Security Advisory ADV180002 mitigate for Windows 10/8.x Client Hyper-V

  • Question

  • Hi,

    In the Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities article, Hyper-V hosts are considered at increased risk, and some registry keys to enable the mitigations on server are given as follows:

    To enable the mitigations
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    
    To disable the mitigations
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    What about Windows 10/8.x Host with Client Hyper-V enabled? Are these registry keys needed in Windows 10/8.x Host with Client Hyper-V enabled?

    Updated 5/Jan/2018:

    I find it seems like this:

    Security Advisory ADV180002 protect against speculative execution side-channel vulnerabilities

    The mitigation status after Windows Update and firmware update installed:

                                      Windows Client   Windows Server
      Registry switch not configured  enabled          disabled
      Registry switch enabled         enabled          enabled
      Registry switch disabled        disabled         disabled

    Regardless of whether the Windows Client is a Hyper-V Host or Guest, the mitigation is effective unless the registry switch is disabled.


    Updated 7/Jan/2018:

    I find those registry keys are needed if you want to protect your VMs running under Windows 10/8.x Client Hyper-V.

    You need to run the following command on your Windows 10/8.x Client Hyper-V Host, fully shut down all VMs, then restart the Windows 10/8.x Client Hyper-V Host for the changes to take effect. Windows Update is also needed in the Guest Windows OS.

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f 

    • Edited by Erica Asa Sunday, January 7, 2018 8:22 AM
    Thursday, January 4, 2018 11:28 AM

All replies

  • To answer your question, yes, you need these mitigations in "client" hyper-v as well. client hyper-v is still the real hyper-v, just running on your desktop. Imagine if you ran a malicious docker container or hyper-v vm on a client machine with "client hyper-v" enabled. You'd still be hosed.

    -S


    • Edited by JinzoBlazer Thursday, January 4, 2018 5:07 PM
    • Proposed as answer by JinzoBlazer Thursday, January 4, 2018 5:07 PM
    Thursday, January 4, 2018 4:38 PM
  • I think the KB article has a mistake? - the reg key is the same for enable/disable with the same value for FeatureSettingsOverrideMask 

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    When I run the powershell script it says:

    Windows OS support for branch target injection mitigation is enabled: False

    but the other support IS enabled:

    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID optimization is enabled: True

    Friday, January 5, 2018 3:09 PM
  • I agree this key is wrong and I am surprised that there are not more people questioning it.

    Mark

    Friday, January 5, 2018 4:26 PM
  • Thanks for sharing your updates here; please closely monitor our blogs regarding this issue.

    Server: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    Client: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

    Please check the link below for more detailed information:

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.”

    Monday, January 8, 2018 4:01 AM
  • Hi Mark and Glidah,

    We set FeatureSettingsOverrideMask to 3 in both the enable setting and the disable setting because it disregards the system default setting and ensures FeatureSettingsOverride sets whatever bits are specified.

    Please let me know if you have any other question or concern.

    Monday, January 8, 2018 4:06 AM
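To make the table from the question and the mask explanation above concrete, here is an added PowerShell check (example code, not from the thread or from Microsoft) that reads the three registry values on a Client Hyper-V host and reports the resulting switch state. It assumes the semantics stated in the thread: with the values absent the client default is enabled and the server default disabled, and only bits present in FeatureSettingsOverrideMask are taken from FeatureSettingsOverride, with 0 meaning mitigations on and 3 meaning mitigations off.

```powershell
# Added example, not from the thread: report the ADV180002 mitigation switch state on a
# Windows 10/8.x Client Hyper-V host, applying the table from the question and the
# moderator's explanation of how FeatureSettingsOverrideMask gates FeatureSettingsOverride.
$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$VirtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the value is absent so "not configured" is distinct from 0
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-MitigationSwitchState {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isClient = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 1
    $override = Get-RegValue $MemMgmt 'FeatureSettingsOverride'
    $mask     = Get-RegValue $MemMgmt 'FeatureSettingsOverrideMask'
    $minVm    = Get-RegValue $VirtKey 'MinVmVersionForCpuBasedMitigations'

    if ($null -eq $override -or $null -eq $mask -or ([int]$mask -band 3) -eq 0) {
        # Switch absent (or mask overrides nothing): the OS default from the table applies
        if ($isClient) { $state = 'not configured (client default: enabled)' }
        else           { $state = 'not configured (server default: disabled)' }
    } else {
        # Only the masked bits of the override are honoured
        $effective = [int]$override -band [int]$mask
        if (([int]$mask -band 3) -ne 3) { $state = "partial override (mask $mask, effective bits $effective)" }
        elseif ($effective -eq 0)       { $state = 'enabled (override 0, mask 3)' }
        elseif ($effective -eq 3)       { $state = 'disabled (override 3, mask 3)' }
        else                            { $state = "mixed (effective override bits $effective)" }
    }

    [pscustomobject]@{
        IsClientSku                        = $isClient
        # vmms is the Hyper-V Virtual Machine Management service; present when the role is on
        HyperVInstalled                    = $null -ne (Get-Service vmms -ErrorAction SilentlyContinue)
        FeatureSettingsOverride            = $override
        FeatureSettingsOverrideMask        = $mask
        MitigationSwitch                   = $state
        # Per the thread, the host needs this set to "1.0" for guests to get CPU-based mitigations
        MinVmVersionForCpuBasedMitigations = $minVm
    }
}

Get-MitigationSwitchState | Format-List
```

A reboot is still required after changing the values, so run this after the restart rather than immediately after reg add.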
  • Do these reg keys need to be AFTER the update is applied or can they be applied in advance so they take effect when the update is applied and server is restarted?

    We would like to set these via GPO in advance, assuming they have no negative impact, rather than have to apply them post update and restart the server again.

    Andy

    Monday, January 8, 2018 2:58 PM
  • Hi Andy,

    No, you can apply this registry setting first.

    Currently we have not received any reports of negative impact from these registry settings. It is recommended to perform all the suggestions in the following articles ASAP.

    Server: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    Client: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

    Monday, January 8, 2018 4:45 PM
  • Hello.

    Recently I updated CPU microcode for my Intel CPU, and now I see in PowerShell:

    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: False

    I created both registry values FeatureSettingsOverrideMask = 3 and FeatureSettingsOverride = 0, rebooted, but still receive
    Windows OS support for branch target injection mitigation is enabled: False

    Can it be due to usage of VMware driver for updating CPU microcode? I mean kernel is loaded => sees no HW support for BTI and turns mitigation off => then VMware driver is loaded and updates CPU microcode (only too late).

    Update: So I succeeded in modifying the BIOS file with updated CPU microcode and flashing it to BIOS. And after that BTI mitigation is reported as enabled. So I was right about too late stage of applying CPU microcode update through VMware driver.

    • Edited by Maks.K Wednesday, January 10, 2018 1:12 AM
    Tuesday, January 9, 2018 10:40 PM
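Maks.K's case above (registry switch set, yet "Windows OS support for branch target injection mitigation is enabled: False") is exactly the distinction the SpeculationControl module's output object lets you make. The following added example (not from the thread or from Microsoft) reads that object and names the likely cause; it assumes the module is installed with Install-Module SpeculationControl and that its output object exposes the BTI* properties used below.

```powershell
# Added example, not from the thread: explain why the BTI mitigation is still reported
# as disabled after the registry switch is set, using the object returned by
# Get-SpeculationControlSettings (the PowerShell script quoted in this thread).
# Assumption: the SpeculationControl module is installed and its output object carries
# the BTIHardwarePresent / BTIWindowsSupportPresent / BTIWindowsSupportEnabled /
# BTIDisabledBySystemPolicy / BTIDisabledByNoHardwareSupport properties.
Import-Module SpeculationControl -ErrorAction Stop

function Get-BtiDiagnosis {
    # The cmdlet prints the familiar report lines and also returns a settings object
    $s = Get-SpeculationControlSettings

    if ($s.BTIWindowsSupportEnabled) {
        return 'BTI mitigation is active; nothing further to do on the host.'
    }
    if (-not $s.BTIWindowsSupportPresent) {
        return 'OS support missing: install the January 2018 cumulative update first.'
    }
    if (-not $s.BTIHardwarePresent -or $s.BTIDisabledByNoHardwareSupport) {
        # Maks.K's case: microcode delivered by a late-loading driver is not visible to the
        # kernel when it decides at boot, so the fix is a firmware/BIOS microcode update
        return 'No hardware support seen at boot: apply the microcode via firmware/BIOS, not a driver.'
    }
    if ($s.BTIDisabledBySystemPolicy) {
        # The registry switch (FeatureSettingsOverride / FeatureSettingsOverrideMask) turned it off
        return 'Disabled by policy: set FeatureSettingsOverride to 0 with mask 3 and reboot.'
    }
    return 'Disabled for a reason the module does not flag; re-check firmware and OS update state.'
}

Get-BtiDiagnosis
```

Run it elevated after the reboot that follows the registry change, since the kernel evaluates hardware support and policy only at boot.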
  • Maks, Thanks for updating this information here.

    BTW, a new blog on the performance impact has been posted, FYI: Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems.


    Wednesday, January 10, 2018 1:42 AM