Install and run the script by running the following commands.

PowerShell verification by using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)

Install the PowerShell module:
PS> Install-Module SpeculationControl

Run the PowerShell module to verify that protections are enabled:
PS> # Save the current execution policy so it can be reset
PS> $SaveExecutionPolicy = Get-ExecutionPolicy
PS> Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
PS> Import-Module SpeculationControl
PS> Get-SpeculationControlSettings
PS> # Reset the execution policy to the original state
PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope CurrentUser

PowerShell verification by using a download from TechNet (earlier OS versions/earlier WMF versions)

Install the PowerShell module from TechNet ScriptCenter:
- Go to https://aka.ms/SpeculationControlPS.
- Download SpeculationControl.zip to a local folder.
- Extract the contents to a local folder, for example C:\ADV180002.

Run the PowerShell module to verify that protections are enabled:
Start PowerShell, and then (using the example above) copy and run the following commands:
PS> # Save the current execution policy so it can be reset
PS> $SaveExecutionPolicy = Get-ExecutionPolicy
PS> Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
PS> CD C:\ADV180002\SpeculationControl
PS> Import-Module .\SpeculationControl.psd1
PS> Get-SpeculationControlSettings
PS> # Reset the execution policy to the original state
PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope CurrentUser
The output of this PowerShell script will resemble the following. Enabled protections appear in the output as “True.”
PS C:\> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False
Windows OS support for PCID optimization is enabled: False
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass mitigation is present: False
Windows OS support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is enabled system-wide: False
Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: True
Windows OS support for L1 terminal fault mitigation is present: True
Windows OS support for L1 terminal fault mitigation is enabled: True
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: True
BTIHardwarePresent: False
BTIWindowsSupportPresent: True
BTIWindowsSupportEnabled: False
BTIDisabledBySystemPolicy: True
BTIDisabledByNoHardwareSupport: True
KVAShadowRequired: True
KVAShadowWindowsSupportPresent: False
KVAShadowWindowsSupportEnabled: False
KVAShadowPcidEnabled: False
SSBDWindowsSupportPresent: True
SSBDHardwareVulnerablePresent: True
SSBDHardwarePresent: True
SSBDWindowsSupportEnabledSystemWide: False
L1TFHardwareVulnerable: True
L1TFWindowsSupportPresent: True
L1TFWindowsSupportEnabled: True
L1TFInvalidPteBit: 45
L1DFlushSupported: False
MDSWindowsSupportPresent: True
MDSHardwareVulnerable: True
MDSWindowsSupportEnabled: True
The final output grid maps to the output of the preceding lines. This appears because PowerShell prints the object that is returned by a function. The following table explains each line.
Output: Speculation control settings for CVE-2017-5715 [branch target injection]
Explanation: This section provides system status for variant 2, CVE-2017-5715, branch target injection.

Output: Hardware support for branch target injection mitigation is present
Explanation: Maps to BTIHardwarePresent. This line tells you if hardware features are present to support the branch target injection mitigation. The device OEM is responsible for providing the updated BIOS/firmware that contains the microcode provided by CPU manufacturers. If this line is True, the required hardware features are present. If the line is False, the required hardware features are not present, and therefore the branch target injection mitigation cannot be enabled.
Note BTIHardwarePresent will be True in guest VMs if the OEM update has been applied to the host and guidance is followed.

Output: Windows OS support for branch target injection mitigation is present
Explanation: Maps to BTIWindowsSupportPresent. This line tells you if Windows operating system support is present for the branch target injection mitigation. If it is True, the operating system supports enabling the branch target injection mitigation (and therefore has installed the January 2018 update). If it is False, the January 2018 update has not been installed on the system, and the branch target injection mitigation cannot be enabled.
Note If a guest VM cannot detect the host hardware update, BTIWindowsSupportEnabled will always be False.

Output: Windows OS support for branch target injection mitigation is enabled
Explanation: Maps to BTIWindowsSupportEnabled. This line tells you if Windows operating system support is enabled for the branch target injection mitigation. If it is True, hardware support and OS support for the branch target injection mitigation are enabled for the device, thus protecting against CVE-2017-5715. If it is False, one of the following conditions is true:
- Hardware support is not present.
- OS support is not present.
- The mitigation has been disabled by system policy.

Output: Windows OS support for branch target injection mitigation is disabled by system policy
Explanation: Maps to BTIDisabledBySystemPolicy. This line tells you if the branch target injection mitigation has been disabled by system policy (such as an administrator-defined policy). System policy refers to the registry controls as documented in KB 4072698. If it is True, the system policy is responsible for disabling the mitigation. If it is False, the mitigation is disabled by a different cause.

Output: Windows OS support for branch target injection mitigation is disabled by absence of hardware support
Explanation: Maps to BTIDisabledByNoHardwareSupport. This line tells you if the branch target injection mitigation has been disabled due to the absence of hardware support. If it is True, the absence of hardware support is responsible for disabling the mitigation. If it is False, the mitigation is disabled by a different cause.
Note If a guest VM cannot detect the host hardware update, BTIDisabledByNoHardwareSupport will always be True.

Output: Speculation control settings for CVE-2017-5754 [rogue data cache load]
Explanation: This section provides summary system status for variant 3, CVE-2017-5754, rogue data cache load. The mitigation for this is known as kernel Virtual Address (VA) shadow or the rogue data cache load mitigation.

Output: Hardware requires kernel VA shadowing
Explanation: Maps to KVAShadowRequired. This line tells you if the hardware is vulnerable to CVE-2017-5754. If it is True, the hardware is believed to be vulnerable to CVE-2017-5754. If it is False, the hardware is known to not be vulnerable to CVE-2017-5754.

Output: Windows OS support for kernel VA shadow is present
Explanation: Maps to KVAShadowWindowsSupportPresent. This line tells you if Windows operating system support for the kernel VA shadow feature is present. If it is True, the January 2018 update is installed on the device, and kernel VA shadow is supported. If it is False, the January 2018 update is not installed, and kernel VA shadow support does not exist.

Output: Windows OS support for kernel VA shadow is enabled
Explanation: Maps to KVAShadowWindowsSupportEnabled. This line tells you if the kernel VA shadow feature has been enabled. If it is True, the hardware is believed to be vulnerable to CVE-2017-5754, Windows operating system support is present, and the feature has been enabled. The kernel VA shadow feature is currently enabled by default on client versions of Windows and is disabled by default on versions of Windows Server. If it is False, either Windows operating system support is not present, or the feature has not been enabled.

Output: Windows OS support for PCID performance optimization is enabled
Note PCID is not required for security. It only indicates if a performance improvement is enabled. PCID is not supported with Windows Server 2008 R2.
Explanation: Maps to KVAShadowPcidEnabled. This line tells you if an additional performance optimization has been enabled for kernel VA shadow. If it is True, kernel VA shadow is enabled, hardware support for PCID is present, and PCID optimization for kernel VA shadow has been enabled. If it is False, either the hardware or the OS may not support PCID. It is not a security weakness for the PCID optimization to not be enabled.

Output: Windows OS support for Speculative Store Bypass Disable is present
Explanation: Maps to SSBDWindowsSupportPresent. This line tells you if Windows operating system support for Speculative Store Bypass Disable is present. If it is True, the January 2018 update is installed on the device, and kernel VA shadow is supported. If it is False, the January 2018 update is not installed, and kernel VA shadow support does not exist.

Output: Hardware requires Speculative Store Bypass Disable
Explanation: Maps to SSBDHardwareVulnerablePresent. This line tells you if the hardware is vulnerable to CVE-2018-3639. If it is True, the hardware is believed to be vulnerable to CVE-2018-3639. If it is False, the hardware is known to not be vulnerable to CVE-2018-3639.

Output: Hardware support for Speculative Store Bypass Disable is present
Explanation: Maps to SSBDHardwarePresent. This line tells you if hardware features are present to support Speculative Store Bypass Disable. The device OEM is responsible for providing the updated BIOS/firmware that contains the microcode provided by Intel. If this line is True, the required hardware features are present. If the line is False, the required hardware features are not present, and therefore Speculative Store Bypass Disable cannot be turned on.
Note SSBDHardwarePresent will be True in guest VMs if the OEM update has been applied to the host.

Output: Windows OS support for Speculative Store Bypass Disable is turned on
Explanation: Maps to SSBDWindowsSupportEnabledSystemWide. This line tells you if Speculative Store Bypass Disable has been turned on in the Windows operating system. If it is True, hardware support and OS support for Speculative Store Bypass Disable are on for the device, preventing a Speculative Store Bypass from occurring, thus eliminating the security risk completely. If it is False, one of the following conditions is true:
- Hardware support is not present.
- OS support is not present.
- Speculative Store Bypass Disable has not been turned on via registry keys. See the following articles for instructions on how to turn it on:
  Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
  Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Output: Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Explanation: This section provides summary system status for L1TF (operating system) referred to by CVE-2018-3620. This mitigation ensures that safe page frame bits are used for not present or invalid page table entries.
Note This section does not provide a summary of the mitigation status for L1TF (VMM) referred to by CVE-2018-3646.

Output: Hardware is vulnerable to L1 terminal fault: True
Explanation: Maps to L1TFHardwareVulnerable. This line tells you if the hardware is vulnerable to L1 Terminal Fault (L1TF, CVE-2018-3620). If it is True, the hardware is believed to be vulnerable to CVE-2018-3620. If it is False, the hardware is known to not be vulnerable to CVE-2018-3620.

Output: Windows OS support for L1 terminal fault mitigation is present: True
Explanation: Maps to L1TFWindowsSupportPresent. This line tells you if Windows operating system support for the L1 Terminal Fault (L1TF) operating system mitigation is present. If it is True, the August 2018 update is installed on the device, and the mitigation for CVE-2018-3620 is present. If it is False, the August 2018 update is not installed, and the mitigation for CVE-2018-3620 is not present.

Output: Windows OS support for L1 terminal fault mitigation is enabled: True
Explanation: Maps to L1TFWindowsSupportEnabled. This line tells you if the Windows operating system mitigation for L1 Terminal Fault (L1TF, CVE-2018-3620) is enabled. If it is True, the hardware is believed to be vulnerable to CVE-2018-3620, Windows operating system support for the mitigation is present, and the mitigation has been enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation has not been enabled.

Output: Speculation control settings for MDS [Microarchitectural Data Sampling]
Explanation: This section provides system status for the MDS set of vulnerabilities, CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, and CVE-2018-12130.

Output: Windows OS support for MDS mitigation is present
Explanation: Maps to MDSWindowsSupportPresent. This line tells you if Windows operating system support for the Microarchitectural Data Sampling (MDS) operating system mitigation is present. If it is True, the May 2019 update is installed on the device, and the mitigation for MDS is present. If it is False, the May 2019 update is not installed, and the mitigation for MDS is not present.

Output: Hardware is vulnerable to MDS
Explanation: Maps to MDSHardwareVulnerable. This line tells you if the hardware is vulnerable to the Microarchitectural Data Sampling (MDS) set of vulnerabilities (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12139). If it is True, the hardware is believed to be affected by these vulnerabilities. If it is False, the hardware is known to not be vulnerable.

Output: Windows OS support for MDS mitigation is enabled
Explanation: Maps to MDSWindowsSupportEnabled. This line tells you if the Windows operating system mitigation for Microarchitectural Data Sampling (MDS) is enabled. If it is True, the hardware is believed to be affected by the MDS vulnerabilities, Windows operating system support for the mitigation is present, and the mitigation has been enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation has not been enabled.
The following output is expected for a computer with all mitigations enabled, together with what is necessary to satisfy each condition.

BTIHardwarePresent: True -> apply OEM BIOS/firmware update
BTIWindowsSupportPresent: True -> install January 2018 update
BTIWindowsSupportEnabled: True -> on client, no action required. On server, follow guidance.
BTIDisabledBySystemPolicy: False -> ensure not disabled by policy.
BTIDisabledByNoHardwareSupport: False -> ensure OEM BIOS/firmware update is applied.
KVAShadowRequired: True or False -> no action, this is a function of the CPU the computer uses

If KVAShadowRequired is True:
KVAShadowWindowsSupportPresent: True -> install January 2018 update
KVAShadowWindowsSupportEnabled: True -> on client, no action required. On server, follow guidance.
KVAShadowPcidEnabled: True or False -> no action, this is a function of the CPU the computer uses

If SSBDHardwareVulnerablePresent is True:
SSBDWindowsSupportPresent: True -> install Windows updates as documented in adv180012
SSBDHardwarePresent: True -> install BIOS/firmware update with support for SSBD from your device OEM
SSBDWindowsSupportEnabledSystemWide: True -> follow recommended actions to turn on SSBD

If L1TFHardwareVulnerable is True:
L1TFWindowsSupportPresent: True -> install Windows updates as documented in adv180018
L1TFWindowsSupportEnabled: True -> follow actions outlined in adv180018 for Windows Server or Client as appropriate to enable the mitigation
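The following function is an added example, not part of the Microsoft article or of the SpeculationControl module. It ties the install steps at the top of the page to the expected-output list above: it imports the module (from the PowerShell Gallery, or from the .psd1 of a locally extracted download when -ModulePath is given), runs Get-SpeculationControlSettings, and reports each property against the expected value and the remediation the list names. It assumes the installed module version supports the -Quiet switch, which suppresses the human-readable text and returns only the settings object; the function and parameter names are the example's own.

```powershell
# Added example (not part of the article or the SpeculationControl module).
# Assumptions: the module is installed from the Gallery or extracted locally (pass its .psd1
# via -ModulePath), and Get-SpeculationControlSettings accepts -Quiet (returns only the object).
function Test-SpeculationControlCompliance {
    [CmdletBinding()]
    param(
        # Path to SpeculationControl.psd1 when the module was downloaded rather than installed,
        # for example C:\ADV180002\SpeculationControl\SpeculationControl.psd1
        [string]$ModulePath,

        # An already-collected settings object (e.g. exported from another host) can be
        # evaluated instead of running the cmdlet on this machine.
        [psobject]$Settings
    )

    if (-not $Settings) {
        if ($ModulePath) { Import-Module $ModulePath -ErrorAction Stop }
        else             { Import-Module SpeculationControl -ErrorAction Stop }
        $Settings = Get-SpeculationControlSettings -Quiet
    }

    # One entry per line of the expected-output list: property, expected value, and the action
    # the article gives when the value does not match. Expected = $null means either value is
    # acceptable because it describes the CPU, not the configuration.
    $checks = @(
        @{ Name = 'BTIHardwarePresent';             Expected = $true;  Action = 'apply OEM BIOS/firmware update' }
        @{ Name = 'BTIWindowsSupportPresent';       Expected = $true;  Action = 'install January 2018 update' }
        @{ Name = 'BTIWindowsSupportEnabled';       Expected = $true;  Action = 'client: no action; server: follow guidance' }
        @{ Name = 'BTIDisabledBySystemPolicy';      Expected = $false; Action = 'ensure not disabled by policy' }
        @{ Name = 'BTIDisabledByNoHardwareSupport'; Expected = $false; Action = 'ensure OEM BIOS/firmware update is applied' }
        @{ Name = 'KVAShadowRequired';              Expected = $null;  Action = '' }
    )
    # The remaining groups only apply when the hardware is reported as vulnerable.
    if ($Settings.KVAShadowRequired) {
        $checks += @{ Name = 'KVAShadowWindowsSupportPresent'; Expected = $true; Action = 'install January 2018 update' }
        $checks += @{ Name = 'KVAShadowWindowsSupportEnabled'; Expected = $true; Action = 'client: no action; server: follow guidance' }
        $checks += @{ Name = 'KVAShadowPcidEnabled';           Expected = $null; Action = '' }
    }
    if ($Settings.SSBDHardwareVulnerablePresent) {
        $checks += @{ Name = 'SSBDWindowsSupportPresent';           Expected = $true; Action = 'install Windows updates as documented in adv180012' }
        $checks += @{ Name = 'SSBDHardwarePresent';                 Expected = $true; Action = 'install OEM BIOS/firmware update with SSBD support' }
        $checks += @{ Name = 'SSBDWindowsSupportEnabledSystemWide'; Expected = $true; Action = 'follow recommended actions to turn on SSBD' }
    }
    if ($Settings.L1TFHardwareVulnerable) {
        $checks += @{ Name = 'L1TFWindowsSupportPresent'; Expected = $true; Action = 'install Windows updates as documented in adv180018' }
        $checks += @{ Name = 'L1TFWindowsSupportEnabled'; Expected = $true; Action = 'follow adv180018 actions to enable the mitigation' }
    }

    foreach ($c in $checks) {
        $actual = $Settings.($c.Name)
        if ($null -eq $c.Expected)       { $status = 'Info';   $expectedText = 'True or False' }
        elseif ($actual -eq $c.Expected) { $status = 'OK';     $expectedText = $c.Expected }
        else                             { $status = 'ACTION'; $expectedText = $c.Expected }
        $action = if ($status -eq 'ACTION') { $c.Action } else { '' }
        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = $actual
            Expected = $expectedText
            Status   = $status
            Action   = $action
        }
    }
}

# Usage: list only the settings that still need action on this host.
# Test-SpeculationControlCompliance | Where-Object Status -eq 'ACTION' | Format-Table -AutoSize
```

Because the function emits one object per setting rather than text, the result can be filtered, exported (Export-Csv) or collected from many hosts with Invoke-Command and compared centrally, which is how the expected-output list is normally used in practice.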
The following table maps the output to the registry keys that are covered in Windows Server guidance to protect against speculative execution side-channel vulnerabilities.

Registry key: FeatureSettingsOverride – Bit 0
Mapping: Maps to - Branch target injection - BTIWindowsSupportEnabled

Registry key: FeatureSettingsOverride – Bit 1
Mapping: Maps to - Rogue data cache load - KVAShadowWindowsSupportEnabled
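As an added example, not part of the Microsoft article, the functions below decode the FeatureSettingsOverride and FeatureSettingsOverrideMask pair for the two bits the table maps, so that a "disabled by system policy" result from the script can be traced to the registry value that caused it. They assume the semantics documented in KB 4072698 (which the table's explanation of BTIDisabledBySystemPolicy refers to): a bit set in the mask places that mitigation under policy control, and the mitigation is disabled when the same bit is also set in the override value; the registry path and the function names are the example's own assumptions and bits other than 0 and 1 are not interpreted.

```powershell
# Added example (not part of the article). Decodes FeatureSettingsOverride bits 0 and 1 into
# the per-mitigation policy state that the mapping table above describes.
# Assumption: a bit set in FeatureSettingsOverrideMask is under policy control; when the same
# bit is also set in FeatureSettingsOverride the mitigation is disabled (KB 4072698 semantics).
function ConvertFrom-FeatureSettingsOverride {
    param(
        [int]$Override = 0,   # FeatureSettingsOverride DWORD; a missing value behaves as 0
        [int]$Mask     = 0    # FeatureSettingsOverrideMask DWORD; a missing value behaves as 0
    )
    $bits = @(
        @{ Bit = 0; Mitigation = 'Branch target injection'; Setting = 'BTIWindowsSupportEnabled' }
        @{ Bit = 1; Mitigation = 'Rogue data cache load';   Setting = 'KVAShadowWindowsSupportEnabled' }
    )
    foreach ($b in $bits) {
        $flag       = 1 -shl $b.Bit
        $controlled = ($Mask -band $flag) -ne 0
        $disabled   = $controlled -and (($Override -band $flag) -ne 0)
        if (-not $controlled) { $policy = 'OS default (no policy override)' }
        elseif ($disabled)    { $policy = 'Disabled by policy' }
        else                  { $policy = 'Enabled by policy' }
        [pscustomobject]@{
            Bit        = $b.Bit
            Mitigation = $b.Mitigation
            Setting    = $b.Setting
            Policy     = $policy
        }
    }
}

function Get-FeatureSettingsOverridePolicy {
    # Registry location taken from KB 4072698 (assumption: the path is not stated on this page).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $override = 0
    $mask     = 0
    if ($props -and $null -ne $props.FeatureSettingsOverride)     { $override = [int]$props.FeatureSettingsOverride }
    if ($props -and $null -ne $props.FeatureSettingsOverrideMask) { $mask     = [int]$props.FeatureSettingsOverrideMask }
    ConvertFrom-FeatureSettingsOverride -Override $override -Mask $mask
}

# Constructed worked values: Override 3 / Mask 3 reports both mitigations disabled by policy;
# Override 0 / Mask 3 reports both enabled by policy; Override 0 / Mask 0 reports OS defaults.
# ConvertFrom-FeatureSettingsOverride -Override 3 -Mask 3 | Format-Table -AutoSize
# Read the live values on this host (HKLM is readable without elevation):
# Get-FeatureSettingsOverridePolicy | Format-Table -AutoSize
```

When the script reports BTIDisabledBySystemPolicy as True, Get-FeatureSettingsOverridePolicy should show bit 0 as "Disabled by policy"; the two functions are kept separate so the decoder can also be applied to values collected from other hosts or from a registry export.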