Tool for determining required registry changes
In the case of patches (Spectre being one example) that may require extra registry key changes in order to be fully secure from threats, currently the only way to scan an environment for missing changes is using a tool such as Nessus. There should be a way to manage any required changes of this sort that isn't included in rollups within SCCM. I was recently made aware of a change that accompanied MS15-124, an update from December 2015. Even though that patch has been superseded and or rolled up many times over since then, the Microsoft Premier SCCM support team is telling me that registry key changes is still applicable. And the only way I learned of this is from our security team using Nessus.