Windows Speculative Execution Check

Posted on | By drewni

Detect and remediate Windows Speculative Execution on Windows 10 machines using PowerShell and Proactive Remediation in Intune.

Within Intune there is the option to create remediation task, this is basically a PowerShell script that will run against the machine and exit with a 1 or a 0 if the condition is found.

With the Speculative Execution Check the remediation is to set registry setting to protect the machine.

Extra information can be found at the following Microsoft web page.

Windows Server guidance to protect against speculative execution side-channel vulnerabilities (microsoft.com)

Detection Script

This is a Powershell script that exits with a 1 if the value is not as required. This will trigger the remediation script to be run.

<#=======================================================================================
Script Name:     Detect_spectar_meltdown_Vulnerabilities.ps1 

Description:     Detect if the setting for the Itel processors have been applied to the registry 

Notes:           v1.0 – Remediate if exit is 1 is found, change as appropriate                 

v1.1 – Extra registry location added for Virtulization (Hyper-v enabled)
=======================================================================================#>

try {

$RegResult = Get-ItemProperty -Path “Registry::HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management”   

If (-Not $RegResult.FeatureSettingsOverride -eq “72”) {

      Write-Host “Match”       

Exit 1           

}   

ElseIf (-Not $RegResult.FeatureSettingsOverrideMask -eq “3”) {

        Write-Host “Match”        Exit 1           

}   

else {       

Write-Host “No_Match”         

  }   

}

catch {   

$errMsg = $_.Exception.Message   

return $errMsg

    Write-Host “Match”

    exit 1}
try { 

  $RegResult = Get-ItemProperty -Path “Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization”

    If (-Not $RegResult.MinVmVersionForCpuBasedMitigations -eq “1.0”) { 

      Write-Host “Match”

        Exit 1

            }

    else {

        Write-Host “No_Match”

            }

    }

catch {

    $errMsg = $_.Exception.Message

    return $errMsg

    Write-Host “Match”

    exit 1

}
Exit 0

Remediation Script

Remediation script is a simple registry change script. If the values do not exist they will just be created.

<#=======================================================================================
 Script Name:     Remediate_spectar_meltdown_Vulnerabilities.ps1

 Description:     This script updates the registry to protect from Spectar and Meltdown Vulnerabilities

 Notes:           v1.0 – No variable substitution needed

                  v1.1 – Extra registry location added for Hyper-V enabled machines
=======================================================================================#>
try {

    Set-ItemProperty -Path “Registry::HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” -Name FeatureSettingsOverride -Value 72

    Set-ItemProperty -Path “Registry::HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” -Name FeatureSettingsOverrideMask -Value 3

    Set-ItemProperty -Path “Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization” -Name MinVmVersionForCpuBasedMitigations -Value 1.0

    Exit 0

}

catch{

    $errMsg = $_.Exception.Message

    return $errMsg

    exit 1

}

Create the Intune remediation

From within Intune go to Reports-Endpoint Analytics-Proactive Remediations.

Select +Create script Package

Click Next. On the next screen select the detection and remediation script.

“Run this script using the logged-on credentials” – No

“Enforce script signature check” – No (Unless you have this enable, I do not)

“Runscript in 64-bit PowerShell” – No

Select Next

Assign a scope if required

Assign the script to a group of users or machines. This can be added later if the group is not set up.
Review and create
Category: Windows 10