01/09/2018 update: added a Report and another CIR.
01/12/2018 update: updated the script to use the current script version of today (1.0.4)  > Download
                                Script changelog from Microsoft:
                                        Added message directing users to explanation of output
                                        Addressed feedback regarding multiple CPUs when setting $cpu
02/02/2018 update: corrected and updated the vulnerable report. Added a new report with secured devices.
                                Vulnerable Report: Download
                                Secured Report: Download

For an official statement from Quest please visit: https://support.quest.com/kb/237193

Hi all, 

here is a quick blog on how to check for the hardware vulnerabilities CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, better known as Spectre (variants 1 and 2) and Meltdown.
I am using the PowerShell script from the Microsoft security guidance ADV180002 (the SpeculationControl module) as the base script, with KACE modifications.

The outcome of this blog is that you can easily see, filter, report and label all your Windows clients (Windows 7 SP1 / Server 2012 R2 and newer) that are vulnerable to or secured against Spectre and / or Meltdown. To achieve this we first need a script.

The script looks like this and can be downloaded here
If you need assistance to import it to your KACE SMA (K1000) please feel free to contact me. 
cpu01.png

The script creates the log file "C:\Windows\Logs\KACE_CPU_Check.log" and overwrites it on every run, so the file always reflects the current state of the device (after a BIOS/microcode update or a registry change, simply run the script again).
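To show what such a wrapper around Microsoft's check can look like, here is an added example. It is not the downloadable KACE script from this post and not Microsoft's code: it calls Get-SpeculationControlSettings from the SpeculationControl module (assumed to be installed or deployed next to the script) and writes the result to the log file named above. The property names used are those of module version 1.0.4 and the two summary lines at the end of the log are my own convention; both are assumptions.

```powershell
# Added example, not the post's own script: run Microsoft's SpeculationControl
# check (ADV180002) and write the result to the log the Custom Inventory Rule reads.
$LogPath = 'C:\Windows\Logs\KACE_CPU_Check.log'

# Prefer a copy of the module deployed together with this script (KACE
# dependency), otherwise use an installed copy (Install-Module SpeculationControl).
$scriptDir   = Split-Path -Parent $MyInvocation.MyCommand.Path
$localModule = Join-Path $scriptDir 'SpeculationControl.psd1'
if (Test-Path $localModule) { Import-Module $localModule -Force } else { Import-Module SpeculationControl }

$lines  = @()
$lines += "Checked: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
$lines += "Computer: $env:COMPUTERNAME"

try {
    # The cmdlet prints an explanation to the host and returns an object with
    # the individual settings; only the object is captured here.
    $result = Get-SpeculationControlSettings

    # CVE-2017-5715 (Spectre v2, "BTI"): protected only when the OS support is
    # present AND enabled (it is disabled without firmware/microcode support).
    $btiProtected = [bool]$result.BTIWindowsSupportPresent -and [bool]$result.BTIWindowsSupportEnabled

    # CVE-2017-5754 (Meltdown, "KVA shadow"): a CPU that does not require the
    # mitigation (e.g. AMD) counts as protected; otherwise support must be
    # present AND enabled.
    $kvaProtected = (-not [bool]$result.KVAShadowRequired) -or
                    ([bool]$result.KVAShadowWindowsSupportPresent -and [bool]$result.KVAShadowWindowsSupportEnabled)

    # Write every property as "Name: true/false" (lowercase, as the CIR output
    # is filtered on the string "true"), then two summary lines for reporting.
    foreach ($p in $result.PSObject.Properties) {
        $lines += ('{0}: {1}' -f $p.Name, ([string]$p.Value).ToLower())
    }
    $lines += "Spectre_v2_protected: $($btiProtected.ToString().ToLower())"   # assumption: my own line name
    $lines += "Meltdown_protected: $($kvaProtected.ToString().ToLower())"     # assumption: my own line name
}
catch {
    # A failed check must never look like a secured device: record the error so
    # the device shows up as "unknown" in the report instead of silently passing.
    $lines += "Error: $($_.Exception.Message)"
}

# Overwrite the log on every run so the inventory always reflects the current state.
Set-Content -Path $LogPath -Value $lines -Encoding ASCII
```

Run it as SYSTEM (the way the KACE agent runs scripts) so the log lands in C:\Windows\Logs without permission problems. Note the distinction the summary lines make: a "present" but not "enabled" Windows support for the branch target injection mitigation still means the device is vulnerable, typically because the firmware/microcode update is missing.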

To be able to search, label and report on this data we need a Custom Inventory Rule (CIR) that reads the log file into the inventory.
Here you have a screenshot; the export can be downloaded here.
cpu02.png
ShellCommandTextReturn(cmd /c type ""C:\Windows\Logs\KACE_CPU_Check.log"")

After that you can filter on the inventory field the way you are used to.
Enabled protections appear in the output as "true", so a device that is secured against both vulnerabilities shows "true" for the Windows support of both mitigations.

Example for filtering for vulnerable devices:
cpu03.png
If you go to the details you will see that this device is vulnerable to both.
cpu04.png


Now you want to check with one click which devices are vulnerable and are also eligible to receive the January 2018 security updates through Patching. Windows Update only offers those updates when the antivirus compatibility registry value below is present; the AV vendor sets it to signal that its product is compatible with the updates. So we first need another custom inventory rule that checks whether the compatibility registry value exists. You can download the ready-to-use package here.

RegistryValueReturn(HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, cadca5fe-87d3-4b96-b7fb-a231484277cc, REG_DWORD) 
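To verify the same thing locally, and to combine it with the log written by the script, here is an added example (not part of the post's downloadable package). It reads the compatibility value Microsoft documented (REG_DWORD, expected value 0) and classifies a device from the log. The log format it parses is assumed to contain "Spectre_v2_protected" and "Meltdown_protected" lines in "Name: value" form; the sample log text is constructed for this example.

```powershell
# Added example, not from the post: local check of the antivirus compatibility
# flag required for the January 2018 updates, plus a device classification.
function Get-QualityCompatState {
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # documented by Microsoft

    if (-not (Test-Path $keyPath)) { return 'missing-key' }
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'missing-value' }

    # Microsoft expects REG_DWORD 0; anything else is reported, not assumed OK.
    $value = $item.$valueName
    if ($value -eq 0) { return 'compatible' }
    return "unexpected-value:$value"
}

# Parse the "Name: value" lines of the log into a hashtable (keys lowercased).
function ConvertFrom-CpuCheckLog {
    param([string]$LogText)
    $map = @{}
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') { $map[$matches[1].Trim().ToLower()] = $matches[2].Trim().ToLower() }
    }
    return $map
}

# Classify a device the way the report does: vulnerable or secured, and
# whether Patching can deliver the update at all.
function Get-DeviceStatus {
    param([string]$LogText, [string]$CompatState)
    $m = ConvertFrom-CpuCheckLog -LogText $LogText
    if ($m.ContainsKey('error')) { return 'unknown (check failed)' }

    $vulnerable = ($m['spectre_v2_protected'] -ne 'true') -or ($m['meltdown_protected'] -ne 'true')
    if (-not $vulnerable) { return 'secured' }
    if ($CompatState -eq 'compatible') { return 'vulnerable, update can be offered' }
    return "vulnerable, update blocked ($CompatState)"
}

# Constructed sample log for an offline run (the same lines the script would write).
$sampleLog = @"
Checked: 2018-02-02 10:15:00
Computer: CLIENT01
BTIWindowsSupportPresent: true
BTIWindowsSupportEnabled: false
KVAShadowRequired: true
KVAShadowWindowsSupportEnabled: true
Spectre_v2_protected: false
Meltdown_protected: true
"@

Get-DeviceStatus -LogText $sampleLog -CompatState (Get-QualityCompatState)
```

Caveat for machines without an antivirus product: Microsoft documented that the value may be set manually (REG_DWORD 0) in that case, but do not set it on a device whose AV is not confirmed compatible, because an incompatible driver together with the update can crash the system. The KACE rule above reads the 64-bit registry view (HKEY_LOCAL_MACHINE64), so compare against that view when checking by hand.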

The next step is to import a report which shows all vulnerable devices. The package can be downloaded here.
Additionally I have created a report which lists all devices that are secured. You can download it here.

You can modify / add / delete everything within the scripts, custom inventories or SQL reports.
If you rename your custom inventory rules, change the names in the SQL query too, otherwise the reports return no rows.


Cheers Timo