Posted On October 1, 2020

PowerShell: Check Speculation Controls for Spectre Mitigation Support on Windows

kimconnect

Run the function below to view output similar to this:

BTIHardwarePresent : True -> apply OEM BIOS/firmware update
BTIWindowsSupportPresent : True -> install January 2018 update
BTIWindowsSupportEnabled : True -> On server, follow guidance https://support.microsoft.com/en-us/topic/kb4072698-windows-server-and-azure-stack-hci-guidance-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-2f965763-00e2-8f98-b632-0d96f30c8c8e
BTIDisabledBySystemPolicy : False -> ensure not disabled by policy. False is expected
BTIDisabledByNoHardwareSupport : False -> ensure OEM BIOS/firmware update is applied.
BTIKernelRetpolineEnabled : True
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : True -> no action, this is a function of the CPU the computer uses
KVAShadowWindowsSupportPresent : True -> install January 2018 update
KVAShadowWindowsSupportEnabled : True -> On server, follow guidance https://support.microsoft.com/en-us/topic/kb4072698-windows-server-and-azure-stack-hci-guidance-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-2f965763-00e2-8f98-b632-0d96f30c8c8e
KVAShadowPcidEnabled : True -> no action, this is a function of the CPU the computer uses
SSBDWindowsSupportPresent : True -> install Windows updates as documented in ADV180012
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True -> install BIOS/firmware update with support for SSBD from your device OEM
SSBDWindowsSupportEnabledSystemWide : False -> follow recommended actions to turn on SSBD

Source: https://support.microsoft.com/en-us/topic/kb4073119-windows-client-guidance-for-it-pros-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-35820a8a-ae13-1299-88cc-357f104f5b11

function checkSpeculationControls($computer=$env:computername){
    # Script block that runs on the target computer
    $command={
        # Interpretations of output: https://support.microsoft.com/en-us/topic/kb4074629-understanding-speculationcontrol-powershell-script-output-fd70a80a-a63f-e539-cda5-5be4c9e67c04
        #$originalExecutionPolicy = Get-ExecutionPolicy
        #Set-ExecutionPolicy RemoteSigned -Scope Currentuser
        # Install the SpeculationControl module only if its cmdlet is missing
        if(!(Get-Command Get-SpeculationControlSettings -ea SilentlyContinue)){
            # Force TLS 1.2 for the download from the PowerShell Gallery
            [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
            # NuGet is a package provider, not a module, so query it with Get-PackageProvider
            if(!(Get-PackageProvider -Name NuGet -ListAvailable -ea SilentlyContinue)){
                Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
            }
            Install-Module SpeculationControl -Force
        }
        #Set-ExecutionPolicy $originalExecutionPolicy -Scope Currentuser
        return Get-SpeculationControlSettings
    }
    # Uses PowerShell remoting (WinRM), including when the target is the local computer
    Invoke-Command -ComputerName $computer -ScriptBlock $command
}
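
To turn the annotated output above into a per-host findings list, the following added example (not part of the original post or of Microsoft's SpeculationControl module) compares the returned object against the values shown above and emits only the settings that deviate, with the matching action. Compare-SpeculationBaseline, $baseline and the gating on KVAShadowRequired / SSBDHardwareVulnerable are assumptions made for this illustration, as is treating True as the desired value for SSBDWindowsSupportEnabledSystemWide.

```powershell
# Added example. Compare-SpeculationBaseline and $baseline are hypothetical names;
# property names and action texts are taken from the annotated output in the post.
function Compare-SpeculationBaseline {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Settings)
    begin {
        # Each entry: desired value, action, optional gate property (assumption:
        # a check is skipped when its gate property is explicitly False).
        $baseline = [ordered]@{
            BTIHardwarePresent                  = @($true,  'apply OEM BIOS/firmware update')
            BTIWindowsSupportPresent            = @($true,  'install January 2018 update')
            BTIWindowsSupportEnabled            = @($true,  'on server, follow KB4072698 guidance')
            BTIDisabledBySystemPolicy           = @($false, 'ensure not disabled by policy')
            BTIDisabledByNoHardwareSupport      = @($false, 'ensure OEM BIOS/firmware update is applied')
            KVAShadowWindowsSupportPresent      = @($true,  'install January 2018 update', 'KVAShadowRequired')
            KVAShadowWindowsSupportEnabled      = @($true,  'on server, follow KB4072698 guidance', 'KVAShadowRequired')
            SSBDWindowsSupportPresent           = @($true,  'install Windows updates per ADV180012', 'SSBDHardwareVulnerable')
            SSBDHardwarePresent                 = @($true,  'install OEM BIOS/firmware with SSBD support', 'SSBDHardwareVulnerable')
            SSBDWindowsSupportEnabledSystemWide = @($true,  'follow recommended actions to turn on SSBD', 'SSBDHardwareVulnerable')
        }
    }
    process {
        foreach ($name in $baseline.Keys) {
            $expected, $action, $gate = $baseline[$name]
            if ($gate -and $Settings.$gate -eq $false) { continue }   # CPU does not need this mitigation
            $prop   = $Settings.PSObject.Properties[$name]
            $actual = if ($prop) { $prop.Value } else { $null }        # missing property is reported too
            if ($actual -ne $expected) {
                [pscustomobject]@{
                    Computer = $Settings.PSComputerName   # filled in by Invoke-Command
                    Setting  = $name
                    Actual   = $actual
                    Expected = $expected
                    Action   = $action
                }
            }
        }
    }
}

# Constructed sample: firmware not updated, SSBD off, CPU that does not require KVA shadow.
$sample = [pscustomobject]@{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true; BTIWindowsSupportEnabled = $false
    BTIDisabledBySystemPolicy = $false; BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired = $false; KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $false
    SSBDHardwareVulnerable = $true; SSBDWindowsSupportPresent = $true; SSBDHardwarePresent = $false
    SSBDWindowsSupportEnabledSystemWide = $false
}
$sample | Compare-SpeculationBaseline | Format-Table -AutoSize
# Live use with the function above: checkSpeculationControls 'SERVER01' | Compare-SpeculationBaseline
```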
