Forum Discussion
Windows Update and security fixes.
If you are using VBS, with or without Hyper-V virtual machines, you can only mitigate L1TF/MDS fully if you disable hyper-threading (SMT). You have to do this either in firmware or via registry (firmware is preferable). There is no way around this. If you use VBS and have hyper-threading enabled, VBS secrets will be vulnerable to L1TF and MDS exploits.
Hyper-V itself does not need special attention on a client. If you have Windows Server 2016 Hyper-V, you should enable the core scheduler for Hyper-V.
If you have to enable all mitigations, with no regard for performance, use the following settings (works the same for Intel and AMD CPUs, and needs current microcode for the CPU):
Set the following registry keys:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
If you are using VBS and/or WDAG:
- Disable SMT/HT in firmware
- If you can't disable SMT/HT in firmware, use the following registry keys instead:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
If you are using Hyper-V on Windows Server 2016:
- Enable core scheduler and set all your VMs to utilize SMT:
bcdedit /set hypervisorschedulertype core
Set-VMProcessor -VMName <VMName> -HwThreadCountPerCore 2
- If you use VMs older than 8.0 (this is needed for WS2019 as well if you use old VM configurations):
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
dretzer
Thank-you dretzer.
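An added PowerShell example, not part of dretzer's post or any Microsoft tooling, that reads the state the post's decision hinges on (is VBS running, is SMT active, what FeatureSettingsOverride/Mask are currently set) and reports which of the two value pairs quoted in the post applies. The registry path and the values 72/3 and 8264/3 are the ones from the post; the Win32_Processor and Win32_DeviceGuard queries are standard CIM classes. The function names are my own. It does not check microcode level or firmware SMT state; the post is explicit that disabling SMT in firmware is preferable to the 8264 registry route, and that decision stays with the administrator.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session;
# reading state works unelevated, Set-SpeculationMitigation does not.

function Get-SpeculationMitigationState {
    [CmdletBinding()]
    param()

    $mmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $mm = Get-ItemProperty -Path $mmPath -ErrorAction SilentlyContinue

    # SMT/HT is active when the OS sees more logical processors than physical cores.
    $cpu     = Get-CimInstance -ClassName Win32_Processor
    $cores   = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    $logical = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SmtActive       = ($logical -gt $cores)
        VbsRunning      = ($null -ne $dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
        CurrentOverride = $mm.FeatureSettingsOverride      # $null when the value is absent
        CurrentMask     = $mm.FeatureSettingsOverrideMask  # $null when the value is absent
    }
}

function Get-RecommendedOverride {
    param([Parameter(Mandatory)] $State)
    # Rule taken from the post: 72/3 enables all mitigations; 8264/3 additionally
    # disables HT, which is needed when VBS (or WDAG) is in use and SMT is still on.
    if ($State.VbsRunning -and $State.SmtActive) {
        [pscustomobject]@{ Override = 8264; Mask = 3; Reason = 'VBS running with SMT active' }
    } else {
        [pscustomobject]@{ Override = 72;   Mask = 3; Reason = 'full mitigations, SMT left as-is' }
    }
}

function Set-SpeculationMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$Override, [int]$Mask = 3)

    $mmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    if ($PSCmdlet.ShouldProcess($mmPath, "Set FeatureSettingsOverride=$Override, Mask=$Mask")) {
        # Set-ItemProperty creates the DWORD values if they do not exist yet.
        Set-ItemProperty -Path $mmPath -Name FeatureSettingsOverride     -Type DWord -Value $Override
        Set-ItemProperty -Path $mmPath -Name FeatureSettingsOverrideMask -Type DWord -Value $Mask
        Write-Warning 'A reboot is required before the new values take effect.'
    }
}

# Report current state and the value pair the post's rule selects for this machine.
$state = Get-SpeculationMitigationState
$rec   = Get-RecommendedOverride -State $state
$state | Format-List
"Recommended: FeatureSettingsOverride=$($rec.Override), FeatureSettingsOverrideMask=$($rec.Mask) ($($rec.Reason))"
if ($state.CurrentOverride -ne $rec.Override -or $state.CurrentMask -ne $rec.Mask) {
    "Current values differ. Preview the change with: Set-SpeculationMitigation -Override $($rec.Override) -WhatIf"
}
```

The script only reports by default; `Set-SpeculationMitigation` honours `-WhatIf` so the write can be previewed. After a reboot, whether the mitigations are actually in effect (including the microcode requirement the post mentions) is best confirmed with Microsoft's SpeculationControl module from the PowerShell Gallery (`Install-Module SpeculationControl` followed by `Get-SpeculationControlSettings`), which reads the kernel's view rather than the registry values.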