Microsoft PowerShell content for Meltdown and Spectre - UPDATED to 1.0.4

Web Reports shows TRUE as green, but that doesn’t mean TRUE is good. It entirely depends on what TRUE means for the given property.

This is because the choice was made to report TRUE as meaning that the PowerShell has the suggested action in the output. TRUE means it recommends that action.

In hindsight the true/false values could have been the opposite and that might have been more clear.

Did you run it with the BigFix action? If you run it outside of the BigFix action, then the reporting will not update in the console / Web Reports.

@cstoneba @ResolverBob @jbruns2017

I just updated the fixlet to use v1.0.3 of the PowerShell module:

I didn’t notice any changes that would require updating the analysis.

1 Like

Great work on getting this out to the community - it has been very helpful in our environment. Thanks a TON!

2 Likes

Looks like v1.0.4 of the PowerShell module is now available.

1 Like

Thanks for letting me know!

I see the release notes here: https://www.powershellgallery.com/packages/SpeculationControl/1.0.4

Release Notes

1.0.4

  • Added message directing users to an explanation of output
  • Addressed feedback regarding multiple CPUs when setting $cpu
    • if ($cpu -is [array]) { $cpu = $cpu[0] }

1.0.3

  • Signed files using SHA2 certificate

Glad to know I wasn’t missing something as far as 1.0.3 because it didn’t change the code from 1.0.2 at all. I’ll have to take a closer look at 1.0.4 to see what it changes, but I’m glad it fixes the multiple CPU bug.


One addition to 1.0.4 not mentioned in the release notes is that it is also letting you know if PCID optimizations are available, which doesn’t affect security but if present means the performance impact will be less for the mitigations, which is good to know.

1 Like

I just updated the published Task to version 1.0.4 (link doesn’t change)

Any code present to properly detect Hyper-V or VMware?

I am running 1.0.4

The code comes from Microsoft directly, so it is up to them to fix it. There were some fixes in 1.0.4 but it may not have addressed it for all cases.

How often are you seeing this error with 1.0.4?

You might consider adding a comment to the module on the PowerShell Gallery about this issue.

You could use relevance to exclude VMware VMs from being applicable. Is that what you want to do?

I would think we would want it to work for all physical and virtual machines. Hyper-V and VMware guests have to be cold booted to pick up the changes so we do want this detection tool to work for all types.

The unsupported processor manufacturer was mentioned above in #6 through #10 and was supposedly fixed with 1.0.2

I have roughly 2600 Hyper-V guests in my environment, and not a single Unsupported result after 1.0.4. Here are just a few examples:

Same thing for VMware, with over 2700 guests:

Even prior to 1.0.4, I only had roughly 800 Unsupported results.

1 Like

Are you sure you are running the updated tasks and analysis on GitHub? They should report what version of the tool was run. If you put the task in a baseline, you may have to remove and re-add it.

We’ve had this Report enabled from the start, running the script every day. We’re at the latest PowerShell version.

When we kicked off our patching cycle on Jan 17, we noticed, as expected, that the Windows Update Suggested graph started to change from True to False.

I just looked this morning and it seems it is starting to run backwards.

The last time I looked was on Jan 18 and we had 3,097 endpoints returning False.
Looking now (Jan 26), 2,282 are returning False.

I wanted to ask if anyone else has noticed this behavior.

1 Like

I’ve got 1.0.4 running every 6 hours on everything in our Windows environment with PowerShell 1.0 and higher, and I have not noticed a drop in False results. Day-on-day since yesterday to this morning we’re up roughly 1k endpoints.

Thanks for confirming… I’m fairly certain that many of my users are not uninstalling patches on their own… Hmmm.

1 Like

Is your fixlet relevance for the MS18 OOB patches increasing? You can easily chart it something like this:


If you see an uptick in fixlet relevance for the patches, then something spooky is likely going on…

I hope I did the chart correctly. I did this in Web Reports > Content:

1 Like

Yep, that looks correct. So the fixlet relevance remains false, but for some reason your SpeculationControl script detection is now changing from False to True. That’s odd.

Any other explanation that could explain the drop in numbers? Have you actually seen an equivalent rise in True results? If not, do you have any filters on reporting date or some other property, causing systems to not be included in the overall report and therefore making it seem like the numbers are lower/higher than they actually are?

I can’t think of a reason why the script results would suddenly change without the fixlet relevance for the patches changing similarly.

Yeah… I’m going to have to leave this as a mystery for now. Too much stuff changing this month with all of this Spectre/Meltdown business. :cold_sweat:

1 Like

This is interesting. Thanks for letting us know. I’m not really sure what the deal is, unless MS changed the effect of the patches somehow.

The Spectre/Meltdown stuff is definitely unusual and all over the map in terms of effects and problems.

Have you looked at the raw results of the output of the script on a system that flipped to make sure they are still valid?

It could be that the script is outputting garbage results or that somehow the language of the output has changed dramatically somehow.

1 Like

Ha! I found the problem. You’ll laugh. I forgot that Web Reports swaps colors of the majority. Take a look:

Jan 18

Jan 26

3 Likes