Re: [NTSysADM] Are the Meltdown/Spectre reg keys needed for workstations?

Tue, 09 Jan 2018 13:30:31 -0800 

I've already issued the registry entries, so it looks like this:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by
system policy: False
Windows OS support for branch target injection mitigation is disabled by
absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables
hardware support for the branch target injection mitigation.
 * Follow the guidance for enabling Windows support for speculation control
mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : False



On Tue, Jan 9, 2018 at 3:58 PM, Mike <craigslist...@gmail.com> wrote:

> Interesting. Can you post the output of the Get-SpeculationControlSettings
> command?
>
> On Tue, Jan 9, 2018 at 3:12 PM, Michael Leone <oozerd...@gmail.com> wrote:
>
>> On Tue, Jan 9, 2018 at 3:00 PM, Mike <craigslist...@gmail.com> wrote:
>>
>>> You only need the Registry entries on Server versions.
>>> You do need hardware support to protect against CVE-2017-5715.
>>>
>>> Run the Get-SpeculationControlSettings PowerShell command to get the
>>> details.
>>> https://gallery.technet.microsoft.com/scriptcenter/Speculati
>>> on-Control-e36f0050
>>>
>>
>>
>> I have run it. It didn't answer my question. If you don't run the
>> registry entries, some values are false. I take "false" to mean "not as
>> fully protected as you should be". Which indicates to me that I need the
>> registry entries, even if it's not a server.
>>
>> Hence my question ...
>>
>>
>

Reply via email to