Guidance for protecting against Intel® Processor Machine Check Error vulnerability (CVE-2018-12207)

Applies to: Windows 10, version 1903, all editions; Windows 10, version 1809, all editions; Windows Server 2019, all editions

Summary


On November 12, 2019, Intel published a technical advisory on the Intel® Processor Machine Check Error vulnerability, which is assigned CVE-2018-12207. Microsoft has released updates to help mitigate this vulnerability for guest Virtual Machines (VMs), but the protection is disabled by default. Enabling this protection requires an action on the Hyper-V hosts that run untrusted VMs. Follow the guidance in the "Registry setting" section to enable this protection on those hosts.

Registry setting


  • To enable the protection against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207), run the following command in an elevated Command Prompt on the Hyper-V host that runs untrusted VMs to set the following registry key:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v IfuErrataMitigations /t REG_DWORD /d 1 /f

Note: After executing this command, shut down and then restart all guest VMs running on the Hyper-V host.

  • To disable the protection against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207), run the following command in an elevated Command Prompt on the Hyper-V host that runs untrusted VMs to set the following registry key:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v IfuErrataMitigations /t REG_DWORD /d 0 /f

Note: After executing this command, shut down and then restart all guest VMs running on the Hyper-V host.
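
To confirm which state a host is in after following the steps above, the following PowerShell check reads the IfuErrataMitigations value and lists the guests that are still running. It is an added example, not Microsoft's code; the function name Get-IfuErrataMitigationState and its output fields are hypothetical, and the guest listing assumes the Hyper-V PowerShell module (Get-VM) is installed on the host.

```powershell
# Added example: audit the IfuErrataMitigations setting on a Hyper-V host.
# The function name and output fields are illustrative assumptions.
function Get-IfuErrataMitigationState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    )

    $name  = 'IfuErrataMitigations'
    $value = $null

    # A missing key or value is not an error here: it means the setting was never written.
    $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $value = $item.$name }

    # The article documents only 1 (enable) and 0 (disable); protection is off by default.
    if ($null -eq $value) {
        $state = 'NotSet (protection disabled by default)'
    } elseif ($value -eq 1) {
        $state = 'Enabled'
    } elseif ($value -eq 0) {
        $state = 'Disabled'
    } else {
        $state = "Unexpected value: $value"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $value
        State        = $state
    }
}

Get-IfuErrataMitigationState | Format-List

# The article says to shut down and then restart all guest VMs after changing the value.
# List the guests that are still running so they can be scheduled for that.
if (Get-Command -Name Get-VM -ErrorAction SilentlyContinue) {
    Get-VM | Where-Object { $_.State -eq 'Running' } |
        Sort-Object Uptime -Descending |
        Select-Object Name, State, Uptime |
        Format-Table -AutoSize
} else {
    Write-Warning 'Hyper-V PowerShell module not found; cannot list running guests.'
}
```

Run it from an elevated PowerShell session on the Hyper-V host.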