And this statement from Terry Myerson sounds to me like outside of the Hyper-V 
hosts, the Memory Management keys may only be needed in very specific cases:

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/


Windows Server customers, running either on-premises or in the cloud, also need 
to evaluate whether to apply additional security mitigations within each of 
their Windows Server VM guest or physical instances. These mitigations are 
needed when you are running untrusted code within your Windows Server instances 
(for example, you allow one of your customers to upload a binary or code 
snippet that you then run within your Windows Server instance) and you want to 
isolate the application binary or code to ensure it can't access memory within 
the Windows Server instance that it should not have access to. You do not need 
to apply these mitigations to isolate your Windows Server VMs from other VMs on 
a virtualized server, as they are instead only needed to isolate untrusted code 
running within a specific Windows Server instance.

BRIAN ILLNER | Canal Insurance Company
864.250.9227
864.679.2537 Fax

Visit canalinsurance.com<http://canalinsurance.com> for news and information.

WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal.  While 
Canal believes this transmittal to be free of virus or other defect, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by Canal (or its subsidiaries and affiliates) for 
any loss or damage arising therefrom.

From: [email protected] [mailto:[email protected]] On Behalf Of Robert Spinelli
Sent: Tuesday, January 9, 2018 1:43 PM
To: [email protected]
Subject: [mssms] RE: Confused - Spectre / Meltdown

I agree, something isn't right.  I'm 99% sure those registry keys weren't in 
the article last week for workstation OS.

Rod, you got some pull with MS, ask them what the deal is.. hah.

Rob

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Brian Illner
Sent: Tuesday, January 9, 2018 11:48 AM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] RE: Confused - Spectre / Meltdown

My understanding was that those keys were just for the ServerOS?

I have a Dell laptop that I completed all the tasks for and it does not have 
the memory management keys and yet it shows as all green in SpeculationControl?

Come on MS, your information is changing hourly as each team contradicts the 
other.

BRIAN ILLNER | Canal Insurance Company
864.250.9227
864.679.2537 Fax

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Kent, Mark
Sent: Tuesday, January 9, 2018 11:00 AM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] RE: Confused - Spectre / Meltdown

Yeah I see them at the bottom of 
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

And they don't really say what they are for.

Keep refreshing the page, wait for an edit :)

Mark Kent
Manager, Client Systems Engineering
Technology Support Services
Resources for Information, Technology and Education (RITE)
http://rite.buffalostate.edu

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of SCCM FUN
Sent: Tuesday, January 9, 2018 10:02 AM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] Confused - Spectre / Meltdown

Can anyone confirm the following?

Workstation/Servers - both need the AV key in order to do any patching going 
forward

Workstation
At one point in the MS article for workstation patching (4073119) I could have 
sworn there wasn't anything about having to make registry settings (except 
for AV) but now it looks like they added 2 registry keys.  Were these 2 reg 
keys always in the KB/needed?

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Server
3 reg keys need to be added for the server patch to take effect.  Are you 
enabling this on all your servers or just the 3 use cases they list in their 
article (4072698)?

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


Thanks
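
Added example, not part of the original thread or of the Microsoft KB articles: a PowerShell check that reports whether the registry values quoted in the message above exist with the data shown there, so a machine can be audited before or after running the reg add commands. The function name Test-MitigationRegistryValues and its output columns are assumptions made for this example.

```powershell
# Added example (not from the thread or the KB articles): report whether the
# registry values quoted above exist with the data shown in the message.
# Test-MitigationRegistryValues and its output columns are hypothetical names.
function Test-MitigationRegistryValues {
    [CmdletBinding()]
    param(
        # Include the Virtualization value listed only under "Server" above.
        [switch]$IncludeServerValue
    )

    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $expected = @(
        @{ Path = $mm; Name = 'FeatureSettingsOverride';     Data = 0 }
        @{ Path = $mm; Name = 'FeatureSettingsOverrideMask'; Data = 3 }
    )
    if ($IncludeServerValue) {
        $expected += @{
            Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
            Name = 'MinVmVersionForCpuBasedMitigations'
            Data = '1.0'
        }
    }

    foreach ($item in $expected) {
        # A missing key or value is a normal result here, not an error.
        $prop = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $prop) { $prop.($item.Name) } else { $null }

        [pscustomobject]@{
            Name     = $item.Name
            Expected = $item.Data
            Actual   = $actual
            Present  = $null -ne $prop
            Matches  = ($null -ne $prop) -and ($actual -eq $item.Data)
        }
    }
}

# Workstation: the two Memory Management values only.
Test-MitigationRegistryValues | Format-Table -AutoSize
# Server: add the Virtualization value as well.
# Test-MitigationRegistryValues -IncludeServerValue | Format-Table -AutoSize
```

The check only reads the registry; a row with Present = False means the value has not been created on that machine.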






