Enable In this update the Windows OS support for PCID performance optimization is enabled Windows Server 2012 R2

Question

I've been following this article regarding the update of Google Compute VMs running Windows Server 2012 R2 and getting mixed results. In the Microsoft Article everything is flagged as True.

Below are two screen shots from two different VMs running the same version of Windows Server 2012 R2 in Google Compute

In this update the Windows OS support for PCID performance optimization is enabled: False (How do I set this to True) In this update Windows OS support for PCID performance optimization is enabled:True

How do I set Windows OS support for PCID performance optimization to True

Also looking at the screen shots, should I have any other concerns? Can they all be set to True like the Microsoft Article?

Thanks in advance

Answer 1

PCID (Process-Context Identifiers) is a feature present in some CPU's (mostly newer/higher end, generally think Haswell(4th-gen) onwards/or newer) that helps mitigate some of the performance impact introduced by the meltdown patch.

This is not something you can set - if Windows detects your CPU supports PCID, Windows will use it and confirm in the line you listed that it is on.

tldr: PCID does not influence your security, it mitigates some of the performance impact.

PS: You can check this on going discussion and update available on improvement (and fixes) for Windows Server 2012 R2 Standard as well.

Answer 2

Please download Sysinternals Coreinfo. And then run this program with elevated command prompt.

There is a long list of CPU-Features.

Find the PCID and INVPCID feature. Only the features marked with a star are activated, features with the minus-sign are not activated.

Please share the CPU-name (in the Systems screen) on both VM-images.

I think that the newest generation of Xeon-Core is able to pass-through INVPCID-feature to the guest.

I have a Windows Server2012 R2-VM running on a Xeon E5-2620 v3 ( Haswell-EP ). And it is not able activate INVPCID .

Win Server2012 R2 running directly on Haswell-EP (without virtualization) is able to use INVPCID (100% shure).

---

Second guess is:

Perhaps there are differences in the billing/contract of the VM.

Having a VM exclusivley running on one physical core is -> INVPCID enabled

More then one VM running on one physical core -> INVPCID disabled

Answer 3

What type of VM is that ? In VMware you have the following due EVC mode: https://kb.vmware.com/s/article/1003212 Intel "Haswell" Generation
Applies baseline feature set of Intel "Haswell" Generation processors to all hosts in the cluster. Compared to the Intel "Ivy Bridge" Generation EVC mode, this EVC mode exposes additional CPU features including ABMX2, MOVBE, FMA, PERMD, RORX/MULX, INVPCID, VMFUNC.

Answer 4

Windows will use PCID if the hardware supports INVPCID—that means Haswell or newer. If the hardware doesn't support INVPCID, then Windows won't fall back to using plain PCID; it just won't use the feature at all.

The Meltdown dual page tables require processors to perform more TLB flushing, sometimes a lot more. PCID is purpose-built to enable switching to a different set of page tables without having to wipe out the TLB. And since Meltdown needed patching, those Windows and Linux developers were finally given a good reason to use PCID and INVPCID.

To check, if your processor support PCID and INVPCID download from Microsoft "Coreinfo.exe" unzip it and run it with Command window. Check the mark in second column in front of PCID and INVPCID. "*" - means that function is supported from your CPU, "-" means that it is not supported from the CPU.

In my case PCID was supported, but INVPCID was not, therefore Windows had disabled PCID utilization after Meltdown & Specter security patch.

Most of the answers you have are from idiots who do not understand the matter of the question.