IBM BigFix Patch: Content Released: Patches for Windows published 2018-01-05

Content in the Patches for Windows site has been modified:

New Fixlets:

[Major] 4072698: Disable mitigations to help protect against speculative execution side-channel vulnerabilities - Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 / Windows Server 2012 R2 / Windows 2016 (ID: 407269803)
[Major] 4072698: Enable mitigations to help protect against speculative execution side-channel vulnerabilities - Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 / Windows Server 2012 R2 / Windows 2016 (ID: 407269801)

Reason for Update:

BigFix provides Fixlets to assist users to manage mitigations as stated in https://support.microsoft.com/kb/4072698 .

Actions to Take:

None

Published site version:

Patches for Windows, version 2901.

Additional links:

None

Application Engineering Team
IBM BigFix

Is anyone else seeing issues with having either of these jobs relevant? I went to take a look and neither job is showing relevant. I ran qna and everything came back true. Just wondering if others are seeing this?


You are not alone. :slight_smile: I have a note out to dev about it and it is being looked into.

We just released a fix.

Thanks, just checked and the Enable job is now slowly starting to show relevant.


The TechNet article cited at the top of the thread (KB4072698: Windows Server and Azure Stack HCI guidance to protect against silicon-based microarchitectural and speculative execution side-channel vulnerabilities - Microsoft Support) shows 3 registry keys to be added. “reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f” appears to be missing from the Enable Mitigations fixlet.


That was added by Microsoft recently to that page. Things are evolving rapidly. The discussion is mostly here: January Intel Meltdown Patches

I think that setting may only be applicable if the host machine is running Hyper-V, so I think it doesn’t need to be applied otherwise. I haven’t tested this at all: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Enable%20Meltdown%20Mitigations%20-%20MinVmVersionForCpuBasedMitigations%20-%20Windows.bes
