Speculative Execution Side-Channel Vulnerabilities Configuration Baseline

This Configuration Manager configuration baseline is used to confirm whether a system has enabled the protections needed to protect against the speculative-execution side-channel vulnerabilities as described in Microsoft Security Advisory ADV180002, Microsoft Security Advisory ADV180012, Microsoft Security Advisory ADV180018 and Microsoft Security Advisory ADV190013. It is based on the functionality in the PowerShell module Get_SpeculationControlSettings. It requires at least PowerShell 3.0.

Supported Operating Systems

Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows 10

The compliance baseline requires:

• A supported verion of Configuration Manager.
• At least PowerShell 3.0.

1. To import this configuration baseline, download the .cab file and follow the instructions here: https://docs.microsoft.com/mem/configmgr/compliance/deploy-use/import-configuration-data.
2. To deploy the configuration baseline, follow the instructions here: https://docs.microsoft.com/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines. Note: the embedded PowerShell scripts are signed. To deploy signed PowerShell scripts the code signing cert needs to be a trusted publisher. The first four CIs and the last CI are signed with two different certificates. Both certificates need to be trusted.
3. To view the compliance results, follow the instructions here: https://docs.microsoft.com/mem/configmgr/compliance/deploy-use/monitor-compliance-settings.

See the included user guide for further information.