How to Monitor Spectre / Meltdown Workstation Vulnerability using SCCM

Benoit Lecours | SCCM | 31 Comments

This new year brings a new challenge for us SCCM administrators. The Speculation Control vulnerability (aka Spectre and Meltdown) affects many modern processors and operating systems and is considered critical to patch. The first challenge is to monitor who is vulnerable in your organization. The second is to understand this beast and remediate it. The important thing to know here is that a machine needs more than a Windows OS patch to be compliant. There are also hardware-level firmware updates to apply. This blog post focuses on the monitoring part, so that you can show your management whether you're compliant or not.

We also included a free report to download in order to track your Spectre and Meltdown compliance level. You can jump to the end of this post if you want to download it and skip the reading.

SCCM Spectre Meltdown Configuration Baseline Creation

Luckily for us, Microsoft PFEs, Ken Wygant, did the dirty work for us and did an incredible job turning a detection PowerShell script into a ready-to-import SCCM Configuration Item and Baseline. They wrote a pretty good blog post explaining their work, and we'll use their CAB file to show you the step-by-step process for using it in your organization.

  • The first step is to download the CAB file. 
  • [Edit 01/15] Microsoft has released a new Configuration Baseline, available on TechNet Gallery. The new CAB file creates only 2 CIs instead of 8, but this blog post is still relevant.

  • In the SCCM Console, go to Assets and Compliance / Compliance Settings / Configuration Items
  • Right-Click Import Configuration Data

  • In the Import Configuration Data Wizard, click on Add

  • On the security warning, click Yes

  • The Configuration Baseline appears in the file window, click Next

  • Review the Summary, click Next and complete the wizard

  • Back in the Configuration Items pane, the 8 CIs are created

  • In the Configuration Baseline pane, the Baseline is created. This baseline contains the 8 CIs and is ready to be deployed

SCCM Spectre Meltdown Configuration Baseline Deployment

We will now deploy the Configuration Baseline to a test collection in order to validate it.

  • In the SCCM Console, go to Assets and Compliance / Compliance Settings / Configuration Baseline
  • Right-Click the ADV180002 – Speculative Execution Side-channel Vulnerabilities Baseline and select Deploy

  • Select the collection that contains your test machines by clicking Browse, select your compliance evaluation schedule and click OK

SCCM Spectre Meltdown Workstation Validation

On a machine that receives the configuration baseline:

  • In Control Panel, open the Configuration Manager Properties application
  • Initiate a Machine Policy Retrieval & Evaluation Cycle to receive the baseline

  • In the Configuration tab, click Refresh until the baseline appears

  • Once the baseline is available, select the ADV180002 Baseline, click Evaluate and wait a couple of minutes

  • Once the Last Evaluation Date gets populated, click View Report
  • Your browser will open the report showing the compliance state of this machine. In our screenshot, my machine has a compliant state in 4 out of 8 CIs. This is because I've applied the Windows 10 OS patches but the hardware level has not been patched

  • In the SCCM console, the compliance statistics will begin to populate. This confirms that the baseline has been deployed correctly.
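
The client-side validation steps above can also be scripted on a test machine. The following is an added example, not code from the original post or from the Microsoft baseline; it assumes Windows PowerShell run elevated on a machine with the ConfigMgr client, and a baseline whose display name starts with "ADV180002" as in this post. The retry counts and sleep times are arbitrary.

```powershell
# Added example: scripted version of the workstation validation steps.
# Run elevated on a test machine that has the ConfigMgr client installed.

# Client action schedule IDs: ...021 requests machine policy, ...022 evaluates it.
# Together they correspond to the "Machine Policy Retrieval & Evaluation Cycle" action.
$schedules = '{00000000-0000-0000-0000-000000000021}',
             '{00000000-0000-0000-0000-000000000022}'
foreach ($id in $schedules) {
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
        -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $id } | Out-Null
}

# Assumption: the baseline display name starts with "ADV180002", as in this post.
$namePattern = 'ADV180002*'

# Equivalent of clicking Refresh until the baseline appears.
$baseline = $null
for ($attempt = 1; $attempt -le 10 -and -not $baseline; $attempt++) {
    $baseline = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' |
        Where-Object { $_.DisplayName -like $namePattern } | Select-Object -First 1
    if (-not $baseline) { Start-Sleep -Seconds 30 }
}
if (-not $baseline) { throw "Baseline matching '$namePattern' has not reached this client yet." }

# Equivalent of clicking Evaluate. Evaluation runs asynchronously.
$dcm = [wmiclass]'root\ccm\dcm:SMS_DesiredConfiguration'
$dcm.TriggerEvaluation($baseline.Name, $baseline.Version) | Out-Null
Start-Sleep -Seconds 120

# Re-read the instance and report the result (equivalent of View Report, summarized).
$result = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' |
    Where-Object { $_.Name -eq $baseline.Name } | Select-Object -First 1
$state = switch ($result.LastComplianceStatus) {
    0       { 'Non-Compliant' }
    1       { 'Compliant' }
    default { "Other ($($result.LastComplianceStatus)): error or not yet evaluated" }
}
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Baseline     = $result.DisplayName
    State        = $state
    LastEvalTime = $result.LastEvalTime
}
```

A state other than Compliant or Non-Compliant usually means the CI scripts could not run on the client; the per-CI detail is still in the report opened by View Report.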

SCCM Spectre Meltdown Configuration Baseline Report

The console statistics are basic and don't show which machines are compliant or not. We've created a simple report that lists the machines and their compliance state. The report asks which baseline to show; select the baseline we just created in this blog post to see your Spectre / Meltdown statistics.

You can download this free report by visiting our product page. The Asset – Compliance State report is available in the Report / Asset Section.

Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 4 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intune deployments.

31 Comments on “How to Monitor Spectre / Meltdown Workstation Vulnerability using SCCM”

  1. When I open the report in SCCM 1802 I get an error:

    Microsoft.Reporting.WinForms.MissingParameterException
    Im Baseline-Parameter fehlt ein Wert.

    Stack Trace:
    bei Microsoft.Reporting.WinForms.RSParams.ValidateReportInputsSatisfied()
    bei Microsoft.Reporting.WinForms.RSParams.EnsureParamsLoaded(Boolean forceCredentialsShown, ReportParameterInfoCollection parameterInfos)
    bei Microsoft.Reporting.WinForms.RSParams.EnsureParamsLoaded()
    bei Microsoft.Reporting.WinForms.ReportViewer.RenderReportWithNewParameters(Int32 pageNumber, PostRenderArgs postRenderArgs)

  2. Is there any way to break down the reporting to show the Firmware and OS layer vulnerabilities separately?
    I need to be able to show my leadership when the Windows update patches are applied and when the firmware patches are applied to show our progress.

  3. Hello Benoit,
    Using Baselines, affected clients will be reported as compliant. Do you use any remediation method to be targeted to collection with status “Compliant”?
    Thanks,
    Sushant

  4. Any obvious reason why this would be showing the “invalid reference in content” $ “The CI contains a missing or invalid CI reference”?

  5. Weird, my system is patched and the Intel detection tool shows “system is not vulnerable, it has already been patched”

    Both Windows and hardware were updated and patched here so what gives? Are the patches not fixing the issue or is the baseline wrong?

  6. Just shows up as an “error” on my test system. Ideas? While PowerShell is free to run on my workstations, on our users' desktops it is not at all, so how would I get around that as well?

    1. The database used by your SCCM server. (Usually : /ConfigMgr_XXX/{5C6358F2-4BB6-4a1b-A16E-8D96795D8602})

  7. My Compliance State is “Error”; I'm using the new 2 item baseline. Do you think that’s also a PowerShell execution setting problem?

  8. I got the error: 0x87d00327 Script is not signed

    any idea??

    Type d’erreur Code d’erreur Description de l’erreur Source de l’erreur
    Erreur de découverte d’élément de configuration 0x87d00327 Script is not signed CCM
    Nom : 3 – CVE-2017-5715 Windows OS support for branch target injection mitigation is enabled
    Type : Configuration de l’application
    Révision : 6
    État de conformité : Erreur
    Gravité de la non-conformité : Critique
    Description : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

    1. Hi Philip,
      What is your PowerShell execution policy in your Client Settings? (Computer Agent).

      Try setting it to Bypass

      1. Hi Benoit, the execution policy was set to signed…

        after changing it to Bypass, everything works!

        thanks

        Philippe

  9. Hi,
    The baseline has been created successfully, but since PowerShell is blocked in our environment I am not able to evaluate this baseline. Can you please suggest what I can do in this case, or can you provide me with a VB script? It would be a great help.
    Thanks in advance

    1. Hello,
      We are not the editor of the script. We instruct how to add the baseline (script) into SCCM.
