PowerShell: Check Speculation Controls for Spectre Mitigation Support on Windows

Run the below function to view an output similar to this:

BTIHardwarePresent : True -> apply OEM BIOS/firmware update
BTIWindowsSupportPresent : True -> install January 2018 update
BTIWindowsSupportEnabled : True -> On server, follow guidance https://support.microsoft.com/help/4072698
BTIDisabledBySystemPolicy : False -> ensure not disabled by policy. False is expected
BTIDisabledByNoHardwareSupport : False -> ensure OEM BIOS/firmware update is applied.
BTIKernelRetpolineEnabled : True
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : True -> no action, this is a function of the CPU the computer uses
KVAShadowWindowsSupportPresent : True -> install January 2018 update
KVAShadowWindowsSupportEnabled : True -> On server, follow guidance https://support.microsoft.com/help/4072698
KVAShadowPcidEnabled : True -> no action , this is a function of the CPU the computer uses
SSBDWindowsSupportPresent : True -> install Windows updates as documented in adv180012 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True -> install BIOS/firmware update with support for SSBD from your device OEM
SSBDWindowsSupportEnabledSystemWide : False -> follow recommended actions to turn on SSBD https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

Source: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

function checkSpeculationControls($computer=$env:computername){
    $command={
        # Interpretations of output: https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell
        #$originalExecutionPolicy = Get-ExecutionPolicy
        #Set-ExecutionPolicy RemoteSigned -Scope Currentuser
        if(!(Get-command Get-SpeculationControlSettings -ea SilentlyContinue)){
            [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
            if(!(Get-Module nuget)){
                Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
            }
            Install-Module SpeculationControl -force
        }
        #Set-ExecutionPolicy $originalExecutionPolicy -Scope Currentuser
        return Get-SpeculationControlSettings
    }
    invoke-command -ComputerName $computer -ScriptBlock $command
}

Leave a Reply

Your email address will not be published. Required fields are marked *