Need some help with a relevance

We are starting to see the Spectre/Meltdown Variant 4 on our WIZ/QUALYS reporting. I have exported the correct settings from a server not on the naughty list, which are below. Microsoft are now saying that we need these three registry settings. I believe I am making this way too complicated. I might need to create the task from the start and not use exported registry keys.

  • \HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettings
    DWORD: 0x00000001

  • \HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverride
    DWORD: 0x00002048

  • \HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverrideMask
    DWORD: 0x00000003

I have the task created but I want to only show the servers that are relevant to have these settings. I have seen some that have the first two but not the third, I have seen servers with only the first entry, and I have seen servers with all of these entries. I could wait until the servers come up on the report and change them because I will have their DNS names. I would prefer to be more proactive.

My Relevance statements are:

  1. (name of operating system = "Win2019" OR name of operating system = "Win2022") AND (TRUE)
  2. not exists value "FeatureSettings" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry
  3. not exists value "FeatureSettingsOverride" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry
  4. not exists value "FeatureSettingsOverrideMask" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry

What I need to do is find out what entries are in the Registry. If one is true but the others come back as false it still needs to be applied just not all of the settings.

I am hoping I am explaining this properly
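
The per-value check described in the post above, as an added PowerShell example (not the poster's task and not BigFix Relevance): it reports each of the three values as OK, Missing or Mismatch, taking the values quoted in the post as the expected ones. The function names and the sample states are constructed for illustration.

```powershell
# Expected values are the three quoted in the post above.
$Expected = [ordered]@{
    FeatureSettings             = 0x00000001
    FeatureSettingsOverride     = 0x00002048
    FeatureSettingsOverrideMask = 0x00000003
}
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Hypothetical helper: compare a name->value table against $Expected, one row per value.
function Compare-MitigationValues {
    param([hashtable]$Actual)
    foreach ($name in $Expected.Keys) {
        $present = $Actual.ContainsKey($name)
        $state = 'OK'
        if (-not $present) { $state = 'Missing' }
        elseif ($Actual[$name] -ne $Expected[$name]) { $state = 'Mismatch' }
        $shown = $null
        if ($present) { $shown = '0x{0:X8}' -f $Actual[$name] }
        [pscustomobject]@{
            Name     = $name
            State    = $state
            Actual   = $shown
            Expected = '0x{0:X8}' -f $Expected[$name]
        }
    }
}

# Hypothetical helper: read whichever of the three values exist on the local machine.
function Get-LiveMitigationValues {
    $found = @{}
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        if ($props -and $props.PSObject.Properties[$name]) { $found[$name] = $props.$name }
    }
    $found
}

# Constructed sample states mirroring the mixes described in the thread.
$samples = [ordered]@{
    'all three set'     = @{ FeatureSettings = 1; FeatureSettingsOverride = 0x2048; FeatureSettingsOverrideMask = 3 }
    'first two only'    = @{ FeatureSettings = 1; FeatureSettingsOverride = 0x2048 }
    'first value only'  = @{ FeatureSettings = 1 }
    'override set to 0' = @{ FeatureSettings = 1; FeatureSettingsOverride = 0; FeatureSettingsOverrideMask = 3 }
}
foreach ($label in $samples.Keys) {
    "--- $label (constructed sample)"
    Compare-MitigationValues -Actual $samples[$label] | Format-Table -AutoSize | Out-String
}
```

On a server, `Compare-MitigationValues -Actual (Get-LiveMitigationValues)` gives the same report for the live registry; a server is relevant for the task when any row is not OK.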

Are these fixlets in the ‘Patches for Windows’ site giving incorrect results? Is there something we should add?

407269801 4072698: Enable mitigations to help protect against speculative execution side-channel vulnerabilities CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) - Windows Server 2008 / 2008 R2 / 2012 / 2012 R2 / Windows 2016/ Windows 2019 Unspecified Patches for Windows Security Advisory Microsoft KB4072698 1/4/2018
407269809 4072698: Enable mitigations for additional protection against speculative execution side-channel vulnerabilities CVE-2017-5715 (Spectre Variant 2) for AMD Processors - Windows Server Operating Systems Unspecified Patches for Windows Security Advisory Microsoft KB4072698 1/4/2018
407269817 4072698: Enable mitigations for speculative execution side-channel vulnerabilities CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) and (CVE-2022-21123, 21125, 21127, 21166) - Windows Server Operating Systems Unspecified Patches for Windows Security Advisory Microsoft KB4072698 1/4/2018

One potential issue relates to the Registry Value \HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettings as the current Fixlets make no reference to this one.

I didn’t realize that I had the latter one, and I should not take the others at their word. It turns out that only 7 of the servers in the list were still in an open state.
But another question: the setting “FeatureSettingsOverride” is being set to dword=0 rather than dword=2048. Are these one and the same or different settings? If different, then I will just need to adjust the action script copy.