Microsoft delivers free Meltdown-Spectre assessment tool for IT pros
Protecting an organization from attacks based on two widespread and potentially deadly security vulnerabilities requires monitoring software, firmware, and antivirus updates. New capabilities in Microsoft's Windows Analytics service display that status on a single dashboard.
The biggest challenge is keeping track of all the pieces that need to be patched. To fully protect your Windows PCs from the inevitable attacks aimed at these vulnerabilities, you'll need to apply multiple software patches and update the BIOS or firmware on the underlying hardware.
If your organization has standardized on third-party antivirus software, you'll also have to assess whether that software is compatible with those software and firmware patches. (You might also need to edit the registry on affected PCs to unblock security updates for those devices.)
But don't do that until the PC maker pushes out a new firmware update to replace the defective one.
If you're responsible for a single PC, that checkup is easy to do manually. In a small office with a half-dozen PCs, it's a tedious but manageable task.
On a network with hundreds or thousands of Windows PCs, however, inspecting and patching every device by hand is impractical.
To address that acute problem, Microsoft announced today that it's releasing a new set of tools to help Windows admins assess what they need to do to protect their enterprise PCs from Meltdown and Spectre.
These capabilities are available through the free Windows Analytics service, which collects data from an organization's registered devices using the built-in Windows telemetry service and displays the aggregated protection status on a single dashboard like the one shown here.
The Windows Analytics capabilities are available on Pro, Enterprise, and Education editions of all supported desktop versions of Windows: Windows 7 with Service Pack 1, Windows 8.1, and Windows 10. Setting up the service requires an Azure Active Directory account, which is also free. (If your organization has a business or enterprise Office 365 subscription, you already have the Azure AD infrastructure in place.)
As the screenshot above illustrates, the dashboard displays three crucial pieces of information, called status insights:
Antivirus software status: Most third-party antivirus software has been updated to be compatible with the Windows security updates for Spectre and Meltdown. This status insight should identify any devices that still require updates.
Windows security update status: This panel shows which security updates have been installed on a device that's being monitored and also indicates whether any of those updates have been disabled. This status insight includes information for all original January 2018 updates as well as the updates released as part of the February 2018 Patch Tuesday release. (For a complete list of software updates by edition, see "Protect your Windows devices against Spectre and Meltdown" [KB4073757].)
Firmware security update status: In an interview ahead of today's announcement, Klaus Diaconu, Partner Group Program Manager at Microsoft, acknowledged that this piece of the puzzle is "still evolving." Intel pulled its original microcode updates, and some of the PC makers who were burned with the initial batch of defective updates are being more cautious with the latest round of updates.
From that dashboard, an IT pro can drill down into groups and even to specific devices to determine what actions are still required.
Most large organizations already have update management tools in place to deliver Windows security patches and antivirus updates as needed. Firmware updates are potentially the most problematic, as they don't always allow for automated updates from a centralized server.
This is not a problem for Microsoft's Surface devices, which deliver firmware and other system software updates through Windows Update. For other PC OEMs, the update workflow might be more challenging, and it might be weeks or months before the required updates are available.
In the short run, this service solves a serious problem for harried IT pros. In the long run, it also represents an opportunity for Microsoft to introduce its relatively new Windows Analytics service to a generation of admins who haven't tried it yet. Because, sadly, the Meltdown-Spectre cleanup is going to be a long process, with more updates to come.