Introduction


There are scenarios where we need to change the registry settings of multiple Windows systems. If the number of servers or workstations is small, you can change them manually. For a large number of systems, however, manually changing registry settings is not feasible and is time consuming.

Moreover, if we need to revert the change, reverting it on a large number of systems will also take time.

In an Active Directory domain environment, this can be easily achieved by leveraging the power of Group Policy. Using Group Policy, we can change the registry settings of a large number of systems within a very short span of time and with minimal effort.

In this article, we will cover a use case where the system administrator needs to change some registry settings in order to combat a sudden malware outbreak.


The Scenario

You are probably aware of a publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks”, which affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.

Microsoft has published an article that describes the actions needed to protect your servers. At a high level, the actions are as follows:

  1. Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.

In this article, we are going to implement step 2: Make necessary configuration changes to enable protection.


Enabling protection on servers

Microsoft suggests the following registry changes to enable or disable the protection.

To enable the Protection


  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

To disable the Protection

  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
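Before pushing the values out, it helps to have a way to read back what a system currently has. The PowerShell function below is an added example (not part of the original article): it reads the two values under the Memory Management key named above and classifies them using the same 0/3 (enable) and 3/3 (disable) semantics as the reg commands. The server names passed to Invoke-Command are placeholders and assume PowerShell remoting is enabled.

```powershell
# Added example: report whether FeatureSettingsOverride / FeatureSettingsOverrideMask
# are present and whether they match the "enable" or "disable" settings above.
function Get-SpeculativeProtectionState {
    [CmdletBinding()]
    param(
        # Key path from the article, in PowerShell registry-provider form
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    )

    # Missing key or values simply yield $null here; no exception is thrown
    $props    = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    $state = if ($null -eq $override -or $null -eq $mask) {
        'NotConfigured'   # values absent: the operating system default applies
    } elseif ($mask -eq 3 -and $override -eq 0) {
        'Enabled'         # matches the "enable the protection" commands
    } elseif ($mask -eq 3 -and $override -eq 3) {
        'Disabled'        # matches the "disable the protection" commands
    } else {
        'Other'           # some other combination; inspect manually
    }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        State                       = $state
    }
}

# Local check
Get-SpeculativeProtectionState

# Same check across several servers (placeholder names; requires WinRM/PowerShell remoting)
$servers = 'SERVER01', 'SERVER02'
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-SpeculativeProtectionState} |
    Select-Object PSComputerName, FeatureSettingsOverride, FeatureSettingsOverrideMask, State |
    Format-Table -AutoSize
```

Run the remote variant once before the GPO is linked to capture a baseline, and again after GPUPDATE; the difference between the two runs is exactly the set of machines the policy reached. Note that the registry values only tell you what the OS was asked to do; they say nothing about whether the firmware update from step 3 of Microsoft's guidance has been applied.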

However, how can we create or update these registry values quickly on hundreds (or probably thousands) of servers in our environment?

The answer is Group Policy!

Warning: Before implementing this policy for the first time, back up your registry and test with a small number of systems.


Use Group Policy to Create/Update Registry Values

1. Create a new group policy

Example name: Test Registry Edit.

Note: DO NOT link the group Policy at this time.

2. Create registry item

Navigate to Computer Configuration > Preferences > Windows Settings > Registry. 

Create a new Registry Item.

 

3. Locate the key path for memory management

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

 

4. Create the two registry items

First registry item:

Action: Create

Hive: HKEY_LOCAL_MACHINE

Key Path: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

Value Name: FeatureSettingsOverride

Value Type: REG_DWORD

Value Data: 0

Second registry item (same Action, Hive and Key Path):

Value Name: FeatureSettingsOverrideMask

Value Type: REG_DWORD

Value Data: 3

Item-level targeting can also be enabled here, based on your requirements.

 

We have now created the two registry values in the GPO.

 

5. Link the GPO to appropriate OUs

Note: Since registry changes are involved, test with a small number of non-critical systems before linking the GPO to a large number of systems or to critical servers. Always take a phased approach to Group Policy deployment so that any adverse impact is minimized.

For information on Group Policy linking, filtering and permissions, please see my other article:
Group Policy: Filtering and Permission

Link the GPO to the appropriate OUs, run GPUPDATE, and the keys should appear in the registry.

Also validate that the keys do not appear on systems you have excluded using security filtering, item-level targeting or any other method.
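The same five steps can be scripted, which is useful when the GPO has to be rebuilt in several domains or documented as code. The script below is an added example, not the article's own steps: it uses the GroupPolicy module (available on a domain controller or with RSAT installed). Set-GPRegistryValue writes a registry policy setting into the GPO rather than a Preferences > Registry item, so it is a different delivery mechanism from the one shown in the steps above, but it lands the same two values on the target computers. The GPO name, GPO comment and the pilot OU distinguished name are assumptions; replace them with your own.

```powershell
# Added example: create the GPO unlinked, populate the two DWORD values,
# review its contents, and only then link it to a small pilot OU.
Import-Module GroupPolicy

$GpoName = 'Test Registry Edit'                                     # name from the article
$Key     = 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Registry values from the article: 0/3 enables the protection, 3/3 disables it.
$Values = @{
    FeatureSettingsOverride     = 0
    FeatureSettingsOverrideMask = 3
}

# Step 1: create the GPO if it does not already exist. It is NOT linked yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Speculative execution protection registry values'
}

# Steps 2-4: put both DWORD values into the Computer Configuration side of the GPO.
foreach ($name in $Values.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name `
        -Type DWord -Value $Values[$name] | Out-Null
}

# Review what the GPO now carries before linking anything.
Get-GPRegistryValue -Name $GpoName -Key $Key |
    Select-Object ValueName, Type, Value |
    Format-Table -AutoSize

# Step 5: link to a small pilot OU first (placeholder DN), widen the scope later.
$PilotOU = 'OU=Pilot Servers,DC=example,DC=com'
New-GPLink -Name $GpoName -Target $PilotOU -LinkEnabled Yes | Out-Null

# On a pilot computer, refresh policy and confirm the values arrived:
#   gpupdate /force
#   Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' |
#       Select-Object FeatureSettingsOverride, FeatureSettingsOverrideMask
```

One caveat that matters for the "revert" concern raised in the introduction: neither a registry policy value written this way nor a Preferences item with the Create or Update action is removed from the target when the GPO is later unlinked; the values stay behind. If you need an easy rollback, either plan a second GPO that deploys the "disable" values (FeatureSettingsOverride 3, FeatureSettingsOverrideMask 3), or, when using the Preferences item from the steps above, tick "Remove this item when it is no longer applied" on its Common tab before the first link.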

 


Summary

In this article, we have discussed how to change the registry settings of multiple systems with the help of Group Policy.

We have discussed this in the context of the speculative execution vulnerabilities affecting Intel chipsets, but you can use the same method for any other registry change.