meltdown related question - way to workaround not having BIOS update??

  • Question

  • I was able to go through some hoops and get the latest microcode for my Intel Kaby Lake processor loaded using this VMware Windows CPU microcode loader driver tool. However, there doesn't seem to be a way to enable the Windows patch on the fly, unfortunately. Is there any way to get Windows to enable the Meltdown patch after boot-up? I do hear the patch is being pulled because of the AMD issue, so who knows now, totally. I was mainly trying to do this so that old machines with no hope of a BIOS update anytime soon could be patched.

    Now I get this on the patch test.

    PS C:\script\SpeculationControl> Get-SpeculationControlSettings
    Speculation control settings for CVE-2017-5715 [branch target injection]

    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: False
    Windows OS support for branch target injection mitigation is disabled by system policy: False
    Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: True [not required for security]

    Suggested actions

     * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119


    BTIHardwarePresent             : True
    BTIWindowsSupportPresent       : True
    BTIWindowsSupportEnabled       : False
    BTIDisabledBySystemPolicy      : False
    BTIDisabledByNoHardwareSupport : False
    KVAShadowRequired              : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : True
    KVAShadowPcidEnabled           : True

    Wednesday, January 10, 2018 10:14 PM

All replies

  • Hi,

    Do you mean you want to automatically install an update package, which was downloaded with third-party software, after the computer boots?

    If yes, we could create a script to run this installation update package, then configure a Task Scheduler task to run the script after the computer boots.

    For configuration steps about Task Scheduler, please refer to: Task Scheduler How to...

    If I misunderstood your issue, please let me know directly.

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 15, 2018 2:36 AM
    Moderator
  • Well, I'm not sure if you're following or not what I was trying to do. I'm not necessarily trying to install the patch, as it is already on my machine. I believe the elements of the Meltdown/Spectre patch are implemented at boot-up, probably early on. Therefore the new CPU microcode is not loaded at that time by the third-party driver I was trying to use. So what I was looking for was some way to dynamically enable the code that implements the patch later on, after the system has booted. If that makes sense, I hope?

    Trouble is, I don't know enough detail about how they implemented the patch, whether it has to be enabled early on in the boot-up of the OS or not. If Windows could implement the patch so it can be dynamically enabled, it would be nice, so that we can fully patch our machines without having to have the BIOS, which may not be available for a long time, if at all. It might also be useful if the microcode is buggy or something, so we can easily change it back, etc.

    Monday, January 15, 2018 7:19 AM
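An added audit script (not from the thread) that runs the same Get-SpeculationControlSettings check shown in the question and reads the FeatureSettingsOverride / FeatureSettingsOverrideMask values described in the KB4073119 link from the module's output, then writes one line to a log. It assumes the SpeculationControl module is installed; the log path is a placeholder. Run from Task Scheduler at startup, as the moderator suggested, it records whether each boot came up with the mitigations enabled.

```powershell
# Added example, not code from the thread. Assumes the SpeculationControl
# module shown in the question is installed, and that the policy values are
# the ones documented in the KB4073119 link from the module's output.
Import-Module SpeculationControl -ErrorAction Stop

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$logPath = 'C:\ProgramData\SpecCtrlAudit.log'   # placeholder log location

# Get-SpeculationControlSettings returns an object with the Boolean fields
# listed at the end of the question's output (BTI* and KVAShadow*).
$s = Get-SpeculationControlSettings

# Read the two policy values; $null means the value is not set and the
# Windows client default (mitigations enabled when supported) applies.
$p = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
$override = $p.FeatureSettingsOverride
$mask     = $p.FeatureSettingsOverrideMask

$findings = @()

# CVE-2017-5715 (branch target injection): needs microcode AND the OS switch.
if (-not $s.BTIHardwarePresent) {
    $findings += 'BTI: no microcode support visible to the OS (firmware/microcode update needed).'
} elseif (-not $s.BTIWindowsSupportEnabled) {
    if ($s.BTIDisabledBySystemPolicy) {
        $findings += 'BTI: disabled by policy. Per KB4073119, set FeatureSettingsOverride=0 and FeatureSettingsOverrideMask=3, then reboot.'
    } else {
        $findings += 'BTI: hardware and OS support present but not enabled, and no policy is blocking it; re-check after a reboot.'
    }
}

# CVE-2017-5754 (rogue data cache load): OS-side mitigation (kernel VA shadowing).
if ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportEnabled) {
    $findings += 'KVA shadow: required by this CPU but not enabled; check the policy values and OS update level.'
}

$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
$state = "override=$override mask=$mask"
if ($findings.Count -eq 0) {
    $line = "$stamp OK all applicable mitigations enabled ($state)"
} else {
    $line = "$stamp WARN ($state) " + ($findings -join ' | ')
}
Add-Content -Path $logPath -Value $line
Write-Output $line
```

Against the output in the question it would log a WARN line for BTI (hardware present, OS support present, not enabled, not blocked by policy), which is the state the poster is asking about.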
  • Any interest in this? Really quiet.. :(
    Sunday, January 21, 2018 7:37 AM