Issues with January Security updates for Windows Desktops and Servers released today to Windows Update.
- Anti-virus and CPU compatibility issues that may cause:
  - Security updates to not install
  - Blue screens and boot issues if installation of updates is forced
- User performance will be impacted on older systems when security updates are installed successfully.
Microsoft has released security updates to address the Meltdown and Spectre vulnerabilities disclosed last week. However, there are certain scenarios where these updates may not be installed, or may cause system issues. Additionally, when these updates are applied they will impact system performance on older systems.
Scenario 1 – Incompatible anti-virus solution
Microsoft has found some anti-virus solutions that were not operating in a supported manner. When the security updates were applied to systems running them, the system was rendered “unbootable”. The majority of the major vendors on the market have since updated their solutions, but some may not yet be reporting compatibility to Windows and require manual system changes to enable security updates.
Microsoft guidance and registry information is listed in this support article: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
Compatible – no action required if running the latest version
Compatible vendors but require manually setting registry key
Not yet confirmed compatible
|360 Total Security||No vendor information currently available|
Scenario 2 – AMD Processors.
If systems utilize AMD processors, Microsoft has delayed delivery of the January security updates. Even if a system has a compatible anti-virus configuration, these updates will not be advertised to those systems. If these updates are applied to AMD systems, it may result in a system that is “unbootable”.
The Microsoft support article regarding the issue with updates and AMD processors is available here: https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices
NOTE: AMD has responded saying their processors are not at high risk due to limited exposure. Their response is available here: https://www.amd.com/en/corporate/speculative-execution
Scenario 3 – Updates installed but system performance impacted.
There is no workaround for this issue due to the nature of the threat that is being mitigated. Microsoft has identified older systems (pre-2015) with older operating systems (pre-Windows 10) as the most at risk of performance degradation. This is notable because any slowdown from applying the updates will not be related to your AV solution; it comes from the real operations of the CPU and operating system.
General performance behavior
|Windows 10||2016 era PC (Skylake, Kaby Lake)||Unnoticeable – single digit performance impact to CPU|
|Windows 10||2015 era PC (Haswell or older)||Decrease in performance; users may or may not notice it, depending on model and business tasks being executed|
|Windows 8.1 / Windows 7||2015 era PC (Haswell or older)||Significant impact to performance due to the way older OSes use the kernel. All users will notice the decrease in performance.|
More detail is available from Microsoft here: https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/