Summary
On November 12, 2019, Intel published a technical advisory for the Intel® Processor Machine Check Error vulnerability, which is assigned CVE-2018-12207. Microsoft has released updates to help mitigate this vulnerability for guest virtual machines (VMs), but the protection is disabled by default. Enabling this protection requires an action on the Hyper-V hosts that run untrusted VMs. Follow the guidance in the "Registry setting" section to enable this protection on those hosts.
Registry setting
- To enable the protection against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207), run the following command in an elevated Command Prompt on the Hyper-V host that runs untrusted VMs to set the following registry value:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v IfuErrataMitigations /t REG_DWORD /d 1 /f
Note: After executing this command, shut down and then restart all guest VMs running on the Hyper-V host.
- To disable the protection against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207), run the following command in an elevated Command Prompt on the Hyper-V host that runs untrusted VMs to set the following registry value:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v IfuErrataMitigations /t REG_DWORD /d 0 /f
Note: After executing this command, shut down and then restart all guest VMs running on the Hyper-V host.
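The following PowerShell audit is an added example, not part of the original advisory or Microsoft's own tooling. It reads the IfuErrataMitigations value described above on one or more Hyper-V hosts and lists the guests that are still running, so they can be shut down and restarted after a change. The function name Get-IfuMitigationState is hypothetical, and the script assumes an elevated session, the Hyper-V PowerShell module on each host, and PowerShell remoting for remote hosts.

```powershell
# Added example: audit the CVE-2018-12207 mitigation setting on Hyper-V hosts.
# Get-IfuMitigationState is a hypothetical helper name; host names are operator-supplied.
function Get-IfuMitigationState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $check = {
        $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
        $name = 'IfuErrataMitigations'

        # A missing value is reported as not enabled, since the advisory
        # states that the protection is disabled by default.
        $prop  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.$name } else { $null }

        # Guests must be shut down and restarted after the value changes.
        # Uptime lets the operator compare against the time of the change.
        $running = Get-VM | Where-Object State -eq 'Running' |
            ForEach-Object { '{0} (uptime {1})' -f $_.Name, $_.Uptime }

        [pscustomobject]@{
            Host       = $env:COMPUTERNAME
            Value      = $value
            Enabled    = ($value -eq 1)
            RunningVMs = $running -join '; '
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $check }                      # local host
        else { Invoke-Command -ComputerName $c -ScriptBlock $check }    # remote host
    }
}

# Audit the local host; pass -ComputerName to check others.
Get-IfuMitigationState | Format-List
```

A host that reports Enabled as False while running untrusted VMs still needs the enable command, and any guest whose uptime predates the change has not yet been restarted.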