Update Windows Server for Meltdown and Spectre

By | January 5, 2018

Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.

There are few help pages by Microsoft  that can be used to update and protect this information.

How to Check and Update for Meltdown and Spectre

Before apply any updates and add registry values you need to make sure what is you Windows Server status with the following steps:

Check Windows Server status

1. Open PowerShell in Admin Mode and type: Set-ExecutionPolicy Bypass
2. Install SpeculationControl mode with the following command: Install-Module SpeculationControl
3. Run Get-SpeculationControlSettings to check update and settings status

image

Apply Update and Values

1. Unblock the update with Anti-Virus with the following registry value
reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat” /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0 /f

***this registry value depend on your Anti-Virus product based on the following url
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

2. Update Windows Client based on the specific update (via Intune,SCCM or manually)

Windows Server 2016 KB4056890
Windows Server 2012 R2 KB4056898
Windows Server 2012 there are no update right now
Windows Server 2008 R2 KB4056897

Windows Server 2008 there are no update right now

image

3. Update BIOS/firmware update provided by your device OEM
4. Enable speculative execution side-channel to mitigate the vulnerabilities with the following registry values

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

for VM configure the value below more information
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization” /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d “1.0” /f

If this is a Hyper-V host: fully shutdown all Virtual Machines, restart the server for changes to take effect.

Once finish all updates and settings the Get-SpeculationControlSettings need to be green with True status

Complete Meltdown and Spectre patches

Notes

– At least for now the firmware update isn’t require for guest machines such, Azure VM, Hyper-V and VMware
– Currently, the update is causing server load issues so we recommend that you test before updates are made
– The values FeatureSettingsOverride and FeatureSettingsOverrideMask may affect performance

More Information

1. Guidance for Windows Server users
2. Security advisory ADV180002 
3. Update
Compatibility warning for users with third-party anti-virus software
4.
Microsoft Update Catalog

(Visited 1,453 times, 2 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *