FYI, a Baseline with ConfigItems has been created to assist us ConfigMgr admins with some of the items that are detectable.

https://blogs.technet.microsoft.com/configmgr_geek_speak/2018/01/09/configmgr-speculation-control-baseline-ftw/

That, plus this: https://blogs.technet.microsoft.com/configurationmgr/2018/01/08/additional-guidance-to-mitigate-speculative-execution-side-channel-vulnerabilities/ and I think I'm STARTING to wrap my head around what needs to be done. Maybe. After I have more coffee.

On Tue, Jan 9, 2018 at 9:59 AM, Kent, Mark <[email protected]> wrote:

> Yeah I see them at the bottom of https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
>
> And they don’t really say what they are for.
>
> Keep refreshing the page, wait for an edit :)
>
> Mark Kent
> Manager, Client Systems Engineering
> Technology Support Services
> Resources for Information, Technology and Education (RITE)
> http://rite.buffalostate.edu
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* SCCM FUN
> *Sent:* Tuesday, January 9, 2018 10:02 AM
> *To:* [email protected]
> *Subject:* [mssms] Confused - Spectre / Meltdown
>
> Can anyone confirm the following?
>
> Workstation/Servers - both need the AV key in order to do any patching going forward
>
> Workstation
>
> At one point in the MS article for workstation patching (4073119) I could have sworn there wasn't anything about having to make registry settings (except for AV) but now it looks like they added 2 registry keys. Were these 2 reg keys always in the KB/needed?
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
>
> Server
>
> 3 reg keys need to be added for the server patch to take effect. Are you enabling this on all your servers or just the 3 use cases they list in their article (4072698)?
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
>
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
>
> Thanks

--
Thank you,

Sherry Kissinger

My Parameters: Standardize. Simplify. Automate
Blog: http://mnscug.org/blogs/sherry-kissinger
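
The registry values quoted in the thread can be audited per machine before deciding where to set them. The script below is an added example, not part of the original thread and not the ConfigMgr baseline linked above: it reads the three values from the quoted `reg add` commands and reports whether each one matches. The helper name `Test-MitigationRegistryValue`, the workstation/server split (taken from the poster's description, not verified here) and the output format are assumptions.

```powershell
# Added example: read-only audit of the registry values quoted in the thread.
# Test-MitigationRegistryValue is a hypothetical helper name; nothing is modified.

$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# Expected data copied from the reg add commands in the thread.
# Scope follows the poster's grouping (2 values for workstations, 3 for servers).
$expected = @(
    @{ Path = $mm;   Name = 'FeatureSettingsOverride';            Value = 0;     Scope = 'All' }
    @{ Path = $mm;   Name = 'FeatureSettingsOverrideMask';        Value = 3;     Scope = 'All' }
    @{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Value = '1.0'; Scope = 'Server' }
)

function Test-MitigationRegistryValue {
    param([string]$Path, [string]$Name, $Value, [string]$Scope)

    # A missing key or value is an expected outcome, so suppress the error
    # and report it as "not set" instead of failing the whole audit.
    $item   = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$Name } else { $null }

    [pscustomobject]@{
        Name      = $Name
        Scope     = $Scope
        Expected  = $Value
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        # Compare as strings so REG_DWORD 0 and REG_SZ "1.0" use the same test.
        Compliant = ($null -ne $actual) -and ("$actual" -eq "$Value")
    }
}

# ProductType 1 is a workstation; 2 and 3 are domain controller and server.
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
$checks   = $expected | Where-Object { $isServer -or $_.Scope -ne 'Server' }

$results = foreach ($c in $checks) { Test-MitigationRegistryValue @c }
$results | Format-Table -AutoSize

# One-word summary, the shape a compliance rule would evaluate.
if ($results.Compliant -contains $false) { 'NonCompliant' } else { 'Compliant' }
```

When used as a configuration item discovery script, drop the `Format-Table` line so that only the final one-word result is returned.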

