01/09/2018 update: added a Report and another CIR.
01/12/2018 update: updated the script to use the current script version of today (1.0.4) > Download
Scriptchangelog from Microsoft:Added message directing users to explanation of output
Addressed feedback regarding multiple CPUs when setting $cpu
02/02/2018 update: corrected & updated the vulnerable report. Added a new report with secured devices.
Vulnerable Report: Download
Secured Report: Downlaod
For an official statement from quest please visit: https://support.quest.com/kb/237193
here a quick blog to check the hardware vulnarabilities CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 or better known as Spectre and Meltdown.
I am using the Microsoft security guidance ADV180002 as base script with KACE modifications.
The outcome of this blog will be that you can easily see, filter, report and label all your Windows clients higher than Windows 7 SP1 or Server 2012 R2 which are vulnerable or secure against Spectre and / or Meltdown. To archive this we first need a script.
The script can be found in the downloaded "Spectre_Meltdown.zip".
If you need assistance to import it to your KACE SMA (K1000) please feel free to contact me.
The script will create the logfile: "C:\Windows\Logs\KACE_CPU_Check.log" and rewrite it every time.
To have the posibility to search, label and report these data we need a CustomInventoryRule.
The can be found in the downloaded "Spectre_Meltdown.zip".
After that you should be able to filter everything like you know to do it.
Enabled protections appear in the output as "true".
Example for filtering for vulnerable devices:
If you go to the details you would see that this device is vulnerable against both.
Now you want to check with one click which devices are vulnerable and compatible to get patches through patching. To do that we first need again a custom inventory which checks if the compatibility registry key is available.This can also be found in the downloaded "Spectre_Meltdown.zip".
The next step is to import the two reports which are stored in the the downloaded "Spectre_Meltdown.zip". The first report will show all vulnerable devices. The second report will list all devices which are secure.
You can modify / add / delete everything wihtin the scripts, custom inventories or SQL-Reports.
If you rename your custom inventory rules change the names in the SQL query too.