SCCM Additional guidance to mitigate speculative execution side-channel vulnerabilities


Yvette OMeally

We are aware of a new publicly disclosed class of vulnerabilities that are referred to as speculative execution side-channel attacks as detailed in Microsoft Security advisory ADV180002. These vulnerabilities affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.

This post is intended to centralize and share current guidance to help Enterprise Mobility + Security customers ensure their environments are protected against these vulnerabilities. We will continue to update as more information becomes available.

The post includes sections for the three main customer scenarios:

  • Configuration Manager – just the first section applies
  • Configuration Manager with Microsoft Intune (hybrid) – all three sections may apply
  • Microsoft Intune – just the third section applies

Configuration Manager

Windows Update
If you have Windows 10 devices receiving Windows Update for Business policy, or are using co-management and the Windows Update workload is switched to Microsoft Intune, these devices will automatically get the January cumulative update on the ring definition you define.

For traditional management of Windows 10 and other affected operating systems, use the software updates management feature of Configuration Manager to deploy the January cumulative update. For example, 2018-01 Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4056892). For more information, see Windows client support article KB 4073119. (For more information about additional actions specifically for Windows Server, see “Configuration Manager infrastructure” section below.)

Compatibility issues may exist with a small number of antivirus software products. As a result, Microsoft is only offering the Windows security updates released on January 3, 2018, to devices running antivirus software from partners who have confirmed that their software is compatible with the January 2018 Windows security update. If your devices are not detecting the security update as applicable, you may be running incompatible antivirus software, and you should consult the antivirus software vendor. For more information, see Microsoft Support article KB 4072699.

Firmware update
Check for available firmware updates from your hardware vendor. For more information about an update for Microsoft Surface, see support article KB 4073065. Download the Windows Installer package for Microsoft Surface, and deploy using a Configuration Manager application. We recommend an application versus a package for the enhanced compliance reporting capabilities.

Customers running Configuration Manager current branch version 1706 or later can manage Microsoft Surface driver updates through the software update channel.

Some customers may experience devices prompting for BitLocker key entry after updating firmware, even if not normally required. If you are using BitLocker, we recommend testing this behavior, and then consider whether to suspend BitLocker during this process. If needed, you can use a custom task sequence to order these events. For example,

  • Disable BitLocker step
  • Install Application step: reference the application for the firmware update
  • Restart Computer step

When using the Disable BitLocker step in a task sequence, protection resumes after restart.

Updates for other managed devices
For information about Apple macOS devices, see Apple support article HT208394.

Install the latest updates for Linux and UNIX. For more information, check with your specific Linux distro vendor and UNIX operating system vendor.

Verify protection on Windows devices
To verify protection against these vulnerabilities, both the software updates management and application management features have compliance reporting capabilities. Use these capabilities to determine device compliance for the January Windows update and the firmware update application.

Additionally, there is a new Windows PowerShell module, SpeculationControl, which you can use to verify protections are enabled. For more information, see the “Verifying protections are enabled” section of Microsoft Support article KB 4073119. We recommend downloading the version from the TechNet ScriptCenter as it works offline without further prerequisites. (Using the Install-Module process requires Internet access, trusting the PSGallery repository, and installing a NuGet package.)

Customers running Configuration Manager current branch version 1706 or later can use the Run Scripts feature to deploy a script and receive near real-time response from active clients. The following PowerShell code snippet is an example of what you can use to automate running the Get-SpeculationControlSettings cmdlet at scale:

# The SpeculationControl module is signed; the default 'Restricted' policy won't run it
Set-ExecutionPolicy AllSigned -Scope Process -Force

# Read the Authenticode signature from the module manifest
$cert = Get-AuthenticodeSignature .\SpeculationControl.psd1

# Only trust the signer if the signature actually verifies
if ($cert.Status -ne 'Valid') { throw "SpeculationControl.psd1 signature status is $($cert.Status)" }

# Add the signing certificate to the Trusted Publishers store (machine-wide)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "TrustedPublisher","LocalMachine"
$store.Open("ReadWrite")
$store.Add($cert.SignerCertificate)
$store.Close()

# Import the module and run the cmdlet
Import-Module .\SpeculationControl.psd1
Get-SpeculationControlSettings



The final cmdlet returns a list of settings and their states. While the Run Scripts feature will report this output, a script to wrap and return a single value makes for easier reporting across many devices.

For example, save the Get-SpeculationControlSettings output into a variable, then access each setting as a property:

$SpecSettings = Get-SpeculationControlSettings
if ($SpecSettings.BTIHardwarePresent) { Write-Host "BTI hardware present" }
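A fuller wrapper of the kind the paragraph above describes, written as an added example rather than code from the original post: it runs Get-SpeculationControlSettings and emits one line per device that Run Scripts can collect. It assumes the module has already been placed at the (hypothetical) path below and its signer trusted as in the snippet above; the property names are those of the module's January 2018 output, so check them against the module version you deploy.

```powershell
# Added example: one-line compliance verdict for SCCM Run Scripts.
# Assumption: the SpeculationControl module was pre-staged at this path
# (for example by a Configuration Manager package); adjust to your layout.
$ModulePath = 'C:\ProgramData\SpeculationControl\SpeculationControl.psd1'

Set-ExecutionPolicy AllSigned -Scope Process -Force
Import-Module $ModulePath -ErrorAction Stop
$s = Get-SpeculationControlSettings

# Property names from the module's January 2018 output (assumed unchanged
# for the version you deploy; later releases add further properties).
$problems = @()

# Branch target injection (CVE-2017-5715): needs firmware, OS update and the
# OS-side mitigation actually enabled.
if (-not $s.BTIHardwarePresent)       { $problems += 'BTI firmware update missing' }
if (-not $s.BTIWindowsSupportPresent) { $problems += 'BTI Windows update missing' }
if (-not $s.BTIWindowsSupportEnabled) {
    if ($s.BTIDisabledBySystemPolicy)        { $problems += 'BTI disabled by policy' }
    elseif ($s.BTIDisabledByNoHardwareSupport) { $problems += 'BTI disabled: no hardware support' }
    else                                      { $problems += 'BTI not enabled' }
}

# Kernel VA shadow (rogue data cache load, CVE-2017-5754) only matters on
# CPUs the module reports as requiring it.
if ($s.KVAShadowRequired) {
    if (-not $s.KVAShadowWindowsSupportPresent) { $problems += 'KVA shadow Windows update missing' }
    if (-not $s.KVAShadowWindowsSupportEnabled) { $problems += 'KVA shadow not enabled' }
}

# Single string on the pipeline: this is what Run Scripts reports per client.
if ($problems.Count -eq 0) {
    'Compliant'
} else {
    'NonCompliant: ' + ($problems -join '; ')
}
```

The cmdlet's descriptive Write-Host text is not part of the object it returns, so the final string is the only pipeline output the wrapper produces.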


We are working on providing alternative solutions for verifying protection.

Configuration Manager infrastructure
As well as deploying the Windows and firmware updates to servers, also review Microsoft Support articles KB 4072698 for Windows Server and KB 4073225 for SQL Server.

For Windows Server, there are additional actions necessary to enable protections. (On Windows clients the protections are enabled by default; on Windows Server they must be enabled explicitly.) Based on feedback from Microsoft IT, we recommend the following order of operations to minimize the number of restarts:

  • Enable protections (see the “Enabling protections on server” section of KB 4072698)
  • Install Windows update
  • Restart
  • Install firmware update
  • Restart

(And remember to possibly disable BitLocker if in use on servers. When using the Disable BitLocker step in a task sequence, protection resumes after restart.)

KB 4073225 outlines customer guidance for SQL Server, which is a critical part of any Configuration Manager system. Currently, we recommend following the SQL guidance for Configuration Manager site database servers, except for the following suggested steps, which may affect Configuration Manager functionality and performance. Do not perform the steps for these two categories at this time:

  • Running SQL Server with CLR enabled (sp_configure 'clr enabled', 1)
  • Using Linked Servers (sp_addlinkedserver)

For customers that run their Configuration Manager environment in Microsoft Azure, or are using connected Azure services like the Cloud Management Gateway, see this blog post for information.

Configuration Manager with Microsoft Intune (hybrid)
For more information about Apple iOS and macOS devices, see Apple support article HT208394.

For more information about Android devices, see Google’s blog post and support FAQ.

Microsoft Intune
Windows 10 devices will automatically get the January cumulative update on the ring definitions you define. For example, 2018-01 Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4056892). For more information, see Windows client support article KB 4073119.

For information on classic Intune PC management, see the software update documentation.

Compatibility issues may exist with a small number of antivirus software products. As a result, Microsoft is only offering the Windows security updates released on January 3, 2018, to devices running antivirus software from partners who have confirmed that their software is compatible with the January 2018 Windows security update. If your devices are not detecting the security update as applicable, you may be running incompatible antivirus software, and you should consult the antivirus software vendor. For more information, see Microsoft Support article KB 4072699.

For more information about Apple iOS and macOS devices, see Apple support article HT208394.

For more information about Android devices, see Google’s blog post and support FAQ.
We will continue to update this post as more information becomes available.

If you have any feedback, please use the Windows 10 Feedback Hub.
The System Center Configuration Manager Team
