Guidance for protecting against Intel® Processor Machine Check Error vulnerability (CVE-2018-12207)

On November 12, 2019, Intel published a technical advisory around Intel® Processor Machine Check Error vulnerability that is assigned CVE-2018-12207. Microsoft has released updates to help mitigate this vulnerability for guest Virtual Machines (VMs) but the protection is disabled by default. Enabling this protection requires an action on the Hyper-V hosts running untrusted VMs. Follow the guidance in the "Registry setting" section to enable this protection on the Hyper-V hosts running untrusted VMs.

• To enable the protection around Intel® Processor Machine Check Error vulnerability (CVE-2018-12207), run the following command in an elevated Command Prompt on the Hyper-V host that run untrusted VMs to set the following registry key:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v IfuErrataMitigations /t REG_DWORD /d 1 /f

Note After executing this command, please shutdown and then restart all Guest VMs running on the Hyper-V host.

• To disable the protection around Intel® Processor Machine Check Error vulnerability (CVE-2018-12207), run the following command in an elevated Command Prompt on the Hyper-V host that run untrusted VMs to set the following registry key:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v IfuErrataMitigations /t REG_DWORD /d 0 /f

Note After executing this command, please shutdown and then restart all Guest VMs running on the Hyper-V host.