Meltdown/Spectre Mitigations on Windows 2008 R2 guest on VMware ESXi 5.5

vmware-esxi, vulnerabilities, windows-server-2008-r2

I do see that "I can't enable the Meltdown/Spectre mitigations in Windows Server 2008 R2" is a similar question, but I suppose that the environment differences may justify different remedies.

After installing the Meltdown/Spectre related Windows updates and registry keys, and verifying that the relevant VMware patch is installed (more precisely, ESXi550-201709101-SG is listed as "considered obsolete by the host", as is ESXi550-201709102-SG, but ESXi550-201709103-SG is installed), the Microsoft testing tool gives me only

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: False [not required for security]

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : False

I dare to interpret these (in particular regarding CVE-2017-5715) as

  • CPU is vulnerable
  • Windows updates have been installed
  • Registry settings are missing
  • GPO is not a problem
  • Appropriate Microcode/Firmware is missing

This confuses me.
For one, the registry settings should be ok according to the following export excerpt:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"FeatureSettingsOverride"=dword:00000000
"FeatureSettingsOverrideMask"=dword:00000003
"FeatureSettings"=dword:00000003

Additionally, I don't understand why the required microcode is missing (and hence a BIOS/firmware update is suggested) given that the underlying VMware host has ESXi550-201709103-SG installed (note though that ESXi550-201709101-SG comes with a footnote that it mitigates against CVE-2017-5715 but not against CVE-2017-5753).

What should I do?

Update

Meanwhile, I did also install BIOS/firmware (specifically, for the underlying ProLiant BL460c Gen 9 blade, I installed BIOS version 2.54 12-07-2017 (Fixes: "Updated the Intel processor microcode to the latest version.")).
The blade/host as well as the guest have been rebooted afterwards, but I still get the same test results (FTFFTTTTF and I am still suggested to "Install BIOS/firmware update provided by your device OEM …").
I even had the guest boot into its BIOS and flipped through the settings to see if something needed to be enabled (apparently this is not the case).

Update 2

Out of curiosity, I tried the Linux testing tool as well. That tells me "Hardware (CPU microcode) support for mitigation: YES" even on a blade that had only ESXi550-201709103-SG installed, but not yet ProLiant BIOS 2.54.
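
One way to tell the two "disabled" reasons in the tool output apart (disabled by system policy, i.e. the registry, versus disabled by absence of hardware support) is to read the registry values and the tool's result object side by side. The following PowerShell script is an added example, not code from the question, the answer or Microsoft. It assumes PowerShell 3 or later; that the SpeculationControl module from the PowerShell Gallery (Get-SpeculationControlSettings) may or may not be installed; that an absent registry value behaves as 0; and that FeatureSettingsOverride bit 0 (0x1) switches off the branch target injection mitigation and bit 1 (0x2) switches off kernel VA shadowing, with only the bits set in FeatureSettingsOverrideMask being honoured. When the module is absent it falls back to a constructed result object carrying the values quoted above (FTFFTTTTF), so the decoding can be seen offline.

```powershell
# Added example (not from the question, the answer or Microsoft): decode the
# speculation-control registry values and relate them to the result object
# returned by Get-SpeculationControlSettings.
# Assumptions: a missing registry value counts as 0; FeatureSettingsOverride
# bit 0 (0x1) disables the CVE-2017-5715 mitigation and bit 1 (0x2) disables
# kernel VA shadowing (CVE-2017-5754); only bits also set in
# FeatureSettingsOverrideMask are applied by Windows.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpecCtrlRegistryState {
    param([string]$KeyPath = $MemMgmtKey)
    $p = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $override = if ($p -and $null -ne $p.FeatureSettingsOverride)     { [uint32]$p.FeatureSettingsOverride }     else { 0 }
    $mask     = if ($p -and $null -ne $p.FeatureSettingsOverrideMask) { [uint32]$p.FeatureSettingsOverrideMask } else { 0 }
    # Only override bits that are also set in the mask take effect.
    $effective = $override -band $mask
    [pscustomobject]@{
        Override             = $override
        Mask                 = $mask
        Effective            = $effective
        BtiDisabledByPolicy  = (($effective -band 0x1) -ne 0)
        KvasDisabledByPolicy = (($effective -band 0x2) -ne 0)
    }
}

function Get-BtiDiagnosis {
    param(
        [Parameter(Mandatory = $true)] $Settings,   # result object of Get-SpeculationControlSettings
        [Parameter(Mandatory = $true)] $Registry    # object from Get-SpecCtrlRegistryState
    )
    if (-not $Settings.BTIWindowsSupportPresent) {
        return 'OS support absent: the Windows update for CVE-2017-5715 is not installed.'
    }
    if ($Settings.BTIDisabledBySystemPolicy -or $Registry.BtiDisabledByPolicy) {
        return ('Disabled by policy: FeatureSettingsOverride=0x{0:X} with mask 0x{1:X}; Override=0 and Mask=3 enable both mitigations.' -f $Registry.Override, $Registry.Mask)
    }
    if ($Settings.BTIDisabledByNoHardwareSupport) {
        return 'Registry and OS support are fine; the CPU as presented to this guest lacks the capability. Check host microcode/BIOS, the hypervisor patch level and the VM hardware version, then fully power-cycle the VM.'
    }
    if ($Settings.BTIWindowsSupportEnabled) {
        return 'Branch target injection mitigation is enabled.'
    }
    return 'Unexpected combination; review the raw tool output.'
}

# Live check when the SpeculationControl module is installed; otherwise fall
# back to a constructed object carrying the values quoted in the question.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $settings = Get-SpeculationControlSettings
} else {
    $settings = [pscustomobject]@{   # constructed sample, mirrors FTFFTTTTF
        BTIHardwarePresent             = $false
        BTIWindowsSupportPresent       = $true
        BTIWindowsSupportEnabled       = $false
        BTIDisabledBySystemPolicy      = $false
        BTIDisabledByNoHardwareSupport = $true
        KVAShadowRequired              = $true
        KVAShadowWindowsSupportPresent = $true
        KVAShadowWindowsSupportEnabled = $true
        KVAShadowPcidEnabled           = $false
    }
}

$reg = Get-SpecCtrlRegistryState
'Registry : Override=0x{0:X} Mask=0x{1:X} Effective=0x{2:X} (BTI disabled by policy: {3}; KVAS disabled by policy: {4})' -f `
    $reg.Override, $reg.Mask, $reg.Effective, $reg.BtiDisabledByPolicy, $reg.KvasDisabledByPolicy
'CVE-2017-5715: ' + (Get-BtiDiagnosis -Settings $settings -Registry $reg)
'CVE-2017-5754: kernel VA shadow enabled = ' + $settings.KVAShadowWindowsSupportEnabled
```

With the registry export quoted above (Override 0, Mask 3) the effective override is 0, so neither mitigation is disabled by policy; the script then reports the hardware-support branch for CVE-2017-5715, which is what BTIDisabledByNoHardwareSupport = True already states. The guest only sees the CPU capability the hypervisor exposes, so the registry is not the place to look for this result.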

Best Answer

As far as I know, VMware patches don't contain new microcode; you will need to get and install a firmware / BIOS update from your hardware vendor for this. ESXi550-201709101-SG should contain (some) mitigations against CVE-2017-5715, but on a hypervisor level and not on a hardware / CPU / microcode level.

There are already updates from HPE for ProLiant Gen9 and 10 and Dell for PowerEdge R630/R730/R730XD. I should think from other vendors and for other models, too, but these are the ones I'm interested in and therefore had an eye on.

Can't help you with your registry settings, though.

edit: I have to apologize, it looks like ESXi650-201801402-BG updates cpu-microcode. That's new to me...

edit 2: Installing all updates (BIOS / microcode, ESXi, OS) might not be enough; it looks like you need to ensure that virtual hardware 9 (better is 11 or later) is used and again power off and power on your VM. And power off and power on your VM means just that; rebooting the guest OS seems not to be enough.
