Configure-RegistryForMicrosoftIntelPatch.ps1
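<#PSScriptInfo

.VERSION 1.0.0

.GUID 1b039c19-c5a5-4348-859b-e4dadd486bbe

.AUTHOR chrisblackgb

.COMPANYNAME

.COPYRIGHT

.TAGS

.LICENSEURI

.PROJECTURI

.ICONURI

.EXTERNALMODULEDEPENDENCIES

.REQUIREDSCRIPTS

.EXTERNALSCRIPTDEPENDENCIES

.RELEASENOTES

#>

<#
.DESCRIPTION
 Verify and/or Set Registry settings to allow speculative execution side-channel vulnerabilities patches to be installed
#>

Function Configure-RegistryForMicrosoftIntelPatch
{
<#
.SYNOPSIS
Verify and/or set the registry value that allows the speculative execution side-channel vulnerability patches to be installed

.DESCRIPTION
To apply the patches for the speculative execution side-channel vulnerabilities you need to set the following registry value first.
Due to an issue with some versions of anti-virus software, the fix is only made applicable to machines where the anti-virus ISV has updated the ALLOW REGKEY.

REGKEY on the machine:
Key="HKEY_LOCAL_MACHINE"
Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"

.EXAMPLE
Configure-RegistryForMicrosoftIntelPatch -CheckValues

.EXAMPLE
Configure-RegistryForMicrosoftIntelPatch -CheckValues -Create

.EXAMPLE
Configure-RegistryForMicrosoftIntelPatch -CheckValues -Remove

.EXAMPLE
Configure-RegistryForMicrosoftIntelPatch -CheckValues -Create -WhatIf

.EXAMPLE
Configure-RegistryForMicrosoftIntelPatch -CheckValues -Remove -WhatIf

.PARAMETER CheckValues
Mandatory parameter. When set, the current value is displayed before any change is made.
The value after execution is always displayed.

.PARAMETER Create
Optional parameter. Creates the QualityCompat key if it is missing and sets the value to DWORD 0.

.PARAMETER Remove
Optional parameter. Removes the whole QualityCompat registry key, not only the value.
If -Create and -Remove are passed together, the key is created and then removed.

.NOTES
Setting this value by hand tells Windows Update that the installed anti-virus product is compatible with the update.
Only use -Create when no anti-virus product is installed or the vendor has confirmed compatibility: Microsoft ties
the value to anti-virus compatibility because incompatible products can cause stop errors once the update is installed.

The value only makes the update applicable. It does not install the update, and on Windows Server the mitigations
have to be enabled separately (see the Windows Server guidance under the links below).

Writing to HKEY_LOCAL_MACHINE requires an elevated session.

.LINK
https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

.LINK
https://support.microsoft.com/en-gb/help/4056890/windows-10-update-kb4056890

.LINK
https://support.microsoft.com/en-gb/help/4056898/windows-81-update-kb4056898
#>

    [CmdletBinding(
        SupportsShouldProcess = $True
    )]
    param
    (
        [Parameter(Mandatory=$true)]
        [AllowNull()]
        [AllowEmptyString()]
        [switch]$CheckValues,

        [Parameter(Mandatory=$false)]
        [AllowNull()]
        [AllowEmptyString()]
        [switch]$Create,

        [Parameter(Mandatory=$false)]
        [AllowNull()]
        [AllowEmptyString()]
        [switch]$Remove
    )

    # Rooted provider path. A drive-relative "HKLM:SOFTWARE\..." would resolve against the
    # current location on the HKLM: drive and could read or write a different key.
    $KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    # Clear Errors
    $err = $null

    # Check Values before
    If($CheckValues)
    {
        $CheckValuesBefore = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue -ErrorVariable err) |
            Select-Object -Property $ValueName
        If($err){Write-Host "$err You need to create it first" -ForegroundColor Red}
        Write-Host "Before changes: $CheckValuesBefore"
    }

    # Create
    If($Create)
    {
        # Create the key only when it is missing, so the expected "already exists" error
        # does not have to be silenced and a real failure is reported.
        If(-not (Test-Path -Path $KeyPath))
        {
            New-Item -Path $KeyPath -ErrorAction SilentlyContinue -ErrorVariable err -Verbose
            If($err){Write-Host "$err The registry key could not be created; check that the session is elevated" -ForegroundColor Red}
        }

        Set-ItemProperty -Path $KeyPath -Name $ValueName -Type "DWORD" -Value 0 -ErrorAction SilentlyContinue -ErrorVariable err -Verbose
        If($err){Write-Host "$err The registry value could not be set" -ForegroundColor Red}
    }

    # Remove
    # -WhatIf / -Confirm given to this function are inherited by the cmdlets below through SupportsShouldProcess.
    If($Remove)
    {
        Remove-Item -Path $KeyPath -ErrorAction SilentlyContinue -ErrorVariable err -Verbose
        If($err){Write-Host "$err The registry key could not be removed" -ForegroundColor Red}
    }

    # Check Values after (runs regardless of -CheckValues so the resulting state is always shown)
    $CheckValuesAfter = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue -ErrorVariable err) |
        Select-Object -Property $ValueName
    Write-Host "After changes: $CheckValuesAfter"
}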