CCE and Speculative Execution

Update 11th April 2018: The "A/V Gate" (registry requirement) has now been removed. This means that CCE guest VMs will now have the updates installed. Panic over :-)

Just a heads up that by default Cloud Connector Edition for Skype for Business Online will not automatically download and install the January or February 2018 Windows Updates as they don't have Anti-Virus installed and therefore do not get the QualityCompat reg key as detailed here: https://support.microsoft.com/en-us/help/4072699/

Documentation for AV on CCE only mentions the Host and not the Guest VMs: https://technet.microsoft.com/en-us/library/mt740658.aspx (so therefore you can add the key to the Host machine if no AV is present)

I suppose I could create a new base VHDX that has the QualityCompat key set (the same way that you can pause the update to add in a Proxy), but seems a bit pointless when this is supposed to be a managed update service (fire and forget).
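
To see whether a particular CCE guest (or the host) is held back by this gate, here is an added example, not code from the original post or from Microsoft's CCE tooling. The key path and value name are the ones documented in the KB4072699 article linked above; the function name, the 3 January 2018 cut-off date and the `LikelyGated` heuristic are assumptions made for illustration.

```powershell
# Added example: audit the QualityCompat "A/V gate" on the local machine.
# Test-QualityCompatGate is a hypothetical helper, not part of CCE.
function Test-QualityCompatGate {
    [CmdletBinding()]
    param(
        # Assumption: updates installed on or after this date are "post-gate".
        [datetime]$GateDate = '2018-01-03'
    )

    # Key and value name as documented in KB4072699.
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    # The gate is satisfied only by a REG_DWORD of 0 under that exact value name.
    $keySet = $false
    if (Test-Path -Path $keyPath) {
        $key = Get-Item -Path $keyPath
        if ($key.GetValueNames() -contains $valueName) {
            $isDword = $key.GetValueKind($valueName) -eq [Microsoft.Win32.RegistryValueKind]::DWord
            $keySet  = $isDword -and ($key.GetValue($valueName) -eq 0)
        }
    }

    # Get-HotFix can return entries with no InstalledOn date; skip those.
    $recent = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $GateDate })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        QualityCompatSet = $keySet
        UpdatesSinceGate = $recent.Count
        LatestHotFix     = ($recent | Sort-Object InstalledOn | Select-Object -Last 1).HotFixID
        # Heuristic: no key and nothing installed since the gate date.
        LikelyGated      = (-not $keySet) -and ($recent.Count -eq 0)
    }
}

Test-QualityCompatGate
```

Run it inside each guest VM as well as on the host, since the key is evaluated per machine.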

I can see three (official) solutions that Microsoft might go with:
  1. Roll out a new version of CCE that will add the key during the build process (hopefully in a new build they will fix my Draining Calls issue: www.tobiefysh.co.uk/2017/12/cce-210-draining-calls.html)
  2. Wait for the key to no longer be required (leaves CCE guests vulnerable until then). This is a scenario that will happen eventually:
    • "Q3: How long will Microsoft require setting a registry key to receive the Windows security updates?
    • A3: Microsoft added this requirement to ensure customers can successfully install the January and February 2018 security updates. Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the Windows security updates."
      Source: https://support.microsoft.com/en-us/help/4072699/
  3. Tell customers that they need to manually add the key in (this is the worst option as the idea is that these VMs don't need feeding and watering like "regular" Windows servers).
Once I have an official response back from Microsoft I'll update this post.

Update 1st March 2018
After logging this via O365 Support and also via Partner Advisory support I've had back an update that this should be logged on the Skype for Business Feedback forum as it is a design change.....

I've logged it here: https://www.skypefeedback.com/forums/299913-generally-available/suggestions/33492559-cce-and-speculative-update I'd appreciate votes.

And yes - I'm aware I called it Speculative Update (not Speculative Execution) on the feedback.

We discussed this internally and from the great contacts we have at Modality Systems we have now got an escalation into the Product Group. One late night phone call later and the problem is understood internally at Microsoft. Looking forward to getting some traction on this now. :-)
