Forum Discussion
Windows Update and security fixes.
To give you some real-world examples, I checked three different machines with freshly installed Windows 10 1909 and Windows Server 2019. One machine uses a 7th gen Core i7, the other one a 10th gen, and the server uses a Xeon D. As you can see, only the Windows Server instance would need a registry setting to enable BTIWindowsSupport. The Windows 10 clients have all needed mitigations enabled without touching the registry. The only exception is system-wide SSBD, which, as I explained, should not be necessary on a normal system.
Windows 10 1909 on Intel(R) Core(TM) i7-7500U
BTIHardwarePresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : True
L1TFWindowsSupportEnabled : True
L1TFInvalidPteBit : 45
L1DFlushSupported : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : True
Windows 10 1909 on Intel(R) Core(TM) i7-1065G7
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : False
L1TFInvalidPteBit : 0
L1DFlushSupported : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : False
MDSWindowsSupportEnabled : False
Windows Server 2019 on Intel(R) Xeon(R) D-2183IT
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : True
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : True
L1TFInvalidPteBit : 45
L1DFlushSupported : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : True
If you don't understand the output of get-speculationcontrolsettings, just ask for specifics and I'll try to explain.
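As an added example (not code from the thread or from the SpeculationControl module), the following function evaluates a Get-SpeculationControlSettings result object the way the post above reads it by hand: for each class of issue it checks whether the hardware is exposed and whether Windows has the mitigation enabled, and it calls out the one case the post highlights, BTI disabled by system policy. The sample object is constructed from the Xeon D output posted above; on a live host you would pass the module's real output instead (assumption: the module is installed from the PowerShell Gallery and its -Quiet switch suppresses the narrative text).

```powershell
# Added example: report mitigation gaps from a Get-SpeculationControlSettings-shaped object.
function Get-MitigationGap {
    param([Parameter(Mandatory)] [psobject]$Settings)

    # Each row: the property saying the hardware is exposed ($null = assume exposed,
    # as for BTI, where the output has no "vulnerable" flag) and the property saying
    # Windows has the mitigation switched on.
    $checks = @(
        @{ Name = 'BTI (Spectre v2, CVE-2017-5715)';      Vulnerable = $null;                    Enabled = 'BTIWindowsSupportEnabled' },
        @{ Name = 'KVA shadow (Meltdown, CVE-2017-5754)'; Vulnerable = 'KVAShadowRequired';      Enabled = 'KVAShadowWindowsSupportEnabled' },
        @{ Name = 'L1TF (CVE-2018-3620)';                 Vulnerable = 'L1TFHardwareVulnerable'; Enabled = 'L1TFWindowsSupportEnabled' },
        @{ Name = 'MDS';                                  Vulnerable = 'MDSHardwareVulnerable';  Enabled = 'MDSWindowsSupportEnabled' }
    )

    foreach ($c in $checks) {
        $exposed = $true
        if ($c.Vulnerable) {
            $p = $Settings.PSObject.Properties[$c.Vulnerable]
            if ($p) { $exposed = [bool]$p.Value }     # missing property: stay conservative, assume exposed
        }
        if (-not $exposed) {
            [pscustomobject]@{ Mitigation = $c.Name; Status = 'NotNeeded'; Detail = 'hardware not affected' }
            continue
        }
        $e = $Settings.PSObject.Properties[$c.Enabled]
        $enabled = ($null -ne $e) -and [bool]$e.Value
        if ($enabled) {
            [pscustomobject]@{ Mitigation = $c.Name; Status = 'Mitigated'; Detail = '' }
            continue
        }
        $detail = 'Windows mitigation not enabled'
        if ($c.Enabled -eq 'BTIWindowsSupportEnabled' -and $Settings.BTIDisabledBySystemPolicy) {
            $detail = 'disabled by system policy: check FeatureSettingsOverride / FeatureSettingsOverrideMask'
        }
        [pscustomobject]@{ Mitigation = $c.Name; Status = 'Gap'; Detail = $detail }
    }

    # System-wide SSBD is off by default; the thread treats that as fine outside sensitive hosts.
    if ($Settings.SSBDHardwareVulnerable -and -not $Settings.SSBDWindowsSupportEnabledSystemWide) {
        [pscustomobject]@{ Mitigation = 'SSBD (CVE-2018-3639)'; Status = 'Info'; Detail = 'system-wide SSBD off (the default; only needed on sensitive hosts)' }
    }
}

# Constructed sample: the Windows Server 2019 / Xeon D values from the post above.
$xeonD = [pscustomobject]@{
    BTIWindowsSupportPresent = $true;  BTIWindowsSupportEnabled = $false
    BTIDisabledBySystemPolicy = $true; BTIDisabledByNoHardwareSupport = $false
    KVAShadowWindowsSupportEnabled = $true; KVAShadowPcidEnabled = $true
    SSBDWindowsSupportPresent = $true; SSBDHardwareVulnerable = $true
    SSBDHardwarePresent = $true;       SSBDWindowsSupportEnabledSystemWide = $false
    L1TFWindowsSupportPresent = $true; L1TFWindowsSupportEnabled = $true
    MDSWindowsSupportPresent = $true;  MDSHardwareVulnerable = $true; MDSWindowsSupportEnabled = $true
}
Get-MitigationGap -Settings $xeonD | Format-Table -AutoSize
# Live host (SpeculationControl module required):
# Get-MitigationGap -Settings (Get-SpeculationControlSettings -Quiet)
```

For the Xeon D sample this reports exactly one Gap (BTI, disabled by system policy) plus the SSBD Info row, which matches the post's conclusion that only the server needs a registry change.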
Hello,
Thank you for your test and explanation.
I have done some tests on my own personal computer with a newly installed Windows 10 1909 build on an AMD CPU.
- CVE-2017-5715 (Spectre Variant 2) mitigation is now applied by default.
- CVE-2018-3639 (Speculative Store Bypass) mitigation is still not applied by default.
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: False
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False
Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: False
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: False
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : True
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : False
L1TFInvalidPteBit : 0
L1DFlushSupported : False
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : False
MDSWindowsSupportEnabled : False
Same results as you.
The question is, for sensitive PCs that need to have "SSBDWindowsSupportEnabledSystemWide" activated, how do we do this? If VBS (Virtualization-based security) is running, do we now have to understand that Hyper-V is installed for the 1909 build? I don't think so, even if Windows Server has some specific additional lines for Hyper-V on AMD, but Windows 10 on an Intel-based CPU has to deal with this choice.
Link for Servers:
https://support.microsoft.com/fr-fr/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities
For my understanding, we just need to add these two lines for AMD:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
And for an Intel-based CPU with only VBS activated, do we have to consider whether Hyper-V is installed or not?
- dretzer, Feb 04, 2020, Iron Contributor
If you are using VBS, with or without Hyper-V virtual machines, you can only mitigate L1TF/MDS fully if you disable hyper-threading (SMT). You have to do this either in firmware or via registry (firmware is preferable). There is no way around this. If you use VBS and have hyper-threading enabled, VBS secrets will be vulnerable to L1TF and MDS exploits.
Hyper-V itself does not need special attention on a client. If you have Windows Server 2016 Hyper-V, you should enable the core-scheduler for Hyper-V.
If you have to enable all mitigations, with no regard for performance, use the following settings (works the same for Intel and AMD CPUs, and needs current microcode for the CPU):
Set the following registry keys:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
If you are using VBS and/or WDAG:
- Disable SMT/HT in firmware
- If you can't disable SMT/HT in firmware, use the following registry keys instead:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
If you are using Hyper-V on Windows Server 2016:
- Enable core scheduler and set all your VMs to utilize SMT:
bcdedit /set hypervisorschedulertype core
Set-VMProcessor -VMName <VMName> -HwThreadCountPerCore 2
- If you use VMs older than 8.0 (this is needed for WS2019 as well if you use old VM configurations):
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
- Xavier_2020, Feb 04, 2020, Copper Contributor
Thank you, dretzer.
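As an added example (not code from the thread, and not Microsoft's tooling), the script below turns the registry settings in dretzer's reply above into something you can audit and apply in PowerShell. It reads the current FeatureSettingsOverride / FeatureSettingsOverrideMask values, compares them against the two profiles from the reply (72 for all mitigations with SMT untouched, 8264 for the variant that also disables SMT/HT from the registry; the difference of 8192 between the two is the registry-side SMT disable, inferred from the reply rather than stated there), and checks the VBS-with-hyper-threading condition the reply warns about. The profile names Full and FullNoSmt are this example's own. Writing the values needs an elevated prompt and a reboot.

```powershell
# Added example: audit and apply the FeatureSettingsOverride profiles from the reply above.
$MemMgmt  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Profiles = @{ Full = 72; FullNoSmt = 8264 }   # names are this example's, values are from the thread
$SmtBit   = 8264 - 72                          # 8192: what FullNoSmt adds on top of Full

function Get-FeatureSettingsOverride {
    # Both values are absent on a default install; $null then means "OS defaults apply".
    $props = Get-ItemProperty -Path $MemMgmt -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Override = $props.FeatureSettingsOverride
        Mask     = $props.FeatureSettingsOverrideMask
    }
}

function Test-MitigationProfile {
    param($Override, $Mask, [ValidateSet('Full','FullNoSmt')][string]$Expected = 'Full')
    $want = $Profiles[$Expected]
    if ($null -eq $Override -or $null -eq $Mask) { return 'no override configured (OS defaults apply)' }
    if ($Mask -ne 3) { return "FeatureSettingsOverrideMask is $Mask, expected 3: override is not in effect" }
    if ($Override -eq $want) { return "OK: profile '$Expected' ($want) configured" }
    if (($Override -band $SmtBit) -and -not ($want -band $SmtBit)) {
        return "override $Override also disables SMT/HT via the registry (expected $want)"
    }
    return "override is $Override, expected $want"
}

function Set-MitigationProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('Full','FullNoSmt')][string]$Name = 'Full')
    $value = $Profiles[$Name]
    if ($PSCmdlet.ShouldProcess($MemMgmt, "Set FeatureSettingsOverride=$value, FeatureSettingsOverrideMask=3")) {
        Set-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -Value $value -Type DWord
        Set-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -Value 3      -Type DWord
        Write-Warning 'Reboot required for the new settings to take effect.'
    }
}

function Test-SmtWithVbs {
    # The reply's rule: VBS running + hyper-threading enabled = L1TF/MDS exposure for VBS secrets.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $smt = $cpu.NumberOfLogicalProcessors -gt $cpu.NumberOfCores
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbs = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = VBS running
    [pscustomobject]@{ SmtEnabled = $smt; VbsRunning = $vbs; DisableSmtRecommended = ($smt -and $vbs) }
}

# Offline checks using the thread's values (no registry access needed):
Test-MitigationProfile -Override 72   -Mask 3                    # OK: profile 'Full' (72) configured
Test-MitigationProfile -Override 8264 -Mask 3 -Expected 'Full'   # reports the extra SMT disable
Test-MitigationProfile -Override 72   -Mask 0                    # mask wrong: override not in effect
Test-MitigationProfile -Override $null -Mask $null               # nothing configured

# Live host:
# $cur = Get-FeatureSettingsOverride; Test-MitigationProfile -Override $cur.Override -Mask $cur.Mask
# Test-SmtWithVbs
# Set-MitigationProfile -Name FullNoSmt -WhatIf    # drop -WhatIf (elevated) to actually write
```

Run Test-SmtWithVbs first: if it returns DisableSmtRecommended = True, the reply's preferred fix is disabling SMT/HT in firmware, and only if that is not possible should the FullNoSmt profile be written.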