Hi Folks,
To add to Rafeeq's comment, I have just spent almost the last 4 days banging my head on a Windows Update issue that related to the above registry key. I was going to raise this as an informational post to all, but it seems to fit here.
While looking at deploying this month's Windows security updates from WSUS, I noticed a bunch of servers not showing any updates available. Plenty of other servers were showing the correct updates being available. VERY strange.
Initially I thought this was a mix of SEP and non-SEP Windows machines, but further checks showed only those systems without SEP were detecting zero updates. I ran several of the problem systems via proxy so they could get to the Windows Update site to see the difference. Well bugger me - the only important update detected from the Windows Update site was the Malicious Software Removal Tool - none of the important security patches.
The WindowsUpdate.log showed nothing out of the ordinary, and also showed it was indeed detecting zero updates from WSUS. I ran through the normal processing of resetting WSUS components on several servers - still no joy. A couple of the systems showed some component corruption with SFC /scannow so I cleaned these up with Dism.exe - still no joy.
Then it dawned on me that all the problem systems did NOT have SEP installed. I tested this by installing SEP on one of these systems...magically WSUS updates are working correctly again. I then took another problem system and instead of installing SEP, I just added the registry key and value as described in the link Rafeeq posted (as well as KB4056898). Magic - this works too, although that key is only supposed to be added by AV vendors when needed.
Nowhere in the Microsoft article does it say all security updates will stop working without this registry setting. After solving this issue by myself (Google was no help with this particular problem), I checked the Endpoint Protection forum to see if anyone else was reporting it and found this post. I re-read the article Rafeeq linked to above (I had skimmed it previously), and found that this is mentioned in one bullet point under the side effects:
- If the managed end-point has no AV software the registry key check detailed above will fail and the updates will not target
The article also says that you should NOT create the registry entries if there is no AV installed as you may end up with a BSOD. In my case, I've proved that it can be done, but test and do it at your own risk. I've done this with Server 2008 R2 64-bit and Server 2012 R2 64-bit (all VMware VMs) with no issues (although those servers are now getting AV installed).
Hope this helps someone,
Steve
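
Added example, not part of Steve's post: a read-only PowerShell audit that reports which servers lack the antivirus compatibility registry value, so machines that will silently detect zero security updates can be found before patch night. The key path and value name are the ones published in Microsoft's guidance accompanying KB4056898 (the post itself does not quote them); the host names are constructed and remote checks assume PowerShell remoting is enabled.

```powershell
# Read-only audit: makes no registry changes.
# Key path and value name as published in Microsoft's KB4056898-era guidance
# (assumption: not quoted in the post above).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on the target machine; PowerShell 2.0 compatible for Server 2008 R2.
    $check = {
        param($KeyPath, $ValueName)
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $item)            { $state = 'Missing';        $data = $null }
        elseif ($item.$ValueName -eq 0) { $state = 'Set';            $data = 0 }
        else                            { $state = 'UnexpectedData'; $data = $item.$ValueName }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            State    = $state
            Data     = $data
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $result = & $check $KeyPath $ValueName
            } else {
                $result = Invoke-Command -ComputerName $name -ScriptBlock $check `
                    -ArgumentList $KeyPath, $ValueName -ErrorAction Stop
            }
            $result | Select-Object Computer, State, Data
        } catch {
            # Report unreachable hosts instead of dropping them from the audit.
            New-Object PSObject -Property @{
                Computer = $name
                State    = "Unreachable: $($_.Exception.Message)"
                Data     = $null
            } | Select-Object Computer, State, Data
        }
    }
}

# Constructed host names; replace with the servers showing zero updates in WSUS.
Get-QualityCompatStatus -ComputerName 'SRV-EXAMPLE-01', 'SRV-EXAMPLE-02' |
    Format-Table -AutoSize
```

Hosts reported as `Missing` match the symptom described above; whether to install AV or set the value is the decision the post's caveats apply to.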