I have installed the patch released today as detailed here and then set the two registry keys as mentioned:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
However, when I run the provided PowerShell module to check, it is informing me the mitigations are still not enabled:
PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Install the latest available updates for Windows with support for speculation control mitigations.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : False
BTIWindowsSupportPresent : False
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
Why is this? What else do I have to do? I have rebooted the server for good measure with no improvement.
Update after answer from @Paul:
I've now installed the correct update (wally), and this is the output of the PowerShell cmdlet:
PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
Is this everything I can do pending a microcode update?
Firstly, the above output is saying that the required Windows patch has not been installed:
and
Is your AV preventing it? - see here
Secondly, CVE-2017-5715 will also require a CPU microcode update, which means a BIOS update when/if it becomes available. Intel have apparently released the code, but it's down to OEMs to provide updated BIOSes that incorporate it, and that may take a while.
All you can do right now is install the Windows patch. Once the correct patch is installed you should be covered for Meltdown, but will still need a subsequent BIOS update to fully cover off Spectre.
FYI, here is the output for my (patched) Windows 10 system:
You will note that for CVE-2017-5715 it shows that the patch is installed but not enabled due to "absence of hardware support" i.e. the microcode update.
You will also note that for CVE-2017-5754 it simply says that it's not required - this is because I'm running on an AMD CPU.
As for your side note, I can't say for sure without testing, but if you look closely, for disabling, the FeatureSettingsOverride key is being set to 3, not 0 as is required to enable it, so I assume that you need the same mask for both but either a 0 (enable) or 3 (disable) for the FeatureSettingsOverride key.
CVE-2017-5715 looks right to me in the absence of a firmware update however CVE-2017-5754 is now showing as installed but disabled. Have you checked what the enabler registry keys are set to?
I've also just noted that CVE-2017-5715 is also showing as disabled by system policy as well as by absence of hardware support which also suggests the registry settings are wrong.
There are 3 registry keys, not two. See here:
https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
You're missing this one:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
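As an added example, not code from any answer in this thread: a PowerShell script that audits the three registry values named in the KB article (the two Memory Management values from the question plus the Virtualization value above), reports which ones differ from the enabling values, and only writes them when run with -Apply. The $expected table and the -Apply switch are my own construction; the property names it reads from Get-SpeculationControlSettings (BTIWindowsSupportEnabled and so on) are those shown in the question's output. Run it from an elevated prompt and reboot after any change, since the values are only read at boot.

```powershell
# Added example, not part of the original thread.
# Audits (and with -Apply, sets) the three registry values from KB4072698 that
# this thread discusses, then reads back what Get-SpeculationControlSettings reports.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)

$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# Values that ENABLE the mitigations. Note the asymmetry discussed above:
# FeatureSettingsOverride = 3 with the same mask of 3 DISABLES them, so a
# copy-pasted "disable" line silently undoes the whole exercise.
$expected = @(
    @{ Path = $mm;   Name = 'FeatureSettingsOverride';            Type = 'DWord';  Value = 0     },
    @{ Path = $mm;   Name = 'FeatureSettingsOverrideMask';        Type = 'DWord';  Value = 3     },
    @{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Type = 'String'; Value = '1.0' }
)

$drift = 0
foreach ($e in $expected) {
    $current = $null
    if (Test-Path $e.Path) {
        # -ErrorAction SilentlyContinue makes a missing value read back as $null.
        $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    }

    if ($null -eq $current) {
        $state = 'MISSING'
    } elseif ("$current" -eq "$($e.Value)") {
        $state = 'OK'
    } else {
        $state = "WRONG (is $current)"
    }
    Write-Output ("{0,-40} expected {1,-4} {2}" -f $e.Name, $e.Value, $state)

    if ($state -ne 'OK') {
        $drift++
        if ($Apply -and $PSCmdlet.ShouldProcess("$($e.Path)\$($e.Name)", "set to $($e.Value)")) {
            if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
            Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -Type $e.Type
        }
    }
}

if ($drift -eq 0) {
    Write-Output 'Registry values already match the enabling configuration.'
} elseif ($Apply) {
    Write-Output "$drift value(s) written. Reboot before re-checking."
} else {
    Write-Output "$drift value(s) differ. Re-run with -Apply (elevated) to set them."
}

# If the SpeculationControl module from the KB is installed, summarise its verdict.
# The object properties below are the ones shown in the question's output.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $s = Get-SpeculationControlSettings 6>$null   # suppress the cmdlet's host text, keep the object
    [PSCustomObject]@{
        BTI_Hardware          = $s.BTIHardwarePresent
        BTI_OSEnabled         = $s.BTIWindowsSupportEnabled
        BTI_DisabledByPolicy  = $s.BTIDisabledBySystemPolicy
        KVAShadow_Required    = $s.KVAShadowRequired
        KVAShadow_OSEnabled   = $s.KVAShadowWindowsSupportEnabled
    } | Format-List
} else {
    Write-Output 'SpeculationControl module not found; Install-Module SpeculationControl to verify.'
}
```

Reading the result: BTI_DisabledByPolicy = True with the three values set correctly usually means the box has not been rebooted since they were written; KVAShadow_OSEnabled = False with the update present points at the same registry drift this script reports.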
Just a note to enabling Hardware support of this.
Support must be enabled via a BIOS update or... A CPU microcode update via the VMware CPU Microcode Update Driver seems to work. Intel released an archive with the microcode files on the 8th of January. It updates the microcode of the CPU; the change is shown in HWiNFO or similar.
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=873
https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver
how-to: http://forum.notebookreview.com/threads/how-to-update-microcode-from-windows.787152/
But I also am not able to fully activate it, though now HW and OS Support is enabled.
PS C:\Windows\system32> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]
Suggested actions
I have just the same problem as Marco Vernaglione. Thanks to the VMware driver and the microcode downloaded from Intel, I now have HW support and OS support, but the mitigation is still disabled.
So this is definitely the way to enable HW support.
I tried reinstalling the KB4056892 Windows update, but nothing changed.
I tried the VMware driver as suggested by @marco-vernaglione without success.
I have the driver installed and the Get-SpeculationControlSettings PowerShell module now reports hardware support. But I can't get Windows to enable support; I've tried setting the registry keys in the referenced KB article https://support.microsoft.com/help/4073119
I suspect that the driver loads too late, that Windows has already done its check to enable support before the driver loads the microcode update, and I can't find anything about re-running the check or any way to load the driver before that check.
Output from the Get-SpeculationControlSettings PowerShell module