Spectre, Meltdown, and Your Enterprise

Update: Intel has reported that customers with certain CPUs are experiencing random reboots after applying firmware updates to patch this vulnerability. I can’t say this enough but TEST before rolling these out!

By now, you have likely heard about recently disclosed vulnerabilities called Spectre and Meltdown.  If not, TechCrunch has a detailed article about them that will get you up to speed.  The vulnerability affects most modern operating systems and processors.  It also affects other systems such as iOS, MacOS, Android, Chrome, etc.

I have found that many IT people I talk with do not understand what needs to happen to address these vulnerabilities.  I think this is (at least partly) because unlike many previous vulnerabilities, simply installing a Windows update does not fix the problem.  The fix also requires registry keys to be set and firmware updates released by the hardware manufacturers to be applied.

After reviewing what needs to happen to protect enterprise systems, I have pulled together some information so you can protect yourself as well.  While this is not an all-encompassing guide, it should point you to many of the resources needed to address the vulnerabilities.    Rather than this blog post being extremely long and repetitive, you will find many linked items below to already created documentation that will be helpful in patching your systems. Continue reading

ConfigMgr 1702 Rollup Update Deployment Gotchas

Microsoft released a Rollup Update for Configuration Manager v1702 this week to address multiple issues.  One specific issue that affected many deployments was related to operating system deployment:

Starting with System Center Configuration Manager, version 1702, unknown computers that are started from media or PXE may not find task sequences targeted to them. This issue may occur if the Previous button on the “Select a task sequence to run” page is selected on the unknown computer.

There are already great examples of how to install this update, but there are a couple of key gotchas I ran into during deployment.

Continue reading

Granting Permissions to Create Power Management Report Subscriptions in SCCM

With the role based administration controls (RBAC) in SCCM 2012 and above, a common way to grant access to reporting is using the built-in security role Read-Only Analyst.  This role grants access to view Configuration Manager objects, but also to run reports.  However, it does not grant permission to create subscriptions to these reports.  Subscription permissions are tied to other built-in roles.  For example, adding the Operating System Deployment Manager security role to a user would add the ability to create subscriptions to reports about OSD.  The only built-in role that grants permission to schedule Power Management reports, though is the Operations Administrator role.  Using custom permissions, we can grant the ability to create a subscription for all reports including Power Management.  These custom permissions will still honor any Security Scopes and Collections that are assigned to the Administrative User. Continue reading