Security Tool: Implement registry keys per Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Version 6



    The Ivanti Content Team created a Security Tool to help implement the required registry keys discussed in the Microsoft article linked below. This document steps through the configuration needed to specifically target the new Security Tool and deploy it to your clients.


    Windows Server guidance to protect against speculative execution side-channel vulnerabilities


    "Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM. Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware or firmware updates and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software."
    As we are unable to completely test the impact of adding these registry keys per Microsoft guidance, we highly recommend testing this in your test labs before pushing to production. One known side effect of implementing this will be a performance decrease.




    You will be creating a Scan Template and Patch Group to specifically target this Security Tool.  This will allow you to scan with automatic deployment without having to worry about installing other Security Tools we offer.  We will be offering 2 Security Tools, one to implement the registry keys and another to remove the registry keys.


    • IVA18-001 Q4072698: This tool enables the fix for ADV180002
    • IVA18-001 Q4072698U: This tool disables the fix for ADV180002


    Creating the Patch Group


    A Patch Group contains a list of patches that you can use as a baseline (to scan for) or use to exclude from scan results. We will be using a Patch Group as a baseline to scan for IVA18-001 Q4072698.


    1. Navigate to New > Patch Group.  Enter a Name for the Patch Group and optionally a Description. Click Save.


    2. Search for IVA18-001 or 4072698. Right-click on the Security Tool IVA18-001 Q4072698 and choose Add to Patch Group then choose the Patch Group you created.


    3. The Patch Group is created and can be added to the Patch Scan Template. Close the Patches window.


    Creating the Patch Scan Template


    The Scan Template, along with your new Patch Group, will help you scan for the new Security Tool.


    1. Navigate to New > Patch Scan Template


    2. Give the Scan Template a Name. Matching the Patch Group Name is advisable.


    3. In the Baseline or Exceptions section, choose Baseline and check-mark your Patch Group. (No other filtering is needed.)


    4. The Scan Template should look similar to this:



    5. The Patch Scan Template is created. Click Save.


    Scanning for the Security Tool


    The setup is complete. You can use your new Patch Scan Template to scan for the new Security Tool IVA18-001 Q4072698. The Security Tool will show as missing on systems that do not have the registry keys on them and can be deployed like a regular update. A reboot is required.


    Additional Information


    • The target systems need to be restarted after running the Security Tools to enable or disable the registry keys for the changes to take effect.
    • You can follow these instructions to scan for the uninstall Security Tool by creating a Patch Group including the IVA18-001 Q4072698U version of the tool.
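
    To confirm on a target system that the registry values are present and that the required restart has happened, a read-only check such as the following can be run locally. This is an added example, not code from Ivanti or from the Security Tool. The function name is hypothetical, the value names and paths are those from Microsoft's published guidance rather than from this page, and the expected data is an assumption to confirm against the current Microsoft article.

```powershell
# Added example (not Ivanti code). Read-only: reports values, changes nothing.
# Value names/paths follow Microsoft's published guidance; the Expected data
# is an assumption. Confirm it against the current Microsoft article.
function Get-SpecExecRegistryState {
    $mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    $checks = @(
        @{ Path = $mm;   Name = 'FeatureSettingsOverride';     Expected = 0 }
        @{ Path = $mm;   Name = 'FeatureSettingsOverrideMask'; Expected = 3 }
        # Hyper-V hosts only in Microsoft's guidance; may be absent elsewhere.
        @{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Expected = '1.0' }
    )
    # Last boot time lets you confirm the required restart happened after deployment.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }

        # Compare as strings so DWORD and REG_SZ values are handled the same way.
        if ($null -eq $actual)                  { $state = 'Missing' }
        elseif ("$actual" -eq "$($c.Expected)") { $state = 'Match' }
        else                                    { $state = 'Different' }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            State    = $state
            LastBoot = $lastBoot
        }
    }
}

Get-SpecExecRegistryState | Format-Table -AutoSize
```

    On a system where the IVA18-001 Q4072698U tool was run, the values it removes would be expected to report as Missing.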


    Affected Product(s)


    Ivanti Patch for Windows Servers 9.3.x

    Shavlik Protect 9.2.x