Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Windows Server guidance to protect against speculative execution side-channel vulnerabilities


View products that this article applies to.

Summary

Microsoft is aware of a new publicly disclosed class of vulnerabilities that are called “speculative execution side-channel attacks” and that affect many modern processors including Intel, AMD, VIA, and ARM.

Note This issue also affects other operating systems, such as Android, Chrome, iOS, and macOS. Therefore, we advise customers to seek guidance from those vendors.

We have released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.

We have not yet received any information to indicate that these vulnerabilities were used to attack customers. We are working closely with industry partners including chip makers, hardware OEMs, and application vendors to protect customers. To get all available protections, firmware (microcode) and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.

This article addresses the following vulnerabilities:

Windows Update will also provide Internet Explorer and Edge mitigations. We will continue to improve these mitigations against this class of vulnerabilities.

To learn more about this class of vulnerabilities, see

UPDATED ON May 14, 2019 On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling. They have been assigned the following CVEs:

Important These issues will affect other systems such as Android, Chrome, iOS, and MacOS. We advise customers seek guidance from their respective vendors.

Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services. We strongly recommend deploying these updates.

For more information about this issue, see the following Security Advisory and use scenario-based guidance to determine actions necessary to mitigate the threat:

Note We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.

UPDATED ON AUGUST 6, 2019 On August 6, 2019 Intel released details about a Windows kernel information disclosure vulnerability. This vulnerability is a variant of the Spectre Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.

On July 9, 2019 we released security updates for the Windows operating system to help mitigate this issue. Please note that we held back documenting this mitigation publicly until the coordinated industry disclosure on Tuesday, August 6, 2019.

Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. There is no further configuration necessary.

Note This vulnerability does not require a microcode update from your device manufacturer (OEM).

For more information about this vulnerability and applicable updates , see the Microsoft Security Update Guide:

CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability

UPDATED ON NOVEMBER 12, 2019 On November 12, 2019, Intel published a technical advisory around Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability that is assigned CVE-2019-11135. Microsoft has released updates to help mitigate this vulnerability and the OS protections are enabled by default for Windows Server 2019 but disabled by default for Windows Server 2016 and earlier Windows Server OS editions.

↑ Back to the top


Recommended actions

Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply all available Windows operating system updates, including the monthly Windows security updates.
  2. Apply the applicable firmware (microcode) update that is provided by the device manufacturer.
  3. Evaluate the risk to your environment based on the information that is provided on Microsoft Security Advisories: ADV180002, ADV180012, ADV190013, and information provided in this Knowledge Base article.
  4. Take action as required by using the advisories and registry key information that are provided in this Knowledge Base article.

Note Surface customers will receive a microcode update through Windows update. For a list of the latest Surface device firmware (microcode) updates, see KB 4073065.

↑ Back to the top


Mitigation Settings for Windows Server

Security advisories ADV180002, ADV180012, and ADV190013 provide information about the risk that is posed by these vulnerabilities.  They also help you identify the these vulnerabilities and identify the default state of mitigations for Windows Server systems. The below table summarizes the requirement of CPU microcode and the default status of the mitigations on Windows Server.

CVE Requires CPU microcode/firmware? Mitigation Default status

CVE-2017-5753

No

Enabled by default (no option to disable)

Please refer to ADV180002 for additional information

CVE-2017-5715

Yes

Disabled by default.

Please refer to ADV180002 for additional information and this KB article for applicable registry key settings.

Note “Retpoline” is enabled by default for devices running Windows 10 1809 or newer if Spectre Variant 2 ( CVE-2017-5715 ) is enabled. For more information, around “Retpoline”, follow Mitigating Spectre variant 2 with Retpoline on Windows blog post.

CVE-2017-5754

No

Windows Server 2019: Enabled by default.
Windows Server 2016 and earlier: Disabled by default.

Please refer to ADV180002 for additional information.

CVE-2018-3639

Intel: Yes

AMD: No

Disabled by default. See ADV180012 for more information and this KB article for applicable registry key settings.

CVE-2018-11091 Intel: Yes

Windows Server 2019: Enabled by default.
Windows Server 2016 and earlier: Disabled by default.

See ADV190013 for more information and this KB article for applicable registry key settings.
CVE-2018-12126 Intel: Yes

Windows Server 2019: Enabled by default.
Windows Server 2016 and earlier: Disabled by default.

See ADV190013 for more information and this KB article for applicable registry key settings.
CVE-2018-12127 Intel: Yes

Windows Server 2019: Enabled by default.
Windows Server 2016 and earlier: Disabled by default.

See ADV190013 for more information and this KB article for applicable registry key settings.
CVE-2018-12130 Intel: Yes

Windows Server 2019: Enabled by default.
Windows Server 2016 and earlier: Disabled by default.

See ADV190013 for more information and this KB article for applicable registry key settings.
CVE-2019-11135 Intel: Yes

Windows Server 2019: Enabled by default.
Windows Server 2016 and earlier: Disabled by default.

See CVE-2019-11135 for more information and this KB article for applicable registry key settings.

Customers who want to obtain all available protections against these vulnerabilities must make registry key changes to enable these mitigations that are disabled by default.

Enabling these mitigations may affect performance. The scale of the performance effects depends on multiple factors, such as the specific chipset in your physical host and the workloads that are running. We recommend that customers assess the performance effects for their environment and make any necessary adjustments.

Your server is at increased risk if it's in one of the following categories:

  • Hyper-V hosts – Requires protection for VM-to-VM and VM-to-host attacks.
  • Remote Desktop Services Hosts (RDSH) – Requires protection from one session to another session or from session-to-host attacks.
  • Physical hosts or virtual machines that are running untrusted code, such as containers or untrusted extensions for database, untrusted web content, or workloads that run code that's from external sources. These require protection from untrusted process-to-another-process or untrusted-process-to-kernel attacks.

Use the following registry key settings to enable the mitigations on the server, and restart the system for the changes to take effect.

Note Enabling mitigations that are off by-default may affect performance. The actual performance effect depends on multiple factors, such as the specific chipset in the device and the workloads that are running.

↑ Back to the top


Registry settings

We are providing the following registry information to enable mitigations that are not enabled by default, as documented in Security Advisories ADV180002, ADV180012, and ADV190013.

Additionally, we are providing registry key settings for users who want to disable the mitigations that are related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

↑ Back to the top


Manage mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

Important note Retpoline is enabled by default on Windows 10, version 1809 servers if Spectre, Variant 2 ( CVE-2017-5715 ) is enabled. Enabling Retpoline on the latest version of Windows 10 may enhance performance on servers running Windows 10, version 1809 for Spectre variant 2, particularly on older processors.

To enable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

To disable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.


Note Setting FeatureSettingsOverrideMask to 3 is accurate for both the "enable" and "disable" settings. (See the "FAQ " section for more details about registry keys.)

↑ Back to the top


Manage the mitigation for CVE-2017-5715 (Spectre Variant 2)

To disable Variant 2: (CVE-2017-5715  "Branch Target Injection") mitigation:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

To enable Variant 2: (CVE-2017-5715  "Branch Target Injection") mitigation:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

↑ Back to the top


AMD processors only: Enable the full mitigation for CVE-2017-5715 (Spectre Variant 2)

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715.  For more information, see FAQ #15 in ADV180002.

Enable user-to-kernel protection on AMD processors along with other protections for CVE 2017-5715:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

↑ Back to the top


Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown)


To enable mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

To disable mitigations for CVE-2018-3639 (Speculative Store Bypass) AND mitigations for CVE-2017-5715 (Spectre Variant 2)  and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

↑ Back to the top


AMD processors only: Enable the full mitigation for CVE-2017-5715 (Spectre Variant 2) and CVE 2018-3639 (Speculative Store Bypass)

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD processors. Customers must enable the mitigation to receive additional protections for CVE-2017-5715.  For more information, see FAQ #15 in ADV180002.

Enable user-to-kernel protection on AMD processors along with other protections for CVE 2017-5715 and protections for CVE-2018-3639 (Speculative Store Bypass):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

↑ Back to the top


Manage Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) along with Spectre [ CVE-2017-5753 & CVE-2017-5715 ] and Meltdown [ CVE-2017-5754 ] variants, including Speculative Store Bypass Disable (SSBD) [ CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [ CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 ]

To enable mitigations for Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) along with Spectre [CVE-2017-5753 & CVE-2017-5715] and Meltdown [CVE-2017-5754] variants, including Speculative Store Bypass Disable (SSBD) [CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646] without disabling Hyper-Threading:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

To enable mitigations for Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling ( CVE-2018-11091 , CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130 ) along with Spectre [ CVE-2017-5753 & CVE-2017-5715 ] and Meltdown [ CVE-2017-5754 ] variants, including Speculative Store Bypass Disable (SSBD) [ CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [ CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 ] with Hyper-Threading disabled:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

To disable mitigations for Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling ( CVE-2018-11091 , CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130 ) along with Spectre [ CVE-2017-5753 & CVE-2017-5715 ] and Meltdown [ CVE-2017-5754 ] variants, including Speculative Store Bypass Disable (SSBD) [ CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [ CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 ]:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

↑ Back to the top


Verifying that protections are enabled

To help customers verify that protections are enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.

PowerShell verification by using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)

Install the PowerShell Module:

PS> Install-Module SpeculationControl

Run the PowerShell module to verify that protections are enabled:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> Import-Module SpeculationControl

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

PowerShell verification by using a download from Technet (Earlier operating system versions and Earlier WMF versions)

Install the PowerShell module from Technet ScriptCenter:

  1. Go to https://aka.ms/SpeculationControlPS .
  2. Download SpeculationControl.zip to a local folder.
  3. Extract the contents to a local folder. For example: C:\ADV180002

Run the PowerShell module to verify that protections are enabled:

Start PowerShell, and then use the previous example to copy and run the following commands:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> CD C:\ADV180002\SpeculationControl

PS> Import-Module .\SpeculationControl.psd1

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser


For a detailed explanation of the output of the PowerShell script, see Knowledge Base article 4074629

↑ Back to the top


Frequently asked questions

I wasn't offered the Windows security updates that were released in January and February 2018. What should I do?

To help avoid adversely affecting customer devices, the Windows security updates that were released in January and February 2018 were not offered to all customers. For details, see Microsoft Knowledge Base article 4072699 .

Where can I find the scenario-based guidance to determine actions necessary to mitigate Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135)?
Do I need to disable Hyper-Threading for Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) on my device?
Is there a way to disable Intel® Transactional Synchronization Extensions (Intel® TSX) capability?

↑ Back to the top


References

Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

↑ Back to the top


Keywords: kbsurveynew, kb, meltdown, spectre, kbregistry, kbbug, kbexpertiseinter, kblangall, kbmustloc, kbsecreview, kbsecurity

↑ Back to the top

Article Info
Article ID : 4072698
Revision : 302
Created on : 12/20/2019
Published on : 12/20/2019
Exists online : False
Views : 5282