Stop error code if Retpoline-optimized driver is installed on Device Guard or Hyper-V Code Integrity-enabled computer

S’applique à : Windows 10, version 1803Windows 10, version 1709Windows 10, version 1703

Symptom


Consider the following scenario:

  • You are using a Windows-based computer that does not have the September 2018 Windows cumulative update (CU) or a later Windows CU installed.

    • Windows 10, version 1803
    • Windows 10, version 1709
    • Windows 10, version 1703
    • Windows 10, version 1607
    • Windows Server 2016 Version 1803
    • Windows Server 2016 Version 1709
    • Windows Server 2016
  • Device Guard, also known as Virtualization Based Security or Hyper-V Code Integrity, is enabled on the computer.

  • You try to install or update a SERVICE_BOOT_START kernel driver, such as a driver for the storage controller, anti-virus or file system filter driver, to support Retpoline (also known as return trampoline).

In this scenario, the computer crashes and generates a Stop error code. After the crash, the computer may not start up or recover.

Resolution


This issue is fixed in the September 2018 Windows 10 cumulative update and in later Windows 10 cumulative updates. 

Note This issue is not mentioned in the article for the update.

If the computer cannot start, use the Windows Recovery Environment (WinRE) functionality or the Windows Preinstallation Environment (Windows PE) functionality for recovery.

September 2018 update status


You can use the following method in the registry to check whether the September 2018 update is installed.

The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion subkey contains information about the installed Windows version and its Windows update state.

The CurrentBuildNumber value contains the Windows build number that indicates the Windows release version.

The UBR (UpdateBuildRevision) value reflects the update level of each Windows version.

Note Windows updates are always cumulative. That is, later updates include previous updates. Therefore, you have to check only the current version number. Update versions are specific to each Windows release. 

The following table contains build number and UBR values (combined) for each Windows version that corresponds to the September 2018 update. For example, in Windows 10, version 1803, if the UBR value in the registry is greater than 320, the September 2018 update is installed.

Windows version Build number and UBR Earliest CU requirement
Windows 10, version 1607 and Windows Server 2016 14393.2515 KB 4457127
Windows 10, version 1703 15063.1358 KB 4457141
Windows 10, version 1709 and Windows Server, version 1709 16299.699 KB 4457136
Windows 10 version 1803 and Windows Server, version 1803 17134.320 KB 4458469

More information


Microsoft is working together with the Independent Software Vendors (ISVs) and Independent Hardware Vendors (IHVs) to determine how to recompile their drivers to achieve performance gains for kernel drivers that are affected by Spectre mitigations.

For more information about Spectre and Retpoline in relation to Windows, see the following articles:

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

Protect your Windows devices against Spectre and Meltdown


Mitigating Spectre variant 2 with Retpoline on Windows