Windows PowerShell Is Showing This After Trying To Fix Meltdown And Spectre Security Flaws

I agree with you on everything. The Spectre flaw will remain not patched in many systems. Many people are still not worried of the severity of the flaws(due to lack of computer knowledge). This is real bad.

The following section is about Spectre security flaw:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is enabled: False

Windows OS support for branch target injection mitigation is disabled by system policy: False

Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

This part is about the Meltdown:

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID performance optimization is enabled: False [not required for security]

Looks like you have managed to fix Meltdown flaw. As you have got True at the aforementioned parts.

The Spectre flaw can be fixed only by downloading updates from the website of your OEM manufacturer. The Spectre flaw is not also easy to exploit and also somewhat harder to patch.

(Source-www.bleepingcomputer.com/news/microsoft/how-to-check-and-update-windows-systems-for-the-meltdown-and-spectre-cpu-flaws/)

Nik, it is so hard when you don't have good explanations to see if the patches took and are properly installed.  I have an additional problem as I have reached out to ASUS and that assumes that ASUS comes up with a patch for my motherboard, an Sabertooth Z97 Mark 2.  I did push them for patches, and it seems that Intel has released the microcode, but Intel has left it to the BIOS coders to make the correct patches.  This leaves some of us wondering if we will ever be patched appropriately.  Linux which I cannot use does provide an alternate source for loading the microcode before the kernel fully loads during boot.  I also  managed to find a solution released by vmware which is a temporary solution at best to use the latest microcode under Windows 7 for my processor a 4790K Haswell chip.  The need to rely on multiple sources for the updates is problematic and I have already heard of some manufacturers are not willing to support or patch anything other than their latest stuff.  Forcing an upgrade due to lack of support under these conditions endangers tens of millions of PC's currently out there.  Also, knowing what is required to get a full pass under the Microsoft test script is less than easy to find (and I still don't myself fully understand).  Also, in addition, the test script is difficult to implement especially for many that are not familiar with a command line argument environment.  From what you are telling me, if I read what you said correctly is the Microsoft patches are correct, but the BIOS patches are not.  Many PC owners of machines from Dell, HP, Toshiba, etc., are just now finding out what is required.  And I suspect in many cases a BIOS patch which needs to be implemented manually is just not going to get done.

What scares me further is that there are major bugs in 3rd party software which used the same paths that the kernels did.  This also makes the code fast, but this cutting of corners means that in many cases 3rd party software may also need to be updated manually.  Most will ignore this.  I have brought my system current, but it still was not easy and took a few days.   I have installed multiple operating systems and built computers giving me the needed skills, but most people with computers have no idea how exposed they are.  This is a very scary situation.

The following section is about Spectre security flaw:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is enabled: False

Windows OS support for branch target injection mitigation is disabled by system policy: False

Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

This part is about the Meltdown:

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID performance optimization is enabled: False [not required for security]

Looks like you have managed to fix Meltdown flaw. As you have got True at the aforementioned parts.

The Spectre flaw can be fixed only by downloading updates from the website of your OEM manufacturer. The Spectre flaw is not also easy to exploit and also somewhat harder to patch.

(Source-www.bleepingcomputer.com/news/microsoft/how-to-check-and-update-windows-systems-for-the-meltdown-and-spectre-cpu-flaws/)

I ran into the same issues.  I would like to know how to turn on correctly the following

Windows OS support for branch target injection mitigation is enabled: False

Windows OS support for branch target injection mitigation is disabled by system policy: False

Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

I have already installed the Microsoft updates, and have followed the instructions here.

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

and here

https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

One can only RTFM only so much before trying to figure out what is still missing.  Can anyone help?

Given this when I ran the powershell script I got the following.

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is enabled: False

Windows OS support for branch target injection mitigation is disabled by system policy: False

Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID performance optimization is enabled: False [not required for security]

Suggested actions

 * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://supp

ort.microsoft.com/help/4073119

BTIHardwarePresent             : True

BTIWindowsSupportPresent       : True

BTIWindowsSupportEnabled       : False

BTIDisabledBySystemPolicy      : False

BTIDisabledByNoHardwareSupport : False

KVAShadowRequired              : True

KVAShadowWindowsSupportPresent : True

KVAShadowWindowsSupportEnabled : True

KVAShadowPcidEnabled           : False