Windows 10: Windows Client Guidance against speculative execution vulnerabilities

Discuss and support Windows Client Guidance against speculative execution vulnerabilities in Windows 10 News to solve the problem; Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities Summary Microsoft is aware of a new... Discussion in 'Windows 10 News' started by Brink, Jan 4, 2018.

  1. Brink
    Brink New Member

    Windows Client Guidance against speculative execution vulnerabilities


    How to get the monthly Windows security update for Windows Update and Windows Update for Business with Group or MDM policy configurations set to disable preview builds

    (Note This is not applicable to WSUS users.)

    If you have currently disabled preview builds, your organization’s devices will not be able to receive the January 2018 Windows security updates. The following Group or MDM policy configurations settings disable preview builds and will not allow the Windows security updates. They will have to be changed to do so. To verify that you cannot receive the update, you can scan for available updates.

    Group/MDM Configuration                   | Setting                                                                        | Description
    ------------------------------------------|--------------------------------------------------------------------------------|------------------------------------------------------------------------------
    System/AllowBuildPreview                  | 0                                                                              | Not allowed
    "Toggle user control over Insider builds" | Enabled                                                                        |
    Update/ManagePreviewBuilds                | 0 or 1                                                                         | Disable preview builds -or- Disable preview builds once next release is public
    "Manage preview builds"                   | Disable preview builds -or- Disable preview builds once next release is public |
    To allow devices to receive the January 2018 Windows security updates, you need to change the Group or MDM policies to the following “Not Configured” settings:

    Group/MDM Configuration                   | Setting        | Description
    ------------------------------------------|----------------|---------------
    System/AllowBuildPreview                  | 2              | Not Configured
    "Toggle user control over Insider builds" | Not Configured |
    Update/ManagePreviewBuilds                | 3              | Not Configured
    "Manage preview builds"                   | Not Configured |
    After devices have received the monthly Windows security updates, the policy configuration settings can be changed back to their previous state (disabling preview builds).

    Verifying that protections are enabled

    To help customers confirm whether protections have been enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands:

    Note These verification steps only apply to Windows client and not to Azure instances. For further cloud guidance, see the Azure blog.

    PowerShell Verification using the PowerShell Gallery

    1) Open elevated PowerShell.

    2) Temporarily set PowerShell script execution policy

    PS> Set-ExecutionPolicy Unrestricted -Scope Process -Force

    3) Install the PowerShell module
    PS > Install-Module SpeculationControl -Force

    Type Y and press Enter if prompted to install and import NuGet.

    4) Run the PowerShell module to validate protections are enabled
    PS > Get-SpeculationControlSettings
    OR

    PowerShell Verification using download from Technet

    1) Install PowerShell Module from Technet ScriptCenter
    Go to Speculation Control Validation PowerShell Script

    Download SpeculationControl.zip to a local folder.

    Extract the contents to a local folder, for example C:\ADV180002
    2) Open elevated PowerShell.

    3) Switch to directory of extracted contents
    PS> CD C:\ADV180002\SpeculationControl

    4) Temporarily set PowerShell script execution policy
    PS> Set-ExecutionPolicy Unrestricted -Scope Process -Force

    5) Install the downloaded PowerShell module
    PS > Import-Module .\SpeculationControl.psd1

    6) Run the PowerShell module to validate protections are enabled
    PS > Get-SpeculationControlSettings

    The output of this PowerShell script will look like the following. Enabled protections will show in the output as “True”.

    Code:
    PS C:\> Get-SpeculationControlSettings
    Speculation control settings for CVE-2017-5715 [branch target injection]
    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: True
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID optimization is enabled: True



    Registry Settings

    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756 How to back up and restore the registry in Windows
    Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

    To enable the fix *

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    Restart the computer for the changes to take effect.

    To disable the fix *

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    Restart the computer for the changes to take effect.

    (There is no need to change MinVmVersionForCpuBasedMitigations.) * Note setting of 3 is accurate for both enable/disable settings due to masking.
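An added compliance check, written for this thread and not part of Microsoft's guidance or the SpeculationControl module: it reads the FeatureSettingsOverride / FeatureSettingsOverrideMask values described above, reports what they effectively do, and reduces the Get-SpeculationControlSettings report to one verdict per CVE so a management tool can flag unprotected hosts. It assumes the module is already installed, and the property names on the module's result object (BTIWindowsSupportEnabled, KVAShadowRequired, and so on) are taken from that object as it existed at the time; check them with Get-Member if a later module version renames them.

```powershell
#Requires -RunAsAdministrator
# Assumes: Install-Module SpeculationControl has already been run (see the steps above).
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverrideState {
    # Only the bits set in FeatureSettingsOverrideMask take effect, which is why the
    # guidance uses Mask=3 for both the enable (Override=0) and disable (Override=3) commands.
    $p = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.FeatureSettingsOverride) {
        return [pscustomobject]@{ Override = $null; Mask = $null; Effective = $null
                                  State = 'No override present (update default applies: fixes enabled)' }
    }
    $override  = [int]$p.FeatureSettingsOverride
    $mask      = if ($null -ne $p.FeatureSettingsOverrideMask) { [int]$p.FeatureSettingsOverrideMask } else { 0 }
    $effective = $override -band $mask
    $state = switch ($effective) {
        0       { 'Fixes enabled (Override 0 masked with 3)' }
        3       { 'Fixes disabled for CVE-2017-5715 and CVE-2017-5754 (Override 3 masked with 3)' }
        default { "Partial override in effect (effective value $effective); compare with the guidance above" }
    }
    [pscustomobject]@{ Override = $override; Mask = $mask; Effective = $effective; State = $state }
}

function Get-SpeculationVerdict {
    # Property names below are an assumption based on the module's result object.
    $s = Get-SpeculationControlSettings
    $btiOk = [bool]$s.BTIWindowsSupportEnabled
    # Kernel VA shadowing is only required on hardware affected by CVE-2017-5754.
    $kvaOk = (-not [bool]$s.KVAShadowRequired) -or [bool]$s.KVAShadowWindowsSupportEnabled
    $reasons = @()
    if (-not $btiOk) {
        if (-not $s.BTIHardwarePresent)          { $reasons += 'CVE-2017-5715: no microcode/firmware support on this CPU' }
        elseif (-not $s.BTIWindowsSupportPresent) { $reasons += 'CVE-2017-5715: January 2018 OS update missing' }
        else                                      { $reasons += 'CVE-2017-5715: OS support present but disabled (check FeatureSettingsOverride)' }
    }
    if (-not $kvaOk) {
        if (-not $s.KVAShadowWindowsSupportPresent) { $reasons += 'CVE-2017-5754: OS update missing' }
        else                                        { $reasons += 'CVE-2017-5754: KVA shadow present but disabled (check FeatureSettingsOverride)' }
    }
    [pscustomobject]@{
        ComputerName                   = $env:COMPUTERNAME
        BranchTargetInjectionMitigated = $btiOk
        RogueDataCacheLoadMitigated    = $kvaOk
        FullyProtected                 = ($btiOk -and $kvaOk)
        Reasons                        = ($reasons -join '; ')
        RegistryOverride               = (Get-MitigationOverrideState).State
    }
}

$verdict = Get-SpeculationVerdict
$verdict | Format-List
# A non-zero exit code lets a scheduled task or management agent flag unprotected hosts.
if (-not $verdict.FullyProtected) { exit 1 }
```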


    Disable mitigation against Spectre Variant 2

    KB4078130 Update to Disable Mitigation against Spectre, Variant 2 - Windows 10 Forums

    While Intel tests, updates, and deploys new microcode, we are offering a new option for advanced users on impacted devices to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently via registry setting changes.

    If you have installed the microcode, but want to disable CVE-2017-5715 - Branch target injection mitigation due to unexpected reboots and/or system stability issues, use the following instructions.

    To enable Variant 2: CVE 2017-5715 "Branch Target Injection":

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    To disable Variant 2: CVE 2017-5715 "Branch Target Injection":

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    Note disabling and enabling the Variant 2 via registry setting changes will require a reboot and administrative rights.


    Enable usage of Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs)

    Applies to: Windows 10 version 1709

    Some AMD processors (CPUs) offer an indirect branch control feature designed to mitigate indirect branch target injections through an Indirect Branch Prediction Barrier (IBPB) mechanism. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).

    Use the following instructions to control usage of IBPB when switching from user context to kernel context:

    To enable usage of Indirect Branch Prediction Barrier (IBPB) when switching from user context to kernel context:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    Note: Enabling usage of Indirect Branch Prediction Barrier (IBPB) through registry setting changes requires administrative rights and a restart.


    Frequently asked questions

    1. How can I tell if I have the right version of the CPU microcode?
    The microcode is delivered through a firmware update. Customers should check with their CPU (chipset) and device manufacturers on availability of applicable firmware security updates for their specific device, including Intel's Microcode Revision Guidance.

    2. My operating system (OS) is not listed. When can I expect a fix to be released?
    Addressing a hardware vulnerability through a software update presents significant challenges, and mitigations for older operating systems require extensive architectural changes. We are working with affected chip manufacturers to determine the best way to provide mitigations, which may be delivered in future updates.

    3. Where can I find Surface firmware/hardware updates?
    Updates for Microsoft Surface devices will be delivered to customers through Windows Update along with the updates for the Windows operating system. For more information, see KB 4073065.

    If your device is not from Microsoft, apply firmware from the device manufacturer. Contact the manufacturer for more information.

    4. I have an x86 architecture but don’t see an update. Will I get one?
    In February 2018, Microsoft released added protection for some x86-based systems. For more information see KB4073757 and the Microsoft Security Advisory ADV 180002.

    5. Intel has identified reboot issues with microcode on some older processors. What should I do?
    Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection). Specifically, Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior”, and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22, Intel recommended that customers stop deploying the current microcode version on impacted processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.

    While Intel tests, updates, and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing, this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.”

    As of this update, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.

    6. Where can I find Microsoft HoloLens operating system and firmware updates?
    Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.

    After applying the February 2018 Windows Security Update, HoloLens customers do not need to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.

    7. I have not installed the January 2018 Security Only updates. If I install the February 2018 Security Only updates, am I protected from the vulnerabilities described in this advisory?
    Yes. While Security Only updates are not normally cumulative, to ensure customers are protected, Microsoft is including the mitigations against these vulnerabilities in the February Security Only updates. These updates also include the updates for AMD-based devices.

    8. If I apply any of the applicable February security updates, will they disable the protections for CVE-2017-5715 like security update 4078130 did?
    No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations.

    9. I've heard Intel has released microcode updates. Where can I find them?
    Intel recently announced they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates around Spectre Variant 2 [CVE 2017-5715 ("Branch Target Injection")]. KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.

    10. Known Issue: Some users may experience network connectivity issues or lose IP address settings after installing the March 13, 2018 Security Update (KB 4088875).
    For more information, see the Known Issues section in the Knowledge Base article 4088875.

    11. I've heard AMD has released microcode updates. Where can I find and install these updates for my system?
    AMD recently announced they have started to release microcode for newer CPU platforms around Spectre Variant 2 [CVE 2017-5715 ("Branch Target Injection")]. For more information refer to the AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control. These are available from the OEM firmware channel.


    Source: https://support.microsoft.com/en-us/...peculative-exe


    See also:
     
    Brink, Jan 4, 2018
    #1
  2. Steve C Win User

    The above PowerShell commands don't work for me running the latest version of W10 Pro. What do users need to do to run these commands?

    :)
     
    Steve C, Jan 4, 2018
    #2
  3. Windows 10 we cannot connect to the update service

    PLEASE READ :

    Microsoft Security Advisory:
    MSRC ADV180002


    Intel:
    Security Advisory


    ARM:
    Security Advisory


    AMD:
    Security Advisory


    NVIDIA:
    Security Advisory


    Microsoft Secure blog:
    Understanding the Performance Impact of Spectre and Meltdown Mitigations on Windows Systems


    Windows for Business blog:
    Windows Analytics now helps assess Meltdown and Spectre protections


    Consumer Guidance:
    Protecting your device against chip-related security vulnerabilities


    Antivirus Guidance:
    Windows security updates released January 3, 2018, and antivirus software


    Guidance for AMD Windows OS security update block:
    KB4073707: Windows operating system security update block for some AMD based devices


    Update to Disable Mitigation against Spectre, Variant 2:
    KB4078130: Intel has identified reboot issues with microcode on some older processors


    Surface Guidance:
    Surface Guidance to protect against speculative execution side-channel vulnerabilities


    IT Pro Guidance:
    Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities


    Edge Developer Blog:
    Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer


    Server Guidance:
    Windows Server guidance to protect against speculative execution side-channel vulnerabilities


    Server Hyper-V Guidance

    Azure Blog:
    Securing Azure customers from CPU vulnerability


    Azure KB:
    KB4073235: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities


    Azure Stack guidance:
    KB4073418: Azure stack guidance to protect against the speculative execution side-channel vulnerabilities


    SQL Server guidance:
    KB4073225: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities


    SCCM guidance:
    Additional guidance to mitigate speculative execution side-channel vulnerabilities
     
    Darlene Hamilton, Jan 4, 2018
    #3
  4. 'Mike P Win User

    Windows Client Guidance against speculative execution vulnerabilities

    Regarding KB4078130

    Note Users who
    do not have the affected Intel microcode do not have to download this update.

    We are also offering a new option – available for
    advanced users on affected devices – to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently through registry setting changes. The instructions for the registry key settings
    can be found in the following Knowledge Base articles:

     
    'Mike P, Jan 4, 2018
    #4
  5. *Ditto*Ditto*Ditto*Ditto
     
    Josey Wales, Jan 4, 2018
    #5
  6. Cliff S New Member
    Shawn, mine shows a little bit more at the bottom;

     
    Cliff S, Jan 4, 2018
    #6
  7. Cliff S New Member
    Are you guys running as admin?

    It will want to install nuget first if you don't have it installed yet(like if you are a Chocolatey user).
     
    Cliff S, Jan 4, 2018
    #7
  8. Mooly Win User

    Windows Client Guidance against speculative execution vulnerabilities

    Thanks Cliff.

    Tried admin and non admin but didn't know you needed to install something first... and so as I like to keep my main system clean I probably won't pursue it. But thanks
     
    Mooly, Jan 4, 2018
    #8
  9. clam1952 Win User
    Probably need to change the Execution Policy from Restricted first, I used
    PS C:\WINDOWS\system32> set-executionpolicy remotesigned.

    Put it back to Restricted after running the scripts.
     
    clam1952, Jan 4, 2018
    #9
  10. I did as well, Thanks again Cliff
     
    Josey Wales, Jan 4, 2018
    #10
  11. axe0 New Member
    Installed the latest update of Windows and this is how it looks for me, apparently it is for many users like this and means the Spectre bug hasn't been completely patched with a BIOS update. I flashed the latest BIOS version yesterday to patch a previous security problem.

     
  12. Latest Windows Insider build which supposedly already has the fix applied:


     
    BlackScout, Jan 4, 2018
    #12
  13. Steve C Win User

    Windows Client Guidance against speculative execution vulnerabilities

    Steve C, Jan 4, 2018
    #13
  14. xips Win User
    Build 16299.192 & latest BIOS


     
  15. Cliff S New Member
    Yesterday I received both the Cumulative update, and a BIOS update.
    But the BIOS update made no mention about these two problems, or the ME(in BIOS, not the driver inside of Windows) problem. But the SA 00086 tool say's I'm good to go too.
    So ASUS is on the ball (with the new Z370 boards at least)

     
    Cliff S, Jan 4, 2018
    #15