I have a bunch of clients that report relevant for both the “4072698: Enable mitigations to help protect against speculative execution side-channel vulnerabilities - Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 / Windows Server 2012 R2 / Windows 2016” fixlet as well as the “4072698: Disable mitigations to help protect against speculative execution side-channel vulnerabilities - Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 / Windows Server 2012 R2 / Windows 2016” fixlet.
Since this server is not running a hypervisor, even though the first check is FALSE, the -OR- between that and the hypervisor registry check causes the relevancy to return TRUE, and that is why the enable and disable fixlets are both relevant (which is really confusing to people). Is that correct?
shows Enable fixlet relevant:
Q: (not exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" whose(exists values "FeatureSettingsOverride" whose(0 = it as string as integer) of it AND exists values "FeatureSettingsOverrideMask" whose(3 = it as string as integer) of it) of it OR not exists keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" whose (exists values "MinVmVersionForCpuBasedMitigations" whose ("1.0" = it as string) of it) of it) of native registry
A: True
Removing the hypervisor relevancy shows the Enable fixlet as FALSE:
Q: (not exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" whose(exists values "FeatureSettingsOverride" whose(0 = it as string as integer) of it AND exists values "FeatureSettingsOverrideMask" whose(3 = it as string as integer) of it) of it) of native registry
A: False
showing hypervisor not installed
Q: (not exists keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" whose (exists values "MinVmVersionForCpuBasedMitigations" whose ("1.0" = it as string) of it) of it) of native registry
A: True
MemoryManagementFeatureSettingsOverride
Q: if (exists value "FeatureSettingsOverride" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry) then (value "FeatureSettingsOverride" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry) else nothing
A: 0
MemoryManagementFeatureSettingsOverrideMask
Q: if (exists value "FeatureSettingsOverrideMask" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry) then (value "FeatureSettingsOverrideMask" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of registry) else nothing
A: 3
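
The clause-by-clause evaluation shown in the post, as an added example that is not part of the original post and is not BigFix code: a Python model of the Enable relevance run over constructed registry snapshots. The dictionary layout, function names and snapshot names are assumptions for illustration; no real registry is read.

```python
# Added example: models the "Enable" fixlet relevance quoted in the post.
# Registry snapshots are constructed dicts: {key path: {value name: data}}.

MM_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
VIRT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"


def _int_equals(registry, key, name, expected):
    """Model of: exists values <name> whose (<expected> = it as string as integer)."""
    data = registry.get(key, {}).get(name)
    try:
        return data is not None and int(str(data)) == expected
    except ValueError:
        # Assumption: data that cannot be cast to an integer does not match.
        return False


def enable_clauses(registry):
    """Return both top-level clauses of the Enable relevance and their OR."""
    mm_configured = (
        _int_equals(registry, MM_KEY, "FeatureSettingsOverride", 0)
        and _int_equals(registry, MM_KEY, "FeatureSettingsOverrideMask", 3)
    )
    virt_value = registry.get(VIRT_KEY, {}).get("MinVmVersionForCpuBasedMitigations")
    virt_configured = virt_value is not None and str(virt_value) == "1.0"
    clause_mm = not mm_configured      # first "not exists keys ..." clause
    clause_virt = not virt_configured  # second "not exists keys ..." clause
    return {
        "memory_management": clause_mm,
        "virtualization": clause_virt,
        "relevant": clause_mm or clause_virt,
    }


# Constructed snapshots. POSTED_HOST mirrors the values reported in the post.
POSTED_HOST = {MM_KEY: {"FeatureSettingsOverride": 0, "FeatureSettingsOverrideMask": 3}}
WITH_VIRT_VALUE = {**POSTED_HOST, VIRT_KEY: {"MinVmVersionForCpuBasedMitigations": "1.0"}}
NOTHING_SET = {}

if __name__ == "__main__":
    for name, snap in [("posted host", POSTED_HOST),
                       ("with virtualization value", WITH_VIRT_VALUE),
                       ("nothing set", NOTHING_SET)]:
        print(name, enable_clauses(snap))
```

For the posted host the first clause is False and the second is True, so the OR reports the fixlet as relevant, matching the three Q/A results in the post.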