Windows client guidance for IT Pros to protect against speculative


  1. Posts : 873
    Windows 11 x64 23H2 (22631.3447)
       #10

    Windows client guidance for IT Pros to protect against speculative-screenshot-33-.png
    Last edited by Polo6RGTI; 06 Aug 2019 at 03:30.


  2. Posts : 27,181
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #11

    Polo6RGTI said:
    Nice one Polo
    Windows client guidance for IT Pros to protect against speculative-image.png


  3. Posts : 873
    Windows 11 x64 23H2 (22631.3447)
       #12

    Cliff S said:
    Nice one Polo
    Thanks Cliff


  4. Posts : 27,181
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #13

    Polo6RGTI said:
    Thanks Cliff
    You're welcome.
    I've been listening to a lot of Die Antwoord this week and the meme I made came to mind right off.
    (I can't get enough of Yolandi's voice, it's so sweet)


  5. Posts : 4
    Windows 10 1809
       #14

    So I applied the "big one" with all the mitigations including disabling HT and I have to say, I hardly notice a performance difference with HT disabled. But what I do notice is that lower priority processes don't eat into the responsiveness of my laptop any more, which is just a 2 core CPU. With HT, priorities didn't matter since Windows would just put a low prio thread running on the other logical CPU pertaining to the physical core and cause contention. I'll be leaving HT off.


  6. Posts : 7,898
    Windows 11 Pro 64 bit
       #15

    I'm uncertain what to do here. I thought I had enabled most of these security options. Under the registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, I have the following settings for an Intel CPU:

    FeatureSettingsOverride = 400 hex
    FeatureSettingsOverrideMask = 400 hex

    My security report is below. Is there anything to fix?

    Speculation control settings for CVE-2017-5715 [branch target injection]

    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: True

    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: False [not required for security]

    Speculation control settings for CVE-2018-3639 [speculative store bypass]

    Hardware is vulnerable to speculative store bypass: True
    Hardware support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is enabled system-wide: False

    Speculation control settings for CVE-2018-3620 [L1 terminal fault]

    Hardware is vulnerable to L1 terminal fault: True
    Windows OS support for L1 terminal fault mitigation is present: True
    Windows OS support for L1 terminal fault mitigation is enabled: True

    Speculation control settings for MDS [microarchitectural data sampling]

    Windows OS support for MDS mitigation is present: True
    Hardware is vulnerable to MDS: True
    Windows OS support for MDS mitigation is enabled: False

    Suggested actions
    * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119

    BTIHardwarePresent : True
    BTIWindowsSupportPresent : True
    BTIWindowsSupportEnabled : True
    BTIDisabledBySystemPolicy : False
    BTIDisabledByNoHardwareSupport : False
    BTIKernelRetpolineEnabled : True
    BTIKernelImportOptimizationEnabled : True
    KVAShadowRequired : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : True
    KVAShadowPcidEnabled : False
    SSBDWindowsSupportPresent : True
    SSBDHardwareVulnerable : True
    SSBDHardwarePresent : True
    SSBDWindowsSupportEnabledSystemWide : False
    L1TFHardwareVulnerable : True
    L1TFWindowsSupportPresent : True
    L1TFWindowsSupportEnabled : True
    L1TFInvalidPteBit : 45
    L1DFlushSupported : True
    MDSWindowsSupportPresent : True
    MDSHardwareVulnerable : True
    MDSWindowsSupportEnabled : False


  7. Posts : 349
    Windows 10
       #16

    Steve C said:
    I'm uncertain what to do here. I thought I had enabled most of these security options. Under the registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, I have the following settings for an Intel CPU:

    FeatureSettingsOverride = 400 hex
    FeatureSettingsOverrideMask = 400 hex

    My security report is below. Is there anything to fix?

    It looks normal.

    MDS mitigation requires a new microcode update from Intel, which Microsoft is currently only providing for Windows 10 v1903 and Enterprise users of some older versions of Windows 10.

    System-wide mitigation against speculative store bypass (SSB) is disabled by default on most computers.

    And I think PCID performance optimization is only for Haswell and newer processors.
    Last edited by Ground Sloth; 27 May 2019 at 09:52.
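The reading of the report given in post #16 can be repeated mechanically when many machines' reports have to be checked. The following is an added example, not part of the thread and not code from Microsoft's SpeculationControl module: it parses the "Name : Value" property dump posted in #15 and classifies each mitigation. The field names are those in the posted report; the RULES table, the function names and the status strings are assumptions of this example.

```python
# Fields copied from the report in post #15 (only the ones the rules read).
REPORT = """\
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : True
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : False
"""
# prefix -> (suffix of the "needed" field or None, suffix of the "enabled" field)
RULES = {
    "BTI": (None, "WindowsSupportEnabled"),
    "KVAShadow": ("Required", "WindowsSupportEnabled"),
    "SSBD": ("HardwareVulnerable", "WindowsSupportEnabledSystemWide"),
    "L1TF": ("HardwareVulnerable", "WindowsSupportEnabled"),
    "MDS": ("HardwareVulnerable", "WindowsSupportEnabled"),
}

def parse_report(text):
    """Turn 'Name : Value' lines into a dict; True/False become bools."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): {"True": True, "False": False}.get(v.strip(), v.strip()) for k, v in pairs}

def audit(fields):
    """Classify each mitigation; fields missing from the report give 'unknown'."""
    result = {}
    for prefix, (needed, enabled) in RULES.items():
        present = fields.get(prefix + "WindowsSupportPresent")
        active = fields.get(prefix + enabled)
        if present is None or active is None:
            result[prefix] = "unknown"
        elif needed and fields.get(prefix + needed) is False:
            result[prefix] = "not required"
        elif active:
            result[prefix] = "enabled"
        else:
            result[prefix] = "supported, not enabled" if present else "no OS support"
    return result

if __name__ == "__main__":
    print(audit(parse_report(REPORT)))
```

A "supported, not enabled" result is a prompt to check, not a verdict: post #16 attributes the SSBD result to the default setting and the MDS result to a pending microcode update.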


  8. Posts : 4
    Windows 10 1809
       #17

    Just out of curiosity, has anyone found a source that says which features each of the "Features Settings" bits represents?


  9. Posts : 6
    W10
       #18

    QMNXUK said:
    Just out of curiosity, has anyone found a source that says which features each of the "Features Settings" bits represents?
    ; FeatureSettingsOverride values:
    ; 400+ =Retpoline enabled (Intel only; Broadwell and earlier) +bitwise OR with values 8 and lower
    ; 72 = Enable All (Speculative Store Bypass together with Spectre Variant 2)(AMD)
    ; 64 = Enable Spectre Variant 2 (AMD)
    ; 8 = Enable All (Speculative Store Bypass together with Spectre Variant 2 and Meltdown)
    ; 3 = Disable both Spectre Variant 2 and Meltdown
    ; 2 = Disable Meltdown (Kernel VA Shadow)
    ; 1 = Disable Spectre Variant 2 (Branch Target Injection)
    ; 0 = Enable Spectre Variant 2 and Meltdown
    ;
    ; FeatureSettingsOverrideMask value is always 3 (unless Retpoline enabled then is 400)


  10. Posts : 7,898
    Windows 11 Pro 64 bit
       #19

    Rebit said:
    ; FeatureSettingsOverride values:
    ; 400+ =Retpoline enabled (Intel only; Broadwell and earlier) +bitwise OR with values 8 and lower
    ; 72 = Enable All (Speculative Store Bypass together with Spectre Variant 2)(AMD)
    ; 64 = Enable Spectre Variant 2 (AMD)
    ; 8 = Enable All (Speculative Store Bypass together with Spectre Variant 2 and Meltdown)
    ; 3 = Disable both Spectre Variant 2 and Meltdown
    ; 2 = Disable Meltdown (Kernel VA Shadow)
    ; 1 = Disable Spectre Variant 2 (Branch Target Injection)
    ; 0 = Enable Spectre Variant 2 and Meltdown
    ;
    ; FeatureSettingsOverrideMask value is always 3 (unless Retpoline enabled then is 400)
    Just to be clear - what is the option to enable Retpoline plus all the others for an Intel CPU?


 
