Meltdown and Spectre: must the registry value FeatureSettingsOverride be set manually after patch installation (KB4056898) on W2K12 R2?

    Question

  • In link https://support.microsoft.com/en-hk/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in it is described, that 2 registry values need to be set to enable the fix:

    To enable the fix *

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    Restart the computer for the changes to take effect.

    To disable the fix *

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    After installation of patch KB4056898 on a W2K12 R2 server, both registry values don't exist. Do I need to set them manually? I couldn't believe that; I expected that the installation would do it.

    I did some checks with the mentioned PowerShell script and saw that the results without existing registry values and with enabled registry settings are different. The results without existing registry values are the same as with disabled registry settings. Please note that I always rebooted the server after making registry changes.

    As a result it looks like the patch really fixes nothing without additional registry settings; is this really true?

    Please note that I'm developing security compliance tools and need to report the correct result. It would be very helpful if Microsoft documented this properly.

    Wednesday, January 10, 2018 10:41 PM

All replies

  • Hello,

    Yes, you need to do it manually (or via GPO).

    Without these values, the update is installed but not activated.

    If you're in a virtual environment, be sure the ESXi or VM hosts are also updated...

    Friday, January 12, 2018 6:08 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,
    William

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 15, 2018 1:31 AM
    Moderator
  • The documentation you've linked to is for client versions of Windows, where the mitigation is enabled by default.

    The documentation for server versions of Windows, where the mitigation is disabled by default, is here:

    https://support.microsoft.com/en-hk/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    "Customers have to enable mitigations to help protect against speculative execution side-channel vulnerabilities."

    Tuesday, January 16, 2018 9:42 PM
  • I think they must be added manually (GPO) because some servers need special treatment.

    Especially Hyper-V hosts and guests.


    Regards Stephan

    OneDrive / Sharepoint Blog

    Wednesday, January 17, 2018 6:17 AM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,
    William

    Thursday, January 18, 2018 12:36 PM
    Moderator
  • I should point out that the referenced article includes the following note:

    Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

    The registry settings are only to disable the updates, perhaps for testing, and then to re-enable them. If the registry setting does not exist, updates are enabled.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, January 18, 2018 2:36 PM
  • Yes. For the client side. But I think we are all talking server here.

    And there it says:

    1. Apply the Windows operating system update. For details about how to enable this update, see Microsoft Knowledge Base article 4072699.
    2. Make necessary configuration changes to enable protection.
    3. Apply an applicable firmware update from the OEM device manufacturer.


    Regards Stephan

    OneDrive / Sharepoint Blog

    Thursday, January 18, 2018 2:42 PM
  • We have to run the two reg keys to "enable the mitigations" on all server VMs as well, right? (not just the hosts)

    The only machines that are automatically enabled are client OSes. Correct?

    Tuesday, January 23, 2018 1:57 PM
  • Yes, I realize now that my previous reply only applies to client OSes. The registry settings you refer to must be applied for all servers.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, January 23, 2018 2:14 PM
  • Thanks Stephan, that's how I read it too, but there are multiple people in multiple forums stating the reg keys don't need to be applied to VMs. Just trying to get some clarification out of all the nonsense.

    Tuesday, January 23, 2018 2:35 PM
  • Quote: "Apply the Windows operating system update. For details about how to enable this update, see Microsoft Knowledge Base article 4072699."

    This article is about enabling deployment of the January updates versus compatibility with antivirus. Compatible antivirus software like McAfee will create the registry key themselves.

    It is not about enabling/disabling the mitigations once the monthly patches have been applied, which is explained in this article: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    Tuesday, April 3, 2018 8:51 PM
  • In this article there are different settings for FeatureSettingsOverride for AMD and non-AMD processors.

    Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown):

    AMD:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

    Non-AMD:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

    In earlier versions of this article the setting for "FeatureSettingsOverride" was always 0. What happens if it is set to 0?

    In the FAQ "Can you provide more details about the registry values" it is described that if a bit is set to 0 the related mitigation is enabled. As a result 0 should always enable everything, so why set it to 8 or 72?
    In my opinion the registry value "FeatureSettingsOverrideMask" also should not be 3, because this would only represent 2 bits, but we now have 3 features to disable/enable. Why is this unchanged?

    Thursday, December 20, 2018 6:50 PM
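For the compliance-reporting problem raised in the question (values absent on a server SKU report the same as "disabled") and the bit question in the last post, here is an added audit script that is not from the thread or from Microsoft. It reads the two values the thread discusses and decodes the bits; the bit assignments (bit 0 = Spectre variant 2 mitigation disabled, bit 1 = Meltdown mitigation disabled, bit 3 = SSBD enabled on non-AMD, bit 6 = the extra AMD SSBD bit) are an assumption drawn from the values quoted in the thread and should be verified against the current KB4072698 before being used for reporting.

```powershell
# Added example: audit FeatureSettingsOverride / FeatureSettingsOverrideMask on a server.
# Bit meanings are an ASSUMPTION (verify against the current KB4072698 FAQ):
#   bit 0 (1)  -> Spectre v2 (CVE-2017-5715) mitigation DISABLED when set
#   bit 1 (2)  -> Meltdown (CVE-2017-5754) mitigation DISABLED when set
#   bit 3 (8)  -> SSBD (CVE-2018-3639) mitigation ENABLED when set (non-AMD)
#   bit 6 (64) -> additional SSBD bit used on AMD (72 = 8 + 64)
# The mask is reported raw: the thread's question about its width (3 vs. more bits) is left open here.
function Get-SpeculationRegistryState {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management',
        [switch]$ServerSku   # server SKUs default to "mitigations off" when the values are absent
    )
    $item     = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $override = $item.FeatureSettingsOverride
    $mask     = $item.FeatureSettingsOverrideMask

    if ($null -eq $override -or $null -eq $mask) {
        # Absent values: report the SKU default instead of guessing "enabled".
        $default = if ($ServerSku) { 'Disabled (server default, value absent)' } else { 'Enabled (client default, value absent)' }
        return [pscustomobject]@{
            ValuesPresent       = $false
            Override            = $null
            Mask                = $null
            SpectreV2Mitigation = $default
            MeltdownMitigation  = $default
            SsbdMitigation      = 'Not configured'
            Compliant           = $false
        }
    }

    $spectre = if ($override -band 1) { 'Disabled' } else { 'Enabled' }
    $meltdown = if ($override -band 2) { 'Disabled' } else { 'Enabled' }
    $ssbd = if (($override -band 8) -and ($override -band 64)) { 'Enabled (AMD value)' }
            elseif ($override -band 8) { 'Enabled' } else { 'Not enabled' }

    [pscustomobject]@{
        ValuesPresent       = $true
        Override            = $override
        Mask                = $mask
        SpectreV2Mitigation = $spectre
        MeltdownMitigation  = $meltdown
        SsbdMitigation      = $ssbd
        # "Compliant" here means the thread's enable state: bits 0 and 1 clear and the mask covering them.
        Compliant           = (($override -band 3) -eq 0) -and (($mask -band 3) -eq 3)
    }
}

Get-SpeculationRegistryState -ServerSku | Format-List
```

On a W2K12 R2 host with the values absent this reports both mitigations as "Disabled (server default, value absent)" and Compliant = False, which matches what the question observed with the SpeculationControl script; after the "enable" commands from the thread (Override 0, Mask 3) and a reboot it reports Enabled / Enabled and Compliant = True.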