Speculation Control Validation PowerShell Script

This is described in the blog topic: "Windows Server guidance to protect against the speculative execution side-channel vulnerabilities."

 
 
 
 
 
Security
9/5/2018
  • EXE version of this script
    2 Posts | Last post January 14, 2018
    • Some folks have had problems with the module. Below is a link to EXE versions of version 1.4 of the script. Created with PS2EXE with versions requiring .NET 2.0, 3.0 and 4.0 included as well as the original ps1 script converted from the module. Hopefully helpful to some as it's a little more portable. License: MIT
      
      https://1drv.ms/u/s!AvUMCaElfVkvmyfWNzSrNEchXT8R
    • Thanks, Andy. Couldn't make the script work.
  • SCCM report query
    1 Posts | Last post January 14, 2018
    • The following query can be used to track BIOS versions on SCCM managed systems. Tested with 2012 R2:
      
      SELECT
        v_GS_Computer_System.Name0
        ,v_GS_Computer_System.Model0
        ,v_GS_PC_BIOS.Manufacturer0
        ,v_GS_PC_BIOS.SerialNumber0
        ,v_GS_PC_BIOS.SMBIOSBIOSVersion0
        ,v_GS_PC_BIOS.ReleaseDate0
      FROM 
      v_GS_PC_BIOS inner join v_GS_Computer_System on v_GS_PC_BIOS.ResourceId = v_GS_Computer_System.ResourceId 
      ORDER BY 
      v_GS_Computer_System.Name0
  • Zip file empty
    1 Posts | Last post January 13, 2018
  • Azure Windows 2012R2 VM reporting missing hardware support for mitigation
    1 Posts | Last post January 12, 2018
    • We just (on 12 January 2018) spun up a 2012R2 VM in Azure (West Europe) – it had the QualityCompat registry key, despite there being no AV installed. It also had the KB 4056898 installed. However, the registry keys to enable the protection were missing. We added those. After stopping then starting the VM, it is showing:
      
      Hardware support for branch target injection mitigation is present: False
      Windows OS support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is enabled: False
      Windows OS support for branch target injection mitigation is disabled by system policy: False
      Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
      
      Has Microsoft not updated all their Azure host hardware, or configured their Hyper-V hosts correctly?
      
      What would be useful is if someone could confirm if an Azure VM like ours should be "all green" for the Get-SpeculationControlSettings output, or if it looks like ours...
      
      Could someone also confirm that an in-house, fully patched VM on patched hardware/Hyper-V should be "all green"?
  • CVE-2017-5753?
    2 Posts | Last post January 12, 2018
    • The script/cmdlet output has two sections with headers that display security compliance verifications for CVE-2017-5715 and CVE-2017-5754. Is it assumed, if both sections are fully compliant and all recommendations are applied from the third section, that you are protected against CVE-2017-5753 as well?
    • Anyone Please?
  • Doesn't see Windows 7 CVE-2017-5754 patch
    4 Posts | Last post January 12, 2018
    • Hi there,
      Running the script on Windows 7 (x86 32-bit) devices, with both BIOS updates and update KB4056894 installed, shows correct results for CVE-2017-5715.  
      
      However CVE-2017-5754 is reported as failed/false...
      
      Hardware requires kernel VA shadowing: True
      Windows OS support for kernel VA shadow is present: False
      Windows OS support for kernel VA shadow is enabled: False
      
      Any reason why Windows 7 devices would not see the update for CVE-2017-5754?
    • I have the same problem, mostly on some HP devices, for instance the HP EliteBook 840
    • Hi.
      We have the same problem when we run the script on Win8.1 x86. However if we install Win8.1 x64 in the same box everything works fine: it seems there is some kind of problem with the script when it checks CVE-2017-5754 when run on x86 operating systems (the processor is an Intel i3 64 bits architecture).
      Regards.
    • Hi. 
      From FAQs in:
      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
      
      7. I have an x86 architecture and the PowerShell Verification output indicates that I am not fully protected from these speculative execution side-channel vulnerabilities. Will Microsoft provide complete protections in the future?
      Addressing a hardware vulnerability with a software update presents significant challenges and mitigations for older operating systems that require extensive architectural changes. The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.
      
      So the PowerShell script works fine; the problem is that there is no mitigation for Meltdown if you have a 32-bit operating system.
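
The two outputs quoted in the threads above (the Azure 2012 R2 VM and the Windows 7 x86 machine) can be triaged from the object that Get-SpeculationControlSettings returns. This is an added example, not part of any post or of the SpeculationControl module; the function name Get-SpeculationTriage and the sample objects are hypothetical, and fields the posts did not quote are filled in with assumed values.

```powershell
# Added example. Property names are those on the object returned by
# Get-SpeculationControlSettings; the sample values below are constructed.
function Get-SpeculationTriage {
    param(
        [Parameter(Mandatory = $true)] $Settings,
        # Default needs .NET 4+; pass explicitly for results collected elsewhere.
        [bool] $Is64BitOS = [Environment]::Is64BitOperatingSystem
    )
    $findings = @()

    # CVE-2017-5715 (branch target injection): walk from OS patch to hardware.
    if (-not $Settings.BTIWindowsSupportPresent) {
        $findings += 'BTI: OS update missing'
    } elseif ($Settings.BTIDisabledByNoHardwareSupport -or (-not $Settings.BTIHardwarePresent)) {
        $findings += 'BTI: no hardware support visible to the OS (firmware/microcode, or the VM host)'
    } elseif ($Settings.BTIDisabledBySystemPolicy) {
        $findings += 'BTI: disabled by system policy (check the enabling registry values)'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        $findings += 'BTI: OS support present but not enabled'
    }

    # CVE-2017-5754 (kernel VA shadow): only relevant when the hardware requires it.
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            if ($Is64BitOS) {
                $findings += 'KVA: OS update missing'
            } else {
                $findings += 'KVA: no 32-bit mitigation, per the ADV180002 FAQ quoted above'
            }
        } elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $findings += 'KVA: OS support present but not enabled'
        }
    }
    if ($findings.Count -eq 0) { $findings = @('All reported mitigations enabled') }
    $findings
}

# Constructed from the Azure 2012 R2 post; KVA fields are assumed (not quoted there).
$azureVm = [pscustomobject]@{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true; BTIWindowsSupportEnabled = $false
    BTIDisabledBySystemPolicy = $false; BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired = $true; KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $true }
# Constructed from the Windows 7 x86 post; BTI fields assumed passing, as the post reports.
$win7x86 = [pscustomobject]@{
    BTIHardwarePresent = $true; BTIWindowsSupportPresent = $true; BTIWindowsSupportEnabled = $true
    BTIDisabledBySystemPolicy = $false; BTIDisabledByNoHardwareSupport = $false
    KVAShadowRequired = $true; KVAShadowWindowsSupportPresent = $false; KVAShadowWindowsSupportEnabled = $false }
Get-SpeculationTriage -Settings $azureVm -Is64BitOS $true
Get-SpeculationTriage -Settings $win7x86 -Is64BitOS $false
```

On a live machine the same function takes the cmdlet's result directly: `Get-SpeculationTriage -Settings (Get-SpeculationControlSettings)`.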
      
      
  • Code
    6 Posts | Last post January 11, 2018
    • Is it possible that someone please post the code as a "question"?
    • It's working again now :)
    • No...
    • Nope, still empty
    • https://www.powershellgallery.com/packages/SpeculationControl/1.0.3  <- Take this
    • Cheers Kingmoff, that worked a treat
  • 0KB download - Please get this fixed
    1 Posts | Last post January 11, 2018
    • I have the same issue:
      
      Have tried downloading the file multiple times from multiple machines and browsers, always getting the same empty folder... Is there an alternative download location for this?
      
      Please provide a different Location with the latest Version or fix this one.
  • Three different browsers and four different computers = 0 bytes :-(
    1 Posts | Last post January 11, 2018
    • Three different browsers and four different computers = 0 bytes :-(
  • ZIP Folder Empty..
    1 Posts | Last post January 11, 2018
    • Have tried downloading the file multiple times from multiple machines and browsers, always getting the same empty folder... Is there an alternative download location for this?