CCE and Speculative Update
CCE VM's do not have AV installed and as per https://support.microsoft.com/en-us/help/4072699/ they therefore will not get any Windows Security updates past December 2017.
Adding the QualityCompat registry key in manually is not a sustainable option for what is supposed to be a closed box, auto-updating system.
Full details are documented on http://www.tobiefysh.co.uk/2018/02/cce-and-speculative-execution.html
Tobie Fysh commented
In the April 2018 updates the requirement for the registry entry has been removed. As such this is now fixed.