Windows 10 V1809: Retpoline is automatically active now

[German]Microsoft has automatically activated mitigation against Spectre V2 through Retpoline compiler technology in the kernel for Windows 10 Version 1809 and Windows Server 2019 as of May 14, 2019..


Background information about Retpoline

At the beginning of the year, the attack methods Spectre and Meltdown, which work at the CPU level, became publicly known. As a result, Intel and Microsoft released a number of Meltdown and Spectre Microcode patches. An unwelcome side effect: Some patches caused massive performance losses in the systems.

On the other hand, Google software developers had the idea to mitigate speculative side channel attacks for Spectre (and Meltdown) using special code constructs. The technique is called Retpoline and was described in this Google document. Google used the Retpoline technique to patch its own servers for the cloud.

This technology has long been adopted in the Linux kernel. In March 2019, Microsoft’s customer Microsoft announced that Retpoline would also be adopted in Windows 10. The statement at that time: From Windows 10 19H1 Retpoline is used in the Windows kernel as protection against Spectre V2 attacks. In autumn 2018 I had reported about it in the article Windows 10 19H1 with Retpoline Spectre V2 Mitigation.

Within the blog post Windows 10 V1809: Enable Retpoline Spectre V2 protection I also mentioned Microsoft’s plans to do a Retpoline backport for older Windows 10 versions. In the blog post Mitigating Spectre variant 2 with Retpoline on Windows Microsoft had already published some information about Retpoline and Windows 10 at the beginning of December 2018.

With the update KB44828887 for Windows 10 Version 1809 published on March 1, 2019, Retpoline was introduced for this Windows version.


Enables “Retpoline” for Windows on certain devices, which may improve performance of Spectre variant 2 mitigations (CVE-2017-5715).

Retpoline protection wasn’t activated, though. You may have had to set registry entries to enable this protection in the kernel (see here).

Update KB4494441 activates Retpoline

As of May 14, 2019, Microsoft has updated its techcommunity article Mitigating Spectre variant 2 with Retpoline on Windows.

We’re happy to announce that today we’ve updated Retpoline cloud configuration to enable it for all supported devices!* In addition, with the May 14 Patch Tuesday update, we’ve removed the dependence on cloud configuration such that even those customers who may not be receiving cloud configuration updates can experience Retpoline performance gains.

Retpoline is enabled by default on devices running Windows 10, version 1809 and Windows Server 2019 or newer and which meet the following conditions:  

  • Spectre, Variant 2 (CVE-2017-5715) mitigation is enabled.
    • For Client SKUs, Spectre Variant 2 mitigation is enabled by default
    • For Server SKUs, Spectre Variant 2 mitigation is disabled by default. To realize the benefits of Retpoline, IT Admins can enable it on servers following this guidance.
  • Supported microcode/firmware updates are applied to the machine.

But this conditions may cause issues, as you can read within this tweet.

Similar articles
Windows 10 19H1 with Retpoline Spectre V2 Mitigation
Windows 10 V1809: Enable Retpoline Spectre V2 protection
New SplitSpectre-Attack; Windows Retpoline Spectre Mitigation
Patchday Windows 10 Updates (May 14, 2019)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *