To add to the advice @AlanM provides, there is actually a lot that needs to happen to secure a system against the Meltdown and Spectre families of speculative execution vulnerabilities. There is some good guidance on the Microsoft side at https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
So you have a third-party scanner saying your system is vulnerable. It probably is correct.
Full remediation (at least, as full as what’s available now) requires steps as detailed in the referenced MS KB article:
1) Apply updated BIOS firmware
2) Apply OS patch(es)
3) Enable the functionality of the OS patches (which, by default, is disabled for Windows Server but enabled for Windows Client operating systems).
If this is on a virtual machine, there are a couple of additional steps to take. I’ve only researched VMware, but there’s probably something similar for Hyper-V or others.
4) Apply updated BIOS firmware on the host machine
5) Update the ESXi hypervisor to the version released November 2017 at minimum (there may be newer ones now; it’s been a while since I looked)
6) Apply VMware Hardware Compatibility level 11 (ESXi 6.5) or higher to each virtual machine
Items 4-6 basically update the firmware of a virtual machine, I’ll ignore that for now.
The PowerShell script hosted in the Microsoft Gallery checks all three items - BIOS updated, patches applied, and mitigations enabled in the registry. Your third-party scanning tool may be doing the same.
The first thing is to check whether the patches have actually been applied. As Alan says, the patches were coded to not install, and BigFix made them not be relevant, until your antivirus product indicates it is compatible with the patch. This is because the first deployment of the Spectre patches blue-screened a lot of Microsoft’s customers due to antivirus issues. Check whether your machine has applied any of the Microsoft rollup patches since March 2018. If so, you have the patches.
Next, check whether the mitigations are enabled in the registry. You can manually check the keys listed in the KB article. Microsoft does not recommend enabling the mitigations on Server operating systems, and I don’t think BigFix has provided content to enable the mitigations on Server. I think there is content for that over on bigfix.me, or, once you determine you want/need the registry updates on Server, post back here and we can help you write it. (I really think this should have been made available in the default Patches for Windows content, maybe as a Task with some specific warnings.)
Third check is whether your system BIOS is updated to a version that actually provides the new microcode instructions that the mitigations are leveraging. For a certain set of chipsets and on the latest builds of Windows 10, Microsoft is delivering microcode updates on-the-fly. For the broadest compatibility, you’d need to flash the system firmware yourself.
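The three read-only checks described in the post, as an added example (not the poster's script and not Microsoft's Gallery script). It assumes the FeatureSettingsOverride and FeatureSettingsOverrideMask values under the Memory Management key, as documented in the linked KB article, and uses the post's "any rollup since March 2018" rule of thumb for the patch check.

```powershell
# Added example: report registry mitigation state, recent patches and BIOS version.
# Value names and meanings follow KB4072698; nothing here changes the system.
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$props = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
$override = $props.FeatureSettingsOverride
$mask     = $props.FeatureSettingsOverrideMask

if ($null -eq $override -or $null -eq $mask) {
    # On Windows Server the values are absent by default: patches installed, mitigations NOT enabled.
    Write-Output "Registry: FeatureSettingsOverride/Mask not set -> mitigations disabled (Server default)"
} elseif (($override -band 3) -eq 0 -and ($mask -band 3) -eq 3) {
    Write-Output "Registry: mitigations explicitly enabled (Override=$override, Mask=$mask)"
} elseif (($override -band 3) -eq 3 -and ($mask -band 3) -eq 3) {
    Write-Output "Registry: mitigations explicitly disabled (Override=$override, Mask=$mask)"
} else {
    Write-Output "Registry: non-standard combination (Override=$override, Mask=$mask); compare with the KB table"
}

# Patch check: any update installed since March 2018 means the AV compatibility block was lifted.
$cutoff = Get-Date -Year 2018 -Month 3 -Day 1
$recent = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $cutoff } | Sort-Object InstalledOn -Descending)
if ($recent.Count -gt 0) {
    Write-Output ("Patches: {0} update(s) since {1:yyyy-MM-dd}; newest {2} on {3:yyyy-MM-dd}" -f
        $recent.Count, $cutoff, $recent[0].HotFixID, $recent[0].InstalledOn)
} else {
    Write-Output "Patches: nothing installed since March 2018 -> rollups are probably still held back"
}

# Firmware check: the script cannot know which vendor version carries the new microcode,
# so it prints what is installed for comparison with the vendor's release notes.
$bios = Get-CimInstance -ClassName Win32_BIOS
Write-Output ("BIOS: {0} version {1}, released {2:yyyy-MM-dd}" -f
    $bios.Manufacturer, $bios.SMBIOSBIOSVersion, $bios.ReleaseDate)
```

On a virtual machine the BIOS line reflects the virtual firmware, so items 4-6 above still have to be verified on the host.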