Today Microsoft released a PowerShell module (SpeculationControl, with the Get-SpeculationControlSettings cmdlet) that can be run on any Windows system to report whether the system is vulnerable to Meltdown and Spectre and which mitigations are in place. If you haven't heard about it yet, go here: https://support.microsoft.com/en-us/help/4073119.
Building on this, I created a PowerShell script (download below) that will find every Windows computer in your domain and run the Microsoft script and return the results. This allows you to see the status of the patch deployment for your entire domain run from a single PC.
Prerequisites:
- PowerShell 5 - This basically works out of the box on Windows Server 2016 and Windows 10. It may be a problem for organizations that have not yet deployed PowerShell 5 to older operating systems; the good news is that PowerShell 5 (Windows Management Framework 5.1) is available for Windows Server as far back as 2008 R2 and for Windows 7. The script uses Install-PackageProvider and Install-Module, which pull the NuGet provider and then the SpeculationControl module Microsoft published from the PowerShell Gallery, so each target also needs outbound access to the gallery (or an internal repository mirror). There may be workarounds; hopefully somebody can build upon what I have here.
- PowerShell Remoting - You must have PowerShell remoting (WinRM) enabled on the targets so that Invoke-Command can run against them from wherever you execute this. Enable-PSRemoting on each machine, or the equivalent Group Policy, takes care of it. It's not hard, but depending on your organization's security requirements, this might also be a blocking issue.
- Run as a domain administrator or another account that has local administrator rights on all target computers; the remote session needs them to install the module and read the kernel settings.
How to use:
Just download it and run it (link is at the bottom of this post). It's really that simple. For systems that don't meet the prerequisites, you will see an entry in the output status showing "Error." You can then go back to that machine and try running portions of the script manually if you want to troubleshoot, but at least in my environment, the most common issue is just not having PowerShell 5 installed. If you want to export it to a CSV, which can then be opened in Excel, add the command line switch -csv followed by the path, like below.
- .\Get-SpeculationControlSettingsOnAllComputersInDomain.ps1 -CSV C:\Users\YourName\Desktop\SpeculationControlOutput.csv
Examining the output:
The first two columns are the computer name and the script execution status. The script execution status can be OK, Error, or Offline. I think this is pretty self-explanatory. It either worked, didn't, or the computer wasn't online so the script couldn't be run.
The next columns are as follows (note: they are abbreviated since there are so many and it needs to fit on the screen).
- BTIHWPr - BTIHardwarePresent - Hardware support for branch target injection mitigation is present.
- BTIWinPr - BTIWindowsSupportPresent - Windows OS support for branch target injection mitigation is present.
- BTIWinEn - BTIWindowsSupportEnabled - Windows OS support for branch target injection mitigation is enabled.
- BTIDisSP - BTIDisabledBySystemPolicy - Windows OS support for branch target injection mitigation is disabled by system policy.
- BTINoHWSup - BTIDisabledByNoHardwareSupport - Windows OS support for branch target injection mitigation is disabled by absence of hardware support.
- KVAShdwRq - KVAShadowRequired - Hardware requires kernel VA shadowing.
- KVIWinPr - KVAShadowWindowsSupportPresent - Windows OS support for kernel VA shadow is present.
- KVIWinEn - KVAShadowWindowsSupportEnabled - Windows OS support for kernel VA shadow is enabled.
- KVIPcidEn - KVAShadowPcidEnabled - Windows OS support for PCID performance optimization is enabled. (Not required for security.)
According to the guidance, the main things to look for are that BTIHWPr, BTIWinPr and BTIWinEn all show TRUE (the branch target injection mitigation is supported by the CPU, supported by Windows, and actually enabled), and that whenever KVAShdwRq shows TRUE, KVIWinPr and KVIWinEn show TRUE as well. KVAShdwRq itself is not a mitigation flag: TRUE means the CPU needs kernel VA shadowing, so on a CPU that reports FALSE there, the KVI columns can be FALSE without concern. A FALSE in BTIHWPr means the CPU microcode/firmware update from the hardware vendor has not been applied; the Windows update alone will not turn that column TRUE.
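As an added illustration of the whole procedure (this is example code written for this page, not the author's downloadable script), the following PowerShell enumerates the domain's Windows computers, runs Get-SpeculationControlSettings on each over remoting, tags each row with the OK/Error/Offline status described above, maps the long property names to the abbreviated column names used in this post, and applies the rule from the previous paragraph in a Mitigated column. It assumes the ActiveDirectory module from RSAT on the console machine, PowerShell remoting enabled on the targets, and that each target can reach the PowerShell Gallery (or a mirror) to install the SpeculationControl module. The -SearchBase parameter is an assumption added here to limit the scope to one OU; -CSV mirrors the switch in the post.

```powershell
# Added example, not the author's script. Assumes RSAT ActiveDirectory module,
# PowerShell remoting on targets, and gallery access for Install-Module.
[CmdletBinding()]
param(
    [string]$CSV,          # optional path: export the results to CSV
    [string]$SearchBase    # optional OU distinguished name to limit the scope (assumption)
)

Import-Module ActiveDirectory

# Enumerate every Windows computer account in the domain (or the given OU).
$adParams = @{ Filter = 'OperatingSystem -like "*Windows*"'; Properties = 'OperatingSystem' }
if ($SearchBase) { $adParams.SearchBase = $SearchBase }
$computers = Get-ADComputer @adParams | Select-Object -ExpandProperty DNSHostName | Sort-Object

# Runs on each target: install the SpeculationControl module from the PowerShell
# Gallery if it is missing, then return the settings object. The cmdlet's
# Write-Host chatter goes to the information stream (6) and is discarded.
$remoteBlock = {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-PackageProvider -Name NuGet -Force -ErrorAction Stop | Out-Null
        Install-Module -Name SpeculationControl -Force -ErrorAction Stop
    }
    Import-Module SpeculationControl -ErrorAction Stop
    Get-SpeculationControlSettings 6>$null
}

# Abbreviated column name -> property name returned by Get-SpeculationControlSettings.
$columnMap = [ordered]@{
    BTIHWPr    = 'BTIHardwarePresent'
    BTIWinPr   = 'BTIWindowsSupportPresent'
    BTIWinEn   = 'BTIWindowsSupportEnabled'
    BTIDisSP   = 'BTIDisabledBySystemPolicy'
    BTINoHWSup = 'BTIDisabledByNoHardwareSupport'
    KVAShdwRq  = 'KVAShadowRequired'
    KVIWinPr   = 'KVAShadowWindowsSupportPresent'
    KVIWinEn   = 'KVAShadowWindowsSupportEnabled'
    KVIPcidEn  = 'KVAShadowPcidEnabled'
}

$results = foreach ($computer in $computers) {
    $settings = $null
    $row = [ordered]@{ Computer = $computer; Status = 'Offline' }

    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        try {
            # -Last 1 keeps only the settings object if the remote block emits anything else.
            $settings = Invoke-Command -ComputerName $computer -ScriptBlock $remoteBlock -ErrorAction Stop |
                        Select-Object -Last 1
            $row.Status = 'OK'
        } catch {
            # Typical causes: no PowerShell 5, remoting disabled, no gallery access.
            $row.Status = 'Error'
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
    }

    foreach ($abbr in $columnMap.Keys) {
        $row[$abbr] = if ($settings) { [bool]$settings.($columnMap[$abbr]) } else { $null }
    }

    # Mitigated: BTI mitigation present and enabled, and KVA shadow present and
    # enabled whenever the hardware requires it. Null when the probe did not run.
    if ($settings) {
        $btiOk = $settings.BTIHardwarePresent -and $settings.BTIWindowsSupportPresent -and $settings.BTIWindowsSupportEnabled
        $kvaOk = (-not $settings.KVAShadowRequired) -or
                 ($settings.KVAShadowWindowsSupportPresent -and $settings.KVAShadowWindowsSupportEnabled)
        $row.Mitigated = [bool]($btiOk -and $kvaOk)
    } else {
        $row.Mitigated = $null
    }

    [pscustomobject]$row
}

$results | Format-Table -AutoSize
if ($CSV) { $results | Export-Csv -Path $CSV -NoTypeInformation }
```

Run it from an elevated PowerShell 5 session as an account with local administrator rights on the targets, for example `.\Check-SpeculationControl.ps1 -CSV C:\Temp\spec.csv` (the script name is whatever you save it as). Machines that answer ping but fail the remote block end up as Error with the reason in a warning line, which is usually enough to tell a missing PowerShell 5 apart from a remoting or gallery problem.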
This script is public domain. Also, ABSOLUTELY NO WARRANTY. I do not guarantee at all that the script works correctly in your scenario and I am not responsible for damage!
Here's example output of what it looks like when it's running. I obfuscated my system names, but you can see how I have systems that are not yet patched below. The patches are deploying tonight. :-) You will also notice that quite a few don't have PowerShell 5 installed.
Computer Status BTIHWPr BTIWinPr BTIWinEn BTIDisSP BTINoHWSup KVAShdwRq KVIWinPr KVIWinEn KVIPcidEn
-------- ------ ------- -------- -------- -------- ---------- --------- -------- -------- ---------
SRVMAIL1.nc.us... OK False False False False False True False False False
SRVTFSBUILD2.n... OK False False False False False True False False False
SRVTFSBUILD1.n... OK False False False False False True False False False
SRVTFSBUILD3.n... OK False False False False False True False False False
DESKTOP251.nc.... OK False False False False False True False False False
SRVDC2.nc.us.d... OK False False False False False True False False False