Slowness showing Spectre/Meltdown compliance?

  • Question

  • Hey all - I'm having trouble getting SCCM to report correctly on Spectre/Meltdown compliance.
    SCCM is showing that we are 90% compliant with the update, however when I use a real-time 3rd party tool to do a scan for the updates it comes back as 65% compliant. 

    I believe the issue is that SCCM considers you "compliant" if you haven't gotten the registry key change from your AV provider yet. However, we got the registry key change already and devices that do not have the Spectre/Meltdown patches installed are still showing "compliant" in SCCM. 

    Any ideas on how to re-scan or more thoroughly/aggressively scan systems for the regkey + patch?
    I need to get these 30% or so devices to rescan, but doing all the client actions + update summarization + update compliance hasn't fixed the problem. 

    Anyone else having this problem? 

    SCCM Current Branch, Windows 10 1703

    Thanks

    Edit
    I'm only specifically referring to the KB side of this vulnerability. Specifically KB4056891 shows only 133 devices "require" the update. It should be closer to 1000 per our real-time monitoring tool. 


    • Edited by ltyler Thursday, February 1, 2018 6:11 PM
    Wednesday, January 31, 2018 10:31 PM

All replies

  • Hi,

    Have you seen this:

    https://blogs.technet.microsoft.com/configurationmgr/2018/01/08/additional-guidance-to-mitigate-speculative-execution-side-channel-vulnerabilities/


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 1, 2018 6:54 AM
  • report correctly on Spectre/meltdown compliance.



    What are you using to detect that? There is nothing out of the box. So we need more information, otherwise your question cannot be answered.

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, February 1, 2018 7:38 AM
  • Hey there - sorry, I'll update the original post. 
    I am only speaking in regards to the Windows Update piece of the vulnerability. 

    So when I check the update compliance for January 2018 Windows Security update KB4056891, it shows only 133 devices "need" the update. However around 1000 devices have the registry change from our AV, and should now show as "require" in SCCM but they don't. 

    Thursday, February 1, 2018 6:10 PM
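
Added example, not part of the thread or of any poster's tooling: a local PowerShell check that separates the two conditions discussed above, the AV compatibility registry value and the presence of KB4056891, so a device can be compared against what SCCM reports for it. It assumes the "registry key change" is the `QualityCompat` value from Microsoft's January 2018 antivirus compatibility guidance; the function names and state labels are made up for this example.

```powershell
# Added example: classify this machine by AV compatibility value + KB state.
$KbId      = 'KB4056891'   # KB named in the thread (Windows 10 1703)
# Assumption: the AV-set value is Microsoft's documented QualityCompat entry.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-CompatValue {
    # True only when the value exists and is set to 0, as the guidance requires.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 0)
}

function Test-KbInstalled {
    # Get-HotFix matches this exact ID only; a later cumulative update that
    # supersedes it will not match, so treat $false as "check further".
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Get-PatchGateState {
    param([bool]$CompatValuePresent, [bool]$KbInstalled)
    if ($KbInstalled)        { return 'Installed' }   # patched
    if ($CompatValuePresent) { return 'Required' }    # should show as requiring the update
    return 'NotOffered'                               # value missing: update is not offered
}

$compat = Test-CompatValue
$kb     = Test-KbInstalled
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    CompatValuePresent = $compat
    KbInstalled        = $kb
    State              = Get-PatchGateState -CompatValuePresent $compat -KbInstalled $kb
}
```

A device that returns `Required` here but is not listed as requiring KB4056891 in the console is one whose software update scan results are stale relative to the registry change.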