Note: This article will be updated as additional information becomes available. Please check back here regularly for updates and new FAQs.

Vulnerabilities

On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling (MDS). These vulnerabilities are tracked as CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091 (see ADV190013).

Important: These issues also affect other operating systems such as Android, Chrome OS, iOS, and macOS. We advise you to seek guidance from the respective vendors.

We have released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services. We strongly recommend deploying these updates.

For more information about this issue, see security advisory ADV190013 and use its scenario-based guidance to determine the actions necessary to mitigate the threat.

Note: We recommend that you install all the latest updates from Windows Update before you install any microcode updates.

On August 6, 2019, Intel released details about a Windows kernel information disclosure vulnerability. This vulnerability is a variant of the Spectre Variant 1 speculative execution side-channel vulnerability and has been assigned CVE-2019-1125.

On July 9, 2019 we released security updates for the Windows operating system to help mitigate this issue. Please note that we held back documenting this mitigation publicly until the coordinated industry disclosure on Tuesday, August 6, 2019.

Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. There is no further configuration necessary.

Note: This vulnerability does not require a microcode update from your device manufacturer (OEM).

For more information about this vulnerability and applicable updates, see the Microsoft Security Update Guide:

On November 12, 2019, Intel published a technical advisory around Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability that is assigned CVE-2019-11135. We have released updates to help mitigate this vulnerability. By default, the OS protections are enabled for Windows Client OS editions.

On June 14, 2022, we published ADV220002 | Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities. These vulnerabilities are assigned CVE-2022-21123, CVE-2022-21125, CVE-2022-21127 and CVE-2022-21166.

Recommended actions

You should take the following actions to help protect against these vulnerabilities:

  1. Apply all available Windows operating system updates, including the monthly Windows security updates.

  2. Apply the applicable firmware (microcode) update that is provided by the device manufacturer.

  3. Evaluate the risk to your environment based on the information that is provided in Microsoft Security Advisories ADV180002, ADV180012, ADV190013, and ADV220002, in addition to the information provided in this article.

  4. Take action as required by using the advisories and registry key information that are provided in this article.

Note: Surface customers will receive a microcode update through Windows Update. For a list of the latest available Surface device firmware (microcode) updates, see KB4073065.

Mitigation settings for Windows clients

Security advisories ADV180002, ADV180012, ADV190013, and ADV220002 describe the risk posed by these vulnerabilities and help you identify the default state of the mitigations on Windows client systems. The following table summarizes whether each CVE requires CPU microcode and the default status of its mitigation on Windows clients.

CVE | Requires CPU microcode/firmware? | Mitigation default status

CVE-2017-5753 | No | Enabled by default (no option to disable). See ADV180002 for additional information.

CVE-2017-5715 | Yes | Enabled by default. Users of systems based on AMD processors should see FAQ #15, and users of ARM processors FAQ #20, in ADV180002 for additional actions, and this KB article for applicable registry key settings. Note: Retpoline is enabled by default on devices running Windows 10, version 1809 or later when the Spectre Variant 2 (CVE-2017-5715) mitigation is enabled; for details, see the blog post "Mitigating Spectre variant 2 with Retpoline on Windows".

CVE-2017-5754 | No | Enabled by default. See ADV180002 for additional information.

CVE-2018-3639 | Intel: Yes. AMD: No. ARM: Yes. | Intel and AMD: Disabled by default; see ADV180012 for more information and this KB article for applicable registry key settings. ARM: Enabled by default, no option to disable.

CVE-2019-11091 | Intel: Yes | Enabled by default. See ADV190013 for more information and this article for applicable registry key settings.

CVE-2018-12126 | Intel: Yes | Enabled by default. See ADV190013 for more information and this article for applicable registry key settings.

CVE-2018-12127 | Intel: Yes | Enabled by default. See ADV190013 for more information and this article for applicable registry key settings.

CVE-2018-12130 | Intel: Yes | Enabled by default. See ADV190013 for more information and this article for applicable registry key settings.

CVE-2019-11135 | Intel: Yes | Enabled by default. See CVE-2019-11135 for more information and this article for applicable registry key settings.

CVE-2022-21123 (part of MMIO ADV220002) | Intel: Yes | Windows Server 2019 and Windows Server 2022: Enabled by default. Windows Server 2016 and earlier: Disabled by default. See CVE-2022-21123 for more information and this article for applicable registry key settings.

CVE-2022-21125 (part of MMIO ADV220002) | Intel: Yes | Windows Server 2019 and Windows Server 2022: Enabled by default. Windows Server 2016 and earlier: Disabled by default. See CVE-2022-21125 for more information.

CVE-2022-21127 (part of MMIO ADV220002) | Intel: Yes | Windows Server 2019 and Windows Server 2022: Enabled by default. Windows Server 2016 and earlier: Disabled by default. See CVE-2022-21127 for more information.

CVE-2022-21166 (part of MMIO ADV220002) | Intel: Yes | Windows Server 2019 and Windows Server 2022: Enabled by default. Windows Server 2016 and earlier: Disabled by default. See CVE-2022-21166 for more information.

CVE-2022-23825 (AMD CPU Branch Type Confusion) | AMD: No | See CVE-2022-23825 for more information and this article for applicable registry key settings.

CVE-2022-23816 (AMD CPU Branch Type Confusion) | AMD: No | See CVE-2022-23816 for more information and this article for applicable registry key settings.

Note: By default, enabling mitigations that are off may affect device performance. The actual performance effect depends on multiple factors, such as the specific chipset in the device and the workloads that are running.

Registry settings

We provide the following registry information to enable mitigations that are not enabled by default, as documented in Security Advisories ADV180002 and ADV180012. Additionally, we provide registry key settings for users who want to disable the mitigations that are related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

Important: By default, Retpoline is enabled on devices running Windows 10, version 1809 or later when the Spectre Variant 2 (CVE-2017-5715) mitigation is enabled. Retpoline can improve the performance of the Spectre Variant 2 mitigation, particularly on older processors.

To enable default mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the device for the changes to take effect.

To disable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the device for the changes to take effect.

Note: A value of 3 is accurate for FeatureSettingsOverrideMask for both the "enable" and "disable" settings. (See the "FAQ" section for more details about registry keys.)

To disable mitigations for CVE-2017-5715 (Spectre Variant 2) only:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the device for the changes to take effect.

To re-enable the default mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) after they have been disabled:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the device for the changes to take effect.

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD and ARM CPUs. You must enable the mitigation to receive additional protections for CVE-2017-5715. For more information, see FAQ #15 in ADV180002 for AMD processors and FAQ #20 in ADV180002 for ARM processors.

Enable user-to-kernel protection on AMD and ARM processors together with the other protections for CVE-2017-5715:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the device for the changes to take effect.

To enable mitigations for CVE-2018-3639 (Speculative Store Bypass), default mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the device for the changes to take effect.

Note: AMD processors are not vulnerable to CVE-2017-5754 (Meltdown). This registry key is used in systems with AMD processors to enable default mitigations for CVE-2017-5715 on AMD processors and the mitigation for CVE-2018-3639.

To disable mitigations for CVE-2018-3639 (Speculative Store Bypass) *and* mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the device for the changes to take effect.

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD processors. Customers must enable the mitigation to receive additional protections for CVE-2017-5715.  For more information, see FAQ #15 in ADV180002.

Enable user-to-kernel protection on AMD processors together with the other protections for CVE-2017-5715 and the protection for CVE-2018-3639 (Speculative Store Bypass):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the device for the changes to take effect.

To enable mitigations for the Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091), together with the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) mitigations, Speculative Store Bypass Disable (SSBD, CVE-2018-3639) and L1 Terminal Fault (L1TF: CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646), without disabling Hyper-Threading:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the device for the changes to take effect.

To enable mitigations for the Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091), together with the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) mitigations, Speculative Store Bypass Disable (SSBD, CVE-2018-3639) and L1 Terminal Fault (L1TF: CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646), with Hyper-Threading disabled:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the device for the changes to take effect.

To disable mitigations for the Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091), together with the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) mitigations, Speculative Store Bypass Disable (SSBD, CVE-2018-3639) and L1 Terminal Fault (L1TF: CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the device for the changes to take effect.

Enable user-to-kernel protection on AMD processors:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 16777280 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the device for the changes to take effect.

To be fully protected, customers might also need to disable Hyper-Threading (also known as Simultaneous Multithreading, SMT). See KB4073757 for guidance on protecting Windows devices.
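Every reg add pair above writes one of a fixed set of FeatureSettingsOverride values with FeatureSettingsOverrideMask set to 3. The following PowerShell is an added example, not part of the original article: it reads the current pair and names it by the values documented above, backs up the key with reg export before changing anything (as the Important note recommends), writes the chosen pair, and on a Hyper-V host also sets MinVmVersionForCpuBasedMitigations. The value descriptions are taken from the headings above; the function names, the backup path and detecting Hyper-V through the vmms service are assumptions of this example.

```powershell
# Added example, not from the original KB article. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Virt    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# FeatureSettingsOverride values exactly as listed in the "Registry settings" section;
# FeatureSettingsOverrideMask is 3 for every one of them.
$Profiles = @{
    0        = 'Default mitigations for Spectre Variant 2 and Meltdown enabled'
    1        = 'Spectre Variant 2 (CVE-2017-5715) mitigation disabled'
    3        = 'Spectre Variant 2 and Meltdown mitigations disabled (also turns off the SSBD, MDS, TAA and L1TF mitigations)'
    8        = 'SSBD (CVE-2018-3639) enabled plus the default Spectre Variant 2 / Meltdown mitigations'
    64       = 'User-to-kernel protection for CVE-2017-5715 on AMD and ARM processors'
    72       = 'AMD user-to-kernel protection plus SSBD; also the MDS/TAA/L1TF setting with Hyper-Threading left on'
    8264     = 'MDS/TAA/L1TF mitigations with Hyper-Threading disabled'
    16777280 = 'User-to-kernel protection on AMD processors (last setting in the section above)'
}

function Get-MitigationOverride {
    # Report the current override pair. A missing value means the OS defaults apply.
    $p = Get-ItemProperty -Path $MemMgmt -ErrorAction Stop
    $override = $p.FeatureSettingsOverride
    $mask     = $p.FeatureSettingsOverrideMask
    if ($null -eq $override)                       { $desc = 'Not set; OS defaults apply' }
    elseif ($Profiles.ContainsKey([int]$override)) { $desc = $Profiles[[int]$override] }
    else                                           { $desc = 'Not one of the value pairs documented in this article' }
    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        Meaning                     = $desc
    }
}

function Set-MitigationOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 3, 8, 64, 72, 8264, 16777280)]
        [int]$Value,
        # Assumed backup location; any writable path works.
        [string]$BackupPath = "$env:TEMP\MemoryManagement-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
    )
    if (-not $PSCmdlet.ShouldProcess($MemMgmt, "Set FeatureSettingsOverride=$Value, FeatureSettingsOverrideMask=3")) {
        return
    }
    # 1. Back up the key before touching it, as the article's Important note recommends.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (reg.exe exit code $LASTEXITCODE); nothing was changed." }

    # 2. Write the pair; the mask is 3 for every setting documented above.
    Set-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -Value $Value -Type DWord
    Set-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -Value 3      -Type DWord

    # 3. On a Hyper-V host the article also requires MinVmVersionForCpuBasedMitigations.
    #    Detecting Hyper-V through the vmms service is an assumption of this example.
    if (Get-Service -Name vmms -ErrorAction SilentlyContinue) {
        if (-not (Test-Path $Virt)) { New-Item -Path $Virt -Force | Out-Null }
        Set-ItemProperty -Path $Virt -Name MinVmVersionForCpuBasedMitigations -Value '1.0' -Type String
        Write-Warning 'Hyper-V host: fully shut down all VMs before restarting so the firmware mitigation applies to them as well.'
    }
    Write-Host "Backup written to $BackupPath. Restart the device for the change to take effect."
}

# Usage: show the current state, preview a change, then apply it.
Get-MitigationOverride
Set-MitigationOverride -Value 8 -WhatIf   # preview only
# Set-MitigationOverride -Value 8         # apply, then restart
```

The ValidateSet limits the function to the value pairs this article documents, so a typo cannot write an undocumented bit pattern; if you need a combination that is not listed here, add it to $Profiles and the ValidateSet deliberately rather than bypassing the check. Because a backup is taken first, restoring the previous state is a single `reg import` of the exported file followed by a restart.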

Verify protections are enabled

To help verify that protections are enabled, we have published a PowerShell script that you can run on your devices. Install and run the script by using one of the following methods.

Install the PowerShell Module:

PS> Install-Module SpeculationControl

Run the PowerShell module to verify that protections are enabled:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> Import-Module SpeculationControl

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

Install the PowerShell module from the TechNet Script Center:

Go to https://aka.ms/SpeculationControlPS

Download SpeculationControl.zip to a local folder.

Extract the contents to a local folder, for example C:\ADV180002

Run the PowerShell module to verify that protections are enabled:

Start PowerShell, then (by using the previous example) copy and run the following commands:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> CD C:\ADV180002\SpeculationControl

PS> Import-Module .\SpeculationControl.psd1

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

For a detailed explanation of the output of the PowerShell script, please see KB4074629.
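Get-SpeculationControlSettings reports one device at a time. The PowerShell below is an added example, not part of the original article: it runs the module across a list of hosts through PowerShell remoting and reduces the output to one line per mitigation per host, separating "OS support missing" (install updates) from "microcode missing" (apply OEM firmware) and "present but disabled" (a FeatureSettingsOverride setting from the section above). It assumes the SpeculationControl module is installed on each target, that WinRM is enabled, that Get-SpeculationControlSettings accepts -Quiet, and that the output property names used here match those KB4074629 describes for the module version you deploy; the host list is constructed.

```powershell
# Added example, not from the original KB article.
# Constructed host list; replace with your inventory. Targets need WinRM and the
# SpeculationControl module (Install-Module SpeculationControl) already installed.
$Computers = @('localhost')

# Output property names of Get-SpeculationControlSettings (explained in KB4074629).
# 'Required' is the hardware-vulnerable flag; 'Hardware' is the microcode/firmware
# support flag. Verify the names against the module version you deploy.
$Checks = @(
    @{ Name = 'Spectre Variant 2 (BTI)'; Present = 'BTIWindowsSupportPresent';       Enabled = 'BTIWindowsSupportEnabled';            Hardware = 'BTIHardwarePresent' }
    @{ Name = 'Meltdown (KVA shadow)';   Present = 'KVAShadowWindowsSupportPresent'; Enabled = 'KVAShadowWindowsSupportEnabled';      Required = 'KVAShadowRequired' }
    @{ Name = 'SSBD';                    Present = 'SSBDWindowsSupportPresent';      Enabled = 'SSBDWindowsSupportEnabledSystemWide'; Required = 'SSBDHardwareVulnerable'; Hardware = 'SSBDHardwarePresent' }
    @{ Name = 'L1TF';                    Present = 'L1TFWindowsSupportPresent';      Enabled = 'L1TFWindowsSupportEnabled';           Required = 'L1TFHardwareVulnerable' }
    @{ Name = 'MDS';                     Present = 'MDSWindowsSupportPresent';       Enabled = 'MDSWindowsSupportEnabledSystemWide';  Required = 'MDSHardwareVulnerable' }
)

# Query every host; unreachable hosts are reported, not fatal.
$Results = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ErrorVariable RemoteErrors -ScriptBlock {
    Import-Module SpeculationControl -ErrorAction Stop
    Get-SpeculationControlSettings -Quiet
}
foreach ($e in $RemoteErrors) { Write-Warning "Query failed: $($e.Exception.Message)" }

function Get-MitigationStatus {
    param($Settings, $Check)
    # A property the module does not emit (older version, other CPU vendor) reads as $null.
    $required = if ($Check.Required) { $Settings.($Check.Required) } else { $true }
    if ($required -eq $false)                                  { return 'Not required (hardware not vulnerable)' }
    if (-not $Settings.($Check.Present))                       { return 'MISSING: OS support absent; install the latest Windows updates' }
    if ($Check.Hardware -and -not $Settings.($Check.Hardware)) { return 'BLOCKED: microcode/firmware support absent; apply the OEM firmware update' }
    if (-not $Settings.($Check.Enabled))                       { return 'DISABLED: OS support present but not enabled; check FeatureSettingsOverride' }
    return 'Enabled'
}

$Report = foreach ($r in $Results) {
    foreach ($c in $Checks) {
        [pscustomobject]@{
            Computer   = $r.PSComputerName
            Mitigation = $c.Name
            Status     = Get-MitigationStatus -Settings $r -Check $c
        }
    }
}

$Report | Format-Table -AutoSize
# Only the gaps go to the CSV handed to whoever owns patching and firmware.
$Report | Where-Object { $_.Status -match '^(MISSING|BLOCKED|DISABLED)' } |
    Export-Csv -NoTypeInformation -Path .\speculation-control-gaps.csv
```

To check only the local device without remoting, replace the Invoke-Command call with `Import-Module SpeculationControl; Get-SpeculationControlSettings -Quiet`. If the execution policy blocks the module, `Set-ExecutionPolicy RemoteSigned -Scope Process` changes it for the current process only, which avoids having to save and restore the CurrentUser policy as the command sequences above do.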

Frequently asked questions

The microcode is delivered through a firmware update. Check with your CPU (chipset) and device manufacturers for the availability of applicable firmware security updates for their specific devices, including Intel's Microcode Revision Guidance.

Addressing a hardware vulnerability through a software update presents significant challenges. Also, mitigations for older operating systems require extensive architectural changes. We are working with affected chip manufacturers to determine the best way to provide mitigations, which may be delivered in future updates.

Updates for Microsoft Surface devices will be delivered to customers through Windows Update together with the updates for the Windows operating system. For a list of available Surface device firmware (microcode) updates, see KB4073065.

If your device is not from Microsoft, apply firmware from the device manufacturer. For more information, contact the OEM device manufacturer.

In February and March 2018, Microsoft released added protection for some x86-based systems. For more information see KB4073757 and the Microsoft Security Advisory ADV180002.

Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.

After applying the February 2018 Windows Security Update, HoloLens customers do not have to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.

No. Security Only updates are not cumulative. Depending on the operating system version you are running, you must install every monthly Security Only update to be protected against these vulnerabilities. For example, if you are running Windows 7 for 32-bit Systems on an affected Intel CPU, you must install all of the Security Only updates. We recommend installing these Security Only updates in the order of release.

Note An earlier version of this FAQ incorrectly stated that the February Security Only update included the security fixes released in January. In fact, it does not.

No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations.

Intel recently announced they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.

This issue was resolved in KB4093118.

AMD recently announced they have started to release microcode for newer CPU platforms around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). For more information refer to the AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control. These are available from the OEM firmware channel.

We are making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB4100347.

For details, see the “Recommended actions” and “FAQ” sections in  ADV180012 | Microsoft Guidance for Speculative Store Bypass.

To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script was updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode if applicable. For more information and to obtain the PowerShell script, see KB4074629.

On June 13, 2018, an additional speculative execution side-channel vulnerability, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. No configuration (registry) settings are necessary for Lazy FP State Restore.

For more information about this vulnerability and for recommended actions, refer to security advisory ADV180016 | Microsoft Guidance for Lazy FP State Restore.


Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018 and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We continue to encourage researchers to submit any relevant findings to Microsoft’s Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that was updated for BCBS at https://aka.ms/sescdevguide.

On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. An attacker could trigger the vulnerabilities through multiple vectors, depending on the configured environment. L1TF affects Intel Core and Intel Xeon processors.

For more information about this vulnerability and a detailed view of affected scenarios, including Microsoft's approach to mitigating L1TF,  see the following resources:

Customers using 64-bit ARM processors should check with the device OEM for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 | Branch target injection (Spectre, Variant 2) require the latest firmware update from device OEMs to take effect.

For Azure guidance, please refer to this article: Guidance for mitigating speculative execution side-channel vulnerabilities in Azure.  

For more information about Retpoline enablement, refer to our blog post: Mitigating Spectre variant 2 with Retpoline on Windows

For details about this vulnerability, see the Microsoft Security Guide: CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability.

We’re not aware of any instance of this information disclosure vulnerability affecting our cloud service infrastructure.

As soon as we became aware of this issue, we worked quickly to address it and release an update. We strongly believe in close partnerships with both researchers and industry partners to make customers more secure, and did not publish details until Tuesday, August 6, consistent with coordinated vulnerability disclosure practices.

References

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.
