Meltdown, Spectre bug patch

We have a small Windows network with Windows 2008 servers.
I am wondering how to fix the CPU issue apart from applying the BIOS update.
Will the Windows updates push the patches?
Or do we have to tweak the registry keys?
sara2000 Asked:

Adelaido Jimenez (DevOps) Commented:
There are different instructions for applying the patch for Windows servers and Windows clients. Make sure your AV is in the approved list for handling the patch. You will also need to verify with your hardware vendor for the hardware patch needed. Check this out for applying the patches to Windows servers.
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

AV supported list
http://www.zdnet.com/article/windows-meltdown-spectre-fix-how-to-check-if-your-av-is-blocking-microsoft-patch/?loc=newsletter_large_thumb_featured&ftag=TRE-03-10aaa6b&bhid=23164040498209351948461508422926

Also, look at this question for good information on AV that supports the patches.
https://www.experts-exchange.com/questions/29076730/Windows-performance-hit-from-Meltdown-Sceptre-patches.html#a42424839
0

masnrock Commented:
A lot of antivirus products should just update the registry for you. However, there are some cases of AV products that will work with the patch, but NOT update the registry for you, meaning you have to come up with a way. (I'm dealing with an organization that has an outdated version of McAfee that falls in this category. They have to push out an update via ePO to get the registry update.)
0
Mitul Prajapati (IT Supervisor) Commented:
These are the patch details you need to install based on your OS

Windows Server 2016 - KB4056890
Windows Server 2012 R2 - KB4056898
Windows Server 2012 - KB4056899
Windows Server 2008 R2 SP1 - KB4056897
Windows 10 1709 - KB4056892
Windows 10 1703 - KB4056891
Windows 10 1607 - KB4056890
Windows 10 1511 - KB4056888
Windows 10 - KB4056893
Windows 8.1 - KB4056898
Windows 7 SP1 - KB4056897

The registry must be the same as below if you are using antivirus software. Many antivirus products have set the registry as below in order to stop these vulnerabilities.

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
Data="0x00000000"

Done!!
0
sara2000 (Author) Commented:
If we do not have anti-virus installed on a server, what is the procedure?
We do not want antivirus because of the application!!
Do we have to edit the reg key if we do not have anti-virus?
0
Adelaido Jimenez (DevOps) Commented:
Here is what Microsoft is saying:

Windows 7 SP1 and Windows Server 2008 R2 SP1 Customers

In a default installation of Windows 7 SP1 or Windows Server 2008 R2 SP1, customers will not have an antivirus application installed by default. In these situations, Microsoft recommends installing a compatible and supported antivirus application such as Microsoft Security Essentials or a third-party anti-virus application. The anti-virus software must set a registry key as described below in order to receive the January 2018 security updates.

Customers without Antivirus

In cases where customers can’t install or run antivirus software, Microsoft recommends manually setting the registry key as described below in order to receive the January 2018 security updates.

Setting the Registry Key

Caution Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing keys and values" help topic in Registry Editor (Regedit.exe) or view the "Add and delete information in the registry" and "Edit registry data" help topics in Regedt32.exe.

Note: Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
Data="0x00000000"
0
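As an added example (not part of any post in this thread and not Microsoft's code), the PowerShell function below audits the QualityCompat value quoted above and lists which of the KBs named in this thread are installed. The function name `Test-QualityCompatKey` and its `-Set` switch are names chosen for this example; the registry path, value name and KB numbers are taken from the thread.

```powershell
# Added example: audit (and optionally set) the QualityCompat value from this thread.
# Run from an elevated prompt. Function name and -Set switch are hypothetical.
function Test-QualityCompatKey {
    param([switch]$Set)

    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    # KB numbers exactly as listed in this thread for the January 2018 updates.
    $kbs = 'KB4056890','KB4056898','KB4056899','KB4056897',
           'KB4056892','KB4056891','KB4056888','KB4056893'

    # Distinguish "absent" from "present with the wrong type or data".
    $state = 'Missing'
    if (Test-Path $path) {
        $key = Get-Item $path
        if ($key.GetValueNames() -contains $name) {
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name)
            if ($kind -eq 'DWord' -and $data -eq 0) { $state = 'Correct' }
            else { $state = "Wrong ($kind = $data)" }
        }
    }

    # Only write when explicitly asked, e.g. on a server that cannot run antivirus.
    if ($Set -and $state -ne 'Correct') {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $name -PropertyType DWord `
            -Value 0 -Force | Out-Null
        $state = 'Correct (set by this run)'
    }

    # Which of the thread's KBs does this machine report as installed?
    $installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID } |
                 ForEach-Object { $_.HotFixID }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        QualityCompat = $state
        InstalledKBs  = ($installed -join ', ')
    }
}

Test-QualityCompatKey          # report only
# Test-QualityCompatKey -Set   # write the value, then run Windows Update
```

An empty `InstalledKBs` only means none of the KBs listed in this thread are present; it does not by itself show that the server is unpatched.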
sara2000 (Author) Commented:
Is this reg key only for these Meltdown patches or for any future Windows update?
0
Mitul Prajapati (IT Supervisor) Commented:
It is the registry key to receive and install Windows updates to cure the vulnerabilities.
0
sara2000 (Author) Commented:
Will the anti-virus update the registry without a reboot of the server, or do we have to reboot the server to get the reg key and then run Windows Update?
0
masnrock Commented:
Antivirus software would update the key without a reboot. And how are you protecting that system without antivirus? Using Defender would be better than nothing.
0
Seth Simmons (Sr. Systems Administrator) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Adelaido Jimenez (https:#a42431703)
-- masnrock (https:#a42431813)
-- Mitul Prajapati (https:#a42432192)
-- Adelaido Jimenez (https:#a42432978)
-- Mitul Prajapati (https:#a42434327)
-- masnrock (https:#a42450006)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0