We recently had a scan on our network which revealed that many Critical/High Windows patches are missing. Upon further investigation, these patches are installed, but apparently require additional Registry configuration for the patch to be enabled. An example would be:
https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
For CVE-2017-5715, this involves adding 2 DWORDs and 1 String in order to enable the mitigations.
My question is, how do others manage the additional requirements? Like many, we see the patch installed in the SCCM reporting and assume all is well. Does anyone review every individual patch each month to look for additional requirements? Then test the Registry changes for each patch and roll them out using GPO?
Most importantly, why don't Microsoft include the required Registry changes in the patch installation, thus making it truly automated?
Thanks all!
Chris
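One way to stop relying on "patch installed" alone is to audit the registry values the KB asks for and feed the result into reporting. The script below is an added example, not part of Chris's post; the three value names and the expected settings (`FeatureSettingsOverride`, `FeatureSettingsOverrideMask`, `MinVmVersionForCpuBasedMitigations`) are my reading of the linked KB4072698 article and should be confirmed against it before use.

```powershell
# Added example: audit the KB4072698 speculative-execution registry values on the
# local machine and report which are missing or wrong. The expected values are an
# assumption taken from the KB article; verify them there before deploying.
$expected = @(
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name  = 'FeatureSettingsOverride';     Type = 'DWord';  Value = 0 },
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name  = 'FeatureSettingsOverrideMask'; Type = 'DWord';  Value = 3 },
    # The String value is only relevant on Hyper-V hosts according to the KB.
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
       Name  = 'MinVmVersionForCpuBasedMitigations'; Type = 'String'; Value = '1.0' }
)

function Test-MitigationRegistry {
    param([Parameter(Mandatory)][array]$Expected)
    foreach ($e in $Expected) {
        # Missing key or missing value both surface as $null, i.e. non-compliant.
        $actual = $null
        $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($e.Name) }
        [pscustomobject]@{
            Name      = $e.Name
            Expected  = $e.Value
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
        }
    }
}

$results = Test-MitigationRegistry -Expected $expected
$results | Format-Table -AutoSize

# Non-zero exit lets an SCCM Configuration Item or scheduled task flag the host.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Wrapped in an SCCM Configuration Item (or run via a GPO scheduled task) this gives the "is the mitigation actually enabled" column that the patch-installed report lacks. Microsoft's own SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports the same thing from the kernel's point of view and is a useful cross-check.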