Meltdown & Spectre patch installation

Hi guys,

I'm unsure about the specific KB hotfix that Microsoft has released to patch the Meltdown & Spectre vulnerabilities.
Does anyone know? Are there different patches for the various operating systems (2008/2012/2016)?

In case someone has already installed them, did you notice a performance degradation? Did you do a baseline before and after the patch installation to verify the performance impact? I'm wondering how to best measure this (I'm referring to servers, i.e. data center environment).

Also, did you deploy the new registry key too before installing this patch?

Thanks!
Asked by: ferrarista
 
Lee W, MVP, Technology and Business Process Advisor, Commented:
 
John, Business Consultant (Owner), Commented:
Microsoft has been patching. The basic fix was issued late last week. That was KB4056892.

Yes, different operating systems have different patches.

No, no performance degradation. That depends on load, the computer and to some extent how old. New 64-bit computers are working fine.

"Also, did you deploy the new registry key too before installing this patch?" No. There was one for our machines that I know of. There are some workstation BIOS updates out, which I have done.
 
Cliff Galiher Commented:
Lee and John gave you the KB article.

Performance varies wildly.  Most workloads are fine.  Minimal impact.  One of my dense Hyper-V hosts is definitely taking a hit. 15% I'd estimate. But hypervisors under load with the many process swaps will see that impact more.  

AI workloads and some very random SQL reads would also be more heavily impacted.  There is a reason companies have been saying "workload dependent."  30% as some irresponsible tech blogs have claimed is a VERY extreme case though.  Normal performance counters would suffice if you really want to know.  In the SMB space, I doubt it'll get noticed.  

Regarding registry keys:

The one to allow patch detection; no.  I let the AV vendor actually set the key as intended.  If they aren't setting the key then they aren't done testing, and a BSOD is worse than the symptoms.  I don't recommend forcing by setting that key.

The three keys in the support required to enable mitigation, yes.  Installing the patch and not setting them seems counterproductive.  In some isolated workloads that do take a performance hit, I could see leaving them off as the performance gains outweigh the risks, but that would require a full risk assessment and I'd argue it is a significant edge case.  

By and large, put them in.
 
masnrock Commented:
"The one to allow patch detection; no. I let the AV vendor actually set the key as intended. If they aren't setting the key then they aren't done testing, and a BSOD is worse than the symptoms. I don't recommend forcing by setting that key."
This is partially true. While you should let your AV update the registry key, not all compatible products and versions will do so. For example, McAfee has quite a few compatible products where you have to download a script and push through ePO or find another way to get the registry update out there. However, you absolutely should be ensuring that your AV product is compatible. Just also check to see if they update the key for you. Deploying the registry key should be a backup option, and that's a decision to be made based on your existing AV not doing so.
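A read-only audit of the registry values discussed in the comments above (the antivirus compatibility flag and the three values that enable the mitigations), added here as an example and not part of the original thread. The key paths, value names and expected data are taken from Microsoft's January 2018 server guidance rather than from this page, and Test-MitigationRegistry is a hypothetical helper name.

```powershell
# Read-only audit; nothing is written to the registry.
# Paths, names and expected data follow Microsoft's January 2018 server
# guidance (an assumption: the thread itself does not list them).
$checks = @(
    # Compatibility flag that the antivirus product is expected to set
    @{ Purpose = 'AV compatibility flag'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
       Name    = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
       Expect  = 0 }
    # The three values that enable the mitigations on a server
    @{ Purpose = 'Mitigation override'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name    = 'FeatureSettingsOverride'
       Expect  = 0 }
    @{ Purpose = 'Mitigation override mask'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name    = 'FeatureSettingsOverrideMask'
       Expect  = 3 }
    # Only meaningful on Hyper-V hosts
    @{ Purpose = 'Hyper-V guest mitigations'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
       Name    = 'MinVmVersionForCpuBasedMitigations'
       Expect  = '1.0' }
)

function Test-MitigationRegistry {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value yields no object, so $actual stays $null
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($c.Name) }
        $state = if ($null -eq $actual) { 'Missing' }
                 elseif ("$actual" -eq "$($c.Expect)") { 'OK' }
                 else { 'Unexpected' }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Purpose  = $c.Purpose
            Value    = $c.Name
            Expected = $c.Expect
            Actual   = $actual
            State    = $state
        }
    }
}

Test-MitigationRegistry -Checks $checks | Format-Table -AutoSize
```

A "Missing" state on the compatibility flag means the antivirus product has not set it on that machine, which is the case the last two comments discuss.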
 
Seth Simmons, Sr. Systems Administrator, Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Lee W MVP (https:#a42427875)
-- John Hurst (https:#a42427876)
-- Cliff Galiher (https:#a42427911)
-- masnrock (https:#a42435137)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
Question has a verified solution.
