, which will help customers by streamlining patch deployment.

I don’t use third-party AV software or Trend Micro products. Do I still need a registry key?

Even those without active/running third-party AV software may still be required to have the specific registry key before patches can be applied via Windows Update.

How can I apply Microsoft’s patch now?

There are several options available to ensure the patches are applied as quickly as possible:

IT/system administrators can manually create and deploy the registry key (ALLOW REGKEY) to unblock the delivery of patches

Trend Micro customers and users can download the update packages directly from the Windows Update Catalog if they are unavailable via Windows Update

Apply a specific patch for the Trend Micro security product that will enable the ALLOW REGKEY needed through Windows Update

Trend Micro customers can also find additional product-specific information and solutions (such as adding the specific registry key) via these technical support articles for Home and Home Office users, and Businesses.