4072698: Enable/disable mitigation relevancy

I have a bunch of clients that report relevant for both the “4072698: Enable mitigations to help protect against speculative execution side-channel vulnerabilities - Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 / Windows Server 2012 R2 / Windows 2016” fixlet as well as the “4072698: Disable mitigations to help protect against speculative execution side-channel vulnerabilities - Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 / Windows Server 2012 R2 / Windows 2016” fixlet.

Since this server is not running a hypervisor, even though the first check is FALSE, the -OR- between that and the hypervisor registry check causes the relevancy to return TRUE and that is why the enable and disable fixlets are both relevant (which is really confusing to people). Is that correct?

shows Enable fixlet relevant:

Q: (not exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" whose(exists values "FeatureSettingsOverride" whose(0 = it as string as integer) of it AND exists values "FeatureSettingsOverrideMask" whose(3 = it as string as integer) of it) of it OR not exists keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" whose (exists values "MinVmVersionForCpuBasedMitigations" whose ("1.0" = it as string) of it) of it) of native registry
A: True

—removing the hypervisor relevancy shows the Enable fixlet as FALSE

Q: (not exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" whose(exists values "FeatureSettingsOverride" whose(0 = it as string as integer) of it AND exists values "FeatureSettingsOverrideMask" whose(3 = it as string as integer) of it) of it) of native registry
A: False

showing hypervisor not installed

Q: (not exists keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" whose (exists values "MinVmVersionForCpuBasedMitigations" whose ("1.0" = it as string) of it) of it) of native registry
A: True

MemoryManagementFeatureSettingsOverride

Q: if (exists value "FeatureSettingsOverride" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry) then (value "FeatureSettingsOverride" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry) else nothing
A: 0

MemoryManagementFeatureSettingsOverrideMask

Q: if (exists value "FeatureSettingsOverrideMask" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry) then (value "FeatureSettingsOverrideMask" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry) else nothing
A: 3

opened case TS000114562


Fixlets have been updated in the Patches for Windows site so that the Enable fixlet hypervisor relevancy check is only relevant on hypervisor servers.

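The two clauses of the Enable relevance quoted in this thread, modelled in Python over constructed registry snapshots, next to a variant that only applies the hypervisor clause on hypervisor servers. This is an added example, not code from any poster or from the fixlet itself; the `is_hypervisor` flag and the function names are assumptions, since the thread does not show how the updated fixlet detects a hypervisor server.

```python
# Added example: the Enable fixlet's two relevance clauses, modelled over a
# registry snapshot (a dict) so the logic can be checked offline.
MM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
VIRT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"


def _as_int(value):
    """Mirror 'it as string as integer'; a missing or non-numeric value matches nothing."""
    try:
        return int(str(value))
    except ValueError:
        return None


def mitigation_clause(reg):
    """True when Override=0 and Mask=3 are NOT both present (first 'not exists')."""
    mm = reg.get(MM, {})
    return not (_as_int(mm.get("FeatureSettingsOverride")) == 0
                and _as_int(mm.get("FeatureSettingsOverrideMask")) == 3)


def hypervisor_clause(reg):
    """True when MinVmVersionForCpuBasedMitigations is not "1.0" (second 'not exists')."""
    return str(reg.get(VIRT, {}).get("MinVmVersionForCpuBasedMitigations")) != "1.0"


def enable_relevant_as_posted(reg):
    # The relevance as quoted in the thread: clause 1 OR clause 2.
    return mitigation_clause(reg) or hypervisor_clause(reg)


def enable_relevant_gated(reg, is_hypervisor):
    # Assumption: is_hypervisor is supplied by the caller (hypothetical flag).
    return mitigation_clause(reg) or (is_hypervisor and hypervisor_clause(reg))


# Constructed snapshots (not real registry exports).
POSTER_SERVER = {MM: {"FeatureSettingsOverride": 0, "FeatureSettingsOverrideMask": 3}}
UNCONFIGURED = {}
HYPERV_PARTIAL = dict(POSTER_SERVER)  # mitigations set, Virtualization value missing
HYPERV_FULL = {**POSTER_SERVER, VIRT: {"MinVmVersionForCpuBasedMitigations": "1.0"}}

if __name__ == "__main__":
    cases = [("poster server", POSTER_SERVER, False), ("unconfigured", UNCONFIGURED, False),
             ("hyper-v partial", HYPERV_PARTIAL, True), ("hyper-v full", HYPERV_FULL, True)]
    for name, reg, hv in cases:
        print(f"{name:16} as_posted={enable_relevant_as_posted(reg)!s:5} "
              f"gated={enable_relevant_gated(reg, hv)}")
```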