This new year brings a new challenge for us SCCM administrators. The Speculation Control vulnerability (aka Spectre and Meltdown) affects many modern processors and operating systems and is considered critical to patch. The first challenge is to monitor who is vulnerable in your organization. The second one is to understand this beast and to remediate it. The important thing to know here is that a machine needs more than only a Windows OS patch to be compliant: there are also hardware-level firmware updates to apply. This blog post will focus on the monitoring part, so you can show your management whether you're compliant or not.
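To make the "OS patch alone is not enough" point concrete, here is a Configuration Item discovery script that reports the OS layer and the firmware layer separately. This is an added example written for this post, not the Microsoft script shipped in the CAB file; it assumes the SpeculationControl module from the PowerShell Gallery is installed on the client and that the SCCM client's PowerShell execution policy setting allows it to run. The function name `Get-SpectreMeltdownLayerStatus` is ours.

```powershell
# Added example written for this post, not the Microsoft script from the CAB file.
# CI discovery script that reports the OS layer and the firmware layer separately.
# Assumptions: the SpeculationControl module from the PowerShell Gallery is
# installed (Install-Module SpeculationControl), and the SCCM client setting
# "PowerShell execution policy" (Computer Agent) is Bypass or the script is signed.
Import-Module SpeculationControl -ErrorAction Stop

function Get-SpectreMeltdownLayerStatus {
    # -Quiet keeps the module from writing its coloured summary to the host,
    # so only the settings object comes back (switch present in recent module versions)
    $s = Get-SpeculationControlSettings -Quiet

    # CVE-2017-5715 (branch target injection, Spectre variant 2) needs all three:
    # firmware/microcode support, Windows support present, Windows support enabled.
    $btiFirmware = $s.BTIHardwarePresent -eq $true
    $btiOs       = ($s.BTIWindowsSupportPresent -eq $true) -and ($s.BTIWindowsSupportEnabled -eq $true)

    # CVE-2017-5754 (rogue data cache load, Meltdown) is fixed in the OS alone
    # (kernel VA shadowing); CPUs that are not affected report KVAShadowRequired = False.
    $kvaOs = if ($s.KVAShadowRequired -eq $true) {
        ($s.KVAShadowWindowsSupportPresent -eq $true) -and ($s.KVAShadowWindowsSupportEnabled -eq $true)
    } else { $true }

    [pscustomobject]@{
        'CVE-2017-5715 firmware' = $btiFirmware
        'CVE-2017-5715 OS'       = $btiOs
        'CVE-2017-5754 OS'       = $kvaOs
        Compliant                = $btiFirmware -and $btiOs -and $kvaOs
    }
}

$status  = Get-SpectreMeltdownLayerStatus
$missing = $status.PSObject.Properties |
           Where-Object { $_.Name -ne 'Compliant' -and -not $_.Value } |
           ForEach-Object Name

# A discovery script returns one value that the CI compliance rule compares
# against; the matching rule is "value returned equals Compliant". Non-compliant
# output names the missing layer(s), so the reason is visible in the evaluation report.
if ($status.Compliant) { 'Compliant' } else { "Non-Compliant (missing: $($missing -join ', '))" }
```

A machine with only the Windows update applied returns `Non-Compliant (missing: CVE-2017-5715 firmware)`, which is exactly the partial state described later in this post: the OS mitigation is present and enabled, but the CPU microcode from the BIOS/UEFI update is not.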

We've also included a free report to download in order to track your Spectre and Meltdown compliance level. You can jump to the end of this post if you want to download it and skip the reading.

SCCM Spectre Meltdown Configuration Baseline Creation

Luckily for us, Microsoft PFE Ken Wygant has done the dirty work for us and did an incredible job turning a detection PowerShell script into a ready-to-import SCCM Configuration Item and Baseline. He wrote a pretty good blog post explaining the work, and we'll use his CAB file to show you the step-by-step process to use it in your organization.

  • The first step is to download the CAB file.
  • [Edit 01/15] Microsoft has released a new Configuration Baseline, available on the TechNet Gallery. The new CAB file creates only 2 CIs instead of 8, but the blog post is still relevant.

  • In the SCCM Console, go to Assets and Compliance / Compliance Settings / Configuration Items
  • Right-click and select Import Configuration Data

  • In the Import Configuration Data Wizard, click on Add

  • On the security warning, click Yes

  • The Configuration Baseline appears in the file window, click Next

  • Review the Summary, click Next and complete the wizard

  • Back in the Configuration Items pane, the 8 CIs are created

  • In the Configuration Baselines pane, the Baseline is created. This baseline contains the 8 CIs and is ready to be deployed

SCCM Spectre Meltdown Configuration Baseline Deployment

We will now deploy the Configuration Baseline to a test collection in order to validate it.

  • In the SCCM Console, go to Assets and Compliance / Compliance Settings / Configuration Baseline
  • Right-Click the ADV180002 – Speculative Execution Side-channel Vulnerabilities Baseline and select Deploy

  • Select the collection that contains your test machines by clicking Browse, select your compliance evaluation schedule and click OK

SCCM Spectre Meltdown Workstation Validation

On a machine that receives the configuration baseline:

  • In Control Panel, open the Configuration Manager Properties application
  • Initiate a Machine Policy Retrieval & Evaluation Cycle to receive the baseline

  • In the Configuration tab, click Refresh until the baseline appears

  • Once the baseline is available, select the ADV180002 Baseline, click Evaluate and wait a couple of minutes

  • Once the Last Evaluation Date gets populated, click View Report
  • Your browser will open the report showing the compliance state of this machine. In our screenshot, my machine is compliant in 4 out of 8 CIs. This is because I've applied the Windows 10 OS patches but the hardware level (firmware) has not been patched

  • In the SCCM console, the compliance statistics will begin to populate. This confirms that your deployment is working.
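The same validation steps can be driven from an elevated PowerShell prompt on the test machine, which is handy when you need to re-check several machines. The script below is an added example for this post, not code from the original article or from Microsoft; it uses the SCCM client's own WMI classes (`SMS_Client` in `root\ccm` and `SMS_DesiredConfiguration` in `root\ccm\dcm`). The baseline display-name pattern `ADV180002*` and the `Wait-CMBaseline` helper are ours; adjust the pattern if your imported baseline is named differently.

```powershell
# Added example (not from the original post): the Configuration Manager Properties
# steps above, driven from an elevated PowerShell prompt on the test machine.
# The display-name pattern is an assumption; match it to the baseline you imported.
$BaselineName = 'ADV180002*'

function Wait-CMBaseline {
    # Poll the client's DCM store until the baseline policy has arrived
    # (the equivalent of clicking Refresh in the Configurations tab)
    param([string]$DisplayName, [int]$TimeoutSeconds = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $b = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration |
             Where-Object DisplayName -like $DisplayName
        if ($b) { return $b }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $null
}

# 1. Machine Policy Retrieval & Evaluation Cycle (schedule ID ...021)
Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName TriggerSchedule `
    -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null

# 2. Wait for the baseline to show up
$baseline = Wait-CMBaseline -DisplayName $BaselineName
if (-not $baseline) { throw "Baseline '$BaselineName' not received yet; check the deployment collection." }

# 3. Evaluate: TriggerEvaluation is a static method of SMS_DesiredConfiguration
$before = $baseline.LastEvalTime
Invoke-CimMethod -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration -MethodName TriggerEvaluation `
    -Arguments @{ Name = $baseline.Name; Version = $baseline.Version;
                  PolicyType = $baseline.PolicyType; IsEnforced = $baseline.IsEnforced } | Out-Null

# 4. Wait for "Last Evaluation Date" to move, then read the result
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $baseline = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration |
                Where-Object DisplayName -like $BaselineName
} while ($baseline.LastEvalTime -eq $before -and (Get-Date) -lt $deadline)

# LastComplianceStatus: 1 = Compliant, 0 = Non-Compliant. Any other code means the
# evaluation has not finished or failed; the error code is then visible under
# Monitoring / Deployments in the console.
$state = switch ($baseline.LastComplianceStatus) {
    1       { 'Compliant' }
    0       { 'Non-Compliant' }
    default { "Not evaluated or error (code $_)" }
}
[pscustomobject]@{
    Baseline     = $baseline.DisplayName
    Version      = $baseline.Version
    LastEvalTime = $baseline.LastEvalTime
    State        = $state
}
```

On the machine from the screenshot above this returns `Non-Compliant`, because the baseline is only compliant when every CI in it is, and the firmware-level CIs are still failing.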

SCCM Spectre Meltdown Configuration Baseline Report

The console statistics are basic and don't tell you which machines are compliant or not. We've created a simple report that lists the machines and their compliance state. This report will ask which Baseline to show; just select the baseline created in this blog post to see your Spectre / Meltdown statistics.

You can download this free report by visiting our product page. The Asset – Compliance State report is available in the Report / Asset Section.
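If you would rather pull the per-machine list straight from the site database (for example to feed a dashboard), the query below returns the same kind of data the report shows. This is an added example, not the System Center Dudes report itself; it assumes the SqlServer PowerShell module (`Invoke-Sqlcmd`) and read access to the site database, and the server name `SQLSERVER01` and database `CM_P01` are placeholders for your own environment. The view names are the standard SCCM reporting views; the compliance state codes 1 (Compliant) and 2 (Non-Compliant) are the ones the built-in reports use, and any other code is shown as-is rather than guessed at.

```powershell
# Added example (not the System Center Dudes report): list every device and its
# compliance state for one baseline, directly from the site database.
# Assumptions: SqlServer module installed (Install-Module SqlServer), read access to
# the site DB; server and database names below are placeholders.
$SqlServer    = 'SQLSERVER01'   # placeholder
$Database     = 'CM_P01'        # placeholder: CM_<SiteCode>
$BaselineLike = 'ADV180002%'    # SQL LIKE pattern for the baseline display name

# Single-quoted here-string so that $(Baseline) is left for sqlcmd variable
# substitution instead of being expanded by PowerShell.
$query = @'
SELECT  sys.Name0                        AS Device,
        loc.DisplayName                  AS Baseline,
        CASE ccs.ComplianceState
             WHEN 1 THEN 'Compliant'
             WHEN 2 THEN 'Non-Compliant'
             ELSE 'Other (' + CAST(ccs.ComplianceState AS varchar(3)) + ')'
        END                              AS State,
        ccs.LastComplianceMessageTime    AS LastReported
FROM    v_CICurrentComplianceStatus ccs
JOIN    v_ConfigurationItems ci
        ON ci.CI_ID = ccs.CI_ID AND ci.CIType_ID = 2          -- 2 = configuration baseline
JOIN    v_LocalizedCIProperties_SiteLoc loc
        ON loc.CI_ID = ci.CI_ID
JOIN    v_R_System sys
        ON sys.ResourceID = ccs.ResourceID
WHERE   loc.DisplayName LIKE '$(Baseline)'
ORDER BY State, sys.Name0
'@

function Get-BaselineComplianceReport {
    param([string]$Server, [string]$Db, [string]$Pattern)
    $rows = Invoke-Sqlcmd -ServerInstance $Server -Database $Db -Query $query `
                          -Variable "Baseline=$Pattern"
    # Per-state totals, the number management usually asks for first
    $summary = $rows | Group-Object State | Select-Object Name, Count
    [pscustomobject]@{ Summary = $summary; Devices = $rows }
}

$report = Get-BaselineComplianceReport -Server $SqlServer -Db $Database -Pattern $BaselineLike
$report.Summary | Format-Table -AutoSize
$report.Devices | Where-Object State -ne 'Compliant' | Format-Table Device, State, LastReported -AutoSize
```

Devices that have never reported a state for the baseline do not appear at all, since `v_CICurrentComplianceStatus` only holds machines that have evaluated it; compare the device count against the deployment collection to catch clients that have not received or run the baseline yet.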

Comments (35)

Alan Yousif

05.21.2019 AT 09:03 AM
Will This be updated for ADV190013

Nate Bishop

02.13.2019 AT 04:07 PM
How do I set the configuration baseline to auto remediate any systems that report back in as non compliant?

hashmat

02.01.2019 AT 01:50 PM
can you guide how to enable remediation for this issue ?

daryl

06.06.2018 AT 02:46 PM
Followed guideline, and my machine is showing the configuration, but when I run the report I get "No Device Found". Mind you I did all this within 5 minutes. Is there something I missed?

Christoph von Wittich

04.20.2018 AT 02:02 AM
When I open the report in SCCM 1802 I get an error: Microsoft.Reporting.WinForms.MissingParameterException Im Baseline-Parameter fehlt ein Wert. Stack Trace: bei Microsoft.Reporting.WinForms.RSParams.ValidateReportInputsSatisfied() bei Microsoft.Reporting.WinForms.RSParams.EnsureParamsLoaded(Boolean forceCredentialsShown, ReportParameterInfoCollection parameterInfos) bei Microsoft.Reporting.WinForms.RSParams.EnsureParamsLoaded() bei Microsoft.Reporting.WinForms.ReportViewer.RenderReportWithNewParameters(Int32 pageNumber, PostRenderArgs postRenderArgs) -------------------------------

David Geiger

03.27.2018 AT 08:41 AM
So this just monitors- is there a baseline to add the keys?

Michael Sweeting

02.23.2018 AT 08:44 AM
Is there any way to breakdown the reporting to show the Firmware and OS layer vulnerabilities separately? I need to be able to show my leadership when the Windows update patches are applied and when the firmware patches are applied to show our progress.

Bill

04.24.2018 AT 12:30 PM
I second this.. the report would be more useful to have a break down of OS, Browser, Bios etc..

Sushant Shriram Narlawar

01.23.2018 AT 04:24 AM
Hello Benoit, Using Baselines, affected clients will be reported as compliant. Do you use any remediation method to be targeted to collection with status "Compliant" Thanks, Sushant

munzi

01.19.2018 AT 08:12 AM
Hi Guys Do you have a write up on how to use your reports after downloading?

Jonathan Lefebvre

01.22.2018 AT 10:23 PM
Hi Munzi, right here -> https://systemcenterdudes.com/upload-rdl-file-to-report-server/ thanks Jonathan

Ian

01.18.2018 AT 04:55 AM
Any obvious reason why this would be showing the "invalid reference in content" $ "The CI contains a missing or invalid CI reference"?

Benoit Lecours

01.18.2018 AT 10:39 AM
Look like a known issue. See the comment section of the script page. https://gallery.technet.microsoft.com/Speculation-Execution-Side-1483f621/view/Discussions#content

Mercury

01.18.2018 AT 04:06 AM
Weird, My system is patched and the Intel detection tool shows "system is not vulnerable, it has already been patched" Both Windows and hardware were updated and patched here so what gives? Are the patches not fixing the issue or is the baseline wrong?

Michele

01.17.2018 AT 04:26 PM
Just shows up as an "error" on my test system. Ideas? While Powershell is free to run on my workstations, our users desktops not at all, so how would I get around that as well.

Benoit Lecours

01.18.2018 AT 10:36 AM
See Monitoring / Deployment in the SCCM console and get the error code.

IlyaP

01.16.2018 AT 03:18 AM
report is giving strange error: https://i.imgur.com/UbKFjTE.png . What data source should be selected?

Benoit Lecours

01.18.2018 AT 10:32 AM
The database used by your SCCM server. (Usually : /ConfigMgr_XXX/{5C6358F2-4BB6-4a1b-A16E-8D96795D8602})

Rick

01.15.2018 AT 03:28 PM
Nevermind, I set powershell to bypass and it works now, "non-compliant" 🙂

Rick

01.15.2018 AT 03:26 PM
My Compliance State is "Error", I'm using the new 2 item baseline. Do you think that's also a powershell execution setting problem?

Philippe Fournier

01.12.2018 AT 11:35 AM
I got the error: 0x87d00327 Script is not signed any idea?? Type d'erreur Code d'erreur Description de l'erreur Source de l'erreur Erreur de découverte d'élément de configuration 0x87d00327 Script is not signed CCM Nom : 3 - CVE-2017-5715 Windows OS support for branch target injection mitigation is enabled Type : Configuration de l'application Révision : 6 État de conformité : Erreur Gravité de la non-conformité : Critique Description : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Benoit Lecours

01.12.2018 AT 02:31 PM
Hi Philip, What is your PowerShell execution policy in your Client Settings? (Computer Agent). Try setting it to Bypass

Philippe Fournier

01.18.2018 AT 10:51 AM
Hi Benoit, the execution policy was set to signed... after changing it to Bypass, everything work! thanks Philippe

sachinkpshinde

01.11.2018 AT 01:27 AM
Hi, baseline has been created successfully and since Powershell is blocked in our environment not able to evaluate this baseline can you please suggest what I can do in this case. or can you give me with VB script? it will be the great help. Thanks in advance

Benoit Lecours

01.18.2018 AT 10:28 AM
Hello, We are not the editor of the script. We instruct how to add the baseline (script) into SCCM.

Russ Rimmerman

01.10.2018 AT 09:16 PM

Benoit Lecours

01.12.2018 AT 02:32 PM
I'll update the article soon to reflect the new Baseline Version. Thank you.

Benoit Lecours

01.15.2018 AT 08:49 AM
Post updated

Nazim

01.10.2018 AT 03:05 PM
Works like a charm !