New Microsoft policy blocks security updates on Windows 7 machines without whitelisted antivirus software

Mar 19, 2018 18:27 GMT

The March 2018 monthly rollup for Windows 7 (KB4088875) introduces a new behavior that was borrowed from Windows 10 and which brings new antivirus checks in the operating system.

With these checks, Microsoft tries to make sure that Windows 7 machines are running compatible antivirus solutions, as the company says that compatibility issues between security software and the latest updates could substantially impact system performance and stability.

This is exactly what happened on Windows 10 back in January when Microsoft released Meltdown and Spectre mitigations, so in order to prevent these issues from occurring on Windows systems, the company turned to antivirus checks.

In other words, Windows needs to check if your system is running whitelisted antivirus software, and depending on the result of this verification, it decides whether security updates are pushed to the computer or not.

If your security product is compatible, you’re perfectly fine; otherwise, you can’t get any new security patches. This means the system remains unpatched and, consequently, exposed to attacks that exploit vulnerabilities which would otherwise be addressed in recent updates.

If compatible antivirus isn't installed, Windows 7 no longer gets updates

Fortunately, there’s an easy way to bypass these checks and enable security updates on a Windows 7 system regardless of the antivirus solution running on your machine. Needless to say, the best thing you could do is actually install whitelisted antivirus software, but if this isn’t a solution, then this little hack is your second best option.

Microsoft recommends getting in touch with your antivirus vendor to enable security updates, and explains its decision to block patches with the following message:

“Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY.”

On Windows 10, despite this restriction being lifted, Microsoft warns that security updates could still be blocked on computers with unsupported antivirus.

“We’ll continue to require that AV software be compatible. Devices with known AV driver compatibility problems will be blocked from updates. We recommend that customers check installed AV software compatibility with their AV provider,” Microsoft says.

Enabling security updates on a Windows 7 system without supported antivirus software is easy and it all comes down to the Registry Editor. This means you’re going to edit the registry, so first of all you need to make sure you’re logged in with an administrator account. Then, you have to create a backup so that, if anything goes wrong, you can roll back to a working configuration in no time.

First of all, launch the Registry Editor by hitting Windows key + R and typing regedit. Navigate to the following path in the Registry Editor (you have to do this manually, so check the full path carefully):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat

If this path does not exist, it’s most likely because you aren’t running whitelisted antivirus software. This means you have to create it manually, but that’s not such a big issue because it takes only a few clicks.

Once you reach this address, you have to create a new entry. Select the QualityCompat entry, right-click the right panel and go to New > DWORD (32-bit) Value and call it cadca5fe-87d3-4b96-b7fb-a231484277cc. Press OK, close the Registry Editor, and then reboot the system to have all changes saved.
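The registry steps above, written as a PowerShell script that reports whether a machine has the value and, only when asked, creates it. This is an added example and not part of the original article; the `-Set` switch and the backup file name are assumptions made for illustration, and the data 0 matches what Registry Editor assigns to a new DWORD value.

```powershell
# Added example: audit (and with -Set, create) the QualityCompat value described above.
param([switch]$Set)   # -Set is a hypothetical switch name chosen for this example

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatState {
    # Returns KeyMissing, ValueMissing, WrongType or Present.
    if (-not (Test-Path -Path $keyPath)) { return 'KeyMissing' }
    $key = Get-Item -Path $keyPath
    if ($key.GetValueNames() -notcontains $valueName) { return 'ValueMissing' }
    if ($key.GetValueKind($valueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return 'WrongType'
    }
    return 'Present'
}

$state = Get-QualityCompatState
Write-Output "QualityCompat state on $($env:COMPUTERNAME) is $state"

if ($Set -and $state -ne 'Present') {
    # Editing HKLM requires an elevated session, as the article notes.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) PowerShell session.'
    }
    if ($state -eq 'KeyMissing') {
        # Nothing to back up: rolling back means deleting the key created here.
        New-Item -Path $keyPath | Out-Null
    } else {
        # Back up the existing key before changing it (file name is an assumption).
        $backup = Join-Path $env:TEMP 'QualityCompat-backup.reg'
        & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat' $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }
        if ($state -eq 'WrongType') { Remove-ItemProperty -Path $keyPath -Name $valueName }
    }
    # Data 0 is what Registry Editor assigns to a newly created DWORD value.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 | Out-Null
    Write-Output "Value created. State is now $(Get-QualityCompatState). Reboot to apply."
}
```

Run without arguments, the script only reports the state and changes nothing.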

The next time you check for updates in the Control Panel, new patches should be waiting for download, though you need to be sure that such updates have indeed been released. The next updates for Windows 7 are projected to land on the April Patch Tuesday rollout, so for the time being, even if no updates are available, you’re on the safe side.

Most likely, Microsoft will lift this restriction in the coming months, but till then, this small registry hack is the best way to go if running other security software isn’t possible.
