Public/Enable-SpectreMeltdownMitigation.ps1
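function Enable-SpectreMeltdownMitigation {
    <#
    .SYNOPSIS
        Applies registry-based mitigations for the Spectre and Meltdown CPU vulnerabilities.

    .DESCRIPTION
        Writes the FeatureSettingsOverride (72) and FeatureSettingsOverrideMask (3) DWORD values
        under HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, the
        documented switch for the Windows kernel's speculative-execution mitigations.

        That registry switch governs the kernel mitigations for CVE-2017-5715 (Spectre variant 2,
        branch target injection) and CVE-2017-5754 (Meltdown). CVE-2017-5753 (Spectre variant 1,
        bounds-check bypass) is addressed by code changes in the OS and in compilers rather than
        by this value, so this function should not be relied on as a Spectre v1 mitigation.

        NOTE(review): Microsoft's guidance tables (KB4072698 for servers, KB4073119 for clients)
        list 0 with mask 3 for the Spectre v2 + Meltdown pair alone; 8 and 72 are listed for
        broader sets that add Speculative Store Bypass (CVE-2018-3639) and L1 Terminal Fault
        (CVE-2018-3620) mitigations. Confirm that 72 is the posture you intend before rolling
        this out, and verify the effective state after the reboot with
        Get-SpeculationControlSettings (SpeculationControl module) rather than trusting the
        registry write alone.

        A system restart is required for the mitigations to take effect. With -Force the restart
        is attempted only after the registry writes have succeeded; a failed remote write is a
        terminating error and never reaches the restart step.

    .INPUTS
        None. Parameters must be supplied directly.

    .OUTPUTS
        None.

    .PARAMETER ComputerName
        The target computer. Defaults to the local machine. The names 'localhost', '.',
        '127.0.0.1', '::1' and the local computer name are applied locally without remoting.

    .PARAMETER Force
        Restarts the computer immediately after the change has been applied successfully.
        The restart is itself subject to -WhatIf / -Confirm.

    .EXAMPLE
        Enable-SpectreMeltdownMitigation

        Applies the Spectre/Meltdown mitigation values on the local machine and warns that a
        restart is needed.

    .EXAMPLE
        Enable-SpectreMeltdownMitigation -ComputerName 'Server01' -Force

        Applies the mitigation values on Server01 over PowerShell remoting and restarts it.

    .NOTES
        Requires Administrator privileges on the target (HKLM write).
        Remote registry writes use Invoke-Command and therefore require WinRM on the target.
        NOTE(review): Restart-Computer reaches a remote host over WMI/DCOM in Windows
        PowerShell 5.1 and over WSMan in PowerShell 7, so on 5.1 the remote restart may need
        DCOM reachability in addition to WinRM -- confirm for your environment.
    #>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    [OutputType([void])]
    param (
        [Parameter(Mandatory = $false)]
        [string]$ComputerName = $env:COMPUTERNAME,

        [Parameter(Mandatory = $false)]
        [switch]$Force
    )

    # Loopback spellings that should be handled in-process rather than through remoting.
    $isLocal = ($ComputerName -ieq $env:COMPUTERNAME) -or
        ($ComputerName -ieq 'localhost') -or
        ($ComputerName -eq '.') -or
        ($ComputerName -eq '127.0.0.1') -or
        ($ComputerName -eq '::1')

    $registryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

    # Runs either in-process or inside the remote session; every failure is terminating so the
    # caller never reports success (or reboots) on a half-applied change.
    $applyMitigation = {
        param([string]$Path)

        if (-not (Test-Path -LiteralPath $Path)) {
            throw "Registry key '$Path' was not found; cannot apply Spectre/Meltdown mitigation settings."
        }

        Set-ItemProperty -LiteralPath $Path -Name 'FeatureSettingsOverride'     -Value 72 -Type DWord -ErrorAction Stop
        Set-ItemProperty -LiteralPath $Path -Name 'FeatureSettingsOverrideMask' -Value 3  -Type DWord -ErrorAction Stop
    }

    if (-not $PSCmdlet.ShouldProcess($ComputerName, 'Set FeatureSettingsOverride = 72 and FeatureSettingsOverrideMask = 3')) {
        return
    }

    if ($isLocal) {
        & $applyMitigation $registryPath
    }
    else {
        # Without -ErrorAction Stop an error raised inside the remote script block is surfaced
        # as a non-terminating error here, and the function would go on to log success and,
        # with -Force, reboot a host whose registry was never updated.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $applyMitigation -ArgumentList $registryPath -ErrorAction Stop
    }

    Write-Verbose "Spectre/Meltdown mitigation registry values applied on '$ComputerName'."

    $restarting = $false
    if ($Force -and $PSCmdlet.ShouldProcess($ComputerName, 'Restart computer to apply changes')) {
        $restarting = $true
        Restart-Computer -ComputerName $ComputerName -Force -ErrorAction Stop
    }

    if (-not $restarting) {
        Write-Warning "A system restart is required for mitigations to take effect."
    }
}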