Forum Discussion
Xavier_2020
Jan 27, 2020, Copper Contributor
Windows Update and security fixes.
Hi all, for several years now, many security issues have been discovered in CPUs. Microsoft has been able to update the CPU microcode revision, which is a prerequisite for the mitigating OS fixes to handle so...
HotCakeX
Jan 29, 2020, MVP
Hi,
I think because that article says:
"Applies to: Windows 10, version 1903, Windows 10, version 1809, Windows 10, version 1803, Windows 10, version 1709, Windows 10, version 1607, Windows 10, Windows RT 8.1, Windows 8.1, Windows 7 Service Pack 1"
and there is no mention of 1909 in that entire page, so it's safe to assume that it is already fixed in version 1909, otherwise Microsoft would have included it in the article as well.
- Xavier_2020, Jan 29, 2020, Copper Contributor
HotCakeX, I totally agree with your analysis. The issue is that in reality, according to Microsoft expert internal tests, it is not yet safe or fixed with the 1909 version. You still need to manually modify the registry.
- HotCakeX, Jan 29, 2020, MVP
Xavier_2020 wrote: HotCakeX, I totally agree with your analysis. The issue is that in reality, according to Microsoft expert internal tests, it is not yet safe or fixed with the 1909 version. You still need to manually modify the registry.
Could you please show me that internal test results?
- Xavier_2020, Jan 29, 2020, Copper Contributor
Microsoft did not give me their internal tests, so I can't, but I am confident in the information they gave me and the action they asked me to take.
- dretzer, Jan 29, 2020, Iron Contributor
I think you misunderstood the side-channel mitigations article.
If you have all Updates installed on a current Windows 10 (1809, 1903, 1909), and your firmware has the correct cpu microcode, you don't have to edit the registry.
The article you linked to describes methods to disable certain mitigations if you run into problems, or enable special cases.
If we talk about Windows Server, then it is a different story. There you have to manually activate part of the mitigations. As many of these mitigations can cost a substantial amount of performance in certain server environments, it would not be wise to enable them without an admin testing them first.
To sum it up:
For Windows 10 clients with an Intel CPU, ALL operating-system mitigations, except the system-wide speculative store bypass mitigation, are enabled by default. You do NOT need to touch the registry if you don't have a special case where SSBD is a problem. SSBD mitigations are only needed if you run vulnerable software. None of the operating system binaries are vulnerable to SSBD. Be aware that the system-wide SSBD mitigation will impact end-user performance!
For Windows Server 2019 with an Intel CPU, you have to set 2 registry keys (FeatureSettingsOverride = 0, FeatureSettingsOverrideMask = 3) to get the same protections as a Windows 10 client. You can easily set these keys for your servers with Group Policy.
You need firmware updates for your hardware to mitigate some of the vulnerabilities! You cannot mitigate side-channel vulnerabilities with Windows updates and/or registry keys alone!
If you want to know the protection state of a system, open PowerShell and install the SpeculationControl module. With this module you can use "Get-SpeculationControlSettings" to get a complete rundown of side-channel protections and vulnerabilities. It will tell you if your hardware is vulnerable in the first place, if OS mitigations are enabled and if hardware support for these mitigations is available.
If it tells you to update your device firmware, you need to check with your OEM, or you will be vulnerable anyway.
- Xavier_2020, Jan 29, 2020, Copper Contributor
dretzer wrote: If you have all updates installed on a current Windows 10 (1809, 1903, 1909), and your firmware has the correct CPU microcode, you don't have to edit the registry.
If you want to know the protection state of a system, open PowerShell and install the SpeculationControl module. With this module you can use "Get-SpeculationControlSettings" to get a complete rundown of side-channel protections and vulnerabilities. It will tell you if your hardware is vulnerable in the first place, if OS mitigations are enabled and if hardware support for these mitigations is available.
If it tells you to update your device firmware, you need to check with your OEM, or you will be vulnerable anyway.
The first point is not my experience.
A PC with updated CPU microcode AND Windows with all the latest updates installed through Windows Update is not enough to mitigate all CPU vulnerabilities, according to the PowerShell SpeculationControl script.
I still need to edit the registry, and the PowerShell SpeculationControl script confirms that (before and after test output to check it). Mitigations were already done before the 1909 build updates.
Just to help users and administrators here, the link to the PowerShell SpeculationControl script:
https://www.powershellgallery.com/packages/SpeculationControl/
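The audit-then-configure procedure dretzer describes, and the before/after comparison Xavier_2020 mentions, as an added PowerShell example (not code from the thread or from Microsoft). It assumes the SpeculationControl module from the PowerShell Gallery, with the -Quiet switch and the BTI*/KVAShadow*/SSBD* property names that module reports, and the FeatureSettingsOverride / FeatureSettingsOverrideMask DWORD values from Microsoft's server guidance (0/3 for Spectre v2 and Meltdown, 8/3 to add system-wide SSBD). Run it in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit speculative-execution mitigations with the
# SpeculationControl module, then, on Windows Server only, set the registry values that
# turn the OS mitigations on. Property names and -Quiet are assumed from the module as
# published on the PowerShell Gallery.

# 1. Make sure the module is available, then load it.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

function Get-MitigationSummary {
    # Compact view: per mitigation class, is the hardware vulnerable/supported,
    # does the OS support the mitigation, and is it actually enabled?
    $s = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        # Branch target injection (Spectre v2): needs microcode/firmware support
        BTI_HardwareSupport    = $s.BTIHardwarePresent
        BTI_OSSupport          = $s.BTIWindowsSupportPresent
        BTI_Enabled            = $s.BTIWindowsSupportEnabled
        # Rogue data cache load (Meltdown): kernel VA shadowing
        KVAShadow_Required     = $s.KVAShadowRequired
        KVAShadow_Enabled      = $s.KVAShadowWindowsSupportEnabled
        # Speculative store bypass: system-wide SSBD is off by default on clients
        SSBD_HardwareVuln      = $s.SSBDHardwareVulnerable
        SSBD_HardwareSupport   = $s.SSBDHardwarePresent
        SSBD_EnabledSystemWide = $s.SSBDWindowsSupportEnabledSystemWide
    }
}

function Set-ServerMitigationPolicy {
    # Windows Server leaves the mitigations off by default; they are switched on via
    # two REG_DWORD values. 0/3 enables BTI + KVA shadow; 8/3 additionally enables
    # system-wide SSBD (performance cost, see the thread). Takes effect after a reboot.
    param([switch]$IncludeSSBD)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $override = if ($IncludeSSBD) { 8 } else { 0 }
    New-ItemProperty -Path $key -Name FeatureSettingsOverride     -Value $override -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name FeatureSettingsOverrideMask -Value 3         -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $key -Name FeatureSettingsOverride, FeatureSettingsOverrideMask
}

# 2. Snapshot the current state so the post-reboot run can be diffed against it.
$before = Get-MitigationSummary
$before | Format-List
$before | Export-Clixml -Path "$env:TEMP\speccontrol-before.xml"

# 3. A missing hardware capability cannot be fixed from the OS side: get firmware from the OEM.
if (-not $before.BTI_HardwareSupport) {
    Write-Warning 'BTI hardware support missing: install the OEM firmware/microcode update first.'
}

# 4. Only server SKUs need the registry values (ProductType 1 = workstation).
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
if ($isServer) {
    Set-ServerMitigationPolicy
    Write-Host 'Reboot, then run Get-MitigationSummary again and compare with the saved snapshot.'
}
```

After the reboot, `Import-Clixml "$env:TEMP\speccontrol-before.xml"` next to a fresh `Get-MitigationSummary` gives the before/after pair; any field that stays false with the OS support present points at firmware, not at the registry.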