KB4073119: Windows client guidance for IT Pros to protect against silicon-based microarchitectural and speculative execution side-channel vulnerabilities

Si applica a
Windows Server 2012 Windows Server 2012 R2 Windows 10 Windows 10 Education, version 1607 Windows 10 Professional version 1607 Windows 10 Enterprise, version 1607 Windows 10 Enterprise version 1607 Windows 10 Enterprise, version 1809 Windows 10 Professional Education version 1607 Windows 10 Pro Education, version 1607 Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows 10 Home and Pro, version 21H2 Windows 10 Enterprise and Education, version 21H2 Windows 10 IoT Enterprise, version 21H2 Windows 10 Home and Pro, version 22H2 Windows 10 Enterprise Multi-Session, version 22H2 Windows 10 Enterprise and Education, version 22H2 Windows 10 IoT Enterprise, version 22H2 Windows 11 Home and Pro, version 21H2 Windows 11 Enterprise Multi-Session, version 21H2 Windows 11 Enterprise and Education, version 21H2 Windows 11 IoT Enterprise, version 21H2 Windows 11 Home and Pro, version 22H2 Windows 11 Enterprise Multi-Session, version 22H2 Windows 11 Enterprise and Education, version 22H2 Windows 11 IoT Enterprise, version 22H2 Azure Local, version 22H2 Windows 11 Home and Pro, version 23H2 Windows 11 Enterprise and Education, version 23H2 Windows 11 Enterprise Multi-Session, version 23H2 DO_NOT_USE_Windows 11 IoT Enterprise, version 23H2

Change log
Change date Change description
July 19, 2023
  • Corrected the MMIO information in the "Mitigation settings for Windows clients" section
August 8, 2023
  • Removed content about CVE-2022-23816 as the CVE number is unused
August 9, 2023
  • Added "Branch Type Confusion" under the "Vulnerabilities" section
  • Updated the "CVE-2022-23825 | AMD CPU Branch Type Confusion (BTC)" registry section
  • Added "CVE-2023-20569 | AMD CPU Return Address Predictor" to "Summary" section
  • Added the "CVE-2023-20569 | AMD CPU Return Address Predictor" registry section
April 9, 2024
  • Added CVE-2022-0001 | Intel Branch History Injection
April 16, 2024
  • Added the "Enabling multiple mitigations" section

Summary

This article provides guidance for a new class of silicon-based microarchitectural and speculative execution side-channel vulnerabilities that affect many modern processors and operating systems. This includes Intel, AMD, and ARM. Specific details for these silicon-based vulnerabilities can be found in the following ADVs (Security Advisories) and CVEs (Common Vulnerabilities and Exposures):

Important

This issue also affects other operating systems, such as Android, Chrome, iOS, and macOS. Therefore, we advise customers to seek guidance from those vendors.

We have released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.

We have not yet received any information to indicate that these vulnerabilities were used to attack customers. We are working closely with industry partners including chip makers, hardware OEMs, and application vendors to protect customers. To get all available protections, firmware (microcode) and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.

This article addresses the following vulnerabilities:

Windows Update will also provide Internet Explorer and Edge mitigations. We will continue to improve these mitigations against this class of vulnerabilities.

To learn more about this class of vulnerabilities, see the following:

Vulnerabilities

Microarchitectural Data Sampling vulnerability

On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling. These vulnerabilities are addressed in the following CVEs:

Important

These issues will affect other operating systems such as Android, Chrome, iOS, and MacOS. We advise you to seek guidance from these respective vendors.

We have released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services. We strongly recommend deploying these updates.

For more information about this issue, see the following Security Advisory and use scenario-based guidance to determine actions necessary to mitigate the threat:

Note

We recommend that you install all the latest updates from Windows Update before you install any microcode updates.

Spectre Variant 1 vulnerability

On August 6, 2019 Intel released details about a Windows kernel information disclosure vulnerability. This vulnerability is a variant of the Spectre Variant 1 speculative execution side-channel vulnerability and has been assigned CVE-2019-1125.

On July 9, 2019 we released security updates for the Windows operating system to help mitigate this issue. Please note that we held back documenting this mitigation publicly until the coordinated industry disclosure on Tuesday, August 6, 2019.

Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. There is no further configuration necessary.

Note

This vulnerability does not require a microcode update from your device manufacturer (OEM).

For more information about this vulnerability and applicable updates, see the Microsoft Security Update Guide:

Transaction Asynchronous Abort vulnerability

On November 12, 2019, Intel published a technical advisory around Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability that is assigned CVE-2019-11135. We have released updates to help mitigate this vulnerability. By default, the OS protections are enabled for Windows Client OS editions.

MMIO Stale Data Sampling vulnerability

On June 14 2022, we published ADV220002 | Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities. Thes vulnerabilities are assigned in the following CVEs:

Recommended actions

You should take the following actions to help protect against these vulnerabilities:

  1. Apply all available Windows operating system updates, including the monthly Windows security updates.
  2. Apply the applicable firmware (microcode) update that is provided by the device manufacturer.
  3. Evaluate the risk to your environment based on the information that is provided in Microsoft Security Advisories ADV180002, ADV180012, ADV190013, and ADV220002,  in addition to the information provided in this article.
  4. Take action as required by using the advisories and registry key information that are provided in this article.

Note

Surface customers will receive a microcode update through Windows update. For a list of the latest available Surface device firmware (microcode) updates, see KB4073065.

Branch Type Confusion

On July 12, 2022, we published CVE-2022-23825 | AMD CPU Branch Type Confusion which describes that aliases in the branch predictor may cause certain AMD processors to predict the wrong branch type. This issue might potentially lead to information disclosure.

To help protect against this vulnerability, we recommend installing Windows updates that are dated on or after July 2022 and then take action as required by CVE-2022-23825 and registry key information that is provided in this knowledge base article.

For more information, see the AMD-SB-1037 security bulletin.

Return Address Predictor

On August 8, 2023, we published CVE-2023-20569 | AMD CPU Return Address Predictor (also known as Inception) which describes a new speculative side channel attack that can result in speculative execution at an attacker-controlled address. This issue affects certain AMD processors and might potentially lead to information disclosure.

To help protect against this vulnerability, we recommend installing Windows updates that are dated on or after August 2023 and then take action as required by CVE-2023-20569 and registry key information that is provided in this knowledge base article.

For more information, see the AMD-SB-7005 security bulletin.

Branch History Injection

On April 9, 2024 we published CVE-2022-0001 | Intel Branch History Injection which describes Branch History Injection (BHI) which is a specific form of intra-mode BTI. This vulnerability occurs when an attacker may manipulate branch history before transitioning from user to supervisor mode (or from VMX non-root/guest to root mode). This manipulation could cause an indirect branch predictor to select a specific predictor entry for an indirect branch, and a disclosure gadget at the predicted target will transiently execute. This may be possible because the relevant branch history may contain branches taken in previous security contexts, and in particular, other predictor modes.

Mitigation settings for Windows clients

Security advisories (ADVs) and CVEs provide information about the risk posed by these vulnerabilities, and how they help you identify the default state of mitigations for Windows client systems. The following table summarizes the requirement of CPU microcode and the default status of the mitigations on Windows clients.

CVE Requires CPU microcode/firmware? Mitigation Default status
CVE-2017-5753 No Enabled by default (no option to disable)
Please refer to ADV180002 for additional information.
CVE-2017-5715 Yes Enabled by default. Users of systems based on AMD processors should see FAQ #15 and users of ARM processors should see FAQ #20 on ADV180002 for additional action and this KB article for applicable registry key settings.
Note By default, Retpoline is enabled for devices running Windows 10, version 1809 or newer if Spectre Variant 2 (CVE-2017-5715) is enabled. For more information, around Retpoline, follow the guidance in the Mitigating Spectre variant 2 with Retpoline on Windows blog post.
CVE-2017-5754 No Enabled by default
Please refer to ADV180002 for additional information.
CVE-2018-3639 Intel: Yes
AMD: No
ARM: Yes
Intel and AMD: Disabled by default. See ADV180012 for more information and this KB article for applicable registry key settings.
ARM: Enabled by default without option to disable.
CVE-2019-11091 Intel: Yes Enabled by default.
See ADV190013 for more information and this article for applicable registry key settings.
CVE-2018-12126 Intel: Yes Enabled by default.
See ADV190013 for more information and this article for applicable registry key settings.
CVE-2018-12127 Intel: Yes Enabled by default.
See ADV190013 for more information and this article for applicable registry key settings.
CVE-2018-12130 Intel: Yes Enabled by default.
See ADV190013 for more information and this article for applicable registry key settings.
CVE-2019-11135 Intel: Yes Enabled by default.
See CVE-2019-11135 for more information and this article for applicable registry key settings.
CVE-2022-21123 (part of MMIO ADV220002) Intel: Yes Windows 10, version 1809 and later: Enabled by default.
Windows 10, version 1607 and earlier: Disabled by default.
See CVE-2022-21123 for more information and this article for applicable registry key settings.
CVE-2022-21125 (part of MMIO ADV220002) Intel: Yes Windows 10, version 1809 and later: Enabled by default.
Windows 10, version 1607 and earlier: Disabled by default.
See CVE-2022-21125 for more information.
CVE-2022-21127 (part of MMIO ADV220002) Intel: Yes Windows 10, version 1809 and later: Enabled by default.
Windows 10, version 1607 and earlier: Disabled by default.
See CVE-2022-21127 for more information.
CVE-2022-21166 (part of MMIO ADV220002) Intel: Yes Windows 10, version 1809 and later: Enabled by default.
Windows 10, version 1607 and earlier: Disabled by default.
See CVE-2022-21166 for more information.
CVE-2022-23825 (AMD CPU Branch Type Confusion) AMD: No See CVE-2022-23825 for more information and this article for applicable registry key settings.
CVE-2023-20569
(AMD CPU Return Address Predictor)
AMD: Yes See CVE-2023-20569 for more information and this article for applicable registry key settings.
CVE-2022-0001 Intel: No Disabled by default.
See CVE-2022-0001 for more information and this article for applicable registry key settings.

Note

By default, enabling mitigations that are off may affect device performance. The actual performance effect depends on multiple factors, such as the specific chipset in the device and the workloads that are running.

Registry settings

We provide the following registry information to enable mitigations that are not enabled by default, as documented in Security Advisories (ADVs) and CVEs. Additionally, we provide registry key settings for users who want to disable the mitigations when applicable for Windows clients.

Important

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

Manage mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

Important

By default, Retpoline is enabled on Windows 10, version 1809 devices if Spectre, Variant 2 (CVE-2017-5715) is enabled. Enabling Retpoline on the latest version of Windows 10 may enhance performance on devices running Windows 10, version 1809 for Spectre variant 2, particularly on older processors.

To enable default mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the device for the changes to take effect.
To disable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the device for the changes to take effect.

Note

A value of 3 is accurate for FeatureSettingsOverrideMask for both the "enable" and "disable" settings. (See the "FAQ" section for more details about registry keys.)

Manage mitigation for CVE-2017-5715 (Spectre Variant 2)
**To disable mitigations for CVE-2017-5715 (Spectre Variant 2) ⁠:⁠
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the device for the changes to take effect.
To enable default mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the device for the changes to take effect.
AMD and ARM processors only: Enable full mitigation for CVE-2017-5715 (Spectre Variant 2)

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD and ARM CPUs. You must enable the mitigation to receive additional protections for CVE-2017-5715. For more information, see FAQ #15 in ADV180002 for AMD processors and FAQ #20 in ADV180002 for ARM processors.

Enable user-to-kernel protection on AMD and ARM processors together with other protections for CVE 2017-5715:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the device for the changes to take effect.
Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown)
To enable mitigations for CVE-2018-3639 (Speculative Store Bypass), default mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the device for the changes to take effect.
Note: AMD processors are not vulnerable to CVE-2017-5754 (Meltdown). This registry key is used in systems with AMD processors to enable default mitigations for CVE-2017-5715 on AMD processors and the mitigation for CVE-2018-3639.
To disable mitigations for CVE-2018-3639 (Speculative Store Bypass) *and* mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the device for the changes to take effect.
AMD processors only: Enable full mitigation for CVE-2017-5715 (Spectre Variant 2) and CVE 2018-3639 (Speculative Store Bypass)

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD processors. Customers must enable the mitigation to receive additional protections for CVE-2017-5715.  For more information, see FAQ #15 in ADV180002.

Enable user-to-kernel protection on AMD processors together with other protections for CVE 2017-5715 and protections for CVE-2018-3639 (Speculative Store Bypass):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the device for the changes to take effect.
Manage Transaction Asynchronous Abort vulnerability, Microarchitectural Data Sampling, Spectre, Meltdown, Speculative Store Bypass Disable (SSBD), and L1 Terminal Fault (L1TF)
To enable mitigations for Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling ( CVE-2019-11091 , CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130 ) along with Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) variants, including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) as well as L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646) without disabling Hyper-Threading:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
If the Hyper-V feature is installed, add the following registry setting:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.
Restart the device for the changes to take effect.
To enable mitigations for Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling ( CVE-2019-11091 , CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130 ) along with Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) variants, including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) as well as L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646) with Hyper-Threading disabled:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
If the Hyper-V feature is installed, add the following registry setting:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.
Restart the device for the changes to take effect.
To disable mitigations for Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling ( CVE-2019-11091 , CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130 ) along with Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) variants, including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) as well as L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the device for the changes to take effect.
CVE-2022-23825 \| AMD CPU Branch Type Confusion (BTC)

To enable the mitigation for CVE-2022-23825 on AMD processors⁠:⁠**

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 16777280 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

To be fully protected, customers might also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)). Please see KB4073757 for guidance on protecting Windows devices.

CVE-2023-20569 \| AMD CPU Return Address Predictor

To enable the mitigation for CVE-2023-20569 on AMD processors:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 67108928 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

CVE-2022-0001 \| Intel Branch History Injection

To enable the mitigation for CVE-2022-0001 on Intel processors:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x00800000 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x00000003 /f

Enabling multiple mitigations

To enable multiple mitigations, you must add the REG_DWORD value of each mitigation together.

For example:


Mitigation for Transaction Asynchronous Abort vulnerability, Microarchitectural Data Sampling, Spectre, Meltdown, MMIO, Speculative Store Bypass Disable (SSBD), and L1 Terminal Fault (L1TF) with Hyper-Threading disabled reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f
NOTE 8264 (in Decimal) = 0x2048 (in Hex)
To enable BHI along with other existing settings, you will need to use bitwise OR of current value with 8,388,608 (0x800000).
0x800000 OR 0x2048(8264 in decimal) and it will become 8,396,872 (0x802048). Same with FeatureSettingsOverrideMask.
Mitigation for CVE-2022-0001 on Intel processors reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x00800000 /f
Combined mitigation reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x00802048 /f

Verify protections are enabled

To help verify that protections are enabled, we have published a PowerShell script that you can run on your devices. Install and run the script by using one of the following methods.

Method 1: PowerShell verification by using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)
Install the PowerShell Module:
PS> Install-Module SpeculationControl
Run the PowerShell module to verify that protections are enabled:
PS> # Save the current execution policy so it can be reset
PS> $SaveExecutionPolicy = Get-ExecutionPolicy
PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser
PS> Import-Module SpeculationControl
PS> Get-SpeculationControlSettings
PS> # Reset the execution policy to the original state
PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser
Method 2: PowerShell Verification by using a download from Technet (earlier operating system versions and earlier WMF versions)
Install the PowerShell Module from Technet ScriptCenter:
Go to https:⁠//aka.ms/SpeculationControlPS
Download SpeculationControl.zip to a local folder.
Extract the contents to a local folder, for example C:\ADV180002
Run the PowerShell module to verify that protections are enabled:
Start PowerShell, then (by using the previous example) copy and run the following commands:
PS> # Save the current execution policy so it can be reset
PS> $SaveExecutionPolicy = Get-ExecutionPolicy
PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser
PS> CD C:\ADV180002\SpeculationControl
PS> Import-Module .\SpeculationControl.psd1
PS> Get-SpeculationControlSettings
PS> # Reset the execution policy to the original state
PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

For a detailed explanation of the output of the PowerShell script, please see KB4074629.

Frequently asked questions

How can I tell whether I have the correct version of the CPU microcode?

The microcode is delivered through a firmware update. You should check with your CPU (chipset) and device manufacturers on availability of applicable firmware security updates for their specific device, including Intels Microcode Revision Guidance.

My operating system is not listed. When can I expect a fix to be released?

Addressing a hardware vulnerability through a software update presents significant challenges. Also, mitigations for older operating systems require extensive architectural changes. We are working with affected chip manufacturers to determine the best way to provide mitigations, which may be delivered in future updates.

Where can I find Surface firmware or hardware updates?

Updates for Microsoft Surface devices will be delivered to customers through Windows Update together with the updates for the Windows operating system. For a list of available Surface device firmware (microcode) updates, see KB4073065.

If your device is not from Microsoft, apply firmware from the device manufacturer. For more information, contact the OEM device manufacturer.

I have an x86 architecture, but I don’t see an update offered. Will I get one?

In February and March 2018, Microsoft released added protection for some x86-based systems. For more information see KB4073757 and the Microsoft Security Advisory ADV180002.

Where can I find Microsoft HoloLens operating system and firmware (microcode) updates?

Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.

After applying the February 2018 Windows Security Update, HoloLens customers do not have to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.

I have not installed any of the 2018 Security Only updates. If I install the latest 2018 Security Only updates, am I protected from the vulnerabilities described?

No. Security Only updates are not cumulative. Depending on the operating system version you are running, you will have to install every monthly Security Only updates to be protected against these vulnerabilities. For example, if you are running Windows 7 for 32-bit Systems on an affected Intel CPU you must install all of the Security Only updates. We recommend installing these Security Only updates in the order of release.

Note An earlier version of this FAQ incorrectly stated that the February Security Only update included the security fixes released in January. In fact, it does not.

If I apply any of the applicable February security updates, will they disable the protections for CVE-2017-5715 in the same way that security update 4078130 did?

No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations.

I've heard Intel has released microcode updates. Where can I find them?

Intel recently announced they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.

Known Issue: Some users may experience network connectivity issues or lose IP address settings after installing the March 13, 2018 Security Update (KB4088875)

This issue was resolved in KB4093118.

I've heard AMD has released microcode updates. Where can I find and install these updates for my system?

AMD recently announced they have started to release microcode for newer CPU platforms around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). For more information refer to the AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control. These are available from the OEM firmware channel.

I'm running Windows 10 April 2018 Update (version 1803). Is there Intel microcode available for my device? Where can I find it?

We are making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection ). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB4100347.

Where can I find information about the new speculative execution side-channel vulnerabilities (Speculative Store Bypass - CVE-2018-3639 and Rogue System Register Read - CVE-2018-3640)?

For more information, see the following resources:

Where can I find more information about Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors

For details, see the “Recommended actions” and “FAQ” sections in  ADV180012 | Microsoft Guidance for Speculative Store Bypass.

How do I verify if SSBD is enabled or disabled?

To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script was updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode if applicable. For more information and to obtain the PowerShell script, see KB4074629.

I've heard that Lazy FP State Restore (CVE-2018-3665) was announced. Will Microsoft release mitigations for it?

On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. No configuration (registry) settings are necessary for Lazy Restore FP Restore.

For more information about this vulnerability and for recommended actions, refer to security advisory ADV180016 | Microsoft Guidance for Lazy FP State Restore.

Note

No configuration (registry) settings are necessary for Lazy Restore FP Restore.

I've heard that CVE-2018-3693 (Bounds Check Bypass Store) is related to Spectre. Will Microsoft release mitigations for it?

Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018 and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We continue to encourage researchers to submit any relevant findings to Microsoft’s Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that was updated for BCBS at https:⁠//aka.ms/sescdevguide.

I've heard that L1 Terminal Fault (L1TF) was disclosed. Where can I find more information about it and Windows support for it?

On August 14, 2018,  L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. An attacker could trigger the vulnerabilities through multiple vectors, depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.

For more information about this vulnerability and a detailed view of affected scenarios, including Microsoft's approach to mitigating L1TF,  see the following resources:

Where can I find and install ARM64 firmware that mitigate CVE-2017-5715 - Branch target injection (Spectre Variant 2)?

Customers using 64-bit ARM processors should check with the device OEM for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 | Branch target injection (Spectre, Variant 2) require the latest firmware update from device OEMs to take effect.

Where can I find information about Intel’s disclosure around Microarchitectural Data Sampling (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127?)

For more information, refer to the following security advisories

Where can I find information about Intel’s disclosure around Microarchitectural Data Sampling vulnerabilities ( CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130)?

For more information, refer to the following security advisories

Where can I find the scenario-based guidance to determine actions necessary to mitigate Microarchitectural Data Sampling vulnerabilities?

Further guidance can be found in Windows guidance to protect against speculative execution side-channel vulnerabilities

Do I need to disable Hyper-Threading for MDS on my device?

Please refer to the guidance in Windows guidance to protect against speculative execution side-channel vulnerabilities

Where can I find guidance for Azure?

For Azure guidance, please refer to this article: Guidance for mitigating speculative execution side-channel vulnerabilities in Azure.

Where can I learn more about Retpoline enablement on Windows 10, version 1809?

For more information about Retpoline enablement, refer to our blog post: Mitigating Spectre variant 2 with Retpoline on Windows.

I've heard there is a variant of the Spectre Variant 1 speculative execution side channel vulnerability. Where can I learn more?

For details about this vulnerability, see the Microsoft Security Guide: CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability.

Does CVE-2019-1125 \| Windows Kernel Information Disclosure Vulnerability affect Microsoft’s cloud services?

We’re not aware of any instance of this information disclosure vulnerability affecting our cloud service infrastructure.

If updates for CVE-2019-1125 \| Windows Kernel Information Disclosure Vulnerability were released on July 9, 2019, why were the details published on August 6, 2019?

As soon as we became aware of this issue, we worked quickly to address it and release an update. We strongly believe in close partnerships with both researchers and industry partners to make customers more secure, and did not publish details until Tuesday, August 6, consistent with coordinated vulnerability disclosure practices.

Where can I find the scenario-based guidance to determine actions necessary to mitigate Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135)?

Further guidance can be found in Windows guidance to protect against speculative execution side-channel vulnerabilities.

Do I need to disable Hyper-Threading for Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) on my device?

Further guidance can be found in Windows guidance to protect against speculative execution side-channel vulnerabilities.

Is there a way to disable Intel Transactional Synchronization Extensions (Intel TSX) capability?

Further guidance can be found in Guidance for disabling Intel® Transactional Synchronization Extensions (Intel® TSX) capability.

References

Third-party information disclaimer

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.