Microsoft has modified its Windows Analytics service for IT admins to report on machines’ Meltdown/Spectre protection status.
The Meltdown/Spectre vulnerabilities have been a headache for everyone, but imagine having to deal with it for hundreds or thousands of machines. That task has already fallen onto the shoulders of the world’s IT admins. To make their jobs a little easier, Microsoft put a trio of new features into its Windows administration tool suite.
The first is an antivirus status check that probes whether a machine’s installed antivirus software will prevent it from receiving a Windows Meltdown/Spectre patch. The possibility of anti-virus software interfering with the patches was discovered when Microsoft released them in early January. Microsoft eventually gated the deployment of patches according to a whitelist of antivirus softwares. This new feature seems to leverage that list to give visibility into the issue.
The natural consequence of needing multiple patches, some of which your machine might have been gated from receiving, is that it can be difficult to definitively know whether your system is protected. System admins can be dealing with this for multiple generations of machines and Windows, so Microsoft has consolidated all information related to the deployment of Windows Meltdown/Spectre patches into one place. Windows Analytics will show, beyond which machines have the correct patch installed, which have had it disabled. Due to the initially unclear performance impact of the patches, Windows Meltdown/Spectre patches were defeatable with a registry modification. Microsoft later added another registry kill-switch to nullify Intel’s bugged BIOS updates.
Intel’s BIOS debacle is probably the reason Microsoft added this third feature, because Windows Analytics now reports on machines’ specific BIOS version. This is for automatically checking against lists provided by processor manufacturers. If you have any doubt that this is difficult to do, then look at Intel’s Spectre microcode revision guidance. Each line on there is one or a family of Intel CPUs that needs a specific BIOS update. Certain AMD and ARM CPUs have reportedly had firmware updates released for them as well, but they haven’t been as widely publicized. That's all the more reason for for Microsoft to make this aspect visible.
The Meltdown/Spectre issue has truly sent some waves through the tech industry. (We've been tracking all of it here.) As we know by now, Meltdown/Spectre mitigations are multi-faceted, and miscommunication between companies has left everyone confused more than once. Microsoft’s attempt to bring visibility and certainty to protecting against Meltdown/Spectre can only be a good thing.