Windows client guidance for IT Pros to protect against speculative

  1. Polo6RGTI
    Posts : 733
    Windows 10 Pro WS x64 18362.356
       #20

    Steve C said:
    Just to be clear - what is the option to enable Retpoline plus all the others for an Intel CPU?
    Hi Steve,

    To enable all the mitigations when Hyper-Threading is enabled:
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    To enable all the mitigations when Hyper-Threading is disabled:
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

  2. Steve C
    Posts : 4,133
    Windows 10 Pro 64 bit
       #21

    Polo6RGTI said:
    Hi Steve,

    To enable all the mitigations when Hyper-Threading is enabled:
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    To enable all the mitigations when Hyper-Threading is disabled:
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
    Thanks. I thought I had all security settings enabled, but for the above keys with hyperthreading I have the following settings:

    FeatureSettingsOverride = 400 (Hex)
    FeatureSettingsOverrideMask = 400 (Hex)
    MinVmVersionForCpuBasedMitigations - no key set
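
An added example, not written by any poster in this thread and not part of the Manage Speculative Execution Protection Settings script: a read-only PowerShell check that reads the three values set by the commands in post #20 and reports whether they match either posted combination. `reg add /d` takes decimal for REG_DWORD while regedit displays hex, so 72 is 0x48 and 8264 is 0x2048; the helper names `Get-RegValueOrNull` and `Format-Dword` are hypothetical.

```powershell
# Added example: read-only audit of the values discussed in posts #20 and #21.
$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# The two combinations exactly as posted in #20 (decimal, as passed to reg add /d).
$profiles = @(
    [pscustomobject]@{ Name = 'All mitigations, Hyper-Threading enabled';  Override = 72;   Mask = 3 }
    [pscustomobject]@{ Name = 'All mitigations, Hyper-Threading disabled'; Override = 8264; Mask = 3 }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Format-Dword {
    param($Value)
    # Show decimal and hex side by side so a regedit reading (hex) can be
    # compared with a reg add argument (decimal).
    if ($null -eq $Value) { return 'not set' }
    '{0} (0x{0:X})' -f $Value
}

$override = Get-RegValueOrNull $mm   'FeatureSettingsOverride'
$mask     = Get-RegValueOrNull $mm   'FeatureSettingsOverrideMask'
$minVm    = Get-RegValueOrNull $virt 'MinVmVersionForCpuBasedMitigations'

# A profile matches only when both DWORDs are present and equal to the posted pair.
$match = $profiles | Where-Object { $_.Override -eq $override -and $_.Mask -eq $mask }

[pscustomobject]@{
    FeatureSettingsOverride            = Format-Dword $override
    FeatureSettingsOverrideMask        = Format-Dword $mask
    MinVmVersionForCpuBasedMitigations = if ($null -eq $minVm) { 'not set' } else { $minVm }
    MatchesPostedProfile               = if ($match) { $match.Name } else { 'none' }
} | Format-List
```

With the values reported in post #21, this prints `1024 (0x400)` for both DWORDs, `not set` for the third value, and `none` for the profile match.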


  3. Posts : 6
    W10
       #22

    Steve C said:
    Just to be clear - what is the option to enable Retpoline plus all the others for an Intel CPU?
    Retpoline will be enabled on an older Intel CPU (pre-Skylake) without setting the registry, as will Spectre Variant 2 (all CPUs), provided the uCode (or mcu_GenuineIntel.dll or mcu_AuthenticAMD.dll) supports it.

    Please use the PowerShell script to verify all the settings before editing the registry.

  4. DJG
    Posts : 179
    Windows 10 Pro x64 1903
       #23

    FWIW a recent firmware update to my Asus X99 Strix Gaming MB enabled MDS Windows Support.

  5. Polo6RGTI
    Posts : 733
    Windows 10 Pro WS x64 18362.356
       #24

    I have updated the Manage Speculative Execution Protection Settings script.

    Download @ MajorGeeks

    Last edited by Polo6RGTI; 4 Weeks Ago at 08:38.

  6. sbh7600
    Posts : 233
    Windows 10 - Ver: 1903- Build: 18362.356
       #25

    Hello,
    I don't quite understand this, but I guess this is okay; my outcome of the script:

    Code:
    ============================================================================================================= 
                                    Speculative Execution Protection Status 
    ============================================================================================================= 
      
    ============================================================================================================= 
     Motherboard: ASUSTeK COMPUTER INC.  P8Z77-V LX  Rev X.0x   
    ============================================================================================================= 
     BIOS Version: 2501                
    ============================================================================================================= 
     MicroCode: 0000000020000000 
    ============================================================================================================= 
     CPU: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz   
    ============================================================================================================= 
     Hyper-Threading is Enabled 
    ============================================================================================================= 
     OS: Windows 10 Pro 1809 
    ============================================================================================================= 
      
    ============================================================================================================= 
      
    ============================================================================================================= 
     
    For more information about the output below, please refer to https://support.microsoft.com/help/4074629
    Speculation control settings for CVE-2017-5715 [branch target injection]
    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: True
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: False [not required for security]
    Speculation control settings for CVE-2018-3639 [speculative store bypass]
    Hardware is vulnerable to speculative store bypass: True
    Hardware support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is enabled system-wide: False
    Speculation control settings for CVE-2018-3620 [L1 terminal fault]
    Hardware is vulnerable to L1 terminal fault: True
    Windows OS support for L1 terminal fault mitigation is present: True
    Windows OS support for L1 terminal fault mitigation is enabled: True
    Speculation control settings for MDS [microarchitectural data sampling]
    Windows OS support for MDS mitigation is present: True
    Hardware is vulnerable to MDS: True
    Windows OS support for MDS mitigation is enabled: False
    Suggested actions
     * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119
    
    BTIHardwarePresent                  : True
    BTIWindowsSupportPresent            : True
    BTIWindowsSupportEnabled            : True
    BTIDisabledBySystemPolicy           : False
    BTIDisabledByNoHardwareSupport      : False
    BTIKernelRetpolineEnabled           : True
    BTIKernelImportOptimizationEnabled  : True
    KVAShadowRequired                   : True
    KVAShadowWindowsSupportPresent      : True
    KVAShadowWindowsSupportEnabled      : True
    KVAShadowPcidEnabled                : False
    SSBDWindowsSupportPresent           : True
    SSBDHardwareVulnerable              : True
    SSBDHardwarePresent                 : True
    SSBDWindowsSupportEnabledSystemWide : False
    L1TFHardwareVulnerable              : True
    L1TFWindowsSupportPresent           : True
    L1TFWindowsSupportEnabled           : True
    L1TFInvalidPteBit                   : 45
    L1DFlushSupported                   : True
    MDSWindowsSupportPresent            : True
    MDSHardwareVulnerable               : True
    MDSWindowsSupportEnabled            : False

  7. Polo6RGTI
    Posts : 733
    Windows 10 Pro WS x64 18362.356
       #26

    sbh7600 said:
    Hello,
    I don't quite understand this, but I guess this is okay; my outcome of the script:
    The latest Microcode for your CPU is 0x21.

    KB4494174 Intel Microcode Updates for Windows 10 v1809 - August 29


  8. sbh7600
    Posts : 233
    Windows 10 - Ver: 1903- Build: 18362.356
       #27

    Thanks for that

    Where can I see the difference after the update?

  9. Polo6RGTI
    Posts : 733
    Windows 10 Pro WS x64 18362.356
       #28

    sbh7600 said:
    Thanks for that

    Where can I see the difference after the update?
    The "MicroCode" version is displayed in the main menu of the Manage Speculative Execution Protection Settings script.

    What is the version of the script that you are using? The reason I'm asking is because the "Speculative Execution Protection Status" info that you have posted above does not include the "Active Mitigation Option".

  10. sbh7600
    Posts : 233
    Windows 10 - Ver: 1903- Build: 18362.356
       #29

    The one I use is downloaded from this forum:
    Manage_Speculative_Execution_Protection_Settings_v1.7


 