Switched from class to mof structured DSC resource as it is easier to test. Switched to two examples, one for enable and one for disabled

Author: kjacobsen

DSCResources/cSpeculationControlFix/cSpeculationControlFix.psm1

@@ -0,0 +1,120 @@
+$MemoryManagementPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
+$VirtualizationPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
+
+Function Get-TargetResource
+{
+    [OutputType([System.Collections.Hashtable])]
+    [CMDLetBinding()]
+    param
+    (
+        # Parameter help description
+        [Parameter(Mandatory = $true)]
+        [ValidateSet('Enabled', 'Disabled')]
+        [String]
+        $Status
+    )
+
+    $getTargetResourceResult = $null
+
+    # Test if the fixes are enabled
+    $FeatureSettingsOverrideEnabled = Test-RegistryItem -Path $MemoryManagementPath -Name 'FeatureSettingsOverride' -ExpectedValue 0
+    Write-Verbose -Message ('FeatureSettingsOverride is {0}' -f $FeatureSettingsOverrideEnabled)
+
+    $FeatureSettingsOverrideMaskEnabled = Test-RegistryItem -Path $MemoryManagementPath -Name 'FeatureSettingsOverrideMask' -ExpectedValue 3
+    Write-Verbose -Message ('FeatureSettingsOverrideMask is {0}' -f $FeatureSettingsOverrideMaskEnabled)
+
+    $MinVmVersionForCpuBasedMitigationsEnabled = Test-RegistryItem -Path $VirtualizationPath -Name 'MinVmVersionForCpuBasedMitigations' -ExpectedValue '1.0'
+    Write-Verbose -Message ('MinVmVersionForCpuBasedMitigations is {0}' -f $MinVmVersionForCpuBasedMitigationsEnabled)
+
+    if ($FeatureSettingsOverrideEnabled -and $FeatureSettingsOverrideMaskEnabled -and $MinVmVersionForCpuBasedMitigationsEnabled)
+    {
+        $Status = 'Enabled'
+    }
+    else
+    {
+        $Status = 'Disabled'
+    }
+
+    $getTargetResourceResult = @{
+        Status = $Status
+    }
+
+    $getTargetResourceResult
+}
+
+Function Set-TargetResource
+{
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidGlobalVars', '')]
+    [CMDLetBinding(SupportsShouldProcess=$true)]
+    param
+    (
+        # Parameter help description
+        [Parameter(Mandatory = $true)]
+        [ValidateSet('Enabled', 'Disabled')]
+        [String]
+        $Status
+    )
+
+    if ($Status -eq 'Enabled')
+    {
+        Write-Verbose -Message 'Enabling Protections'
+        if ($PSCmdlet.ShouldProcess('Enable cSpeculationControlFix', 'Set-TargetResource')) {
+            Update-RegistryItem -Path $MemoryManagementPath -Name 'FeatureSettingsOverride' -Value 0 -PropertyType 'DWORD' -Confirm:$false
+            Update-RegistryItem -Path $MemoryManagementPath -Name 'FeatureSettingsOverrideMask' -Value 3 -PropertyType 'DWORD' -Confirm:$false
+            Update-RegistryItem -Path $VirtualizationPath -Name 'MinVmVersionForCpuBasedMitigations' -Value '1.0' -PropertyType 'STRING' -Confirm:$false
+        }
+    }
+    else
+    {
+        Write-Verbose -Message 'Disabling Protections'
+        if ($PSCmdlet.ShouldProcess('Disable cSpeculationControlFix', 'Set-TargetResource')) {
+            Update-RegistryItem -Path $MemoryManagementPath -Name 'FeatureSettingsOverride' -Value 3 -PropertyType 'DWORD' -Confirm:$false
+            Update-RegistryItem -Path $MemoryManagementPath -Name 'FeatureSettingsOverrideMask' -Value 3 -PropertyType 'DWORD' -Confirm:$false
+        }
+    }
+
+    # Setting the global:DSCMachineStatus = 1 tells DSC that a reboot is required
+    $global:DSCMachineStatus = 1
+}
+
+Function Test-TargetResource
+{
+    [CMDLetBinding()]
+    [OutputType([bool])]
+    param
+    (
+        # Parameter help description
+        [Parameter(Mandatory = $true)]
+        [ValidateSet('Enabled', 'Disabled')]
+        [String]
+        $Status
+    )
+
+    if ($Status -eq 'Enabled')
+    {
+        $FeatureSettingsOverrideEnabled = Test-RegistryItem -Path $MemoryManagementPath -Name 'FeatureSettingsOverride' -ExpectedValue 0
+        Write-Verbose -Message ('FeatureSettingsOverride is {0}' -f $FeatureSettingsOverrideEnabled)
+
+        $FeatureSettingsOverrideMaskEnabled = Test-RegistryItem -Path $MemoryManagementPath -Name 'FeatureSettingsOverrideMask' -ExpectedValue 3
+        Write-Verbose -Message ('FeatureSettingsOverrideMask is {0}' -f $FeatureSettingsOverrideMaskEnabled)
+
+        $MinVmVersionForCpuBasedMitigationsEnabled = Test-RegistryItem -Path $VirtualizationPath -Name 'MinVmVersionForCpuBasedMitigations' -ExpectedValue '1.0'
+        Write-Verbose -Message ('MinVmVersionForCpuBasedMitigations is {0}' -f $MinVmVersionForCpuBasedMitigationsEnabled)
+
+        $FixStatus = $FeatureSettingsOverrideEnabled -and $FeatureSettingsOverrideMaskEnabled -and $MinVmVersionForCpuBasedMitigationsEnabled
+    }
+    else
+    {
+        $FeatureSettingsOverrideEnabled = Test-RegistryItem -Path $MemoryManagementPath -Name 'FeatureSettingsOverride' -ExpectedValue 3
+        Write-Verbose -Message ('FeatureSettingsOverride is {0}' -f $FeatureSettingsOverrideEnabled)
+
+        $FeatureSettingsOverrideMaskEnabled = Test-RegistryItem -Path $MemoryManagementPath -Name 'FeatureSettingsOverrideMask' -ExpectedValue 3
+        Write-Verbose -Message ('FeatureSettingsOverrideMask is {0}' -f $FeatureSettingsOverrideMaskEnabled)
+
+        $FixStatus = $FeatureSettingsOverrideEnabled -and $FeatureSettingsOverrideMaskEnabled
+    }
+
+    Write-Verbose -Message ('cSpeculationControlFix should be {0} = {1}' -f $Status, $FixStatus)
+    $FixStatus
+}

DSCResources/cSpeculationControlFix/cSpeculationControlFix.schema.mof

@@ -0,0 +1,5 @@
+[ClassVersion("1.0.0"), FriendlyName("cSpeculationControlFix")]
+class cSpeculationControlFix : OMI_BaseResource
+{
+	[Key] string Status;
+};

Examples/cSpeculationControlFix_disable.Example.ps1

@@ -0,0 +1,10 @@
+Configuration EnableSpeculationControl
+{
+    Import-DscResource -Module cSpeculationControlFixes
+    cSpeculationControlFix enableSpeculationControlFix
+    {
+        Status = 'Disabled'
+    }
+}
+
+EnableSpeculationControl -OutputPath C:\DSCConfiguration

Examples/cSpeculationControlFix.Example.ps1 Examples/cSpeculationControlFix_enable.Example.ps1

@@ -6,5 +6,5 @@ Configuration EnableSpeculationControl
         Status = 'Enabled'
     }
 }
-EnableSpeculationControl -OutputPath C:\DSCConfiguration
-#Start-DSCConfiguration -Wait -Force -Verbose -Path C:\DSCConfiguration
+
+EnableSpeculationControl -OutputPath C:\DSCConfiguration

cSpeculationControlFixes.psd1

@@ -9,7 +9,7 @@
 @{
 
 # Script module or binary module file associated with this manifest.
-# RootModule = ''
+RootModule = 'cSpeculationControlFixes.psm1'
 
 # Version number of this module.
 ModuleVersion = '0.1'
@@ -33,7 +33,7 @@ Copyright = '(c) 2018 Kieran Jacobsen. All rights reserved.'
 Description = 'PowerShell DSC for enabling Speculation Control fixes on Windows Server'
 
 # Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '5.0'
+PowerShellVersion = '4.0'
 
 # Name of the Windows PowerShell host required by this module
 # PowerShellHostName = ''
@@ -66,10 +66,10 @@ PowerShellVersion = '5.0'
 # FormatsToProcess = @()
 
 # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-NestedModules = @('dscresources\cSpeculationControlFix.psm1')
+# NestedModules = @()
 
 # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-FunctionsToExport = @()
+FunctionsToExport = @('Test-RegistryItem', 'Update-RegistryItem')
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
 CmdletsToExport = @()
@@ -81,7 +81,7 @@ VariablesToExport = '*'
 AliasesToExport = @()
 
 # DSC resources to export from this module
-DscResourcesToExport = @('cSpeculationControlFix')
+# DscResourcesToExport = @()
 
 # List of all modules packaged with this module
 # ModuleList = @()
@@ -95,7 +95,7 @@ PrivateData = @{
     PSData = @{
 
         # Tags applied to this module. These help with module discovery in online galleries.
-        Tags = @('Speculation', 'SpeculationControl', 'Spectre', 'Meltdown')
+        Tags = @('DesiredStateConfiguration', 'DSC', 'DSCResource', 'Speculation', 'SpeculationControl', 'Spectre', 'Meltdown', 'CPU')
 
         # A URL to the license for this module.
         # LicenseUri = ''

cSpeculationControlFixes.psm1

@@ -0,0 +1,24 @@
+# Taken from http://overpoweredshell.com/Working-with-Plaster/
+
+$functionFolders = @('functions', 'internal', 'classes')
+ForEach ($folder in $functionFolders)
+{
+    $folderPath = Join-Path -Path $PSScriptRoot -ChildPath $folder
+    If (Test-Path -Path $folderPath)
+    {
+        Write-Verbose -Message "Importing from $folder"
+        $functions = Get-ChildItem -Path $folderPath -Filter '*.ps1'
+        ForEach ($function in $functions)
+        {
+            Write-Verbose -Message "  Importing $($function.BaseName)"
+            . $($function.FullName)
+        }
+    }
+}
+
+$PublicFunctionsPath = Join-Path -path $PSScriptRoot -ChildPath 'functions'
+if (Test-Path -Path $PublicFunctionsPath)
+{
+    $publicFunctions = (Get-ChildItem -Path $PublicFunctionsPath -Filter '*.ps1').BaseName
+    Export-ModuleMember -Function $publicFunctions
+}

dscresources/cSpeculationControlFix.psm1

@@ -45,6 +45,13 @@ function Update-RegistryItem
         [String]
         $PropertyType
     )
+    # Test if the path exists
+    if (-not (Test-Path -Path $Path)) {
+        Write-Verbose -Message 'Path does not exist, Calling New-Item'
+        if ($PSCmdlet.ShouldProcess($Name, 'New-Item')) {
+            $null = New-Item $Path -ItemType Directory
+        }
+    }
 
     $Item = Get-Item -Path $Path