Microsoft has released guidance for patching endpoints against the set of CPU vulnerabilities known as Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754). Meltdown is mainly an Intel problem; Spectre also affects AMD and ARM designs. You will also see the names KAISER, KPTI and F'WIT, which refer to the Linux kernel page-table isolation mitigation rather than to the bugs themselves.
Endpoint patching is unlikely to be the whole of the mitigation. Depending on your environment there may also be firmware (microcode) updates, server patching, application patching, and hypervisor patching (Azure, AWS, Hyper-V, VMware, among others).
These Microsoft patches will not be offered to an endpoint unless the following registry value exists. It is meant to be set by the anti-virus vendor to confirm that its product is compatible with the kernel changes the patches introduce, or set manually by an administrator after confirming compatibility with the AV vendor.
DO NOT SET THIS KEY MANUALLY WITHOUT CHECKING WITH YOUR AV VENDOR IF THEY ARE COMPATIBLE OR YOU MAY BREAK STUFF.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
DWORD value named: cadca5fe-87d3-4b96-b7fb-a231484277cc, with data 0x00000000
Rename the attached file to .reg to be able to double-click it, or deploy it, to set this registry value. No warranties expressed or implied.
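The check below is an added example, not code from the original post. It reads the compatibility value the same way the Configuration Item later in this post does, but also reports the value's type and data, so a hand edit that left a REG_SZ "0" instead of a REG_DWORD shows up as non-compliant rather than as "present". The key path and value name are the ones Microsoft's guidance documents; the guarded setter exists only for the case where your AV vendor has already confirmed compatibility.

```powershell
# Added example, not code from the original post: check (and, only with the AV vendor's
# confirmation in hand, create) the compatibility value that gates the Microsoft patches.
# Key path and value name are as Microsoft documents them; the expected data is REG_DWORD 0.
$QualityCompatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-QualityCompatValue {
    # Returns one object describing what is actually in the registry, so a wrong type
    # (e.g. a REG_SZ "0" left by a hand edit) is visible rather than reported as "exists".
    [CmdletBinding()]
    param()
    $r = [ordered]@{
        Computer    = $env:COMPUTERNAME
        KeyExists   = $false
        ValueExists = $false
        Kind        = $null
        Data        = $null
        Compliant   = $false
    }
    if (Test-Path -Path $QualityCompatKey) {
        $r.KeyExists = $true
        $key = Get-Item -Path $QualityCompatKey
        if ($key.GetValueNames() -contains $QualityCompatName) {
            $r.ValueExists = $true
            $r.Kind = $key.GetValueKind($QualityCompatName).ToString()   # 'DWord' is expected
            $r.Data = $key.GetValue($QualityCompatName)
            $r.Compliant = ($r.Kind -eq 'DWord' -and $r.Data -eq 0)
        }
        $key.Close()
    }
    [pscustomobject]$r
}

function Set-QualityCompatValue {
    # High-impact on purpose: prompts unless -Confirm:$false is passed, and honours -WhatIf.
    # Do not run this without the AV vendor's compatibility statement (see the warning above).
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $target = "$QualityCompatKey\$QualityCompatName"
    if ($PSCmdlet.ShouldProcess($target, 'Create REG_DWORD = 0 (AV compatibility flag)')) {
        if (-not (Test-Path -Path $QualityCompatKey)) {
            New-Item -Path $QualityCompatKey -Force | Out-Null
        }
        New-ItemProperty -Path $QualityCompatKey -Name $QualityCompatName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Test-QualityCompatValue
}

# Used as the body of an SCCM "Script" discovery setting, emit one string for the
# compliance rule to compare against ("Compliant"). Run Test-QualityCompatValue
# interactively to see the full object.
$state = Test-QualityCompatValue
if ($state.Compliant) { 'Compliant' } else { 'Non-Compliant' }
```

Reading the value needs no elevation; creating it does, because the key lives under HKLM. The equivalent .reg file contains the section `[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat]` with the line `"cadca5fe-87d3-4b96-b7fb-a231484277cc"=dword:00000000`, which is what the attached file does.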
I will show how I am monitoring endpoints for the creation of this key using an SCCM Configuration Item and Configuration Baseline.
- Open the SCCM Console, navigate to Assets and Compliance>Overview>Compliance Settings, right-click Configuration Items and select “Create Configuration Item”.
- Give this configuration item a name, a description, select appropriate device types, click Next.
- Select the appropriate versions of Windows for your environment, then click Next again.
- On the settings screen, click New to bring up the Create Setting window.
- Give the setting a name and a description. Leave the setting type as "Registry value". The data type can be Integer (the value is a REG_DWORD) or String; with a "Must exist" rule only the presence of the value is evaluated, not its data. Click Browse to pick the value from your own workstation's registry, or enter the hive, key and value name manually. The compliance rule defaults to "Must exist". Set the severity and remediation as you see fit for your environment, then click OK.
- Click Next at the settings window.
- Click Next again at the Compliance Rules window.
- Review the settings in the summary window, and click Next once satisfied with these settings.
- Hopefully, this succeeds and you see the window detailing what was done. Click close.
We now have a Configuration Item, which is useless until we create a Configuration Baseline and deploy it. To do this:
- Right-click Configuration Baselines and select "Create Configuration Baseline".
- Give this baseline a name and a description.
- Click the “Add” button in the Configuration Data section, and select the Configuration Item we created in the last section. Select/create a category if you desire, then click OK.
- To deploy this Configuration Baseline, right-click on it and select Deploy.
- I chose not to remediate noncompliant assets. (Untested, use at your own peril. Remediation would also create the value on every targeted device regardless of which AV product it runs, which is exactly what the warning above is against.)
- I did not set alerting.
- I chose to deploy this Configuration Baseline to my own device for testing purposes. (Since this is a registry key, deploy to device collections.)
- Set a schedule of your choosing that best suits your environment.
- Click OK.
Monitor compliance in the Configuration Baselines node, or under Monitoring > Deployments.
Now we have a deployed Configuration Item and Configuration Baseline. SCCM is not a "right-now" piece of management software. "Run Summarization" (right-click the Configuration Baseline) only refreshes the console's compliance summary from results the clients have already reported; it does not make any client evaluate the baseline. If you're impatient, do that on the endpoint: open Control Panel > Configuration Manager, run "Machine Policy Retrieval & Evaluation Cycle" from the Actions tab so the client picks up the deployment, then on the Configurations tab select the baseline and click Evaluate. If you're super-duper impatient, the same two steps can be triggered remotely from the command line through the client's WMI interface.
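The remote version of those two steps, as an added example that is not part of the original post: it uses the ConfigMgr client's own WMI classes (SMS_Client.TriggerSchedule in root\ccm for the policy cycle, SMS_DesiredConfiguration.TriggerEvaluation in root\ccm\dcm for the baseline) over a CIM session, then polls until the client's LastEvalTime moves. The computer name, baseline display name and wait times are placeholders for your environment; the status-code mapping covers the two codes you care about and reports anything else as pending.

```powershell
# Added example, not from the original post: force one remote ConfigMgr client to pull
# machine policy and evaluate one baseline, then report the result.
# Requires WinRM/CIM access to the client and local admin rights on it.
function Invoke-CMBaselineEvaluation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,       # placeholder: target endpoint
        [Parameter(Mandatory)][string]$BaselineDisplayName, # placeholder: name given in the console
        [int]$PolicyWaitSeconds = 90,                        # time for the client to download policy
        [int]$EvalWaitSeconds   = 120                        # time for the evaluation to finish
    )
    $session = New-CimSession -ComputerName $ComputerName
    try {
        # Step 1: Machine Policy Retrieval & Evaluation Cycle, the same action as in the
        # Control Panel applet's Actions tab. {…21} is that cycle's schedule ID.
        Invoke-CimMethod -CimSession $session -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' `
            -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null
        Start-Sleep -Seconds $PolicyWaitSeconds

        # The baseline only appears on the client once the deployment has been received.
        $baseline = Get-CimInstance -CimSession $session -Namespace 'root\ccm\dcm' `
            -ClassName 'SMS_DesiredConfiguration' |
            Where-Object { $_.DisplayName -eq $BaselineDisplayName }
        if (-not $baseline) {
            throw "Baseline '$BaselineDisplayName' is not yet assigned on $ComputerName"
        }

        # Step 2: the Evaluate button from the Configurations tab. Arguments are passed by
        # name so their order does not matter; the last two are echoed from the client's record.
        Invoke-CimMethod -CimSession $session -Namespace 'root\ccm\dcm' `
            -ClassName 'SMS_DesiredConfiguration' -MethodName 'TriggerEvaluation' `
            -Arguments @{
                Name            = $baseline.Name
                Version         = $baseline.Version
                IsMachineTarget = $baseline.IsMachineTarget
                IsEnforced      = $baseline.IsEnforced
            } | Out-Null

        # Evaluation is asynchronous on the client: poll until LastEvalTime changes or we time out.
        $deadline  = (Get-Date).AddSeconds($EvalWaitSeconds)
        $refreshed = $baseline
        do {
            Start-Sleep -Seconds 5
            $refreshed = Get-CimInstance -CimSession $session -Namespace 'root\ccm\dcm' `
                -ClassName 'SMS_DesiredConfiguration' |
                Where-Object { $_.Name -eq $baseline.Name }
        } until ($refreshed.LastEvalTime -ne $baseline.LastEvalTime -or (Get-Date) -gt $deadline)

        # LastComplianceStatus: 1 = compliant, 0 = non-compliant; anything else treated as pending.
        $status = switch ($refreshed.LastComplianceStatus) {
            1       { 'Compliant' }
            0       { 'Non-Compliant' }
            default { "Pending (code $($refreshed.LastComplianceStatus))" }
        }
        [pscustomobject]@{
            Computer     = $ComputerName
            Baseline     = $refreshed.DisplayName
            Status       = $status
            LastEvalTime = $refreshed.LastEvalTime
        }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Usage (placeholders): Invoke-CMBaselineEvaluation -ComputerName 'WS01' -BaselineDisplayName 'Spectre-Meltdown AV Compat Key'
```

Run it against a handful of endpoints with `ForEach-Object` over a computer list; the returned objects are what you would otherwise wait for Summarization to surface in the console, and a "Pending" result after the timeout usually means the client had not yet received the deployment when the policy wait ended.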