RE: [mssms] RE: Confused - Spectre / Meltdown

[Aaron Czechowski]

An update. The KB will be revised. The memory management registry keys are for 
enabling protections on server only; they are not required on the client. You 
don't generally need to modify these registry keys on client OS.

Also, we released a configuration baseline with Microsoft-signed content to 
help verify: 
https://gallery.technet.microsoft.com/Speculation-Execution-Side-1483f621
We'll update our blog soon

Aaron


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Dam, Bryan
Sent: Tuesday, 9 January, 2018 14:45
To: mssms@lists.myitforum.com
Subject: RE: [mssms] RE: Confused - Spectre / Meltdown

My testing this afternoon would seem to confirm that the Memory Management keys 
are not needed on Windows 10.  At least as far as the detection script is to be 
trusted.  The result of the script was the same whether the keys didn't exist 
(the initial state) or if they were set to enabled.  If you specifically set 
them to disabled then the script reported the device vulnerable.


   Bryan

From: listsad...@lists.myitforum.com [listsad...@lists.myitforum.com] on behalf 
of Adam Juelich [acjuel...@gmail.com]
Sent: Tuesday, January 09, 2018 12:06 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Confused - Spectre / Meltdown
Workstation:

  1.  Registry Key set by A/V (or manually set based on A/V guidance)
  2.  Windows Update
  3.  BIOS/Firmware Update from vendor
Server:

  1.  Registry Key set by A/V (or manually set based on A/V guidance)
  2.  Window Update
  3.  Push Registry Keys (2 needed, the third is for Hypver-V Hosts - I believe)

 *   Test and monitor performance impact

  1.  BIOS/Firmware Update from vendor

That is my understanding thus far...

Good thing we have nothing else to do ;-)


On Tue, Jan 9, 2018 at 10:48 AM, Brian Illner 
<brian.ill...@canal-ins.com<mailto:brian.ill...@canal-ins.com>> wrote:
My understanding was that those keys were just for the ServerOS?

I have a Dell laptop that I completed all the tasks for and it does not have 
the memory management keys and yet it shows as all green in SpeculationControl?

Come on MS, your information is changing hourly as each team contradicts the 
other

BRIAN ILLNER | Canal Insurance Company
864.250.9227<tel:(864)%20250-9227>
864.679.2537<tel:(864)%20679-2537> Fax

[cid:image001.jpg@01D38A2A.18D777F0]

Visit 
canalinsurance.com<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttp-3A__canalinsurance.com%26d%3DDwMFaQ%26c%3DNjgxpSSi0c1nSHFRGItzyA%26r%3DKWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A%26m%3D7eAF1on4WbqiIw9gdju7bDCBAuLWPpl3-xnx-V7tdLo%26s%3D4F9X90g5_8HDwoolSyP0lpS66YJK_StnUqgnq7RlN8E%26e%3D=02%7C01%7Caaron.czechowski%40microsoft.com%7C7508dd971fe84f01db3208d557b360b3%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636511350339469322=ZXCT2zHi4oofgFaUtvfp3BxAHNqnTQ5p9BGRkTFILfQ%3D=0>
 for news and information.

[cid:image002.jpg@01D38A2A.18D777F0]<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.linkedin.com_company_canal-2Dinsurance-2Dcompany%26d%3DDwMFaQ%26c%3DNjgxpSSi0c1nSHFRGItzyA%26r%3DKWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A%26m%3D7eAF1on4WbqiIw9gdju7bDCBAuLWPpl3-xnx-V7tdLo%26s%3D7UyWWN0cTWXprzWCUn6Cfj3jQJ7rgOjYTICTI8nUiWs%26e%3D=02%7C01%7Caaron.czechowski%40microsoft.com%7C7508dd971fe84f01db3208d557b360b3%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636511350339469322=wGJFixgYaKx0C1TpQDkALJHtSmoWaMLSi3OGzvWLa4M%3D=0>
WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal.  While 
Canal believes this transmittal to be free of virus or other defect, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by Canal (or its subsidiaries and affiliates) for 
any loss or damage arising therefrom.
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Kent, Mark
Sent: Tuesday, January 9, 2018 11:00 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Confused - Spectre / Meltdown

Yeah I see them at the bottom of 
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in<https://na01.safelinks.protection.outlook.com/?url=https

RE: [mssms] RE: Confused - Spectre / Meltdown

[Dam, Bryan]

My testing this afternoon would seem to confirm that the Memory Management keys 
are not needed on Windows 10.  At least as far as the detection script is to be 
trusted.  The result of the script was the same whether the keys didn't exist 
(the initial state) or if they were set to enabled.  If you specifically set 
them to disabled then the script reported the device vulnerable.


   Bryan

From: listsad...@lists.myitforum.com [listsad...@lists.myitforum.com] on behalf 
of Adam Juelich [acjuel...@gmail.com]
Sent: Tuesday, January 09, 2018 12:06 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Confused - Spectre / Meltdown

Workstation:

  1.  Registry Key set by A/V (or manually set based on A/V guidance)
  2.  Windows Update
  3.  BIOS/Firmware Update from vendor

Server:

  1.  Registry Key set by A/V (or manually set based on A/V guidance)
  2.  Window Update
  3.  Push Registry Keys (2 needed, the third is for Hypver-V Hosts - I believe)
 *   Test and monitor performance impact
  4.  BIOS/Firmware Update from vendor

That is my understanding thus far...

Good thing we have nothing else to do ;-)


On Tue, Jan 9, 2018 at 10:48 AM, Brian Illner 
<brian.ill...@canal-ins.com<mailto:brian.ill...@canal-ins.com>> wrote:
My understanding was that those keys were just for the ServerOS?

I have a Dell laptop that I completed all the tasks for and it does not have 
the memory management keys and yet it shows as all green in SpeculationControl?

Come on MS, your information is changing hourly as each team contradicts the 
other

BRIAN ILLNER | Canal Insurance Company
864.250.9227<tel:(864)%20250-9227>
864.679.2537<tel:(864)%20679-2537> Fax

[cid:image001.jpg@01D3893F.B60E45D0]

Visit 
canalinsurance.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__canalinsurance.com=DwMFaQ=NjgxpSSi0c1nSHFRGItzyA=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A=7eAF1on4WbqiIw9gdju7bDCBAuLWPpl3-xnx-V7tdLo=4F9X90g5_8HDwoolSyP0lpS66YJK_StnUqgnq7RlN8E=>
 for news and information.

[cid:image002.jpg@01D3893F.B60E45D0]<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_company_canal-2Dinsurance-2Dcompany=DwMFaQ=NjgxpSSi0c1nSHFRGItzyA=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A=7eAF1on4WbqiIw9gdju7bDCBAuLWPpl3-xnx-V7tdLo=7UyWWN0cTWXprzWCUn6Cfj3jQJ7rgOjYTICTI8nUiWs=>
WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal.  While 
Canal believes this transmittal to be free of virus or other defect, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by Canal (or its subsidiaries and affiliates) for 
any loss or damage arising therefrom.
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Kent, Mark
Sent: Tuesday, January 9, 2018 11:00 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Confused - Spectre / Meltdown

Yeah I see them at the bottom of 
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in<https://urldefense.proofpoint.com/v2/url?u=https-3A__support.microsoft.com_en-2Dus_help_4073119_protect-2Dagainst-2Dspeculative-2Dexecution-2Dside-2Dchannel-2Dvulnerabilities-2Din=DwMFaQ=NjgxpSSi0c1nSHFRGItzyA=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A=7eAF1on4WbqiIw9gdju7bDCBAuLWPpl3-xnx-V7tdLo=cLUf0bi6vko7UFOvCMTzShN5j6YjV7C1l9diIlxVppo=>

And they don’t really say what they are for.

Keep refreshing the page, wait for an edit :)

Mark Kent
Manager, Client Systems Engineering
Technology Support Services
Resources for Information, Technology and Education (RITE)
http://rite.buffalostate.edu<https://urldefense.proofpoint.com/v2/url?u=http-3A__rite.buffalostate.edu_=DwMFaQ=NjgxpSSi0c1nSHFRGItzyA=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A=7eAF1on4WbqiIw9gdju7bDCBAuLWPpl3-xnx-V7tdLo=mjHLhJ5kVFFzsaO4k7TI4QWjSQzc582n5qbqYYaBxWU=>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of SCCM FUN
Sent: Tuesday, January 9, 2018 10:02 AM
To: mssms@lists.myITforum.com<mailto:mssms@lists.myITforum.com>
Subject: [mssms] Confused - Spectre / Meltdown

Can anyone confirm the following?

Workstation/Servers - both need the AV key in order to do any patching going 
forward

Workstation
At on

[mssms] RE: Confused - Spectre / Meltdown

[Aaron Czechowski]

Yeah, I'm checking on this.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Robert Spinelli
Sent: Tuesday, 9 January, 2018 10:43
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Confused - Spectre / Meltdown

I agree, something isn't right.  I'm 99% sure those registry keys weren't in 
the article last week for workstation OS.

Rod, you got some pull with MS, ask them what the deal is.. hah.

Rob

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian Illner
Sent: Tuesday, January 9, 2018 11:48 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Confused - Spectre / Meltdown

My understanding was that those keys were just for the ServerOS?

I have a Dell laptop that I completed all the tasks for and it does not have 
the memory management keys and yet it shows as all green in SpeculationControl?

Come on MS, your information is changing hourly as each team contradicts the 
other

BRIAN ILLNER | Canal Insurance Company
864.250.9227
864.679.2537 Fax

[cid:image001.jpg@01D3894F.92DC01F0]

Visit 
canalinsurance.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcanalinsurance.com=02%7C01%7Caaron.czechowski%40microsoft.com%7Cccdbfd50cad34f178b4708d55796ef95%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636511228163321882=3kZqM%2Bi6HFAdzVa0%2BExb61WeA54aPULnEb6jEgcz4vg%3D=0>
 for news and information.

[cid:image002.jpg@01D3894F.92DC01F0]<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fcanal-insurance-company=02%7C01%7Caaron.czechowski%40microsoft.com%7Cccdbfd50cad34f178b4708d55796ef95%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636511228163321882=Q6f5P%2BuulTN7sW6EinexsCWxRF%2F%2F240Em%2FzPX%2F3joGE%3D=0>
WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal.  While 
Canal believes this transmittal to be free of virus or other defect, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by Canal (or its subsidiaries and affiliates) for 
any loss or damage arising therefrom.
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Tuesday, January 9, 2018 11:00 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Confused - Spectre / Meltdown

Yeah I see them at the bottom of 
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4073119%2Fprotect-against-speculative-execution-side-channel-vulnerabilities-in=02%7C01%7Caaron.czechowski%40microsoft.com%7Cccdbfd50cad34f178b4708d55796ef95%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636511228163321882=YblcAgXnXNDCHq%2F7MxBjzEpg%2FzoIMHxrWgAF0vXGrNQ%3D=0>

And they don't really say what they are for.

Keep refreshing the page, wait for an edit :)

Mark Kent
Manager, Client Systems Engineering
Technology Support Services
Resources for Information, Technology and Education (RITE)
http://rite.buffalostate.edu<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Frite.buffalostate.edu%2F=02%7C01%7Caaron.czechowski%40microsoft.com%7Cccdbfd50cad34f178b4708d55796ef95%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636511228163321882=HPp0yw27zI2U6Pwu9kYaUOHVC55p4fXL%2FaB%2BzJXrwzU%3D=0>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of SCCM FUN
Sent: Tuesday, January 9, 2018 10:02 AM
To: mssms@lists.myITforum.com<mailto:mssms@lists.myITforum.com>
Subject: [mssms] Confused - Spectre / Meltdown

Can anyone confirm the following?

Workstation/Servers - both need the AV key in order to do any patching going 
forward

Workstation
At one point in the MS article for workstation patching (4073119) I could of 
sworn there wasn't anything about having to making registry settings (except 
for AV) but now it looks like they added 2 registry keys.  Were these 2 reg 
keys always in the KB/needed?

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DW

[mssms] RE: Confused - Spectre / Meltdown

[Brian Illner]

And this statement from Terry Myerson sounds to me like outside of the Hyper-V 
hosts, the Memory Management keys may only be needed in very specific cases:

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/


Windows Server customers, running either on-premises or in the cloud, also need 
to evaluate whether to apply additional security mitigations within each of 
their Windows Server VM guest or physical instances. These mitigations are 
needed when you are running untrusted code within your Windows Server instances 
(for example, you allow one of your customers to upload a binary or code 
snippet that you then run within your Windows Server instance) and you want to 
isolate the application binary or code to ensure it can't access memory within 
the Windows Server instance that it should not have access to. You do not need 
to apply these mitigations to isolate your Windows Server VMs from other VMs on 
a virtualized server, as they are instead only needed to isolate untrusted code 
running within a specific Windows Server instance.

BRIAN ILLNER | Canal Insurance Company
864.250.9227
864.679.2537 Fax

[cid:image001.jpg@01D38959.2D662580]

Visit canalinsurance.com<http://canalinsurance.com> for news and information.

[cid:image002.jpg@01D38959.2D662580]<https://www.linkedin.com/company/canal-insurance-company>
WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal.  While 
Canal believes this transmittal to be free of virus or other defect, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by Canal (or its subsidiaries and affiliates) for 
any loss or damage arising therefrom.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Robert Spinelli
Sent: Tuesday, January 9, 2018 1:43 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Confused - Spectre / Meltdown

I agree, something isn't right.  I'm 99% sure those registry keys weren't in 
the article last week for workstation OS.

Rod, you got some pull with MS, ask them what the deal is.. hah.

Rob

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian Illner
Sent: Tuesday, January 9, 2018 11:48 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Confused - Spectre / Meltdown

My understanding was that those keys were just for the ServerOS?

I have a Dell laptop that I completed all the tasks for and it does not have 
the memory management keys and yet it shows as all green in SpeculationControl?

Come on MS, your information is changing hourly as each team contradicts the 
other

BRIAN ILLNER | Canal Insurance Company
864.250.9227
864.679.2537 Fax

[cid:image001.jpg@01D3894F.92DC01F0]

Visit canalinsurance.com<http://canalinsurance.com> for news and information.

[cid:image002.jpg@01D3894F.92DC01F0]<https://www.linkedin.com/company/canal-insurance-company>
WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal.  While 
Canal believes this transmittal to be free of virus or other defect, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by Canal (or its subsidiaries and affiliates) for 
any loss or damage arising therefrom.
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Tuesday, January 9, 2018 11:00 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Confused - Spectre / Meltdown

Yeah I see them at the bottom of 
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in<https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in>

And they don't r

[mssms] RE: Confused - Spectre / Meltdown

[Robert Spinelli]

I agree, something isn't right.  I'm 99% sure those registry keys weren't in 
the article last week for workstation OS.

Rod, you got some pull with MS, ask them what the deal is.. hah.

Rob

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian Illner
Sent: Tuesday, January 9, 2018 11:48 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Confused - Spectre / Meltdown

My understanding was that those keys were just for the ServerOS?

I have a Dell laptop that I completed all the tasks for and it does not have 
the memory management keys and yet it shows as all green in SpeculationControl?

Come on MS, your information is changing hourly as each team contradicts the 
other

BRIAN ILLNER | Canal Insurance Company
864.250.9227
864.679.2537 Fax

[cid:image001.jpg@01D3894F.92DC01F0]

Visit canalinsurance.com<http://canalinsurance.com> for news and information.

[cid:image002.jpg@01D3894F.92DC01F0]<https://www.linkedin.com/company/canal-insurance-company>
WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal.  While 
Canal believes this transmittal to be free of virus or other defect, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by Canal (or its subsidiaries and affiliates) for 
any loss or damage arising therefrom.
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Tuesday, January 9, 2018 11:00 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Confused - Spectre / Meltdown

Yeah I see them at the bottom of 
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

And they don't really say what they are for.

Keep refreshing the page, wait for an edit :)

Mark Kent
Manager, Client Systems Engineering
Technology Support Services
Resources for Information, Technology and Education (RITE)
http://rite.buffalostate.edu<http://rite.buffalostate.edu/>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of SCCM FUN
Sent: Tuesday, January 9, 2018 10:02 AM
To: mssms@lists.myITforum.com<mailto:mssms@lists.myITforum.com>
Subject: [mssms] Confused - Spectre / Meltdown

Can anyone confirm the following?

Workstation/Servers - both need the AV key in order to do any patching going 
forward

Workstation
At one point in the MS article for workstation patching (4073119) I could of 
sworn there wasn't anything about having to making registry settings (except 
for AV) but now it looks like they added 2 registry keys.  Were these 2 reg 
keys always in the KB/needed?

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Server
3 reg keys need to be added for the server patch to take effect.  Are you 
enabling this on all your servers or just the 3 use cases they list in their 
article (4072698).

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v 
MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


Thanks

RE: [mssms] RE: Confused - Spectre / Meltdown

[Brian Illner]

They updated their documentation. OverrideMask is supposed to be ‘3’ for BOTH 
enable and disable

BRIAN ILLNER | Canal Insurance Company
864.250.9227
864.679.2537 Fax

[cid:image001.jpg@01D3894B.4C9A9CF0]

Visit canalinsurance.com<http://canalinsurance.com> for news and information.

[cid:image002.jpg@01D3894B.4C9A9CF0]<https://www.linkedin.com/company/canal-insurance-company>
WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal.  While 
Canal believes this transmittal to be free of virus or other defect, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by Canal (or its subsidiaries and affiliates) for 
any loss or damage arising therefrom.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Rajah, Zubair
Sent: Tuesday, January 9, 2018 1:03 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] RE: Confused - Spectre / Meltdown

In addition, anyone know if there is a typo on the second registry key 
(heighted belew) that needs to be set, seems like the value should be 0 …..

Switch | Registry Settings
To enable the fix
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v 
MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
If this is a Hyper-V host: fully shutdown all Virtual Machines.
Restart the server for changes to take effect.

To disable this fix
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the server for the changes to take effect.
(There is no need to change MinVmVersionForCpuBasedMitigations.)



From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Adam Juelich
Sent: Tuesday, January 9, 2018 8:07 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] RE: Confused - Spectre / Meltdown


EXTERNAL: This is an external email received from the Internet. Report this 
message to s...@aramco.com<mailto:s...@aramco.com> if the email contains any 
suspicious content.




Workstation:

  1.  Registry Key set by A/V (or manually set based on A/V guidance)
  2.  Windows Update
  3.  BIOS/Firmware Update from vendor
Server:

  1.  Registry Key set by A/V (or manually set based on A/V guidance)
  2.  Window Update
  3.  Push Registry Keys (2 needed, the third is for Hypver-V Hosts - I believe)

 *   Test and monitor performance impact

  1.  BIOS/Firmware Update from vendor

That is my understanding thus far...

Good thing we have nothing else to do ;-)


On Tue, Jan 9, 2018 at 10:48 AM, Brian Illner 
<brian.ill...@canal-ins.com<mailto:brian.ill...@canal-ins.com>> wrote:
My understanding was that those keys were just for the ServerOS?

I have a Dell laptop that I completed all the tasks for and it does not have 
the memory management keys and yet it shows as all green in SpeculationControl?

Come on MS, your information is changing hourly as each team contradicts the 
other

BRIAN ILLNER | Canal Insurance Company
864.250.9227<tel:(864)%20250-9227>
864.679.2537<tel:(864)%20679-2537> Fax

[cid:image001.jpg@01D3894B.4C9A9CF0]

Visit canalinsurance.com<http://canalinsurance.com> for news and information.

[cid:image002.jpg@01D3894B.4C9A9CF0]<https://www.linkedin.com/company/canal-insurance-company>
WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transm

RE: [mssms] RE: Confused - Spectre / Meltdown

[Rajah, Zubair]

In addition, anyone know if there is a typo on the second registry key 
(heighted belew) that needs to be set, seems like the value should be 0 …..

Switch | Registry Settings
To enable the fix
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v 
MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
If this is a Hyper-V host: fully shutdown all Virtual Machines.
Restart the server for changes to take effect.

To disable this fix
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the server for the changes to take effect.
(There is no need to change MinVmVersionForCpuBasedMitigations.)



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Tuesday, January 9, 2018 8:07 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Confused - Spectre / Meltdown


EXTERNAL: This is an external email received from the Internet. Report this 
message to s...@aramco.com<mailto:s...@aramco.com> if the email contains any 
suspicious content.




Workstation:

  1.  Registry Key set by A/V (or manually set based on A/V guidance)
  2.  Windows Update
  3.  BIOS/Firmware Update from vendor
Server:

  1.  Registry Key set by A/V (or manually set based on A/V guidance)
  2.  Window Update
  3.  Push Registry Keys (2 needed, the third is for Hypver-V Hosts - I believe)

 *   Test and monitor performance impact

  1.  BIOS/Firmware Update from vendor

That is my understanding thus far...

Good thing we have nothing else to do ;-)


On Tue, Jan 9, 2018 at 10:48 AM, Brian Illner 
<brian.ill...@canal-ins.com<mailto:brian.ill...@canal-ins.com>> wrote:
My understanding was that those keys were just for the ServerOS?

I have a Dell laptop that I completed all the tasks for and it does not have 
the memory management keys and yet it shows as all green in SpeculationControl?

Come on MS, your information is changing hourly as each team contradicts the 
other

BRIAN ILLNER | Canal Insurance Company
864.250.9227<tel:(864)%20250-9227>
864.679.2537<tel:(864)%20679-2537> Fax

[cid:image001.jpg@01D3898D.2B997E30]

Visit canalinsurance.com<http://canalinsurance.com> for news and information.

[cid:image002.jpg@01D3898D.2B997E30]<https://www.linkedin.com/company/canal-insurance-company>
WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal.  While 
Canal believes this transmittal to be free of virus or other defect, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by Canal (or its subsidiaries and affiliates) for 
any loss or damage arising therefrom.
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Kent, Mark
Sent: Tuesday, January 9, 2018 11:00 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Confused - Spectre / Meltdown

Yeah I see them at the bottom of 
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

And they don’t really say what they are for.

Keep refreshing the page, wait for an edit ☺

Mark Kent
Manager, Client Systems Engineering
Technology Support Services
Resources for Information, Technology and Education (RITE)
http://rite.buffalostate.edu<http://rite.buffalostate.edu/>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of SCCM FUN
Sent: Tuesday, January 9, 2018 10:02 AM
To: mssms@lists.myITforum.com<mailto:mssms@lists.myITforum.com>
Subject: [mssms] Confused - Spectre / Meltdown

Can anyone confirm the following?

Workstation/Servers - both need the AV key in order to do any patching going 
forward

Wo

RE: [mssms] RE: Confused - Spectre / Meltdown

[Rod Trent]

Unsub information is here:
http://myitforum.com/myitforumwp/newsletter/email-lists-2/#configmgr 

 

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Chris Wooton
Sent: Tuesday, January 9, 2018 11:30 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Confused - Spectre / Meltdown

 

UNSUBSCRIBE mssms

 

From: listsad...@lists.myitforum.com <mailto:listsad...@lists.myitforum.com>
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Tuesday, January 9, 2018 11:00 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Confused - Spectre / Meltdown

 

Yeah I see them at the bottom of
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative
-execution-side-channel-vulnerabilities-in

 

And they don't really say what they are for.

 

Keep refreshing the page, wait for an edit :)

 

Mark Kent

Manager, Client Systems Engineering

Technology Support Services

Resources for Information, Technology and Education (RITE)

 <http://rite.buffalostate.edu/> http://rite.buffalostate.edu

 

From: listsad...@lists.myitforum.com <mailto:listsad...@lists.myitforum.com>
[mailto:listsad...@lists.myitforum.com] On Behalf Of SCCM FUN
Sent: Tuesday, January 9, 2018 10:02 AM
To: mssms@lists.myITforum.com <mailto:mssms@lists.myITforum.com> 
Subject: [mssms] Confused - Spectre / Meltdown

 

Can anyone confirm the following?

 

Workstation/Servers - both need the AV key in order to do any patching going
forward

 

Workstation

At one point in the MS article for workstation patching (4073119) I could of
sworn there wasn't anything about having to making registry settings (except
for AV) but now it looks like they added 2 registry keys.  Were these 2 reg
keys always in the KB/needed?

 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
/f

 

Server

3 reg keys need to be added for the server patch to take effect.  Are you
enabling this on all your servers or just the 3 use cases they list in their
article (4072698).

 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
/f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"
/v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

 

Thanks

 

 

 

Re: [mssms] RE: Confused - Spectre / Meltdown

[Adam Juelich]

Workstation:

   1. Registry Key set by A/V (or manually set based on A/V guidance)
   2. Windows Update
   3. BIOS/Firmware Update from vendor

Server:

   1. Registry Key set by A/V (or manually set based on A/V guidance)
   2. Window Update
   3. Push Registry Keys (2 needed, the third is for Hypver-V Hosts - I
   believe)
  1. Test and monitor performance impact
   4. BIOS/Firmware Update from vendor


That is my understanding thus far...

Good thing we have nothing else to do ;-)


On Tue, Jan 9, 2018 at 10:48 AM, Brian Illner <brian.ill...@canal-ins.com>
wrote:

> My understanding was that those keys were just for the ServerOS?
>
>
>
> I have a Dell laptop that I completed all the tasks for and *it does not
> have the memory management keys* and yet it shows as all green in
> SpeculationControl?
>
>
>
> Come on MS, your information is changing hourly as each team contradicts
> the other
>
>
>
> *BRIAN* *ILLNER |* Canal Insurance Company
> 864.250.9227 <(864)%20250-9227>
> 864.679.2537 <(864)%20679-2537> Fax
>
>
>
>
> Visit canalinsurance.com for news and information.
>
>
> <https://www.linkedin.com/company/canal-insurance-company>
>
> *WARNING*:  *As the information in this transmittal (including
> attachments, if any) may contain confidential, proprietary, or business
> trade secret information, it should only be reviewed by those who are the
> intended recipients.  Unless you are an intended recipient, any review,
> use, disclosure, distribution or copying of this transmittal (or any
> attachments) is strictly prohibited.   If you have received this
> transmittal in error, please notify me immediately by reply email and
> destroy all copies of the transmittal.  While Canal believes this
> transmittal to be free of virus or other defect, it is the responsibility
> of the recipient to ensure that it is virus free and no responsibility is
> accepted by Canal (or its subsidiaries and affiliates) for any loss or
> damage arising therefrom.*
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kent, Mark
> *Sent:* Tuesday, January 9, 2018 11:00 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Confused - Spectre / Meltdown
>
>
>
> Yeah I see them at the bottom of https://support.microsoft.com/
> en-us/help/4073119/protect-against-speculative-execution-
> side-channel-vulnerabilities-in
>
>
>
> And they don’t really say what they are for.
>
>
>
> Keep refreshing the page, wait for an edit J
>
>
>
> Mark Kent
>
> Manager, Client Systems Engineering
>
> Technology Support Services
>
> Resources for Information, Technology and Education (RITE)
>
> http://rite.buffalostate.edu
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *SCCM FUN
> *Sent:* Tuesday, January 9, 2018 10:02 AM
> *To:* mssms@lists.myITforum.com
> *Subject:* [mssms] Confused - Spectre / Meltdown
>
>
>
> Can anyone confirm the following?
>
>
>
> Workstation/Servers - both need the AV key in order to do any patching
> going forward
>
>
>
> Workstation
>
> At one point in the MS article for workstation patching (4073119) I could
> of sworn there wasn't anything about having to making registry settings
> (except for AV) but now it looks like they added 2 registry keys.  Were
> these 2 reg keys always in the KB/needed?
>
>
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
> /f
>
>
>
> Server
>
> 3 reg keys need to be added for the server patch to take effect.  Are you
> enabling this on all your servers or just the 3 use cases they list in
> their article (4072698).
>
>
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
> /f
>
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"
> /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
>
>
>
> Thanks
>
>
>
>
>
>

[mssms] RE: Confused - Spectre / Meltdown

[Brian Illner]

My understanding was that those keys were just for the ServerOS?

I have a Dell laptop that I completed all the tasks for and it does not have 
the memory management keys and yet it shows as all green in SpeculationControl?

Come on MS, your information is changing hourly as each team contradicts the 
other

BRIAN ILLNER | Canal Insurance Company
864.250.9227
864.679.2537 Fax

[cid:image001.jpg@01D3893F.B60E45D0]

Visit canalinsurance.com<http://canalinsurance.com> for news and information.

[cid:image002.jpg@01D3893F.B60E45D0]<https://www.linkedin.com/company/canal-insurance-company>
WARNING:  As the information in this transmittal (including attachments, if 
any) may contain confidential, proprietary, or business trade secret 
information, it should only be reviewed by those who are the intended 
recipients.  Unless you are an intended recipient, any review, use, disclosure, 
distribution or copying of this transmittal (or any attachments) is strictly 
prohibited.   If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal.  While 
Canal believes this transmittal to be free of virus or other defect, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by Canal (or its subsidiaries and affiliates) for 
any loss or damage arising therefrom.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kent, Mark
Sent: Tuesday, January 9, 2018 11:00 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Confused - Spectre / Meltdown

Yeah I see them at the bottom of 
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in<https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in>

And they don't really say what they are for.

Keep refreshing the page, wait for an edit :)

Mark Kent
Manager, Client Systems Engineering
Technology Support Services
Resources for Information, Technology and Education (RITE)
http://rite.buffalostate.edu<http://rite.buffalostate.edu/>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of SCCM FUN
Sent: Tuesday, January 9, 2018 10:02 AM
To: mssms@lists.myITforum.com<mailto:mssms@lists.myITforum.com>
Subject: [mssms] Confused - Spectre / Meltdown

Can anyone confirm the following?

Workstation/Servers - both need the AV key in order to do any patching going 
forward

Workstation
At one point in the MS article for workstation patching (4073119) I could of 
sworn there wasn't anything about having to making registry settings (except 
for AV) but now it looks like they added 2 registry keys.  Were these 2 reg 
keys always in the KB/needed?

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Server
3 reg keys need to be added for the server patch to take effect.  Are you 
enabling this on all your servers or just the 3 use cases they list in their 
article (4072698).

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v 
MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


Thanks

Re: [mssms] RE: Confused - Spectre / Meltdown

[Sherry Kissinger]

fyi, a Baseline with ConfigItems has been created to assist us ConfigMgr
admins with some of the items that are detectible.

https://blogs.technet.microsoft.com/configmgr_geek_speak/2018/01/09/configmgr-speculation-control-baseline-ftw/

That, plus this:
https://blogs.technet.microsoft.com/configurationmgr/2018/01/08/additional-guidance-to-mitigate-speculative-execution-side-channel-vulnerabilities/

and I think I'm STARTING to wrap my head around what needs to be done.
Maybe.  After I have more coffee.


On Tue, Jan 9, 2018 at 9:59 AM, Kent, Mark  wrote:

> Yeah I see them at the bottom of https://support.microsoft.com/
> en-us/help/4073119/protect-against-speculative-execution-
> side-channel-vulnerabilities-in
>
>
>
> And they don’t really say what they are for.
>
>
>
> Keep refreshing the page, wait for an edit J
>
>
>
> Mark Kent
>
> Manager, Client Systems Engineering
>
> Technology Support Services
>
> Resources for Information, Technology and Education (RITE)
>
> http://rite.buffalostate.edu
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *SCCM FUN
> *Sent:* Tuesday, January 9, 2018 10:02 AM
> *To:* mssms@lists.myITforum.com
> *Subject:* [mssms] Confused - Spectre / Meltdown
>
>
>
> Can anyone confirm the following?
>
>
>
> Workstation/Servers - both need the AV key in order to do any patching
> going forward
>
>
>
> Workstation
>
> At one point in the MS article for workstation patching (4073119) I could
> of sworn there wasn't anything about having to making registry settings
> (except for AV) but now it looks like they added 2 registry keys.  Were
> these 2 reg keys always in the KB/needed?
>
>
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
> /f
>
>
>
> Server
>
> 3 reg keys need to be added for the server patch to take effect.  Are you
> enabling this on all your servers or just the 3 use cases they list in
> their article (4072698).
>
>
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
> /f
>
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"
> /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
>
>
>
> Thanks
>
>
>
>


-- 
Thank you,

Sherry Kissinger

My Parameters:  Standardize. Simplify. Automate
Blog: http://mnscug.org/blogs/sherry-kissinger

[mssms] RE: Confused - Spectre / Meltdown

[Chris Wooton]

UNSUBSCRIBE mssms

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kent, Mark
Sent: Tuesday, January 9, 2018 11:00 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Confused - Spectre / Meltdown

Yeah I see them at the bottom of 
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

And they don't really say what they are for.

Keep refreshing the page, wait for an edit :)

Mark Kent
Manager, Client Systems Engineering
Technology Support Services
Resources for Information, Technology and Education (RITE)
http://rite.buffalostate.edu<http://rite.buffalostate.edu/>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of SCCM FUN
Sent: Tuesday, January 9, 2018 10:02 AM
To: mssms@lists.myITforum.com<mailto:mssms@lists.myITforum.com>
Subject: [mssms] Confused - Spectre / Meltdown

Can anyone confirm the following?

Workstation/Servers - both need the AV key in order to do any patching going 
forward

Workstation
At one point in the MS article for workstation patching (4073119) I could of 
sworn there wasn't anything about having to making registry settings (except 
for AV) but now it looks like they added 2 registry keys.  Were these 2 reg 
keys always in the KB/needed?

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Server
3 reg keys need to be added for the server patch to take effect.  Are you 
enabling this on all your servers or just the 3 use cases they list in their 
article (4072698).

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v 
MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


Thanks

[mssms] RE: Confused - Spectre / Meltdown

[Kent, Mark]

Yeah I see them at the bottom of 
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

And they don't really say what they are for.

Keep refreshing the page, wait for an edit :)

Mark Kent
Manager, Client Systems Engineering
Technology Support Services
Resources for Information, Technology and Education (RITE)
http://rite.buffalostate.edu

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of SCCM FUN
Sent: Tuesday, January 9, 2018 10:02 AM
To: mssms@lists.myITforum.com
Subject: [mssms] Confused - Spectre / Meltdown

Can anyone confirm the following?

Workstation/Servers - both need the AV key in order to do any patching going 
forward

Workstation
At one point in the MS article for workstation patching (4073119) I could of 
sworn there wasn't anything about having to making registry settings (except 
for AV) but now it looks like they added 2 registry keys.  Were these 2 reg 
keys always in the KB/needed?

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Server
3 reg keys need to be added for the server patch to take effect.  Are you 
enabling this on all your servers or just the 3 use cases they list in their 
article (4072698).

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v 
MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


Thanks