Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.
There are few help pages by Microsoft that can be used to update and protect this information.
How to Check and Update for Meltdown and Spectre
Before apply any updates and add registry values you need to make sure what is you Windows Server status with the following steps:
Check Windows Server status
1. Open PowerShell in Admin Mode and type: Set-ExecutionPolicy Bypass
2. Install SpeculationControl mode with the following command: Install-Module SpeculationControl
3. Run Get-SpeculationControlSettings to check update and settings status
Apply Update and Values
1. Unblock the update with Anti-Virus with the following registry value
reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat” /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0 /f
***this registry value depend on your Anti-Virus product based on the following url
2. Update Windows Client based on the specific update (via Intune,SCCM or manually)
3. Update BIOS/firmware update provided by your device OEM
4. Enable speculative execution side-channel to mitigate the vulnerabilities with the following registry values
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
for VM configure the value below more information
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization” /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d “1.0” /f
If this is a Hyper-V host: fully shutdown all Virtual Machines, restart the server for changes to take effect.
Once finish all updates and settings the Get-SpeculationControlSettings need to be green with True status
– At least for now the firmware update isn’t require for guest machines such, Azure VM, Hyper-V and VMware
– Currently, the update is causing server load issues so we recommend that you test before updates are made
– The values FeatureSettingsOverride and FeatureSettingsOverrideMask may affect performance