Publish history

1/10/18 - Speculative Execution Side-Channel Vulnerabilities.cab (original release)

1/11/18 - Speculative Execution Side-Channel Vulnerabilities_2012.cab (release that fixes import error on older versions of ConfigMgr because of preselected platforms)

1/23/18 - ADV180002 - Speculative Execution Side-Channel Vulnerabilities_01.22.18.cab (release that fixes the "Error 0x80070001 “Incorrect Function" error on two settings when deployed to multi-proc machines)

8/2/18 - ADV180002 - Speculative Execution Side-Channel Vulnerabilities_2018.07.31.cab (release that adds detection for the mitigations for CVE-2018-3639 speculative store bypass)

8/20/18 - ADV180002 - Speculative Execution Side-Channel Vulnerabilities_2018.08.15.cab (release that adds detection for the mitigations for CVE-2018-3620 - L1 Terminal Fault)

6/5/19 - Speculative Execution Side-Channel Vulnerabilities_2019.06.03.cab (release that adds detection for the mitigations for CVE-2019-11091 - Microarchitectural Data Sampling)

This Compliance Settings configuration baseline is used to confirm whether a system has enabled the protections needed to protect against the speculative-execution side-channel vulnerabilities described in Microsoft Security Advisories ADV180002, ADV180012, ADV180018 and ADV190013. It is based on the functionality in the PowerShell module Get-SpeculationControlSettings. It requires at least PowerShell 3.0.

  1. To import this configuration baseline, download the .cab file and follow the instructions here: https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/import-configuration-data.
  2. The configuration baseline contains five configuration items (CIs)
    • CI: CVE-2017-5715 - Branch target injection
    • CI: CVE-2017-5754 - Rogue data cache load
    • CI: CVE-2018-3639 - Speculative store bypass
    • CI: CVE-2018-3620 - L1 Terminal Fault
    • CI: CVE-2018-12126, CVE-2018-12130, CVE-2018-12127 and CVE-2019-11091 - Microarchitectural Data Sampling
  3. To deploy the configuration baseline, follow the instructions here: https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/deploy-configuration-baselines. Please note that the embedded PowerShell scripts are signed. To deploy signed PowerShell scripts, the code-signing certificate needs to be in the client's Trusted Publishers store. Note that the first two CIs and the last three CIs are signed with two different certificates; both certificates need to be trusted.
  4. To view the compliance results, follow the instructions here: https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/monitor-compliance-settings.
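
Since the baseline's scripts are signed with two different certificates, the following added example (not part of the baseline; the two .ps1 paths are placeholders for the discovery scripts saved from the CIs) checks that each script's signature is valid and that every distinct signer is in the machine's Trusted Publishers store, which an AllSigned execution policy requires before the client will run the script.

```powershell
# Added example, not part of the baseline. Assumes the embedded discovery scripts have
# been saved to .ps1 files (placeholder paths below).
function Test-SignedScriptPublisher {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate            # $null when the file carries no signature
    $thumb = if ($cert) { $cert.Thumbprint } else { $null }
    [pscustomobject]@{
        Script     = Split-Path -Leaf $Path
        Status     = $sig.Status              # 'Valid' = signature and chain verify
        Signer     = if ($cert) { $cert.Subject } else { '(unsigned)' }
        Thumbprint = $thumb
        # Trusted Publishers membership is what lets an AllSigned policy run the script
        TrustedPublisher = [bool]($thumb -and (Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb"))
    }
}

# Placeholder paths: replace with the scripts saved from the CIs
$scripts = 'C:\baseline\<CI-1-discovery>.ps1', 'C:\baseline\<CI-5-discovery>.ps1'
$report  = $scripts | ForEach-Object { Test-SignedScriptPublisher -Path $_ }
$report | Format-Table -AutoSize

# Two different certificates sign the CIs, so every distinct signer must be trusted
$untrusted = $report | Where-Object { $_.Status -eq 'Valid' -and -not $_.TrustedPublisher } |
             Select-Object -ExpandProperty Thumbprint -Unique
if ($untrusted) { Write-Warning "Signers not in Trusted Publishers: $($untrusted -join ', ')" }

# To trust a valid signer (run elevated), add its certificate to the store:
# $cert  = (Get-AuthenticodeSignature -FilePath $scripts[0]).SignerCertificate
# $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher', 'LocalMachine'
# $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
```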

More Information:

This topic describes the compliance states of the configuration items and maps them to the output of the Get-SpeculationControlSettings PowerShell module.

  1. CI: CVE-2017-5715 – Branch target injection

    a. Windows OS support for branch target injection mitigation is enabled:

    compliant if both the firmware update and the Windows OS January 2018 update are installed and enabled, which corresponds to “Windows OS support for branch target injection mitigation is enabled: True” from Get-SpeculationControlSettings.

    non-compliant if the protection is not enabled, which corresponds to “Windows OS support for branch target injection mitigation is enabled: False” from Get-SpeculationControlSettings.


    b. Hardware support for branch target injection mitigation is present:

    compliant if the firmware update is present, which corresponds to “Hardware support for branch target injection mitigation is present: True” from Get-SpeculationControlSettings.

    non-compliant if the firmware update is missing, which corresponds to “Hardware support for branch target injection mitigation is present: False” from Get-SpeculationControlSettings.


    c. Windows OS support for branch target injection mitigation is present:

    compliant if the Windows OS January 2018 update is installed, which corresponds to “Windows OS support for branch target injection mitigation is present: True” from Get-SpeculationControlSettings.

    non-compliant if the Windows OS January 2018 update is not installed, which corresponds to “Windows OS support for branch target injection mitigation is present: False” from Get-SpeculationControlSettings.


    d. Windows OS support for branch target injection mitigation is disabled by absence of hardware support:

    This setting provides additional information when the “Windows OS support for branch target injection mitigation is enabled” setting is non-compliant.

    compliant if the firmware update is present, which corresponds to “Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False” from Get-SpeculationControlSettings.

    non-compliant if the firmware update is not installed, which corresponds to “Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True” from Get-SpeculationControlSettings.


    e. Windows OS support for branch target injection mitigation is disabled by system policy:

    This setting provides additional information when the “Windows OS support for branch target injection mitigation is enabled” setting is non-compliant.

    compliant if system policy enables the protection, which corresponds to “Windows OS support for branch target injection mitigation is disabled by system policy: False” from Get-SpeculationControlSettings.

    non-compliant if system policy disables the protection, which corresponds to “Windows OS support for branch target injection mitigation is disabled by system policy: True” from Get-SpeculationControlSettings.


  2. CI: CVE-2017-5754 – Rogue data cache load

    a. Windows OS support for kernel VA shadow is present:

    compliant if either the processor is not subject to this vulnerability, or the processor is subject to it and the Windows OS January 2018 update is installed, which corresponds to “Hardware requires kernel VA shadowing: False” or “Windows OS support for kernel VA shadow is present: True” from Get-SpeculationControlSettings.

    non-compliant if the processor is subject to this vulnerability and the Windows OS January 2018 update is not installed, which corresponds to “Hardware requires kernel VA shadowing: True” and “Windows OS support for kernel VA shadow is present: False” from Get-SpeculationControlSettings.


    b. Windows OS support for kernel VA shadow is enabled:

    compliant if either the processor is not subject to this vulnerability, or the processor is subject to it and the Windows OS January 2018 update is installed and enabled, which corresponds to “Hardware requires kernel VA shadowing: False” or “Windows OS support for kernel VA shadow is enabled: True” from Get-SpeculationControlSettings.

    non-compliant if the processor is subject to this vulnerability and the Windows update is either not installed, or installed but the protection is disabled, which corresponds to “Hardware requires kernel VA shadowing: True” and “Windows OS support for kernel VA shadow is enabled: False” from Get-SpeculationControlSettings.


  3. CI: CVE-2018-3639 – Speculative store bypass

    Note: This configuration item is unable to determine whether the hardware is vulnerable to CVE-2018-3639. It assumes True for “Hardware requires Speculative Store Bypass Disable” and evaluates the other conditions accordingly.


    a. Hardware support for speculative store bypass mitigation is present:

    compliant if the hardware features needed to support Speculative Store Bypass Disable are present. The device OEM is responsible for providing the updated BIOS/firmware that contains the microcode provided by Intel.

    non-compliant if the required hardware features are not present, and therefore Speculative Store Bypass Disable cannot be turned on.


    b. Windows OS support for speculative store bypass mitigation is present:

    compliant if the Windows OS June/July 2018 update is installed, which corresponds to “SSBDWindowsSupportPresent: True” from Get-SpeculationControlSettings.

    non-compliant if the Windows OS June/July 2018 update is not installed, which corresponds to “SSBDWindowsSupportPresent: False” from Get-SpeculationControlSettings.


    c. Windows OS support for speculative store bypass mitigation is enabled system-wide:

    compliant if hardware support is present and the Windows OS June/July 2018 update is installed and enabled, which corresponds to “SSBDWindowsSupportEnabledSystemWide: True” from Get-SpeculationControlSettings.

    non-compliant if hardware support is not present, or the Windows OS June/July 2018 update is either not installed, or installed but Speculative Store Bypass Disable has not been turned on via the registry keys, which corresponds to “SSBDWindowsSupportEnabledSystemWide: False” from Get-SpeculationControlSettings.


  4. CI: CVE-2018-3620 – L1 Terminal Fault

    a. Windows OS support for L1 terminal fault mitigation is present:

    compliant if either the processor is not subject to this vulnerability, or the processor is subject to it and the Windows OS August 2018 update is installed, which corresponds to “L1TFWindowsSupportPresent: True” from Get-SpeculationControlSettings.

    non-compliant if the Windows OS August 2018 update is not installed, which corresponds to “L1TFWindowsSupportPresent: False” from Get-SpeculationControlSettings.


    b. Windows OS support for L1 terminal fault mitigation is enabled:

    compliant if either the processor is not subject to this vulnerability, or the processor is subject to it and the Windows OS August 2018 update is installed and enabled, which corresponds to “L1TFWindowsSupportEnabled: True” from Get-SpeculationControlSettings.

    non-compliant if the Windows OS August 2018 update is either not installed, or installed but not enabled via the registry keys, which corresponds to “L1TFWindowsSupportEnabled: False” from Get-SpeculationControlSettings.


  5. CI: CVE-2018-12126, CVE-2018-12130, CVE-2018-12127 and CVE-2019-11091 - Microarchitectural Data Sampling

    a. Windows OS support for MDS mitigation is present:

    compliant if the Windows OS May 2019 update is installed on the device and the mitigation for MDS is present, which corresponds to “MDSWindowsSupportPresent: True” from Get-SpeculationControlSettings.

    non-compliant if the Windows OS May 2019 update is not installed and the mitigation for MDS is not present, which corresponds to “MDSWindowsSupportPresent: False” from Get-SpeculationControlSettings.


    b. Windows OS support for MDS mitigation is enabled:

    compliant if the hardware is believed to be affected by the MDS vulnerabilities, Windows operating system support for the mitigation is present, and the mitigation has been enabled, which corresponds to “MDSWindowsSupportEnabled: True” from Get-SpeculationControlSettings.

    non-compliant if the hardware is not vulnerable, Windows operating system support is not present, or the mitigation has not been enabled, which corresponds to “MDSWindowsSupportEnabled: False” from Get-SpeculationControlSettings.
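
The mapping above, carried through as an added example that is not the baseline's own embedded script: it runs Get-SpeculationControlSettings once and evaluates each CI setting's compliant/non-compliant rule as described, including the "processor is not subject" branches for kernel VA shadow and L1TF and the SSBD assumption that the hardware is vulnerable. It assumes the SpeculationControl module is installed, that its -Quiet switch suppresses the text report, and the BTI*/KVAShadow* property names, which the page quotes only by their display text.

```powershell
# Added example, not the baseline's own discovery script. Property names not quoted on
# the page (BTI*, KVAShadow*, SSBDHardwarePresent, L1TFHardwareVulnerable) are assumed
# from the SpeculationControl module.
Import-Module SpeculationControl -ErrorAction Stop

function Test-SpeculationControlBaseline {
    param([Parameter(Mandatory)]$Settings)   # object returned by Get-SpeculationControlSettings
    $s = $Settings
    # Each rule is $true when the page's "compliant" condition holds
    $rules = [ordered]@{
        # CI 1: CVE-2017-5715 (a-e); d and e are informational and compliant when not disabled
        'BTI: Windows OS support enabled'        = [bool]$s.BTIWindowsSupportEnabled
        'BTI: hardware support present'          = [bool]$s.BTIHardwarePresent
        'BTI: Windows OS support present'        = [bool]$s.BTIWindowsSupportPresent
        'BTI: not disabled by absent hardware'   = -not $s.BTIDisabledByNoHardwareSupport
        'BTI: not disabled by system policy'     = -not $s.BTIDisabledBySystemPolicy
        # CI 2: CVE-2017-5754 (a,b); compliant when the hardware does not need KVA shadowing
        'KVA shadow: Windows OS support present' = (-not $s.KVAShadowRequired) -or [bool]$s.KVAShadowWindowsSupportPresent
        'KVA shadow: Windows OS support enabled' = (-not $s.KVAShadowRequired) -or [bool]$s.KVAShadowWindowsSupportEnabled
        # CI 3: CVE-2018-3639 (a-c); hardware is assumed vulnerable, so no "not subject" branch
        'SSBD: hardware support present'         = [bool]$s.SSBDHardwarePresent
        'SSBD: Windows OS support present'       = [bool]$s.SSBDWindowsSupportPresent
        'SSBD: enabled system-wide'              = [bool]$s.SSBDWindowsSupportEnabledSystemWide
        # CI 4: CVE-2018-3620 (a,b); compliant when the processor is not subject to L1TF
        'L1TF: Windows OS support present'       = (-not $s.L1TFHardwareVulnerable) -or [bool]$s.L1TFWindowsSupportPresent
        'L1TF: Windows OS support enabled'       = (-not $s.L1TFHardwareVulnerable) -or [bool]$s.L1TFWindowsSupportEnabled
        # CI 5: MDS (a,b)
        'MDS: Windows OS support present'        = [bool]$s.MDSWindowsSupportPresent
        'MDS: Windows OS support enabled'        = [bool]$s.MDSWindowsSupportEnabled
    }
    $result = [ordered]@{}
    foreach ($name in $rules.Keys) {
        $result[$name] = if ($rules[$name]) { 'Compliant' } else { 'Non-Compliant' }
    }
    return $result
}

$settings = Get-SpeculationControlSettings -Quiet   # -Quiet assumed to suppress the text report
$states   = Test-SpeculationControlBaseline -Settings $settings
$states.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }

# A ConfigMgr discovery script evaluates one setting, so it would emit just that value, e.g.:
# $states['KVA shadow: Windows OS support enabled']
```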


For detailed information about the output of the Get-SpeculationControlSettings PowerShell module, please refer to https://go.microsoft.com/fwlink/?linkid=866271.

For additional guidance for Configuration Manager environments see https://techcommunity.microsoft.com/t5/Configuration-Manager-Blog/Additional-guidance-to-mitigate-speculative-execution-side/ba-p/274974.

If you have feedback about the compliance baseline or run into issues using it, please leave a comment. General feedback on the security updates can be submitted through the Windows Feedback Hub or your Microsoft Customer Support contact.