Windows client guidance for IT Pros to protect against speculative


  1. Posts : 873
    Windows 11 x64 23H2 (22631.3447)
       #20

    Steve C said:
    Just to be clear - what is the option to enable Retpoline plus all the others for an Intel CPU?
    Hi Steve,

    To enable all the mitigations when Hyper-Threading is enabled:
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    To enable all the mitigations when Hyper-Threading is disabled:
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


  2. Posts : 7,901
    Windows 11 Pro 64 bit
       #21

    Polo6RGTI said:
    Hi Steve,

    To enable all the mitigations when Hyper-Threading is enabled:
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    To enable all the mitigations when Hyper-Threading is disabled:
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
    Thanks. I thought I had all security settings enabled, but for the above keys with hyperthreading I have the following settings:

    FeatureSettingsOverride = 400 (Hex)
    FeatureSettingsOverrideMask = 400 (Hex)
    MinVmVersionForCpuBasedMitigations - no key set
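
A read-only check of the three values discussed in posts #20 and #21, added here as an example (it is not part of any post and is not the Manage Speculative Execution Protection Settings script). It prints each DWORD in both decimal and hex, since `reg add /d` takes decimal while post #21 reports hex; `Get-RegValue` and `Format-Dword` are hypothetical helper names.

```powershell
# Added example: compares the current registry values with those posted in #20.
# Nothing here writes to the registry.
$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# FeatureSettingsOverride values as given in post #20 (decimal, as passed to reg add /d).
$expectedOverride = @{ 'Hyper-Threading enabled' = 72; 'Hyper-Threading disabled' = 8264 }
$expectedMask     = 3
$expectedMinVm    = '1.0'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist ("no key set").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-Dword {
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    # Decimal and hex side by side, e.g. a reading of 400 (Hex) prints as 1024 (0x400).
    return ('{0} (0x{0:X})' -f $Value)
}

$override = Get-RegValue $mm 'FeatureSettingsOverride'
$mask     = Get-RegValue $mm 'FeatureSettingsOverrideMask'
$minVm    = Get-RegValue $virt 'MinVmVersionForCpuBasedMitigations'

# Which of the two posted option sets, if either, does the current override equal?
$match = $expectedOverride.GetEnumerator() |
    Where-Object { $_.Value -eq $override } |
    Select-Object -First 1

[pscustomobject]@{
    FeatureSettingsOverride     = Format-Dword $override
    MatchesPostedOption         = if ($match) { $match.Key } else { 'none' }
    FeatureSettingsOverrideMask = Format-Dword $mask
    MaskMatchesPosted           = ($mask -eq $expectedMask)
    MinVmVersion                = if ($null -eq $minVm) { 'not set' } else { $minVm }
    MinVmMatchesPosted          = ($minVm -eq $expectedMinVm)
} | Format-List
```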


  3. Posts : 6
    W10
       #22

    Steve C said:
    Just to be clear - what is the option to enable Retpoline plus all the others for an Intel CPU?
    Retpoline will be enabled on an older Intel CPU (pre-Skylake) without setting the registry, as will Spectre Variant 2 (all CPUs), provided the uCode (or mcu_GenuineIntel.dll or mcu_AuthenticAMD.dll) supports it.

    Please use the PowerShell script to verify all the settings before editing the registry.


  4. DJG
    Posts : 509
    Windows 10 Pro x64 22H2 19045.4239
       #23

    FWIW a recent firmware update to my Asus X99 Strix Gaming MB enabled MDS Windows Support.


  5. Posts : 873
    Windows 11 x64 23H2 (22631.3447)
       #24

    I have updated the Manage Speculative Execution Protection Settings script.

    Download @ MajorGeeks

    Last edited by Polo6RGTI; 27 Oct 2019 at 03:55.


  6. Posts : 301
    Windows 11 - Ver: 22H2 - Build: 22621.1105
       #25

    Hello,
    I don't quite understand this, but I guess this is okay. My outcome of the script:

    Code:
    ============================================================================================================= 
                                    Speculative Execution Protection Status 
    ============================================================================================================= 
      
    ============================================================================================================= 
     Motherboard: ASUSTeK COMPUTER INC.  P8Z77-V LX  Rev X.0x   
    ============================================================================================================= 
     BIOS Version: 2501                
    ============================================================================================================= 
     MicroCode: 0000000020000000 
    ============================================================================================================= 
     CPU: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz   
    ============================================================================================================= 
     Hyper-Threading is Enabled 
    ============================================================================================================= 
     OS: Windows 10 Pro 1809 
    ============================================================================================================= 
      
    ============================================================================================================= 
      
    ============================================================================================================= 
     
    For more information about the output below, please refer to https://support.microsoft.com/help/4074629
    Speculation control settings for CVE-2017-5715 [branch target injection]
    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: True
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: False [not required for security]
    Speculation control settings for CVE-2018-3639 [speculative store bypass]
    Hardware is vulnerable to speculative store bypass: True
    Hardware support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is enabled system-wide: False
    Speculation control settings for CVE-2018-3620 [L1 terminal fault]
    Hardware is vulnerable to L1 terminal fault: True
    Windows OS support for L1 terminal fault mitigation is present: True
    Windows OS support for L1 terminal fault mitigation is enabled: True
    Speculation control settings for MDS [microarchitectural data sampling]
    Windows OS support for MDS mitigation is present: True
    Hardware is vulnerable to MDS: True
    Windows OS support for MDS mitigation is enabled: False
    Suggested actions
     * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119
    
    BTIHardwarePresent                  : True
    BTIWindowsSupportPresent            : True
    BTIWindowsSupportEnabled            : True
    BTIDisabledBySystemPolicy           : False
    BTIDisabledByNoHardwareSupport      : False
    BTIKernelRetpolineEnabled           : True
    BTIKernelImportOptimizationEnabled  : True
    KVAShadowRequired                   : True
    KVAShadowWindowsSupportPresent      : True
    KVAShadowWindowsSupportEnabled      : True
    KVAShadowPcidEnabled                : False
    SSBDWindowsSupportPresent           : True
    SSBDHardwareVulnerable              : True
    SSBDHardwarePresent                 : True
    SSBDWindowsSupportEnabledSystemWide : False
    L1TFHardwareVulnerable              : True
    L1TFWindowsSupportPresent           : True
    L1TFWindowsSupportEnabled           : True
    L1TFInvalidPteBit                   : 45
    L1DFlushSupported                   : True
    MDSWindowsSupportPresent            : True
    MDSHardwareVulnerable               : True
    MDSWindowsSupportEnabled            : False


  7. Posts : 873
    Windows 11 x64 23H2 (22631.3447)
       #26

    sbh7600 said:
    Hello,
    I don't quite understand this, but I guess this is okay. My outcome of the script:
    The latest Microcode for your CPU is 0x21.

    KB4494174 Intel Microcode Updates for Windows 10 v1809 - August 29


  8. Posts : 301
    Windows 11 - Ver: 22H2 - Build: 22621.1105
       #27

    Thanks for that

    Where can I see the difference after the update?


  9. Posts : 873
    Windows 11 x64 23H2 (22631.3447)
       #28

    sbh7600 said:
    Thanks for that

    Where can I see the difference after the update?
    The "MicroCode" version is displayed in the main menu of the Manage Speculative Execution Protection Settings script.

    What is the version of the script that you are using? The reason I'm asking is because the "Speculative Execution Protection Status" info that you have posted above does not include the "Active Mitigation Option".


  10. Posts : 301
    Windows 11 - Ver: 22H2 - Build: 22621.1105
       #29

    The one I use is downloaded from this forum:
    Manage_Speculative_Execution_Protection_Settings_v1.7


 
