Friday, 26 January 2018

Windows Patches for Meltdown and Spectre remediation

Or, All you need to know about windows patches for Meltdown and Spectre vulnerabilities

Or, Microsoft Windows Operating Systems Patches for Meltdown and Spectre Vulnerabilities

Microsoft's process for releasing Windows updates addressing Meltdown and Spectre has been a good and well as problematic causing high-profile incompatibility issues with third-party antivirus (AV) software and AMD processors. In some cases, delivery of the latest security update has been restricted or suspended by Microsoft.

More details and direct download links to the updates below:  
What they addressed in these fixes
  • Spectre variant 1, bounds check bypass (CVE-2017-5753)
  • Meltdown, rogue data cache load (CVE-2017-5754)

    UPDATE (1/17/18): As readers have pointed out, it appears Windows patches for 32-bit systems (x86-based systems) do not provide Meltdown mitigations.
    Per Microsoft:
The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.

What they don't address in these fixes:
  • Spectre variant 2, branch target injection (CVE-2017-5715) — firmware updates are required to fully address Spectre variant 2. 
Known issues with AV agents (also explained in MS Advisory):
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
This has created a lot of confusion, especially since the response from AV vendors has varied, with some setting the registry key for their customers and others recommending users set it, themselves, manually. The situation only gets more complicated considering many organizations have more than one AV solution installed. 
Update: Microsoft has clarified that Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the update and do set the required registry key.

That means as long as you have one of these built-in Microsoft protections enabled the registry key should be set automatically — no further, manual action should be necessary. 

Be careful: If you are using third party software that Microsoft offically recognizes as AV, it is important to note that, by default, Windows Defender and Microsoft Security Essentials will turn themselves off. That means the registry key won't be added unless you or your AV actively do it. 
It’s better approach that, you first reach out to your AV vendor and ask for AV update/upgrade patches which ensures the compatibility with these MS updates. After installing AV patches, you should proceed with windows patches installation for smooth deployment. This means not that, you can’t update windows patches without updating AV.

Some Additional References:

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

Question: I have an AMD-based device and compatible antivirus software, but I am not getting the January 2018 Windows Security Update. Why is that?

Answer: Microsoft has received reports that some devices using certain AMD processors can enter an unbootable state after installing the January Windows security updates. To prevent this, Microsoft has temporarily suspended automatically sending the following Windows security updates to devices with affected AMD processors:
·         KB4056892
·         KB4056891
·         KB4056890
·         KB4056888
·         KB4056893
·         KB4056898
·         KB4056897
·         KB4056894
·         KB4056895

Microsoft is working with AMD to resolve this issue and to resume offering Windows security updates to the affected AMD devices via Windows Update and WSUS as soon as possible. For AMD device-specific information please contact AMD.

Server Operating Systems (Affected Table):

Operating system version
Update KB
Windows Server, version 1709 (Server Core Inst..)
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Not available
Windows Server 2008 R2
Windows Server 2008
Not available

Windows Client:

AV Agent Relational Advisory by MS:

Unbootable state for AMD devices in Windows 8.1 and Windows Server 2012 R2

Reference KBs

KB4073576 is not applicable for Intel platform

KB4073576 is applicable for Client machines on Windows 8.1 AMD platform

Cheers, Please write me back if you have any feedback or suggestions..

Sunday, 17 December 2017

Update multiple user’s profiles in O365 using PowerShell

Or, Updating bulk user’s job title, phone, title, email ID etc... In O365 using PowerShell
Or, How to update user’s profile in O365 using PowerShell with csv import function?

Descriptions: This is one of the very common task that you may be doing on very frequent intervals. Generally when promotions or appraisal are announced in an organization, the Exchange server administrator and AD administrators are requested to update the user’s profiles as per the current designation, extension, department etc...
If you are looking for PowerShell command to update user’s profiles in bulk, you are at the right place and you may refer the steps below.

Connect to Microsoft Azure AD > Open Windows PowerShell (Run as Administrator) > Type the command below and hit Enter


Once you have the sign-in pop, please feed in your O365 credentials

Feed in all the info as per your requirement in a CSV file, as reference shown below.

Run below command now and hit Enter
$users = Import-Csv 'D:\temp\UsersInfoUpdate\profileupdate1.csv'

Now run below command to update all the details you have selected
$users | ForEach-Object { Set-MsolUser -UserPrincipalName $_.Email -Title $_.Jobtitle -PhoneNumber $_.OfficePhone -MobilePhone $_.MobilePhone }

Reference screenshot of PowerShell command execution with all commands in sequence:

Cheers, Please write me back if you have any query or feedback on this…