KB4074629: Understanding SpeculationControl PowerShell script output

Method 1: PowerShell verification by using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)

Install the PowerShell module

PS> Install-Module SpeculationControl

Run the SpeculationControl PowerShell module to verify that protections are enabled

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> Import-Module SpeculationControl

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

Method 2: PowerShell verification by using a download from TechNet (earlier OS versions/earlier WMF versions)

Install the PowerShell module from TechNet ScriptCenter

1. Go to https://aka.ms/SpeculationControlPS.

2. Download SpeculationControl.zip to a local folder.

3. Extract the contents to a local folder, for example C:\ADV180002

Run the PowerShell module to verify that protections are enabled

Start PowerShell, and then (using the example above) copy and run the following commands:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> CD C:\ADV180002\SpeculationControl

PS> Import-Module .\SpeculationControl.psd1

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

Output

Explanation

Speculation control settings for CVE-2017-5715 [branch target injection]

This section provides system status for variant 2, CVE-2017-5715, branch target injection.

Hardware support for branch target injection mitigation is present

Maps to BTIHardwarePresent. This line tells you whether hardware features are present to support the branch target injection mitigation. The device OEM is responsible for providing the updated BIOS/firmware that contains the microcode provided by CPU manufacturers. If this line is True, the required hardware features are present. If the line is False, the required hardware features are not present. Therefore, the branch target injection mitigation cannot be enabled.

Note BTIHardwarePresent will be True in guest VMs if the OEM update is applied to the host and guidance is followed.

Windows OS support for branch target injection mitigation is present

Maps to BTIWindowsSupportPresent. This line tells you whether Windows operating system support is present for the branch target injection mitigation. If it is True, the operating system supports enabling the branch target injection mitigation (and therefore has installed the January 2018 update). If it is False, the January 2018 update is not installed on the device, and the branch target injection mitigation cannot be enabled.

Note If a guest VM cannot detect the host hardware update, BTIWindowsSupportEnabled will always be False.

Windows OS support for branch target injection mitigation is enabled

Maps to BTIWindowsSupportEnabled. This line tells you whether Windows operating system support is enabled for the branch target injection mitigation. If it is True, hardware support and OS support for the branch target injection mitigation is enabled for the device, thus protecting against CVE-2017-5715. If it is False, one of the following conditions is true:

• Hardware support is not present.

• OS support is not present.

• The mitigation is disabled by system policy.

Windows OS support for branch target injection mitigation is disabled by system policy

Maps to BTIDisabledBySystemPolicy. This line tells you if the branch target injection mitigation is disabled by system policy (such as an administrator-defined policy). System policy refers to the registry controls as documented in KB4072698. If it is True, the system policy is responsible for disabling the mitigation. If it is False, the mitigation is disabled by a different cause.

Windows OS support for branch target injection mitigation is disabled by absence of hardware support

Maps to BTIDisabledByNoHardwareSupport. This line tells you whether the branch target injection mitigation is disabled due to the absence of hardware support. If it is True, the absence of hardware support is responsible for disabling the mitigation. If it is False, the mitigation is disabled by a different cause.

Note If a guest VM cannot detect the host hardware update, BTIDisabledByNoHardwareSupport will always be True.

Speculation control settings for CVE-2017-5754 [rogue data cache load]

This section provides summary system status for variant 3, CVE-2017-5754, rogue data cache load. The mitigation for this is known as kernel Virtual Address (VA) shadow or the rogue data cache load mitigation.

Hardware is vulnerable to rogue data cache load

Maps to RdclHardwareProtected. This line tells you whether the hardware is vulnerable to CVE-2017-5754. If it is True, the hardware is believed to be vulnerable to CVE-2017-5754. If it is False, the hardware is known not to be vulnerable to CVE-2017-5754.

Windows OS support for rogue data cache load mitigation is present

Maps to KVAShadowWindowsSupportPresent. This line tells you whether Windows operating system support for the kernel VA shadow feature is present.

Windows OS support for rogue data cache load mitigation is enabled

Maps to KVAShadowWindowsSupportEnabled. This line tells you whether the kernel VA shadow feature is enabled. If it is True, the hardware is believed to be vulnerable to CVE-2017-5754, Windows operating system support is present, and the feature is enabled.

Hardware requires kernel VA shadowing

Maps to KVAShadowRequired. This line tells you whether your system requires kernel VA shadowing to mitigate a vulnerability.

Windows OS support for kernel VA shadow is present

Maps to KVAShadowWindowsSupportPresent. This line tells you whether Windows operating system support for the kernel VA shadow feature is present. If it is True, the January 2018 update is installed on the device, and kernel VA shadow is supported. If it is False, the January 2018 update is not installed, and kernel VA shadow support does not exist.

Windows OS support for kernel VA shadow is enabled

Maps to KVAShadowWindowsSupportEnabled. This line tells you whether the kernel VA shadow feature is enabled. If it is True, Windows operating system support is present, and the feature is enabled. The Kernel VA shadow feature is currently enabled by default on client versions of Windows and is disabled by default on versions of Windows Server. If it is False, either Windows operating system support is not present, or the feature is not enabled.

Windows OS support for PCID performance optimization is enabled

Note PCID is not required for security. It only indicates if a performance improvement is enabled. PCID is not supported with Windows Server 2008 R2

Maps to KVAShadowPcidEnabled. This line tells you whether an additional performance optimization is enabled for kernel VA shadow. If it is True, kernel VA shadow is enabled, hardware support for PCID is present, and PCID optimization for kernel VA shadow is enabled. If it is False, either the hardware or the OS may not support PCID. It is not a security weakness for the PCID optimization not to be enabled.

Windows OS support for Speculative Store Bypass Disable is present

Maps to SSBDWindowsSupportPresent. This line tells you whether Windows operating system support for Speculative Store Bypass Disable is present. If it is True, the January 2018 update is installed on the device, and kernel VA shadow is supported. If it is False, the January 2018 update is not installed, and kernel VA shadow support does not exist.

Hardware requires Speculative Store Bypass Disable

Maps to SSBDHardwareVulnerablePresent. This line tells you whether the hardware is vulnerable to CVE-2018-3639. If it is True, the hardware is believed to be vulnerable to CVE-2018-3639. If it is False, the hardware is known not to be vulnerable to CVE-2018-3639.

Hardware support for Speculative Store Bypass Disable is present

Maps to SSBDHardwarePresent. This line tells you whether hardware features are present to support Speculative Store Bypass Disable. The device OEM is responsible for providing the updated BIOS/firmware that contains the microcode provided by Intel. If this line is True, the required hardware features are present. If the line is False, the required hardware features are not present. Therefore, Speculative Store Bypass Disable cannot be turned on.

Note SSBDHardwarePresent will be True in guest VMs if the OEM update is applied to the host.

Windows OS support for Speculative Store Bypass Disable is turned on

Maps to SSBDWindowsSupportEnabledSystemWide. This line tells you whether Speculative Store Bypass Disable is turned on in the Windows operating system. If it is True, hardware support and OS support for Speculative Store Bypass Disable is on for the device preventing a Speculative Store Bypass from occurring, thus eliminating the security risk completely. If it is False, one of the following conditions is true:

• Hardware support is not present.

• OS support is not present.

• Speculative Store Bypass Disable is not enabled through registry keys. See the following articles for instructions about how to enable them:

  • KB4073119: Windows client guidance for IT Pros to protect against silicon-based microarchitectural and speculative execution side-channel vulnerabilities

  • KB4072698: Windows Server and Azure Stack HCI guidance to protect against silicon-based microarchitectural and speculative execution side-channel vulnerabilities

Speculation control settings for CVE-2018-3620 [L1 terminal fault]

This section provides summary system status for L1TF (operating system) referred to by CVE-2018-3620. This mitigation ensures that safe page frame bits are used for not present or invalid page table entries.

Note This section does not provide a summary of the mitigation status for L1TF (VMM) referred to by CVE-2018-3646.

Hardware is vulnerable to L1 terminal fault: True

Maps to L1TFHardwareVulnerable. This line tells you whether the hardware is vulnerable to L1 Terminal Fault (L1TF, CVE-2018-3620). If it is True, the hardware is believed to be vulnerable to CVE-2018-3620. If it is False, the hardware is known not to be vulnerable to CVE-2018-3620.

Windows OS support for L1 terminal fault mitigation is present: True

Maps to L1TFWindowsSupportPresent. This line tells you whether Windows operating system support for the L1 Terminal Fault (L1TF) operating system mitigation is present. If it is True, the August 2018 update is installed on the device, and the mitigation for CVE-2018-3620 is present. If it is False, the August 2018 update is not installed, and the mitigation for CVE-2018-3620 is not present.

Windows OS support for L1 terminal fault mitigation is enabled: True

Maps to L1TFWindowsSupportEnabled. This line tells you whether the Windows operating system mitigation for L1 Terminal Fault (L1TF, CVE-2018-3620) is enabled. If it is True, the hardware is believed to be vulnerable to CVE-2018-3620, Windows operating system support for the mitigation is present, and the mitigation is enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation is not enabled.

Speculation control settings for MDS [Microarchitectural Data Sampling]

This section provides system status for the MDS set of vulnerabilities, CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and ADV220002.

Windows OS support for MDS mitigation is present

Maps to MDSWindowsSupportPresent. This line tells you whether the Windows operating system support for the Microarchitectural Data Sampling (MDS) operating system mitigation is present. If it is True, the May 2019 update is installed on the device, and the mitigation for MDS is present. If it is False, the May 2019 update is not installed, and the mitigation for MDS is not present.

Hardware is vulnerable to MDS

Maps to MDSHardwareVulnerable. This line tells you whether the hardware is vulnerable to Microarchitectural Data Sampling (MDS) set of vulnerabilities (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12139). If it is True, the hardware is believed to be affected by these vulnerabilities. If it is False, the hardware is known not to be vulnerable.

Windows OS support for MDS mitigation is enabled

Maps to MDSWindowsSupportEnabled. This line tells you whether the Windows operating system mitigation for Microarchitectural Data Sampling (MDS) is enabled. If it is True, the hardware is believed to be affected by the MDS vulnerabilities, the Windows operating system support for the mitigation is present, and the mitigation is enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation is not enabled.

Windows OS support for SBDR mitigation is present

Maps to FBClearWindowsSupportPresent. This line tells you whether the Windows operating system support for the SBDR operating system mitigation is present. If it is True, the June 2022 update is installed on the device, and the mitigation for SBDR is present. If it is False, the June 2022 update is not installed, and the mitigation for SBDR is not present.

Hardware is vulnerable to SBDR

Maps to SBDRSSDPHardwareVulnerable. This line tells you whether the hardware is vulnerable to SBDR [shared buffers data read] set of vulnerabilities (CVE-2022-21123). If it is True, the hardware is believed to be affected by these vulnerabilities. If it is False, the hardware is known not to be vulnerable.

Windows OS support for SBDR mitigation is enabled

Maps to FBClearWindowsSupportEnabled. This line tells you whether the Windows operating system mitigation for SBDR [shared buffers data read] is enabled. If it is True, the hardware is believed to be affected by the SBDR vulnerabilities, the windows operating support for the mitigation is present, and the mitigation is enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation is not enabled.

Windows OS support for FBSDP mitigation is present

Maps to FBClearWindowsSupportPresent. This line tells you whether the Windows operating system support for the FBSDP operating system mitigation is present. If it is True, the June 2022 update is installed on the device, and the mitigation for FBSDP is present. If it is False, the June 2022 update is not installed, and the mitigation for FBSDP is not present.

Hardware is vulnerable to FBSDP

Maps to FBSDPHardwareVulnerable. This line tells you whether the hardware is vulnerable to FBSDP [fill buffer stale data propagator] set of vulnerabilities (CVE-2022-21125, CVE-2022-21127, and CVE-2022-21166). If it is True, the hardware is believed to be affected by these vulnerabilities. If it is False, the hardware is known not to be vulnerable.

Windows OS support for FBSDP mitigation is enabled

Maps to FBClearWindowsSupportEnabled. This line tells you whether the Windows operating system mitigation for FBSDP [fill buffer stale data propagator] is enabled. If it is True, the hardware is believed to be affected by the FBSDP vulnerabilities, the Windows operating support for the mitigation is present, and the mitigation is enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation is not enabled.

Windows OS support for PSDP mitigation is present

Maps to FBClearWindowsSupportPresent. This line tells you whether the Windows operating system support for the PSDP operating system mitigation is present. If it is True, the June 2022 update is installed on the device, and the mitigation for PSDP is present. If it is False, the June 2022 update is not installed, and the mitigation for PSDP is not present.

Hardware is vulnerable to PSDP

Maps to PSDPHardwareVulnerable. This line tells you whether the hardware is vulnerable to PSDP [primary stale data propagator] set of vulnerabilities. If it is True, the hardware is believed to be affected by these vulnerabilities. If it is False, the hardware is known not to be vulnerable.

Windows OS support for PSDP mitigation is enabled

Maps to FBClearWindowsSupportEnabled. This line tells you whether the Windows operating system mitigation for PSDP [primary stale data propagator] is enabled. If it is True, the hardware is believed to be affected by the PSDP vulnerabilities, the windows operating support for the mitigation is present, and the mitigation is enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation is not enabled.

Registry key

Mapping

FeatureSettingsOverride – Bit 0

Maps to - Branch target injection - BTIWindowsSupportEnabled

FeatureSettingsOverride – Bit 1

Maps to - Rogue data cache load - VAShadowWindowsSupportEnabled