Introduction:
The beginning of 2018 has been all about the Intel Meltdown and Spectre vulnerabilities... and cryptocurrency. These vulnerabilities take advantage of features that modern processors use to operate more efficiently: ‘out-of-order execution’ (Intel Meltdown) and ‘branch prediction’ (Spectre).
Out-of-order execution allows a processor to execute instructions in a non-sequential order, so that it spends less time idle. Branch prediction guesses which instructions will be executed next and where, so in a way the processor executes some instructions before the running application has actually reached them.
There are several patches/updates that need to be applied to mitigate these vulnerabilities. These range from BIOS/UEFI and firmware updates to driver updates and, of course, operating system patches.
There are patches from Microsoft, Red Hat, CentOS, VMware, etc. Basically just about every IT administrator has some work ahead of them (or is already done and drinking a well-earned beer). The focus of this blog post is the patches from Microsoft.
Which Microsoft patches?
In long-standing Microsoft tradition there is a load of different patches to cover the different versions of every (supported) Windows operating system. If you leave out the ARM and Itanium builds you end up with the following list:
KB4056897 – Windows 7 SP1 (x64 / x86) & Windows Server 2008 R2 (x64)
KB4056898 – Windows 8.1 (x64 / x86) & Windows Server 2012 R2 (x64)
KB4056893 – Windows 10 build 1507 (x64 / x86)
KB4056888 – Windows 10 build 1511 (x64 / x86)
KB4056890 – Windows 10 build 1607 (x64 / x86) & Windows Server 2016 build 1607 (x64)
KB4056891 – Windows 10 build 1703 (x64 / x86)
KB4056892 – Windows 10 build 1709 (x64 / x86) & Windows Server 2016 build 1709 (x64)
(The server x64 versions also work for the corresponding client OS)
That’s right: no patches for Windows Server 2008 & 2012 and Windows 8.0. But shame on you if you are still running those. Check this page for more information:
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
According to Microsoft, these are patches for the Enterprise edition of Windows 7/8.1/10. I have not tested them on other editions (Professional, Home, etc.).
If you download all these updates for 64-bit as well as 32-bit, you end up with 14 different files. Next up would be installing those files on all your machines. Sure, you could use Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM), but some organizations want a more direct approach.
Deployment with Ivanti Automation
So on to the point of this blog post: deploying these patches with Ivanti Automation. If you have the full version of Automation, you could add all patches as a Resource and create a module with 14 ‘Microsoft Update’ tasks with the correct conditions. But this would lead to a severe case of repetitive strain injury and you would be unable to lift the aforementioned beer.
If your organization does not have the money for the full version or does not see the benefits of automation, you might be running the new PoSh edition of Ivanti Automation. This version only has the ‘Windows PowerShell Script’ task, and the use of Resources is not supported.
That means you would need to create a script that installs the .msu file from a central share and use conditions to determine which version needs to be installed.
Since I had some time to kill, I did exactly that. I wanted to make an Ivanti Automation module that works in the full version as well as the PoSh version of Ivanti Automation, but I wanted to keep it simple from an Automation point of view. So I created a script that checks which version of Windows you have and outputs the correct update file for your system. The name of the update is then stored in a module parameter for use in the next task, which installs the patch for you.
You can define if you want the machine to automatically reboot or not.
After that it makes the recommended registry changes. Use the module parameters when scheduling the module to define which machines should receive the registry changes; these registry settings are what actually enable the mitigation.
Beware that there are reports of a 30% performance hit after installing (and enabling) these patches.
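A check a practitioner will want after running the module: does the machine actually have one of the updates from the list above installed, and are the mitigation keys set? The script below is an added example, not part of the post or its building block. It is read-only, uses the KB numbers from the list above, and interprets the FeatureSettingsOverride/FeatureSettingsOverrideMask bits as documented in the Microsoft server guidance linked above (bit 0 = branch target injection/Spectre variant 2, bit 1 = kernel VA shadowing/Meltdown); the function name is my own.

```powershell
# Added example (not from the original post): report patch and mitigation status on the local machine.
$KnownUpdates = @('KB4056897','KB4056898','KB4056893','KB4056888','KB4056890','KB4056891','KB4056892')

function Get-MeltdownSpectreStatus {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $isServer = $cv.ProductName -like 'Windows Server*'

    # Which of the seven January 2018 KBs (if any) is present
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KnownUpdates -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID })

    $mmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $mm = Get-ItemProperty -Path $mmPath -ErrorAction SilentlyContinue
    $override = [int]($mm.FeatureSettingsOverride)      # missing value -> 0
    $mask     = [int]($mm.FeatureSettingsOverrideMask)  # missing value -> 0

    # Where a mask bit is set, the matching override bit decides (1 = mitigation disabled).
    # Where it is not set, the OS default applies: enabled on client, disabled on Server
    # until the keys from the post are written.
    $default         = -not $isServer
    $v2Enabled       = if ($mask -band 1) { -not ($override -band 1) } else { $default }
    $meltdownEnabled = if ($mask -band 2) { -not ($override -band 2) } else { $default }

    # Hyper-V hosts additionally need MinVmVersionForCpuBasedMitigations (see the registry script)
    $virt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        ProductName                 = $cv.ProductName
        ReleaseId                   = $cv.ReleaseId
        UpdateInstalled             = ($installed.Count -gt 0)
        InstalledKB                 = ($installed -join ',')
        FeatureSettingsOverride     = $mm.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $mm.FeatureSettingsOverrideMask
        SpectreV2MitigationOn       = $v2Enabled
        MeltdownMitigationOn        = $meltdownEnabled
        HyperVMinVmVersion          = $virt.MinVmVersionForCpuBasedMitigations
        Compliant                   = ($installed.Count -gt 0) -and $v2Enabled -and $meltdownEnabled
    }
}

Get-MeltdownSpectreStatus | Format-List
```

The registry view cannot tell you whether the CPU microcode needed for the Spectre variant 2 mitigation is present; Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports that from the kernel's point of view and is the authoritative check.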
How to import
Download the building block I have provided at the bottom of this post. Import it into your Ivanti Automation (the passkey is included in the zip file) and it will ask you to provide a location (CIFS or SMB share) where it can find the patches. You need to download all these patches for the systems you have and put them in that share. I have added download links to the list I provided earlier, so it should not be much of a hassle. After that, just run it on all your affected systems.
For each patch I chose the cumulative update (when available) rather than the delta update, because I had some issues with dependencies on Windows Server 2016.
Keep in mind that this is not the only change you need to make to your systems to mitigate these vulnerabilities: there may also be firmware, drivers, configuration adjustments, etc. So be sure to read up on these vulnerabilities (which I found really interesting, because you also learn a bit about how your processor handles the instructions it receives) and check your vendors for any updates and recommendations.
Also check these sites for more information:
https://meltdownattack.com/
https://www.ivanti.com/blog/meltdown-spectre-need-know/
https://www.kb.cert.org/vuls/id/584653
https://support.microsoft.com/en-ca/help/4073757/protect-your-windows-devices-against-spectre-meltdown
I have added the scripts below for anyone who is just interested in the scripts and not the building block.
DISCLAIMER: And again, as with the other building blocks I have posted: this is just my take on it. I am not saying this is the best way to go in your situation. So be sure to make a list of what needs to be done in your IT environment and make a plan for deployment.
Building block:
PowerShell scripts:
Determine correct Intel Meltdown/Spectre update
# SCRIPT INFO -------------------
# --- Determine correct Intel Meltdown/Spectre update ---
# By Chris Jeucken
# v0.1
# -------------------------------------------------------
# Run on target machine
# -------------------------------
# SCRIPT ------------------------
# Check if 64-bit (this is a boolean, so it is tested directly below rather than compared with "True"/"False")
$OSArchitecture64 = [Environment]::Is64BitOperatingSystem

# Get Windows version
$OSVersion = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName).ProductName

# Get ReleaseId (if Windows Server 2016 or Windows 10)
# The two name patterns must be combined with -or; "-like A -and B" only tests the first pattern, because a non-empty string is always true
if (($OSVersion -like "Windows Server 2016*") -or ($OSVersion -like "Windows 10*")) {
    $OSReleaseId = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId
}

# Set correct update for Windows version
# Note: only builds 1607 and 1709 are mapped for Windows 10/Server 2016; if you run 1507, 1511 or 1703,
# add the KB4056893, KB4056888 and KB4056891 files from the list in the post here
if ($OSArchitecture64) {
    if (($OSVersion -like "Windows Server 2008*") -or ($OSVersion -like "Windows 7*")) {
        $Update = "windows6.1-kb4056897-x64_2af35062f69ce80c4cd6eef030eda31ca5c109ed.msu"
    }
    if (($OSVersion -like "Windows Server 2012*") -or ($OSVersion -like "Windows 8*")) {
        $Update = "windows8.1-kb4056898-v2-x64_754f420c1d505f4666437d06ac97175109631bf2.msu"
    }
    if (($OSVersion -like "Windows Server 2016*") -or ($OSVersion -like "Windows 10*")) {
        if ($OSReleaseId -eq "1709") {
            $Update = "windows10.0-kb4056892-x64_a41a378cf9ae609152b505c40e691ca1228e28ea.msu"
        } else {
            $Update = "windows10.0-kb4056890-x64_1d0f5115833be3d736caeba63c97cfa42cae8c47.msu"
        }
    }
} else {
    if ($OSVersion -like "Windows 7*") {
        $Update = "windows6.1-kb4056897-x86_bb612f57e082c407b8cdad3f4900275833449e71.msu"
    }
    if ($OSVersion -like "Windows 8*") {
        $Update = "windows8.1-kb4056898-v2-x86_f0781f0b1d96c7b12a18c66f99cf94447b2fa07f.msu"
    }
    if ($OSVersion -like "Windows 10*") {
        if ($OSReleaseId -eq "1709") {
            $Update = "windows10.0-kb4056892-x86_d3aaf1048d6f314240b8c6fe27932aa52a5e6733.msu"
        } else {
            $Update = "windows10.0-kb4056890-x86_078b34bfdc198bee26c4f13e2e45cb231ba0d843.msu"
        }
    }
}

# Print update (this output is captured into the module parameter used by the install task)
if (-not $Update) {
    Write-Warning "No update file mapped for '$OSVersion' (ReleaseId '$OSReleaseId')"
}
Write-Host $Update
-------------------------------
Install Intel Meltdown/Spectre update
# SCRIPT INFO -------------------
# --- Install Intel Meltdown/Spectre update ---
# By Chris Jeucken
# v0.1
# -------------------------------------------------------
# Run on target machine
# -------------------------------
# VARIABLES ---------------------
# Create variable with update (with full path); $[...] are Ivanti Automation module parameters
$UpdateFile = "$[Update]"
$UpdateLocation = "$[UpdateLocation]"
$Update = $UpdateLocation + "\" + $UpdateFile
# File names look like windows6.1-kb4056897-x64_<hash>.msu, so the second "-" separated field is the KB number
$KBNumber = (($UpdateFile -split "-")[1]).ToUpper()

# Include reboot after update?
$Reboot = "$[IncludeRebootPatch]"

# Show variables (for troubleshooting)
Write-Host "--- Used Variables ---"
Write-Host "Update: $Update"
Write-Host "Include Reboot: $Reboot"
Write-Host "----------------------"
# -------------------------------
# SCRIPT ------------------------
# Check if hotfix is already installed
if (!(Get-HotFix -Id $KBNumber -ErrorAction SilentlyContinue)) {
    # Determine if 64-bit or 32-bit (64-bit Windows ships a second copy of wusa.exe under SysWOW64)
    if (!(Test-Path "$env:SystemRoot\SysWOW64\wusa.exe")) {
        Write-Host "32-bit Windows: using Windows Update Standalone Installer from System32"
        $Wusa = "$env:SystemRoot\System32\wusa.exe"
    } else {
        Write-Host "64-bit Windows: using Windows Update Standalone Installer from SysWOW64"
        $Wusa = "$env:SystemRoot\SysWOW64\wusa.exe"
    }
    # Run actual update; the .msu path is quoted so a share path with spaces survives.
    # wusa.exe does not know a /noreboot switch; the switch that suppresses the restart is /norestart
    if ($Reboot -eq "Yes") {
        Write-Host "Running update with automatic reboot"
        Start-Process -FilePath $Wusa -ArgumentList ("`"$Update`"", "/quiet", "/log:C:\Windows\Temp\Wusa.log") -Wait
    }
    if ($Reboot -eq "No") {
        Write-Host "Running update without automatic reboot"
        Start-Process -FilePath $Wusa -ArgumentList ("`"$Update`"", "/quiet", "/norestart", "/log:C:\Windows\Temp\Wusa.log") -Wait
    }
} else {
    Write-Host "Hotfix $KBNumber is already installed."
}
# -------------------------------
Install Intel Meltdown/Spectre registry settings
# SCRIPT INFO -------------------
# --- Install Intel Meltdown-Spectre registry updates ---
# By Chris Jeucken
# v0.1
# ------------------------------------------------------
# Run on target machine
# -------------------------------
# VARIABLES ---------------------
# Which machines get the registry changes: OnlyHyperV / OnlyRDS / OnlyHyperVRDSH / AllServers / None
# ($[...] are Ivanti Automation module parameters)
$Targets = "$[RegistryUpdateTargets]"
# Include reboot after script?
$Reboot = "$[IncludeRebootRegistry]"
# -------------------------------
# SCRIPT ------------------------
# Check if Hyper-V is installed
$HyperV = (Get-WindowsOptionalFeature -FeatureName Microsoft-Hyper-V-All -Online).State

# Check if Remote Desktop Services is installed (Get-WindowsFeature only exists on Windows Server)
$OSVersion = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName).ProductName
if ($OSVersion -like "Windows Server*") {
    $RDS = (Get-WindowsFeature -Name Remote-Desktop-Services).InstallState
}

# Create function for performing the actual registry updates
Function PerformRegistryUpdates {
    # FeatureSettingsOverride = 0 with FeatureSettingsOverrideMask = 3 enables both mitigations (Microsoft server guidance)
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name FeatureSettingsOverride -Value 0 -Type DWord -Confirm:$false -Force
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name FeatureSettingsOverrideMask -Value 3 -Type DWord -Confirm:$false -Force
    # Hyper-V hosts: let existing VMs pick up the new CPU features
    if (Test-Path -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization") {
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" -Name MinVmVersionForCpuBasedMitigations -Value "1.0" -Type String -Confirm:$false -Force
    }
}

# Determine if registry updates should be done (decided once, so a host that is both Hyper-V and RDS is only updated and rebooted once)
$DoUpdates = $false
switch ($Targets) {
    "OnlyHyperV" {
        if ($HyperV -eq "Enabled") { Write-Host "Hyper-V detected, performing registry updates..."; $DoUpdates = $true }
    }
    "OnlyRDS" {
        if ($RDS -eq "Installed") { Write-Host "Remote Desktop Services detected, performing registry updates..."; $DoUpdates = $true }
    }
    "OnlyHyperVRDSH" {
        if ($HyperV -eq "Enabled" -or $RDS -eq "Installed") { Write-Host "Hyper-V and/or Remote Desktop Services detected, performing registry updates..."; $DoUpdates = $true }
    }
    "AllServers" { Write-Host "Performing registry updates..."; $DoUpdates = $true }
    "None"       { Write-Host "Not performing registry updates..." }
}

if ($DoUpdates) {
    PerformRegistryUpdates
    # Reboot if allowed (the new registry values only take effect after a restart)
    if ($Reboot -eq "Yes") {
        Write-Host "Rebooting system"
        Restart-Computer -Force
    }
}
# -------------------------------