Spectre meltdown - GetSpeculationControlSettings - question

  • Question

  • Hi guys.

    Per article:

    https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    We had:

    1. Checked the existence of registry key (Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
    Data="0x00000000")

    2. Pushed Windows security updates

    3. We had added registry keys:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    4. Rebooted server

    5. BIOS update for motherboard currently is not published (yet).

    This is the output of GetSpeculationControlSettings:

    Shouldn't it be more green, or is it OK and the red statements are only because the BIOS hasn't been updated yet?

    The output is the same if we do this on a VM on the Hyper-V host.


    bostjanc



    • Edited by B_C_R Sunday, January 14, 2018 8:25 PM
    Sunday, January 14, 2018 8:08 PM

All replies

  • Does this article explain?

    https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, January 15, 2018 6:52 AM
  • Hi bostjanc,

    Based on my research, you may refer to the following article to verify the output of Get-SpeculationControlSettings:
    Understanding Get-SpeculationControlSettings PowerShell script output
    https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 15, 2018 7:13 AM
  • Thanks for the clarification.

    One more question:

    Registry key:

    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"

    Data="0x00000000"

    triggers the download of the Meltdown/Spectre updates, correct?

    Does adding

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    trigger getting any new updates?

    I have a feeling that after adding those three keys (on one 2008 R2 srv and one 2012 R2) I got one more update:

    Could adding those three registry keys push getting this new update?


    bostjanc

    Tuesday, January 16, 2018 12:52 PM
  • The QualityCompat key should be added by your virus protection software, to enable the mitigation update. The only time you should need to manually add this key is if you have no virus software for some reason. The other registry settings are explained here:

    https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    but I think these are mostly to prevent the updates, then re-enable. The new update you received, kb4056895, I believe is not related to the Meltdown/Spectre issue.

    Edit: Per this article:

    https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

    regarding the registry settings you refer to, I quote:

    Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, January 16, 2018 2:37 PM
  • Hi,

    I'm checking how the issue is going. Was your issue resolved?

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    I appreciate your feedback.

    Best Regards,
    Albert

    Wednesday, January 17, 2018 8:46 AM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If not, please reply and tell us the current situation so that we can provide further help.

    I appreciate your feedback.

    Best Regards,
    Albert

    Friday, January 19, 2018 2:37 AM
  • Hi there.
    Just want to clarify what the best-practice approach to handling these threats is. We've read dozens of articles so far and decided to go with this approach:

    1. Check if the machine has or doesn't have AV. Check the existence of the key:
    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
    Data="0x00000000"

    2. Push January Windows updates, after we are sure that the key for AV exists.

    3. If the machine's OS is server, add registry keys and reboot the server:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    4. If the machine has the Hyper-V role, shut down all the VMs and start them after the host has been rebooted.

    5. At the end, check if the host's motherboard has any January BIOS and patch the server.

    6. Run the PowerShell script "Get-SpeculationControlSettings" to get info about protection.

    Would this be the most optimal approach, or would you add any extra steps?


    bostjanc


    • Edited by B_C_R Friday, January 19, 2018 11:43 AM
    Friday, January 19, 2018 11:42 AM
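
The registry checks from steps 1, 3 and 6 of the post above can be verified read-only before and after patching. This is an added example, not part of any poster's reply or of Microsoft's guidance; the function name Test-MitigationRegistry is hypothetical, and the expected data values are simply the ones quoted in this thread.

```powershell
# Added example: read-only audit; nothing is written to the registry.
# Expected data values are the ones quoted in this thread.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$checks = @(
    @{ Step = '1 AV compatibility flag'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
       Name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'; Expected = '0' },
    @{ Step = '3 FeatureSettingsOverride';     Path = $mm
       Name = 'FeatureSettingsOverride';       Expected = '0' },
    @{ Step = '3 FeatureSettingsOverrideMask'; Path = $mm
       Name = 'FeatureSettingsOverrideMask';   Expected = '3' },
    @{ Step = '3 MinVmVersionForCpuBasedMitigations (Hyper-V hosts)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
       Name = 'MinVmVersionForCpuBasedMitigations'; Expected = '1.0' }
)

# Hypothetical helper: compares each value's data with the expected string.
function Test-MitigationRegistry {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value yields no object; the error is suppressed.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = [string]$item.($c.Name) } else { $actual = '<missing>' }
        New-Object PSObject -Property @{
            Step = $c.Step; Expected = $c.Expected
            Actual = $actual; Match = ($actual -eq $c.Expected)
        }
    }
}

$results = Test-MitigationRegistry -Checks $checks
$results | Select-Object Step, Expected, Actual, Match | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Match })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} registry value(s) differ from the values in this thread." -f $failed.Count)
}

# Step 6: run the cmdlet only if the SpeculationControl module is available.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    Write-Warning 'Get-SpeculationControlSettings not found; import the SpeculationControl module first.'
}
```

A `<missing>` result for the QualityCompat value means the January updates will not be offered to that machine, so run the audit before step 2 as well as after the reboot.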