Cumulative Update KB4482887 Windows 10 v1809 Build 17763.348 - March 1 Win Update

pietcorus2 said:

" enable Retpoline "...................has a price , it will cost you speed and performance...........!

Not according to this post.
If you do have some performance metrics, to substantiate your claim, I think everyone will be more than happy to see them.

Guitarmageddon said:

I see on the prior coulple pages, running some scripts etc to give what seems like important information regarding vulnerabilities/performance. Im wondering how to check this, and more importantly, if you can assist in interpreting?

Part of the reason for my worry is that once I read through that thread, I saw it mentioned that if you had an "older" system, to check and see:



I went and checked and noticed I was on a build from 1803 in may! So I allowed it to download to 1809 just now. however, I dont see the update number mentioned above regarding microcode. Should I search it out manually and apply it?

Another question, I have no clue how my updates could have been so delayed? When I looked in "installed updates" in programs and features, and it showed me maybe 8 updates total installed- I got this laptop in December of 2016! I dont forbid it to download under metered connections, and I also use DoNot Spy10 but I dont use that to block updates....confused. I would appreciate any way you can help set me straight. Some of this windows stuff is egyptian to me

edit: got the script to run fine, here were the results. Seems in accordance with others? Dell laptop with intel i3 7200u CPU

Code:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]

Speculation control settings for CVE-2018-3639 [speculative store bypass]

Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False

Speculation control settings for CVE-2018-3620 [L1 terminal fault]

Hardware is vulnerable to L1 terminal fault: True
Windows OS support for L1 terminal fault mitigation is present: True
Windows OS support for L1 terminal fault mitigation is enabled: True


BTIHardwarePresent                  : True
BTIWindowsSupportPresent            : True
BTIWindowsSupportEnabled            : True
BTIDisabledBySystemPolicy           : False
BTIDisabledByNoHardwareSupport      : False
BTIKernelRetpolineEnabled           : False
BTIKernelImportOptimizationEnabled  : False
KVAShadowRequired                   : True
KVAShadowWindowsSupportPresent      : True
KVAShadowWindowsSupportEnabled      : True
KVAShadowPcidEnabled                : True
SSBDWindowsSupportPresent           : True
SSBDHardwareVulnerable              : True
SSBDHardwarePresent                 : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable              : True
L1TFWindowsSupportPresent           : True
L1TFWindowsSupportEnabled           : True
L1TFInvalidPteBit                   : 45
L1DFlushSupported                   : True

Should this show true?
Windows OS support for speculative store bypass disable is enabled system-wide: False

Your output looks just fine.
If you want to install KB4465065, get it from Microsoft Update Catalog and install it.

Regarding Windows OS support for speculative store bypass disable is enabled system-wide: False, if you haven't previously installed any Microsoft provided microcode updates it's absolutely normal to be false. In any case there is a lot of discussion that this should stay false as its enablement has serious performance impact. Unfortunately I can't verify it, as I have never installed MS microcode updates, since I was lucky enough to get the appropriate, Intel suggested, microcode through a BIOS update from hp, my laptop manufacturer.

EdKiefer said:

I have the KB4465065 installed (2/6/2019) and all up to date 1809 with this retpline patch and my line Windows OS support for speculative store bypass disable is enabled system-wide: False"
is also false I also enabled retpline with reg values 400 for both FeatureSettingsOverride and FeatureSettingsOverrideMask.

I did test performance and best is with retpline on, at least with Cinebench 20.
here my output FWIW.

I think that you're in great shape, regarding vulnerabilities protection!
And thank you for the comment regarding Retpoline. It will definitely help others users too.

EdKiefer said:

I was very surprised by results, As I had both Spectre/Meltdown disabled with Inspectre, but all patched up.SoI wanted to see what the hit was with new retpoline patch, so enabled and tested.
I ran CB20 three times and avg results in each of the 3 tests.

So I run CB20, I got repeatable
1) Spectre/meltdown disabled 1387
2) Spectre/meltdown enabled 1390
3)Retpoline enabled 1393-98
So I got best with Retpoline enabled.
I expected the first test to be best but it wasn't, now other BM show nil difference, this was one popular one I happened to have and got improvement along with repeatable results (BM is no good if each run is like 5% delta).

Thank you for your test results. They don't show an overwhelming performance improvement, but it's better than before.
Of course your result beat the Microsoft statement about great performance improvement, as they conclude in their Mitigating Spectre variant 2 with Retpoline on Windows post. On the other hand they clearly state "When all relevant kernel-mode binaries are compiled with retpoline", which is practically impossible in the real world, as there will always be drivers not compiled with Retpoline… but well...

Conclusion
Retpoline has significantly improved the performance of the Spectre variant 2 mitigations on Windows. When all relevant kernel-mode binaries are compiled with retpoline, we’ve measured ~25% speedup in Office app launch times and up to 1.5-2x improved throughput in the Diskspd (storage) and NTttcp (networking) benchmarks on Broadwell CPUs in our lab. It is enabled by default in the latest Windows Client Insider Fast builds (for builds 18272 and higher on machines exposing compatible speculation control capabilities) and is targeted to ship with 19H1.

Guitarmageddon said:

Thanks a lot. So should I be modifying something in the registry then? Or is it enabled whenever I end up with this latest update?

The only thing that you might want to do, from your output from the Get-SpeculationControlSettings script, is to Enable the following two entries

Code:

BTIKernelRetpolineEnabled           : False
BTIKernelImportOptimizationEnabled  : False

From what I saw in your specs you have an intel i7-8700.
According to Intel your CPU cannot use Retpoline.
So that leaves you to at least enable BTIKernelImportOptimizationEnabled.
If you want to do that, just make the two registry changes proposed in the Windows Kernel Internals blog post.
It has been reported previously in this thread that by doing that you do get some performance improvement.
Either way, from what I understood from the Microsoft blog is that, even if you don't do it now, at a point of time, it will be automatically done by a future Windows Update. Now the if's, when's and how's, as always, are up to Microsoft!