Patches in SCCM console shows as “Not Required” for Jan 3 out of band patches.
KB4056897, KB4056898 and KB4056890 KBs for server operating systems
“Allow Regkey” to be created on all OS platform where update is required.
Provided in below links:
1. Create package to allow registry entry on server – No reboot required for this step.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat]
"cadca5fe-87d3-4b96-b7fb-a231484277cc"=dword:00000000
2. Initiate Scan to receive the latest security patches
3. Create Deployment(s) in SCCM and deploy on to clients
4. Create sccm package and deploy on client machines to add 3 registry values to Enable the Fix – Restart required
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
5. Restart the server
Refer the below Links for more detail
Microsoft KBs -
Important Link related to vulnerability for more details:
Additional guidance
Windows Server guidance to protect against speculative execution side-channel vulnerabilities
ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
Important: Windows security updates released January 3, 2018, and antivirus software
