Meltdown and Spectre

  • Question

  • Hello,

    Regarding the recent chip flaw reported for Intel processors. I have synced the latest updates already and they are visible in the SCCM console. However, for some reason, none of them are reporting any compliance, i.e. none of them are showing as "Required" for any system across the hierarchy.

    Could it be due to the fact that the ALLOWREG key is not yet set on clients and servers, as is required by Microsoft, i.e. machines need to have this key implemented on them before they start reporting compliance back to the SCCM server?

    Since this key is not yet set on machines in my hierarchy, I suspect that is the reason. Here is a screenshot for the same.


    Friday, January 5, 2018 5:14 AM

All replies

  • Looking at the same issue as you.

    Wish I knew the answer to this.

    I already pushed out the reg key, but that didn't seem to make much difference.

    Friday, January 5, 2018 1:39 PM
  • Hi,

    Once the key has been added, have you run machine policy, software update scan cycle, then a software update deployment evaluation?

    https://blogs.technet.microsoft.com/configmgrdogs/2014/06/29/configmgr-2012-windows-update-client-process/

    Note: it might be worth holding off patching SQL for Configuration Manager

    https://twitter.com/djammmer/status/949122372384141312

    Friday, January 5, 2018 2:12 PM
  • Hi,

    Yes, that's probably the reason, because that key has to be applied via antivirus software (or manually) in order for the client to receive the January 2018 Security Updates.

    Antivirus software from Microsoft (Defender, SCEP, Security Essentials) has already set the required registry key and should already be able to receive such Security Updates.

    So if you're using another vendor's antivirus software, make sure that you've applied the latest definitions or updates to set this registry key in order to receive the January 2018 Security Updates.

    Found the useful doc below listing vendors, which you can take a look at for your reference:

    https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, January 8, 2018 7:04 AM
    Moderator
  • Hi All

    Does someone have any additional info about SCCM and SQL regarding

    Note: it might be worth holding off patching SQL for Configuration Manager

    https://twitter.com/djammmer/status/949122372384141312

    Regards

    Johan

    Monday, January 8, 2018 11:03 AM
  • Just made the registry key and synced once again. This seems to be reporting now for KB4056897 and KB4056894.

    In another test, I did not create the registry key for a machine and installed KB4056894 manually. This installed without any issues and there are no problems. So, does that mean that the registry creation is needed only for the scan and installation to work in these scenarios, and otherwise a manual install will work?

    Tuesday, January 9, 2018 8:23 AM
  • Hi,

    Manual installation works because it does not need the Windows Update agent to scan against catalogs to identify if the update is needed.

    So in this case, the registry key is required for the update agent to scan and report that the update is required. As it's truly required, manual install will surely work.


    Tuesday, January 9, 2018 8:53 AM
    Moderator
  • Hello Frank,

    Yes, that is what it looks like. I believe the registry key is required for these updates as well as for the January Patch Tuesday updates to be visible for compliance, since the January 2018 updates also show the same thing, i.e. "0" everywhere. So,

    1) I suspect the registry key has to be applied in order to get any future updates
    2) Is the same registry key applicable for desktops, laptops and servers as well, or is there a different process required for servers?

    Wednesday, January 10, 2018 5:13 AM
  • > " I am suspecting, the registry key has to be applied in order to get any future updates"

    That's correct. See this snip from the article explaining the regkey. No key, no future updates.

    > "Is the same registry key applicable for desktop, laptops and servers as well or is there any different process required for servers?"

    Same key for all Windows OSes: workstation and server.

    https://support.microsoft.com/da-dk/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software


    Martin Bengtsson | www.imab.dk

    Wednesday, January 10, 2018 5:23 AM
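The procedure Jason describes earlier in the thread (set the key, then run machine policy, software update scan and deployment evaluation), together with the key Martin links to, as an added PowerShell example. This is my code, not code from the thread, from KB4072699 or from Microsoft. The key path and value name are the ones documented in KB4072699; the schedule IDs are the standard Configuration Manager client SMS_Client.TriggerSchedule IDs; the function and variable names are my own. One caveat a practitioner should keep in mind: the value is meant to be the antivirus vendor's statement that its driver is compatible with the January kernel changes, so only create it by hand on machines whose AV vendor has confirmed compatibility (or that run no third-party AV), because on an incompatible AV driver the update it unlocks can leave the system unbootable.

```powershell
# Added example (not from the thread or the KB): verify or create the January 2018
# QualityCompat ("ALLOWREG") value, then trigger the ConfigMgr client cycles in the
# order Jason listed. Run in an elevated PowerShell on the client.

$QualityCompatKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$AllowRegValue    = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name documented in KB4072699

function Test-JanuaryAllowReg {
    # True only if the value exists, is REG_DWORD and its data is 0, which is the
    # documented requirement. A REG_SZ "0" or a missing value both count as absent.
    if (-not (Test-Path $QualityCompatKey)) { return $false }
    $key = Get-Item -Path $QualityCompatKey
    if ($key.GetValueNames() -notcontains $AllowRegValue) { return $false }
    return ($key.GetValueKind($AllowRegValue) -eq 'DWord' -and $key.GetValue($AllowRegValue) -eq 0)
}

function Set-JanuaryAllowReg {
    if (-not (Test-Path $QualityCompatKey)) { New-Item -Path $QualityCompatKey -Force | Out-Null }
    New-ItemProperty -Path $QualityCompatKey -Name $AllowRegValue -PropertyType DWord -Value 0 -Force | Out-Null
}

function Invoke-CMUpdateCycles {
    # SMS_Client.TriggerSchedule IDs: ...021 machine policy retrieval & evaluation,
    # ...113 software updates scan, ...108 software updates deployment evaluation.
    $cycles = [ordered]@{
        'Machine Policy Retrieval & Evaluation'  = '{00000000-0000-0000-0000-000000000021}'
        'Software Updates Scan'                  = '{00000000-0000-0000-0000-000000000113}'
        'Software Updates Deployment Evaluation' = '{00000000-0000-0000-0000-000000000108}'
    }
    foreach ($name in $cycles.Keys) {
        Write-Host "Triggering $name"
        Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule -ArgumentList $cycles[$name] | Out-Null
        # Give each cycle time to finish: the scan is only useful once policy has landed,
        # and the evaluation only once the scan has reported.
        Start-Sleep -Seconds 120
    }
}

if (Test-JanuaryAllowReg) {
    Write-Host 'QualityCompat value already present and well-formed'
} else {
    Write-Warning 'QualityCompat value missing or malformed; creating it (only where the AV vendor has confirmed compatibility)'
    Set-JanuaryAllowReg
}
Invoke-CMUpdateCycles
Write-Host 'Check ScanAgent.log, WUAHandler.log and UpdatesDeployment.log under C:\Windows\CCM\Logs for the result.'
```

The type check matters: a value created with the wrong type (for example REG_SZ) looks fine in regedit but is ignored by the update agent, and the client keeps reporting the January updates as not required. The console only shows compliance once the client's state messages arrive, so allow for the state-message interval on top of the cycles above.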
  • Hi,

    Seems to be bad.

    ADV180002 - Speculative Execution Side-Channel Vulnerabilities (Invalid reference in content)
    Configuration Items (2)
    CVE-2017-5754 - Rogue Data Cache Load (The CI contains a missing or invalid CI reference)
    CVE-2017-5715 - Branch Target Injection (The CI contains a missing or invalid CI reference)

    Thursday, January 11, 2018 3:01 PM
  • There is another article which talks about mitigation on servers and setting a registry key to enable it. Do we also need to do this?

    Snippets from the link - https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    Switch | Registry Settings

    To enable the fix

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    Tuesday, January 16, 2018 4:18 AM
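What the three values quoted above actually control, as an added PowerShell example. This is my code, not code from the thread or from KB4072698. The bit meanings are the ones KB4072698 documents: in FeatureSettingsOverride, bit 0 set disables the CVE-2017-5715 (Branch Target Injection) mitigation and bit 1 set disables the CVE-2017-5754 (Rogue Data Cache Load) mitigation; FeatureSettingsOverrideMask selects which of those bits the override applies to, so Override 0 with Mask 3 turns both mitigations on. Function names are my own. The reason servers need this at all is that, after the January 2018 update, the mitigations are enabled by default on client SKUs but not on Windows Server, where Microsoft leaves them off until the administrator has assessed the performance impact.

```powershell
# Added example (not from the thread or KB4072698): decode the current override
# state and, on a server, write the values that enable both mitigations.
# Run elevated; the values only take effect after a restart.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$VirtKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-MitigationBitState {
    param([int]$Override, [int]$Mask, [int]$Bit)
    # A bit in the override only counts when the same bit is set in the mask.
    if (($Mask -band $Bit) -eq 0)     { return 'OS default' }
    if (($Override -band $Bit) -ne 0) { return 'disabled by override' }
    return 'enabled by override'
}

function Get-SpecExecOverrideState {
    $p = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    if ($null -eq $p.FeatureSettingsOverride -or $null -eq $p.FeatureSettingsOverrideMask) {
        # No override present: OS default applies (on for client SKUs, off for
        # Windows Server after the January 2018 update).
        return [pscustomobject]@{
            OverridePresent = $false
            BtiMitigation   = 'OS default'   # CVE-2017-5715
            RdclMitigation  = 'OS default'   # CVE-2017-5754
        }
    }
    [pscustomobject]@{
        OverridePresent = $true
        BtiMitigation   = Get-MitigationBitState -Override $p.FeatureSettingsOverride -Mask $p.FeatureSettingsOverrideMask -Bit 1
        RdclMitigation  = Get-MitigationBitState -Override $p.FeatureSettingsOverride -Mask $p.FeatureSettingsOverrideMask -Bit 2
    }
}

function Enable-SpecExecMitigations {
    param([switch]$HyperVHost)
    # Override 0 + Mask 3: both bits are governed by the override, and both are clear.
    New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
    if ($HyperVHost) {
        # Only meaningful on a Hyper-V host: lets VMs see the new CPU features.
        if (-not (Test-Path $VirtKey)) { New-Item -Path $VirtKey -Force | Out-Null }
        New-ItemProperty -Path $VirtKey -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
    }
    Write-Host 'Override written; restart, then confirm with Get-SpeculationControlSettings.'
}

Get-SpecExecOverrideState | Format-List
```

The registry only records what was requested. Whether the kernel actually applied the mitigations, and whether the CVE-2017-5715 one has the microcode it depends on, is what the SpeculationControl module (Install-Module SpeculationControl, then Get-SpeculationControlSettings) reports after the restart; that is the "Powershell script" a later post in this thread refers to.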
  • Hi,

    Installing the monthly patches gives part of the protection. In addition, applying the above registry fix will provide more protection. As the adjustment of the registry may affect performance, Microsoft recommends that customers assess the performance impact for their systems and make adjustments if necessary.


    Thursday, January 18, 2018 7:17 AM
    Moderator
  • I'm still having the same issue. Our 3rd-party AV shows it has updated 95% of our clients, and spot-checking the devices shows the correct registry key.

    However, even after triggering hardware inventory, machine policy, software update scan cycle, and software deployment evaluation cycles manually via Recast RCT, I'm still only showing 900 devices needing January's Windows updates. (Should be 1800-2200.)

    Any other suggestions on how to expedite this process or troubleshoot why devices aren't reporting their update readiness correctly? 

    Thanks

    Thursday, January 18, 2018 5:10 PM
  • > "Any other suggestions on how to expedite this process or troubleshoot why devices aren't reporting their update readiness correctly?"

    If a previous cumulative update is in pending reboot the current cu might show as not required.

    Rolf Lidvall, Swedish Radio (Ltd)

    Thursday, January 18, 2018 9:42 PM
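A way to check Rolf's point across the devices that are missing from the compliance count, as an added PowerShell example. This is my code, not code from the thread. It reads the reboot-pending signals that Windows and the Configuration Manager client leave behind when a cumulative update has been installed but not finalised: the Component Based Servicing and Windows Update registry markers, the PendingFileRenameOperations value, and the client SDK's own DetermineIfRebootPending method. The function name and the computer names in the fan-out are my own placeholders.

```powershell
# Added example (not from the thread): report whether a restart is pending and why,
# locally or on remote clients. Run with rights to read HKLM and, for the remote
# form, PowerShell remoting enabled on the targets.

function Test-PendingReboot {
    $reasons = @()

    # Servicing stack has an operation waiting for restart (typical after a CU install).
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'CBS RebootPending'
    }
    # Windows Update agent is waiting for a restart.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'WindowsUpdate RebootRequired'
    }
    # Files queued to be replaced at boot. Weak signal: installers and AV set this too.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons += 'PendingFileRenameOperations'
    }
    # The ConfigMgr client's own verdict, when the client is installed.
    try {
        $ccm = Invoke-WmiMethod -Namespace 'root\ccm\ClientSDK' -Class CCM_ClientUtilities `
                                -Name DetermineIfRebootPending -ErrorAction Stop
        if ($ccm.RebootPending -or $ccm.IsHardRebootPending) { $reasons += 'ConfigMgr client RebootPending' }
    } catch {
        Write-Verbose "ConfigMgr client SDK not available: $_"
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join '; ')
    }
}

# Local check.
Test-PendingReboot

# Fan out over the devices that are "missing" from the compliance count.
# The names are constructed placeholders; replace them with your own list.
$targets = 'WKS001', 'WKS002'
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Test-PendingReboot} -ErrorAction SilentlyContinue |
    Where-Object RebootPending | Select-Object ComputerName, Reasons
```

A device that comes back with CBS RebootPending or the client's own RebootPending flag will not evaluate the current cumulative update as required until it has restarted, which matches Rolf's observation; the PendingFileRenameOperations entry on its own is not enough to explain a missing update, since many installers set it.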
  • Hello Frank,

    So, even if we bypass the above registry fix and only continue with the monthly updates, that will still work? Though you mentioned the above will provide more protection, even if we do not do that, will that still work for servers etc.?

    Friday, January 19, 2018 4:09 AM
  • We are having the same issues. Symantec Endpoint Protection has added the registry key.

    Still, the 2018-01 Cumulative Update for Windows 10 does not appear. We have tried on several devices, rebooted several times, run Machine Policy Evaluation, Software Update Scan Cycle, Software Update Deployment Evaluation and Hardware Inventory Scan. Every other update appears except for the 2018-01 Cumulative Update. We even tried, on one device, deleting the registry key and re-adding it.

    Installing the patch manually of course works, but it is not working at all through SCCM.

    Tuesday, January 23, 2018 2:20 PM
  • This does not apply to our situation as we have a vendor who has made the registry change, however the update still does not appear.
    Wednesday, January 24, 2018 3:29 PM
  • Hi there,

    Did you manage to find out what causes that? I am running into the same situation where my 2018-02 Cumulative Updates are not showing up on Windows 10 clients even though they are targeted.

    Saturday, February 24, 2018 6:09 AM
  • I'd like to know this too. Have 1 W10 client out of 3 that is updating since the January patch. All 3 have the registry fix. All 3 have current versions of AV (Avast and/or Defender). The 1 that works is on W10 Pro; the others are on Home. Would that make a difference? The Pro machine downloads & applies cumulative updates normally. The Home machines do not - only Flash and VCRT updates come through. Applying the cumulative updates manually results in only security updates being applied, not the "cumulative" update, according to WU updates list, and WU has failed to find a cumulative update since December. Running the Powershell script reports that all Windows mitigations are installed (though no microcode support is, given the age and oddness of the CPUs). Is this a known issue with Home? Is it fixable in any practical way short of reinstalling Windows?

    The one thing different about the machines is that the Pro machine had the registry entry done before installing the January update. The Home machines had it added by manual installation of the Meltdown patch. Would that make a difference?

    Friday, March 2, 2018 7:43 AM