Meltdown, Spectre bug patch

We have small Windows network with Windows2008 servers.
I am wondering how to fix the CPU issue apart from applying the BISO update.
Will the windows updates push the patches?
or we have to tweak the registry keys?
Who is Participating?
Adelaido JimenezDevOpsCommented:
There are different instruction for applying the patch for windows servers and Windows clients. Make sure your AV is in the approved list for handling the patch. You will also need to verify with your hardware vendor for the hardware patch needed. check this out for applying the patches to windows servers.

AV supported list

Also, look at this question for good information on AV that support the patches.
A lot of antivirus products should just update the registry for you. However, there are some cases of AV products that will work with the patch, but NOT update the registry for you, meaning you have to come up with a way. (I'm dealing with an organization has an outdated version of McAfee that falls in this category.. they have to push out an update via ePO to get the registry update)
Mitul PrajapatiJunior IT EngineerCommented:
These are the patch details you need to install based on your OS

Windows Server 2016 - KB4056890
Windows Server 2012 R2 - KB4056898
Windows Server 2012 - KB4056899
Windows Server 2008 R2 SP1 - KB4056897
Windows 10 1709 - KB4056892
Windows 10 1703 - KB4056891
Windows 10 1607 - KB4056890
Windows 10 1511 - KB4056888
Windows 10 - KB4056893
Windows 8.1 - KB4056898
​Windows 7 SP1 - KB4056897

Registry must be the same as below if you are using antivirus software. Many antivirus software have setup the patch registry to below in order to stop this vulnerabilities.

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

sara2000Author Commented:
If we do not have anti-virus installed on a server. What is the procedure?
We do not want antivirus because of the application !!
Do we have to edit the reg key if we do not anti-virus?
Adelaido JimenezDevOpsCommented:
Here is what Microsoft is saying:

Windows 7 SP1 and Windows Server 2008 R2 SP1 Customers

In a default installation of Windows 7 SP1 or Windows Server 2008 R2 SP1, customers will not have an antivirus application installed by default. In these situations, Microsoft recommends installing a compatible and supported antivirus application such as Microsoft Security Essentials or a third-party anti-virus application. The anti-virus software must set a registry key as described below in order to receive the January 2018 security updates.

Customers without Antivirus

In cases where customers can’t install or run antivirus software, Microsoft recommends manually setting the registry key as described below in order to receive the January 2018 security updates.

Setting the Registry Key

Caution Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing keys and values" help topic in Registry Editor (Regedit.exe) or view the "Add and delete information in the registry" and "Edit registry data" help topics in Regedt32.exe.

Note: Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
sara2000Author Commented:
Is this reg key only for this Meltdown patches or any future Windows update?
Mitul PrajapatiJunior IT EngineerCommented:
It is the registry key to receive and install windows update to cure the vulnerabilities.
sara2000Author Commented:
Will the anti-virus update the REG without the reboot of the server or we have to reboot the server to get the reg key then run the windows update?
Antivirus software would update the key without a reboot. And how are you protecting that system without antivirus? Using Defender would be better than nothing
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- Adelaido Jimenez (https:#a42431703)
-- masnrock (https:#a42431813)
-- Mitul Prajapati (https:#a42432192)
-- Adelaido Jimenez (https:#a42432978)
-- Mitul Prajapati (https:#a42434327)
-- masnrock (https:#a42450006)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.