Windows Server speculative execution side-channel vulnerabilities protection

Summary

This article will be updated as additional information becomes available. Please check back here regularly for updates and new FAQ.

Microsoft is aware of a new publicly disclosed class of vulnerabilities that are called “speculative execution side-channel attacks” and that affect many modern processors including Intel, AMD, VIA, and ARM.

Note This issue also affects other operating systems, such as Android, Chrome, iOS, and macOS. Therefore, we advise customers to seek guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.

Microsoft has not yet received any information to indicate that these vulnerabilities were used to attack customers. Microsoft is working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, firmware (microcode) and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.

This article addresses the following vulnerabilities:

Windows Update will also provide Internet Explorer and Edge mitigations. We will continue to improve these mitigations against this class of vulnerabilities.

To learn more about this class of vulnerabilities, see

UPDATED ON May 14, 2019: On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling. They have been assigned the following CVEs:

Important: These issues will affect other systems such as Android, Chrome, iOS, and MacOS. We advise customers seek guidance from their respective vendors.

Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services. We strongly recommend deploying these updates.

For more information about this issue, see the following Security Advisory and use scenario-based guidance to determine actions necessary to mitigate the threat:

Note: We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.

Recommended actions

Customers should take the following actions to help protect against the vulnerabilities:

Apply all available Windows operating system updates, including the monthly Windows security updates.
Apply the applicable firmware (microcode) update that is provided by the device manufacturer.
Evaluate the risk to your environment based on the information that is provided on Microsoft Security Advisories: ADV180002, ADV180012, ADV190013, and information provided in this Knowledge Base article.
Take action as required by using the advisories and registry key information that are provided in this Knowledge Base article.

Note Surface customers will receive a microcode update through Windows update. For a list of the latest Surface device firmware (microcode) updates, see KB 4073065.

Mitigation Settings for Windows Server

Security advisories ADV180002, ADV180012, and ADV190013 provide information about the risk that is posed by these vulnerabilities. They also help you identify the these vulnerabilities and identify the default state of mitigations for Windows Server systems. The below table summarizes the requirement of CPU microcode and the default status of the mitigations on Windows Server.

CVE	Requires CPU microcode/firmware?	Mitigation Default status
CVE-2017-5753	No	Enabled by default (no option to disable) Please refer to ADV180002 for additional information
CVE-2017-5715	Yes	Disabled by default. Please refer to ADV180002 for additional information and this KB article for applicable registry key settings. Note: “Retpoline” is enabled by default for devices running Windows 10 1809 or newer if Spectre Variant 2 (CVE-2017-5715) is enabled. For more information, around “Retpoline”, follow Mitigating Spectre variant 2 with Retpoline on Windows blog post.
CVE-2017-5754	No	Windows Server 2019: Enabled by default. Windows Server 2016 and earlier: Disabled by default. Please refer to ADV180002 for additional information.
CVE-2018-3639	Intel: Yes AMD: No	Disabled by default. See ADV180012 for more information and this KB article for applicable registry key settings.
CVE-2018-11091	Intel: Yes	Windows Server 2019: Enabled by default. Windows Server 2016 and earlier: Disabled by default. See ADV190013 for more information and this KB article for applicable registry key settings.
CVE-2018-12126	Intel: Yes	Windows Server 2019: Enabled by default. Windows Server 2016 and earlier: Disabled by default. See ADV190013 for more information and this KB article for applicable registry key settings.
CVE-2018-12127	Intel: Yes	Windows Server 2019: Enabled by default. Windows Server 2016 and earlier: Disabled by default. See ADV190013 for more information and this KB article for applicable registry key settings.
CVE-2018-12130	Intel: Yes	Windows Server 2019: Enabled by default. Windows Server 2016 and earlier: Disabled by default. See ADV190013 for more information and this KB article for applicable registry key settings.

Customers who want to obtain all available protections against these vulnerabilities must make registry key changes to enable these mitigations that are disabled by default.

Enabling these mitigations may affect performance. The scale of the performance effects depends on multiple factors, such as the specific chipset in your physical host and the workloads that are running. We recommend that customers assess the performance effects for their environment and make any necessary adjustments.

Your server is at increased risk if it's in one of the following categories:

Hyper-V hosts – Requires protection for VM-to-VM and VM-to-host attacks.
Remote Desktop Services Hosts (RDSH) – Requires protection from one session to another session or from session-to-host attacks.
Physical hosts or virtual machines that are running untrusted code, such as containers or untrusted extensions for database, untrusted web content, or workloads that run code that's from external sources. These require protection from untrusted process-to-another-process or untrusted-process-to-kernel attacks.

Use the following registry key settings to enable the mitigations on the server, and restart the system for the changes to take effect.

Note Enabling mitigations that are off by-default may affect performance. The actual performance effect depends on multiple factors, such as the specific chipset in the device and the workloads that are running.

Registry settings

We are providing the following registry information to enable mitigations that are not enabled by default, as documented in Security Advisories ADV180002, ADV180012, and ADV190013.

Additionally, we are providing registry key settings for users who want to disable the mitigations that are related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

Manage mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

Important note: Retpoline is enabled by default on Windows 10, version 1809 servers if Spectre, Variant 2 (CVE-2017-5715) is enabled. Enabling Retpoline on the latest version of Windows 10 may enhance performance on servers running Windows 10, version 1809 for Spectre variant 2, particularly on older processors.

To enable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

To disable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Note Setting FeatureSettingsOverrideMask to 3 is accurate for both the "enable" and "disable" settings. (See the "FAQ" section for more details about registry keys.)

Manage the mitigation for CVE-2017-5715 (Spectre Variant 2)

To disable Variant 2: (CVE-2017-5715 "Branch Target Injection") mitigation:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

To enable Variant 2: (CVE-2017-5715 "Branch Target Injection") mitigation:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

AMD processors only: Enable the full mitigation for CVE-2017-5715 (Spectre Variant 2)

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. For more information, see FAQ #15 in ADV180002.

Enable user-to-kernel protection on AMD processors along with other protections for CVE 2017-5715:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown)

To enable mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

To disable mitigations for CVE-2018-3639 (Speculative Store Bypass) AND mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

AMD processors only: Enable the full mitigation for CVE-2017-5715 (Spectre Variant 2) and CVE 2018-3639 (Speculative Store Bypass)

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD processors. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. For more information, see FAQ #15 in ADV180002.

Enable user-to-kernel protection on AMD processors along with other protections for CVE 2017-5715 and protections for CVE-2018-3639 (Speculative Store Bypass):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

Manage Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) along with Spectre [ CVE-2017-5753 & CVE-2017-5715 ] and Meltdown [ CVE-2017-5754 ] variants, including Speculative Store Bypass Disable (SSBD) [ CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [ CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 ]

To enable mitigations for Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) along with Spectre [ CVE-2017-5753 & CVE-2017-5715 ] and Meltdown [ CVE-2017-5754 ] variants, including Speculative Store Bypass Disable (SSBD) [ CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [ CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 ] without disabling Hyper-Threading:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

To enable mitigations for Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) along with Spectre [ CVE-2017-5753 & CVE-2017-5715 ] and Meltdown [ CVE-2017-5754 ] variants, including Speculative Store Bypass Disable (SSBD) [ CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [ CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 ] with Hyper-Threading disabled:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

To disable mitigations for Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) along with Spectre [ CVE-2017-5753 & CVE-2017-5715 ] and Meltdown [ CVE-2017-5754 ] variants, including Speculative Store Bypass Disable (SSBD) [ CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [ CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 ]:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Verifying that protections are enabled

To help customers verify that protections are enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.

PowerShell verification by using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)

Install the PowerShell Module:

PS> Install-Module SpeculationControl

Run the PowerShell module to verify that protections are enabled:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> Import-Module SpeculationControl

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

PowerShell verification by using a download from Technet (Earlier operating system versions and Earlier WMF versions)

Install the PowerShell module from Technet ScriptCenter:

Go to https://aka.ms/SpeculationControlPS.
Download SpeculationControl.zip to a local folder.
Extract the contents to a local folder. For example: C:\ADV180002

Run the PowerShell module to verify that protections are enabled:

Start PowerShell, and then use the previous example to copy and run the following commands:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> CD C:\ADV180002\SpeculationControl

PS> Import-Module .\SpeculationControl.psd1

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

For a detailed explanation of the output of the PowerShell script, see Knowledge Base article 4074629.

Frequently asked questions

Show all

I wasn't offered the Windows security updates that were released in January and February 2018. What should I do?

How can I tell whether I have the correct version of the CPU microcode?

What are the performance effects of the mitigations?

I'm running Windows Server in a third-party hosted environment or cloud. What should I do?

In addition to the guidance that's in this article regarding virtual machines, you should contact your service provider to make sure that the hosts that are running your virtual machines are adequately protected.

For Windows Server virtual machines that are running in Azure, see Guidance for mitigating speculative execution side-channel vulnerabilities in Azure. For guidance on using Azure Update Management to mitigate this issue on guest VMs, see Microsoft Knowledge Base article 4077467.

Are there any Windows Server container-specific guidelines?

Do the software and hardware updates have to be installed in a particular order?

Will there be multiple restarts?

Can you provide more details about the registry keys?

Here are the details for the registry keys:

FeatureSettingsOverride represents a bitmap that overrides the default setting and controls which mitigations will be disabled. Bit 0 controls the mitigation that corresponds to CVE-2017-5715. Bit 1 controls the mitigation that corresponds to CVE-2017-5754. The bits are set to 0 to enable the mitigation and to 1 to disable the mitigation.

FeatureSettingsOverrideMask represents a bitmap mask that's used together with FeatureSettingsOverride. In this situation, we use the value 3 (represented as 11 in the binary numeral or base-2 numeral system) to indicate the first two bits that correspond to the available mitigations. This registry key is set to 3 both to enable or to disable the mitigations.

MinVmVersionForCpuBasedMitigations is for Hyper-V hosts. This registry key defines the minimum VM version that's required for you to use the updated firmware capabilities (CVE-2017-5715). Set this to 1.0 to cover all VM versions. Notice that this registry value will be ignored (benign) on non-Hyper-V hosts. For more details, see Protecting guest virtual machines from CVE-2017-5715 (branch target injection).

Can I set the registry keys before I install the update, and then install the update and restart for the changes to take effect?

Can you provide more details about the output of the PowerShell verification script?

If the firmware (microcode) update is not yet available from my OEM, is there still a way to protect my Hyper-V host?

If I'm on the Security Only branch, what Security Only updates do I need to install to be protect against these vulnerabilities?

Security Only updates are not cumulative. Depending on your operating system version, you may need to install several security updates for full protection. In general, customers will need to install the January, February, March, and April 2018 updates. Systems that have AMD processors need an additional update as shown in the following table:

Operating System version	Security Update
Windows 8.1, Windows Server 2012 R2	4338815 - Monthly Rollup
	4338824 - Security Only
Windows 7 SP1, Windows Server 2008 R2 SP1, or Windows Server 2008 R2 SP1 (Server Core installation)	4284826 - Monthly Rollup
	4284867 - Security Only
Windows Server 2008 SP2	4340583 - Security Update

We recommend that you install the Security Only updates in the order of release.

Note An earlier version of this FAQ incorrectly stated that the February Security Only update included the security fixes that were released in January. In fact, it does not.

If I apply any of the applicable security updates, will they disable the protections for CVE-2017-5715 in the same way that security update KB 4078130 did?

No. Security update KB 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and unexpected restarts after the installation of microcode. Applying the security updates on Windows client operating systems enables all three mitigations. On Windows Server operating systems, you still have to enable the mitigations after you do proper testing. For more information, see Microsoft Knowledge Base article 4072698.

Known issue: Some users may experience network connectivity issues or lose IP address settings after they install the March 13, 2018, Security Update (KB 4088875).

Intel has identified restart issues that involve microcode on some older processors. What should I do?

In February 2018, Intel announced that they had completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates that concern Spectre Variant 2 Spectre Variant 2 (CVE-2017-5715 – "Branch Target Injection"). KB 4093836 lists specific Knowledge Base articles by Windows version. Each specific KB article contains the available Intel microcode updates by CPU.

January 11, 2018: Intel reported issues in recently released microcode that was meant to address Spectre variant 2 (CVE-2017-5715 – "Branch Target Injection"). Specifically, Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and that these scenarios may cause “data loss or corruption. ” Our experience is that system instability can cause data loss or corruption in some circumstances. On January 22, Intel recommended that customers stop deploying the current microcode version on affected processors while Intel performs additional testing on the updated solution. We understand that Intel is continuing to investigate the potential effect of the current microcode version. We encourage customers to review their guidance on an ongoing basis to inform their decisions.

While Intel tests, updates, and deploys new microcode, we are making available an out-of-band (OOB) update, KB 4078130, that specifically disables only the mitigation against CVE-2017-5715. In our testing, this update has been found to prevent the described behavior. For the full list of devices, see the microcode revision guidance from Intel. This update covers Windows 7 Service Pack 1 (SP1), Windows 8.1, and all versions of Windows 10, both client and server. If you're running an affected device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715.

As of this time, there are no known reports that indicate that this Spectre Variant 2 (CVE-2017-5715 – "Branch Target Injection") has been used to attack customers. We recommend that, when appropriate, Windows users reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.

I've heard that Intel has released microcode updates. Where can I find them?

In February 2018, Intel announced that they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel-validated microcode updates that are related to Spectre Variant 2 Spectre Variant 2 (CVE-2017-5715 – "Branch Target Injection"). KB 4093836 lists specific Knowledge Base articles by Windows version. The KBs list available Intel microcode updates by CPU.

For more information, see AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control. These are available from the OEM firmware channel.

I'm running Windows 10 April 2018 Update (version 1803). Is Intel microcode available for my device? Where can I find it?

Microsoft is making available Intel-validated microcode updates that concern Spectre Variant 2 (CVE-2017-5715 – “Branch Target Injection ”). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from the Microsoft Update Catalog if it was not installed on the device before upgrading the system. Intel microcode is available through Windows Update, Windows Server Update Services (WSUS), or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.

Where can I find information about the new speculative execution side-channel vulnerabilities (Speculative Store Bypass - CVE-2018-3639 and Rogue System Register Read - CVE-2018-3640)?

Where can I find more information about Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors?

How do I determine whether SSBD is enabled or disabled?

I've heard about "Lazy FP State Restore" ( CVE-2018-3665 ). Will Microsoft release mitigations for it?

On June 13, 2018, an additional vulnerability that involves side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. For information about this vulnerability and recommended actions, see the Security Advisory ADV180016 | Microsoft Guidance for Lazy FP State Restore.

Note There are no required configuration (registry) settings for Lazy Restore FP Restore.

I've heard that CVE-2018-3693 ("Bounds Check Bypass Store") is related to Spectre. Will Microsoft release mitigations for it?

Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018, and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We aren't currently aware of any instances of BCBS in our software. However, we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We encourage researchers to submit any relevant findings to the Microsoft Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that's been updated for BCBS at C++ Developer Guidance for Speculative Execution Side Channels.

I've heard that L1 Terminal Fault (L1TF) was disclosed. Where can I find more information about it and Windows support for it?

On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, could lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities, depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.

For more information about this vulnerability and a detailed view of affected scenarios, including Microsoft's approach to mitigating L1TF, see the following resources:

How do I disable Hyper-Threading for L1TF on my device?

Where can I get ARM64 firmware that mitigates CVE-2017-5715 - Branch target injection (Spectre Variant 2)?

Where can I find information about Intel’s disclosure around Microarchitectural Data Sampling ( CVE-2018-11091 , CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130 )

Where can I find the scenario-based guidance to determine actions necessary to mitigate Microarchitectural Data Sampling vulnerabilities?

How do I disable Hyper-Threading for MDS on my device?

Windows has released updates for x64-bit operating systems. When will you release mitigations for 32b-bit?

Where can I find guidance for Azure?

Where can I learn more about Retpoline enablement on Windows 10, version 1809?

References

Third-party information disclaimer

Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Summary

Recommended actions

Mitigation Settings for Windows Server

Registry settings

Manage mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

Manage the mitigation for CVE-2017-5715 (Spectre Variant 2)

AMD processors only: Enable the full mitigation for CVE-2017-5715 (Spectre Variant 2)

Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown)

AMD processors only: Enable the full mitigation for CVE-2017-5715 (Spectre Variant 2) and CVE 2018-3639 (Speculative Store Bypass)

Verifying that protections are enabled

Frequently asked questions

Operating System version

Security Update

References

This site in other countries/regions