I do see that I can't enable the Meltdown/Spectre mitigations in Windows Server 2008 R2 is a similar question, but I suppose that the environment differences may justify different remedies.
After installing the Meltdown/Spectre related Windows updates and registry keys, and verifying that the relevant Vmware patch is installed (more precisely, ESXi550-201709101-SG is listed as "considered obsolete by the host", as is ESXi550-201709102-SG, but ESXi550-201709103-SG is installed).
The Microsoft testing tool gives me only
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: False [not required for security]
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : False
I dare to interprete these (in particular regarding CVE-2017-5715) as
- CPU is vulnerable
- Windows updates have been installed
- Registry settings are missing
- GPO is not a problem
- Appropriate Microcode/Firmware is missing
This confuses me. For one, the registry settings should be ok according to the following export excerpt:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"FeatureSettingsOverride"=dword:00000000
"FeatureSettingsOverrideMask"=dword:00000003
"FeatureSettings"=dword:00000003
Additionally, I don't understand why the required microcode is missing (and hence BIOS/firmware update is suggested) given that the underlying VmWare host has ESXi550-201709103-SG installed (note though that ESXi550-201709101-SG comes with a footnote that it mitigates against CVE-2017-5715 but not against CVE-2017-5753)
What should I do?
Update
Meanwhile, I did also install BIOS/firmware (specifically, for the underlying ProLiant BL460c Gen 9 blade, I installed BIOS version 2.54 12-07-2017 (Fixes: "Updated the Intel processor microcode to the latest version."). The blade/host as well as the guest have been rebooted afterwards, but I still get the same test results (FTFFTTTTF and I am still suggested to "Install BIOS/firmware update provided by your device OEM ..."). I even had the guest boot into its BIOS and flipped through the settings to see if something needed to be enabled (apparently this is not the case).
Update 2
Out of curiosity, I tried the Linux testing tool as well. That tells me "Hardware (CPU microcode) support for mitigation: YES" even on a blade that had only ESXi550-201709103-SG installed, but not yet ProLiant BIOS 2.54.
As far as I know, VMware patches don't contain new microcode- you will need to get and install a firmware / BIOS update from your hardware vendor for this. ESXi550-201709101-SG should contain (some) mitigations against CVE-2017-5715, but on a hypervisor level and not on a hardware / CPU / microcode level.
There are already updates from HPE for ProLiant Gen9 and 10 and Dell for PowerEdge R630/R730/R730XD. I should think from other vendors and for other models, too, but these are the ones I'm interested in and therefore had an eye on.
Can't help you with your registry settings, though.
edit: I have to apologize, it looks like ESXi650-201801402-BG updates cpu-microcode. That's new to me...
edit 2: Installing all Updates (BIOS / Microcode, ESXi, OS) might not be enough, it looks like you need to ensure that virtual hardware 9 (better is 11 or later) is used and again power off and power on your VM. And
power off and power on your VM
means just that, rebooting the guest OS seems to be not enough.