Patch Management Group

Using CMS to remediate for Spectre / Meltdown on client PCs 

Jan 11, 2018 08:36 AM

Some helpful links
Microsoft Client Guidance
Microsoft Security Advisory ADV180002
Microsoft Understanding Performance impact of mitigations
Spectre-Meltdown Overview
Symantec Product Update INFO 4786
Symantec Microsoft Software Update release Jan 2018 INFO4782
Meltdown-Spectre powershell reporting tool
Dell BIOS update for clients

Per the Microsoft client guidance link above, the first step to protecting your clients is making sure your antivirus is updated.  We use Sophos, and you can see if a client has the necessary registry key by looking at the following registry value:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"

All of the major antivirus companies are going to push that key out, but you have to check with yours.  This key is required in order for your computers to become applicable for the necessary Windows security update in the Symantec Patch Remediation Center and for future Windows rollups and security updates.  The patch is included in the monthly rollups (so MS18-01-MR7 for Win7 or MS18-01-W10 for Win10).  I didn't test because we always push monthly rollups for Win7, but I am confident the updates for this vulnerability are included in the security-only update MS18-01-SO7.  These updates are included in PMImport 7.2.118.

The trick for us is how to update the BIOS remotely, because we use BitLocker to encrypt our hard drives, and you need to suspend BitLocker for BIOS updates to run.  I am testing a workflow that pushes the BIOS update along with an XML file in order to re-enable BitLocker afterwards.  This is an example of the software resource for the Dell Latitude 5x80 series. The XML file is attached to this article; it just creates a scheduled task that re-enables BitLocker on startup and then deletes itself.

When creating this new software resource, I also create a dummy command line item in order to get the files onto the computer without actually executing them.

Note: You could just copy the necessary files to your workstations with a file copy job instead of creating a software resource, should you choose.

Below is the script I'm using to suspend BitLocker, update the BIOS, and add the scheduled task to re-enable BitLocker.  You'll need to modify the file path with your GUID (which you can find by navigating to your software library and finding the uploaded BIOS file) and enter your BIOS password.

REM Suspend BitLocker on the OS drive so the firmware flash does not trigger recovery
Manage-bde.exe -protectors -disable c:

REM Update BIOS silently (Dell flash utility; /FORCEIT skips the AC-power and version prompts, log written to c:\drivers)
"C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{YOURGUIDHERE}\cache\Latitude_5X80_Precision_3520_1.8.1.exe" /s /p=BIOSPASSWORDHERE /FORCEIT /l=c:\drivers\5480-181.log

REM Register the startup task (from the attached XML) that re-enables BitLocker after the reboot and then removes itself
schtasks /create /f /tn "Bitlock" /XML "C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{YOURGUIDHERE}\cache\enablebitlockeronstartup.xml"

Note: the risk with this method is users going home without restarting, leaving a machine with BitLocker suspended, so you may have to address that with a scheduled restart; also, laptops will only update while plugged into power.  There are also expected slowdowns with the BIOS updates, particularly on older processors, so you may have to weigh that in your environment.

Clients will need to run hardware inventory updates in order to report their new BIOS version back to CMS.  You will likely want to check your hardware inventory delta schedules and run them more often during the remediation, or at least scope a new delta update for the models not yet on the correct BIOS.

You can create a filter/target that checks for Model like X and BIOS version is not the latest; see the solution on this post for the query.

Testing is still needed, but you should be able to combine all the tools above in a quick delivery and/or managed software policy to get the BIOS updated on your clients, fully remediating them against Spectre and Meltdown.

Would love to hear tips of how others are planning remediation.
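As an added example (not code from the post, its attachment, or Symantec), here is a PowerShell compliance check a defender can run on a client, or wrap in a custom inventory, to confirm the three things this workflow depends on: the QualityCompat value is present, the BIOS is on the pushed version, and BitLocker protection came back on rather than being left suspended. The target BIOS version string, the English-language manage-bde output, and PowerShell 3.0 or later are assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumptions (placeholders): $TargetBiosVersion is the build you are pushing for the
# model in question; manage-bde output is parsed as English text; PowerShell 3.0+.
param(
    [string]$TargetBiosVersion = '1.8.1',   # placeholder: BIOS build from your software resource
    [string]$OsDrive           = 'C:'
)

$r = [ordered]@{ Computer = $env:COMPUTERNAME }

# 1. QualityCompat value (ADV180002). Without it the January 2018 update is never
#    offered, so the client never shows as Applicable in the patch console.
$qcPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qcName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$qc = Get-ItemProperty -Path $qcPath -Name $qcName -ErrorAction SilentlyContinue
$r.QualityCompatPresent = ($null -ne $qc)

# 2. BIOS version as hardware inventory will report it (Win32_BIOS).
$bios = Get-CimInstance -ClassName Win32_BIOS
$r.BiosVersion   = $bios.SMBIOSBIOSVersion
$r.BiosIsCurrent = ($bios.SMBIOSBIOSVersion -eq $TargetBiosVersion)

# 3. BitLocker state via manage-bde, which exists on Windows 7 and 10 alike.
#    "Fully Encrypted" plus "Protection Off" is the suspended state the post warns
#    about: the user went home before the re-enable task could run.
$status = & manage-bde.exe -status $OsDrive 2>$null
$r.BitLockerEncrypted    = [bool]($status -match 'Conversion Status:\s+Fully Encrypted')
$r.BitLockerProtectionOn = [bool]($status -match 'Protection Status:\s+Protection On')
$r.BitLockerSuspended    = $r.BitLockerEncrypted -and -not $r.BitLockerProtectionOn

# 4. Is the "Bitlock" startup task still registered? Suspended with no task left
#    means nothing will restore protection; that machine needs manual follow-up.
& schtasks.exe /query /tn 'Bitlock' 2>$null | Out-Null
$r.ReenableTaskPresent = ($LASTEXITCODE -eq 0)

# Verdicts suitable for a CMS filter or report column.
$r.Compliant      = $r.QualityCompatPresent -and $r.BiosIsCurrent -and $r.BitLockerProtectionOn
$r.NeedsAttention = $r.BitLockerSuspended -and -not $r.ReenableTaskPresent

[pscustomobject]$r
```

Pipe the output to Export-Csv from a run script task to collect fleet-wide results; machines with NeedsAttention set are the ones to target with the scheduled restart mentioned above.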

Attachment(s)
xml file
enablebitlockeronstartup.xml   1 KB   1 version
Uploaded - Feb 25, 2020

Comments

Jan 18, 2018 02:01 PM

@chrismvevoy72 - no worries, glad it was helpful to someone.  Are you planning on doing the HP updates in person, or can your users suspend because they run as admins?  There's definitely some sneakernet going on here to get BIOS updated, unfortunately.

Jan 18, 2018 12:34 PM

Thanks Sally - this is a really useful article!

We are planning to tackle it in a similar way, although we have mostly HP devices here.  From the brief testing I've done so far the BIOS update for the HP laptops seems to detect if bitlocker is enabled and allows you to suspend it as part of the BIOS update process, so I'm hoping to avoid the need for any bitlocker scheduled tasks for our laptops.

I'm using a separate tool while I'm testing to report back on whether the patches have mitigated the risk, but once I go to production I could do with an Altiris report to run that would report back whether the software patches are done and if the BIOS update has been done.  Apparently MS have released a powershell module to achieve that in powershell but I've not looked into it yet...

Jan 11, 2018 02:13 PM

Thanks, Joshua. I had missed the attached files on that INFO article.  Cheers.

Jan 11, 2018 01:53 PM

Thank you!

I'd like to advise reviewing INFO4782 and noting the caveats on how Patch Management Solution targets and what merits Applicable.

There are two custom jobs/reports that help isolate whether the required registry key was updated by the antivirus being current and whether there are any AMD clients which need to be excluded from patching.
