For CVE-2017-5754 [rogue data cache load] you are good as the PCID line doesn't impact security. For CVE-2017-5715 [branch target injection] you need a microcode/BIOS/firmware update.

The Windows patch is installed....
*Windows OS support for branch target injection mitigation is present: True*

But the hardware isn't fixed...
*Hardware support for branch target injection mitigation is present: False*

Which is causing the patch to be disabled...
*Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True*

As shown here...
*Windows OS support for branch target injection mitigation is enabled: False*

Once the hardware gets its fix the last two should go True.

On Tue, Jan 9, 2018 at 4:23 PM, Michael Leone <oozerd...@gmail.com> wrote:
> I've already issued the registry entries, so it looks like this:
>
> Speculation control settings for CVE-2017-5715 [branch target injection]
>
> Hardware support for branch target injection mitigation is present: False
> Windows OS support for branch target injection mitigation is present: True
> Windows OS support for branch target injection mitigation is enabled: False
> Windows OS support for branch target injection mitigation is disabled by system policy: False
> Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
>
> Speculation control settings for CVE-2017-5754 [rogue data cache load]
>
> Hardware requires kernel VA shadowing: True
> Windows OS support for kernel VA shadow is present: True
> Windows OS support for kernel VA shadow is enabled: True
> Windows OS support for PCID optimization is enabled: False
>
> Suggested actions
>
> * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
> * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
>
> BTIHardwarePresent             : False
> BTIWindowsSupportPresent       : True
> BTIWindowsSupportEnabled       : False
> BTIDisabledBySystemPolicy      : False
> BTIDisabledByNoHardwareSupport : True
> KVAShadowRequired              : True
> KVAShadowWindowsSupportPresent : True
> KVAShadowWindowsSupportEnabled : True
> KVAShadowPcidEnabled           : False
>
> On Tue, Jan 9, 2018 at 3:58 PM, Mike <craigslist...@gmail.com> wrote:
>> Interesting. Can you post the output of the Get-SpeculationControlSettings command?
>>
>> On Tue, Jan 9, 2018 at 3:12 PM, Michael Leone <oozerd...@gmail.com> wrote:
>>> On Tue, Jan 9, 2018 at 3:00 PM, Mike <craigslist...@gmail.com> wrote:
>>>> You only need the Registry entries on Server versions.
>>>> You do need hardware support to protect against CVE-2017-5715.
>>>>
>>>> Run the Get-SpeculationControlSettings PowerShell command to get the details.
>>>> https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050
>>>
>>> I have run it. It didn't answer my question. If you don't run the registry entries, some values are false. I take "false" to mean "not as fully protected as you should be". Which indicates to me that I need the registry entries, even if it's not a server.
>>>
>>> Hence my question ...
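The reasoning in the reply above (OS support present but not enabled means either a registry-policy problem or a missing firmware/microcode update; the PCID line is performance only) can be turned into a check that runs on every box instead of being read off by eye. The script below is an added example, not part of the thread or of Microsoft's SpeculationControl module. It assumes the SpeculationControl module (the PowerShell Gallery packaging of the TechNet script linked in the thread) is installed and that you run it elevated; the property names are the ones shown in Michael's posted output, and the two registry values it reads and optionally writes (FeatureSettingsOverride = 0, FeatureSettingsOverrideMask = 3 under the Memory Management key) are the "enable" values documented in KB4072698. The function names (Get-SpecCtrlPolicy, Set-SpecCtrlPolicy, Test-SpecCtrlStatus) are my own.

```powershell
# Added example (not from the thread): interpret Get-SpeculationControlSettings
# output and the KB4072698 registry policy on the local machine.
# Assumes: Install-Module SpeculationControl has been run (or the TechNet
# script has been dot-sourced), and the prompt is elevated for Set-SpecCtrlPolicy.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpecCtrlPolicy {
    # Reads the two DWORDs KB4072698 uses to turn the mitigations on or off.
    # $null means the value is absent, i.e. the OS default applies
    # (mitigations on for client SKUs, off for Server until you set them).
    $item = Get-ItemProperty -Path $MemMgmt -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureSettingsOverride     = $item.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $item.FeatureSettingsOverrideMask
    }
}

function Set-SpecCtrlPolicy {
    # Writes the "enable" values from KB4072698 (Override=0, Mask=3).
    # Supports -WhatIf. A reboot is required before the change shows up in
    # Get-SpeculationControlSettings.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($MemMgmt, 'Set FeatureSettingsOverride=0, FeatureSettingsOverrideMask=3')) {
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
    }
}

function Test-SpecCtrlStatus {
    # Turns the True/False flags into one verdict per CVE. The order matters:
    # "enabled" wins; otherwise distinguish missing OS patch, registry policy,
    # and missing hardware (firmware/microcode) support, which need different fixes.
    param([Parameter(Mandatory = $true)] $Settings)

    $bti = if ($Settings.BTIWindowsSupportEnabled) {
        'Mitigated'
    } elseif (-not $Settings.BTIWindowsSupportPresent) {
        'Install the Windows update (OS support for BTI mitigation missing)'
    } elseif ($Settings.BTIDisabledBySystemPolicy) {
        'Enable via registry (FeatureSettingsOverride/Mask per KB4072698)'
    } elseif ($Settings.BTIDisabledByNoHardwareSupport) {
        'Install OEM BIOS/microcode update (no hardware support for BTI mitigation)'
    } else {
        'Unknown state; inspect raw output'
    }

    $kva = if (-not $Settings.KVAShadowRequired) {
        'Not required on this CPU'
    } elseif ($Settings.KVAShadowWindowsSupportEnabled) {
        # PCID only affects the cost of KVA shadowing, not whether it protects you.
        'Mitigated' + $(if (-not $Settings.KVAShadowPcidEnabled) { ' (PCID optimisation off: performance only, not security)' })
    } elseif (-not $Settings.KVAShadowWindowsSupportPresent) {
        'Install the Windows update (OS support for KVA shadow missing)'
    } else {
        'Enable via registry (FeatureSettingsOverride/Mask per KB4072698)'
    }

    [pscustomobject]@{
        'CVE-2017-5715 (BTI)'      = $bti
        'CVE-2017-5754 (Meltdown)' = $kva
    }
}

# --- usage ----------------------------------------------------------------
# Constructed from the values Michael posted, so the verdict logic can be
# exercised even where the module is not installed.
$posted = [pscustomobject]@{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true
    BTIWindowsSupportEnabled = $false; BTIDisabledBySystemPolicy = $false
    BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired = $true; KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true; KVAShadowPcidEnabled = $false
}
Test-SpecCtrlStatus $posted | Format-List
# Expected verdicts for the posted values: BTI -> install OEM BIOS/microcode
# update; Meltdown -> mitigated, with the PCID note.

# On a live machine (the cmdlet also prints its own report):
if (Get-Module -ListAvailable -Name SpeculationControl) {
    Import-Module SpeculationControl
    Test-SpecCtrlStatus (Get-SpeculationControlSettings) | Format-List
}
Get-SpecCtrlPolicy
# Set-SpecCtrlPolicy -WhatIf     # preview; drop -WhatIf on Server SKUs to apply, then reboot
```

Run it after the OEM firmware update lands and the BTI verdict should flip to "Mitigated" without any further registry work on a client SKU; if it instead reports "Enable via registry", the policy value (not the hardware) is what is holding the mitigation off.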