January Intel Meltdown Patches

So on a 1703 Win10 workstation Symantec appears to be writing the “QualityCompat” into the standard registry and not Wow6432Node. So on the relevance for all of the related KB4056891 fixlets the last relevance clause

exists value "cadca5fe-87d3-4b96-b7fb-a231484277cc" whose (it as integer = 0) of keys "QualityCompat" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" of registry

returns false, but if this is changed to "native registry" it works correctly.

Though I’m not sure if that was simply an accident or if Symantec should be writing it out to both locations or if this was an oversight in the rush to get these fixlets into production. Hopefully this helps.

Which fixlets are you talking about? So far I only see the IE cumulative updates, not the Windows server updates, in BigFix. Also, is this thread really the place we’re all waiting for info from IBM in? I know it’s a complex issue, but there’s been complete radio silence from IBM on this. I’m not even seeing anything on the main IBM site.

I’m referring to the server updates such as:
MS18-JAN_ Security Only Quality Update - Security Only - Windows Server 2012 R2 - KB4056898 (x64)

As I run alternative protection (not mainstream AV) on most of my servers, the QualityCompat reg key was missing altogether. Initially I set it, but the fixlets still weren't relevant. To make them relevant, I either had to change to 'native registry' as @Shannon mentioned or set the Wow6432Node version of the AV reg key. Once relevant, the installs ran fine on 2008 R2 and 2012 R2.

I’m still having issues specifically on non-internet connected Win 10 1607 LTSB clients. The Trusted Installer keeps complaining about lack of access to the Windows Update Cloud.

Ah, I thought the fixlet hadn’t come out, and it turns out it’s a relevance issue. So, I guess I need to troubleshoot why none of these updates are relevant in our environment.

Edit: Ah, I didn’t realize the fixlet relevance required the QualityCompat regkey. In case anyone else is on McAfee like us, it looks like you’ll have to set the regkey manually. According to their KB, they are “evaluating automated mechanisms to deploy this registry key and will update the KB as testing concludes and such a mechanism is available.”

https://kc.mcafee.com/corporate/index?page=content&id=KB90167

Well that’s helpful.
Symantec did it in a definitions update, I think most of the other AV vendors are probably doing something similar.


There is an update to the Patches for Windows site now (v2903), which we will have a formal announcement on, but it has the QualityCompat detection updated.


The KB405689* fixlets are not showing relevant for 99% of our Windows servers (the long relevance statement is FALSE), but I'd expect it to be TRUE. Anyone else see this and know why? It'd be difficult to try and dissect that relevance statement to find the particular cause of FALSE.

KB4072698: Windows Server and Azure Stack HCI guidance to protect against silicon-based microarchitectural and speculative execution side-channel vulnerabilities - Microsoft Support now lists 3 registry values. Will the fixlets be updated to account for these 2 new values?

To enable the fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host: fully shut down all virtual machines.

Restart the server for the changes to take effect.

See fixlets 3433501 & 3433502

I don’t see any fixlets with those IDs. Patches for Windows site version = 2,904


Those 3 registry values are not required for the fixlets to become relevant; they are only required to enhance the mitigations that the patches provide. 1 is available already for 2 of those settings. I'm not sure if the new setting is available yet.

I did make one here, though I think this only applies to a Hyper-V host: bigfix-content/fixlet/Enable Meltdown Mitigations - MinVmVersionForCpuBasedMitigations - Windows.bes at 655b83d5d4c21dfe7594335faf9b9a728fdf5d6d · jgstew/bigfix-content · GitHub

This could be because of the QualityCompat reg key. If it is missing, which it will be if you have no AV installed, then the fixlets are not relevant on purpose because these updates cause bluescreens on systems with incompatible AV. You must set this key yourself if you know there is no AV installed at all, and you must be very careful if you do have AV installed and it is not compatible. You may need to update or replace your AV before installing these fixes.

It’s not the QualityCompat key.

We used fixlet debugger on all entries and the relevance that is dying is the mile long one.

We manually set the QualityCompat key since our A/V has not given a good response yet.


Hint. Update fixlet debugger to highlight what is causing the false return when you have mile long relevancies.


If the OS is x64, be sure to set the Wow6432Node version of the QualityCompat key. Then the fixlets should become relevant.
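A read-only check for the two things this thread keeps coming back to, the QualityCompat marker in both registry views and the KB4072698 mitigation values. This is an added example, not code from the thread or from BigFix; it assumes 64-bit Windows and a 64-bit PowerShell session (a 32-bit session would see Wow6432Node as its native view).

```powershell
# Added example (not from the thread): read-only check of the registry
# values this thread discusses. Assumes 64-bit Windows and a 64-bit
# PowerShell session (a 32-bit session would see Wow6432Node as native).

# AV-compatibility marker value name from KB4072698 / the fixlet relevance
$CompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatStatus {
    $views = [ordered]@{
        'Native (64-bit)' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
        'Wow6432Node'     = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\QualityCompat'
    }
    foreach ($view in $views.Keys) {
        $path = $views[$view]
        $data = $null
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $CompatValue -ErrorAction SilentlyContinue
            if ($null -ne $item) { $data = $item.$CompatValue }
        }
        [pscustomobject]@{
            View    = $view
            Present = ($null -ne $data)
            Data    = $data
            # The fixlet clause quoted in the thread needs the value to exist and be 0
            Matches = ($null -ne $data -and [int]$data -eq 0)
        }
    }
}

function Get-MitigationSettings {
    $mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    $m = Get-ItemProperty -Path $mm   -ErrorAction SilentlyContinue
    $v = Get-ItemProperty -Path $virt -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureSettingsOverride            = $m.FeatureSettingsOverride
        FeatureSettingsOverrideMask        = $m.FeatureSettingsOverrideMask
        MinVmVersionForCpuBasedMitigations = $v.MinVmVersionForCpuBasedMitigations
        # "To enable the fix" values from KB4072698 as quoted in the thread
        EnabledPerKb4072698 = ($m.FeatureSettingsOverride -eq 0 -and
                               $m.FeatureSettingsOverrideMask -eq 3 -and
                               $v.MinVmVersionForCpuBasedMitigations -eq '1.0')
    }
}

Get-QualityCompatStatus | Format-Table -AutoSize
Get-MitigationSettings  | Format-List
```

If only one of the two QualityCompat rows shows Matches = True, that is the native-versus-Wow6432Node mismatch described above; nothing here writes to the registry.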

The updated fixlets should not require the key be set in that location anymore.

You may need to open a PMR about this so it can be investigated.

I'll have to open a PMR. Nearly all of our servers are not showing relevant for the Meltdown fixlets (i.e. MS18-JAN: Security Only Quality Update - Security Only - Windows Server 2012 R2 - KB4056898 (x64)). All relevances are TRUE except for the massive rel #6.


That is the hardest one to address as well.

FYI: The BigFix content to run Microsoft's PowerShell module for getting the status of Windows in regards to these patches and mitigations has been updated and published:

Microsoft released an updated version of the PowerShell module.

Anyone having problems with BigFix components after patching? Just saw this and became more curious: BigFix Agent disappears after KB4056892

Heads-Up!
