Today Microsoft released a PowerShell script that can be run on any Windows system to detect if the system is vulnerable to Meltdown and Spectre. If you haven't heard about it yet, go here: https://support.microsoft.com/en-us/help/4073119.
Building on this, I created a PowerShell script (download below) that will find every Windows computer in your domain and run the Microsoft script and return the results. This allows you to see the status of the patch deployment for your entire domain run from a single PC.
Prerequisites:
How to use:
Just download it and run it (link is at the bottom of this post). It's really that simple. For systems that don't meet the prerequisites, you will see an entry in the output status showing "Error." You can then go back to that machine and try running portions of the script manually if you want to troubleshoot, but at least in my environment, the most common issue is just not having PowerShell 5 installed. If you want to export it to a CSV, which can then be opened in Excel, add the command line switch -csv followed by the path, like below.
Examining the output:
The first two columns are the computer name and the script execution status. The script execution status can be OK, Error, or Offline. I think this is pretty self-explanatory. It either worked, didn't, or the computer wasn't online so the script couldn't be run.
The next columns are as follows (note: they are abbreviated since there are so many and it needs to fit on the screen).
According to the guidance, the main thing to look for is that the following columns all show TRUE: BTIHWPr, BTIWinPr, BTIWinEn, KVAShdwRq, KVIWinPr, KVIWinEn.
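One way to triage the CSV export against the six columns listed above, as an added example that is not part of the original script. It assumes the CSV headers match the on-screen column names; the function name Get-PatchTriage, the host names and the sample rows are constructed for illustration.

```powershell
# Constructed sample rows. ASSUMPTION: the -csv export uses the same header
# names as the on-screen table. For a real export, load it with Import-Csv.
$csvText = @'
Computer,Status,BTIHWPr,BTIWinPr,BTIWinEn,BTIDisSP,BTINoHWSup,KVAShdwRq,KVIWinPr,KVIWinEn,KVIPcidEn
HOST-A.example.test,OK,True,True,True,False,False,True,True,True,True
HOST-B.example.test,OK,False,False,False,False,False,True,False,False,False
HOST-C.example.test,Error,,,,,,,,,
HOST-D.example.test,Offline,,,,,,,,,
'@

# The columns the post says should all show TRUE.
$required = 'BTIHWPr','BTIWinPr','BTIWinEn','KVAShdwRq','KVIWinPr','KVIWinEn'

# Hypothetical helper: classifies each row and names the checks that failed.
function Get-PatchTriage {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($row in $Rows) {
        if ($row.Status -ne 'OK') {
            # Error / Offline rows carry no check results: unknown, not compliant.
            $failed  = @()
            $verdict = 'Unknown'
        } else {
            # CSV values are strings, so compare against the text 'True'.
            $failed  = @($required | Where-Object { $row.$_ -ne 'True' })
            $verdict = if ($failed.Count -eq 0) { 'Compliant' } else { 'NeedsAttention' }
        }
        [pscustomobject]@{
            Computer = $row.Computer
            Status   = $row.Status
            Verdict  = $verdict
            Failed   = $failed -join ','
        }
    }
}

$rows   = $csvText | ConvertFrom-Csv
$triage = Get-PatchTriage -Rows $rows

# Per-machine detail, then a count per verdict for a quick domain-wide view.
$triage | Sort-Object Verdict, Computer | Format-Table -AutoSize
$triage | Group-Object Verdict | Select-Object Name, Count | Format-Table -AutoSize
```

Machines reported as Error or Offline are kept in a separate Unknown bucket so they are not mistaken for patched systems.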
This script is public domain. Also, ABSOLUTELY NO WARRANTY. I do not guarantee at all that the script works correctly in your scenario and I am not responsible for damage!
Here's example output of what it looks like when it's running. I obfuscated my system names, but you can see how I have systems that are not yet patched below. The patches are deploying tonight. :-) You will also notice that quite a few don't have PowerShell 5 installed.
Computer          Status  BTIHWPr BTIWinPr BTIWinEn BTIDisSP BTINoHWSup KVAShdwRq KVIWinPr KVIWinEn KVIPcidEn
--------          ------  ------- -------- -------- -------- ---------- --------- -------- -------- ---------
SRVDC1.nc.us.d... Error
SRVCA1.nc.us.d... Error
SRVSCOM1.nc.us... Error
SRVMAIL1.nc.us... OK      False   False    False    False    False      True      False    False    False
SRVCCS1.nc.us.... Error
SRVTFS2.nc.us.... Error
SRVWeb2.nc.us.... Error
SRVSQL3.nc.us.... Error
SRVMail2.nc.us... Offline
SRVSQL4.nc.us.... Error
SRVWEB1.nc.us.... Error
SRVWEB3.nc.us.... Error
SRVTFSBUILD2.n... OK      False   False    False    False    False      True      False    False    False
SRVTFSBUILD1.n... OK      False   False    False    False    False      True      False    False    False
SRVTFSBUILD3.n... OK      False   False    False    False    False      True      False    False    False
DESKTOP138.nc.... Offline
SRVWEB1A.nc.us... Error
SRVCACHE1.nc.u... Error
SRVCACHE2.nc.u... Error
DESKTOP923.nc.... Offline
DESKTOP251.nc.... OK      False   False    False    False    False      True      False    False    False
SRVDC2.nc.us.d... OK      False   False    False    False    False      True      False    False    False