1. Home
  2. Windows

How to enable Retpoline protection on Windows 10

Security concerns, at one point, centered around installing malicious apps, clicking on the wrong link, or being phished. That’s not true any more. Your CPU has vulnerabilities that, if exploited, can be used to steal data from your system. These vulnerabilities aren’t new. They’ve been there for quite some time, waiting to be discovered. Spectre is one such vulnerability which Microsoft and Intel have both patched however, these patches don’t fix everything and they tend to slow down systems with older CPUs.

Microsoft has since been working to improve how it mitigates Spectre. It’s come up with a new method called Retpoline which, if you’re up to do date on your monthly Windows 10 updates, you already have. Reptoline comes with the KB4482887 but it needs to be manually enabled.

Check KB4482887 update

You need to first check if the KB4482887 update has been installed on your system. Open the Settings app, select the Update & Security group of settings, and select the Windows update tab.

On the Windows update tab click View update history. The KB4482887 update should be listed under Quality Updates. If it’s not there, return to the Windows Update tab and check for updates.

Enable Retpoline protection

In order to enable Retpoline protection, you need to modify the Windows registry which requires admin rights. You will need to make two changes to the registry. if you don’t have the KB4482887 update, make sure it’s installed before you make these changes.

Open the Windows registry and go to the following location;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Right-click the Memory Management key and select New>DWORD (32-bit) value. Name it FeatureSettingsOverride. Double-click it and in the value data box, enter 400.

Right-click the Memory Management key again, and again select New>DWORD (32-bit) value. Name this one FeatureSettingsOverrideMask. Double-click it and again, enter 400 in the value data box.

Once you’re done, restart your PC. Do not just restart File Explorer.

Verify

To check if you’ve correctly enabled Retpoline, you can use the Get-SpeculationControlSettings cmdlet in PowerShell.

Download it from the Technet gallery and extract the folder. Open PowerShell with admin rights and run the following two commands, one at a time.

$SaveExecutionPolicy = Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned -Scope Currentuser

Next, run this command to import the cmdlet. You will need to enter the full path to the extracted folder and the PSD1 file in it.

Import-Module.\SpeculationControl.psd1

Example

Import-Module C:\SpeculationControl\SpeculationControl.psd1

Once the cmdlet has been installed, run this command to check if Retpoline has been enabled or not.

Get-SpeculationControlSettings

Match it with the results here.

Leave a comment