How to deploy the required registry key via automated executable

Environment

Multiple McAfee products
For information on McAfee product compatibility for Meltdown and Spectre, see KB90167.

Summary

This article is intended to be used as a guide for deploying a custom EEDK for Microsoft patch readiness.

Content

This EEDK packaged script contains an applet which is used to deploy a registry key to systems as required by Microsoft to indicate compatibility with certain versions of their “Spectre” and “Meltdown” mitigations patch. This is an ePO-deployable package (KB90167000.zip) provided in the Attachments section of this article. No machine restart is required. The applet does no operating system checks by itself, but if deployed via ePO, will only be deployable to Windows versions 6.0-10.0 (see "System Requirements" below). It is signed by McAfee and the .exe also contains McAfee version information.

Considerations and System Requirements

The following should be considered prior to running the EEDK package client task.
  • The applet must be run as an Administrator (or deployed via ePO). It will not function properly if renamed.
  • The ePO-deployable applet is an archive and can be extracted to reveal the standalone executable. For standalone or third-party use: The applet does not outwardly indicate a failure when not run as Administrator; it just fails silently.
  • There are no log files or temporary files associated with this utility; it executes its job and then exits.
  • To verify the package has run successfully, examine the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat. The key should contain a REG_DWORD value cadca5fe-87d3-4b96-b7fb-a231484277cc with data 0x00000000.
  • The registry settings are overwritten each time the applet is executed.
  • We recommend that the applet is thoroughly tested by the customer in the intended environment prior to mass deployment.
  • System requirements:
    • Windows 6.0-10.0. [http://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx]
    • x86 and x64.
    • Administrative permissions are required to run.
    • If run manually with UAC enabled, elevation will also be required: http://msdn.microsoft.com/en-us/library/windows/desktop/aa511445.aspx.
    • If deploying to systems with McAfee AppControl deployed, take one of the following approaches for successful deployment:
      • Create an ePO Policy rule and apply to any endpoint. [Recommended]
      • Configure AppControl to be in update mode before running this applet in standalone, or before deploying via ePO. The user must disable update mode afterward.
      • Authorize this applet with a remote task command (“sadmin attr -add Setup_KB90167.exe”).
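
Because the applet fails silently and writes no log, the registry check described in the list above is the only confirmation that it ran. The following PowerShell script is an added example, not part of the McAfee package; the function name Test-QualityCompatValue and its output fields are illustrative.

```powershell
# Added example: verifies the registry value named in this article.
# Function name and output fields are illustrative, not from the McAfee package.
# On x64 systems, run from a 64-bit PowerShell so the native registry view is read.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-QualityCompatValue {
    [CmdletBinding()]
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        KeyPresent   = $false
        ValuePresent = $false
        ValueKind    = $null
        Data         = $null
        Compliant    = $false
    }

    # A missing key or value is the expected symptom of a run that was not elevated.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) {
        $result.KeyPresent = $true
        # GetValueNames() lists the values without throwing when $Name is absent.
        if ($key.GetValueNames() -contains $Name) {
            $result.ValuePresent = $true
            $result.ValueKind    = $key.GetValueKind($Name)
            $result.Data         = $key.GetValue($Name)
            # Require both the type (REG_DWORD) and the data (0x00000000).
            $isDword = $result.ValueKind -eq [Microsoft.Win32.RegistryValueKind]::DWord
            $result.Compliant = $isDword -and ($result.Data -eq 0)
        }
    }
    [pscustomobject]$result
}

$status = Test-QualityCompatValue
$status | Format-List

# When saved and run as a script, a non-zero exit code marks a failed check.
if (-not $status.Compliant) { exit 1 }
```

Checking the value type as well as the data catches a value that exists under the right name but was written as a string or another type.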

Recommended Steps

  1. Check the package in to the master repository. It should appear as follows:
  2. NOTE: If you have distributed repositories, run the repository replication task (incremental is sufficient).
  3. Create a task in the task catalog for eventual deployment. Click on the Task Catalog applet under the main menu, Policy. Select McAfee Agent, choose Product Deployment as the type, and click New Task. Confirm the type in the drop-down list and click OK as shown:
  4. In the New Task dialogue, create a task similar to the one below:
  5. Click OK to save the new task. Use the new task in any of the ePO supported deployment methods. For example, shown below is an assigned Client Task. From a selected machine or machines, use the Action menu, Agent, and Modify Tasks on a Single System. On the new screen you can select the Actions menu and New Client Task Assignment. Choose Run Immediately or schedule it for a time that works for your environment.
