I have installed the patch released today as detailed here and then set the two registry keys as mentioned:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
However, when I run the provided PowerShell module to check, it is informing me the mitigations are still not enabled:
PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Install the latest available updates for Windows with support for speculation control mitigations.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : False
BTIWindowsSupportPresent : False
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
Why is this? What else do I have to do? I have rebooted the server for good measure with no improvement.
Update after answer from @Paul:
I've now installed the correct update (wally), and this is the output of the PowerShell cmdlet:
PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
Is this everything I can do pending a microcode update?
Best Answer
Firstly, the above output is saying that the required Windows patch has not been installed:
and
Is your AV preventing it? - see here
Secondly, CVE-2017-5715 will also require a CPU microcode update, which means a BIOS update when/if it becomes available. Intel have apparently released the code, but it's down to OEMs to provide updated BIOSes that incorporate it, and that may take a while.
All you can do right now is install the Windows patch. Once the correct patch is installed you should be covered for Meltdown but will still need a subsequent BIOS update to fully cover off Spectre.
FYI, here is the output for my (patched) Windows 10 system:
You will note that for CVE-2017-5715 it shows that the patch is installed but not enabled due to "absence of hardware support" i.e. the microcode update.
You will also note that for CVE-2017-5754 it simply says that it's not required - this is because I'm running on an AMD CPU.
As for your side note, I can't say for sure without testing, but if you look closely, for disabling, the FeatureSettingsOverride key is being set to 3, not 0 as is required to enable it, so I assume that you need the same mask for both but either a 0 (enable) or 3 (disable) for the FeatureSettingsOverride key.
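A PowerShell check, added here as an example and not part of the question or the answer above, that reads the two registry values from the question, decodes them the way the answer describes (override 0 with mask 3 to enable, override 3 with mask 3 to disable) and maps the cmdlet's output fields to the next action. It assumes the SpeculationControl module that provides Get-SpeculationControlSettings is already installed.

```powershell
# Added example, not from the question or the answer: decode the two registry
# values discussed above and cross-check them against what the SpeculationControl
# module reports. Assumes the module is already installed (Install-Module SpeculationControl).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$props   = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

function Get-OverrideState {
    param($Override, $Mask)
    if ($null -eq $Override -or $null -eq $Mask) { return 'not set (OS defaults apply)' }
    # Mask 3 makes both override bits authoritative; override 0 enables the
    # mitigations, override 3 disables them (as the answer above describes).
    switch ($Override -band $Mask) {
        0       { "enabled (Override=$Override, Mask=$Mask)" }
        3       { "disabled (Override=$Override, Mask=$Mask)" }
        default { "non-standard (Override=$Override, Mask=$Mask)" }
    }
}

$state = Get-OverrideState $props.FeatureSettingsOverride $props.FeatureSettingsOverrideMask
Write-Output "Registry override: $state"

if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
    Write-Warning 'Get-SpeculationControlSettings not found; install the SpeculationControl module first.'
    return
}

# The cmdlet prints its own report; keep the returned object for the checks below.
$s = Get-SpeculationControlSettings

# Map the property combinations seen in the question to the next action.
$findings = @()
if (-not $s.BTIWindowsSupportPresent -or -not $s.KVAShadowWindowsSupportPresent) {
    $findings += 'Windows update with speculation control support is not installed (or was blocked, e.g. by AV compatibility).'
}
if ($s.BTIWindowsSupportPresent -and $s.BTIDisabledByNoHardwareSupport) {
    $findings += 'CVE-2017-5715: OS support present but waiting on a firmware/microcode update from the OEM.'
}
if ($s.BTIWindowsSupportPresent -and $s.BTIDisabledBySystemPolicy -and -not $s.BTIDisabledByNoHardwareSupport) {
    $findings += 'CVE-2017-5715: disabled by policy; check FeatureSettingsOverride/Mask (0 and 3 to enable).'
}
if ($s.KVAShadowRequired -and $s.KVAShadowWindowsSupportPresent -and -not $s.KVAShadowWindowsSupportEnabled) {
    $findings += 'CVE-2017-5754: KVA shadow supported but not enabled; check the registry override above and reboot after changing it.'
}
if ($findings.Count -eq 0) { $findings += 'Mitigations that apply to this hardware are enabled.' }
$findings | ForEach-Object { Write-Output "Finding: $_" }
```

Run it in an elevated PowerShell session, since the registry path is under HKLM and the cmdlet needs the kernel information it queries.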