Will Microsoft release CPU microcode updates via Windows Update as well?

  • Question

  • The latest CPU vulnerabilities require some Intel CPU microcode updates. They can be delivered by either hardware vendor BIOS updates or Windows OS updates.

    Because some hw vendors have already announced they will not provide microcode BIOS updates for older Intel CPU generations (while Intel does), the only option remaining is the update via Windows OS. The latest microcode update in Windows is from 2015.

    Thanks.

    Friday, January 5, 2018 8:26 PM

All replies

  • Hi, I don't know if Windows can perform motherboard BIOS updates, but I recommend patching your own BIOS with the patched Intel CPU microcode (if they release one) if your motherboard manufacturer doesn't provide one. Keep in mind that it's risky, but it could fix the problem and make your system secure.

    Here is the guide:

    https://www.delidded.com/lga-771-xeon-microcode/

    I can help you if you want once the updated microcodes are released, just ask.

    Saturday, January 6, 2018 2:44 AM
  • Hi,

    Please specify the latest CPU vulnerabilities you said.
    Are you talking about the same as Meltdown and Spectre CPU Vulnerabilities: What You Need to Know
    https://www.welivesecurity.com/2018/01/05/meltdown-spectre-cpu-vulnerabilities/

    Regards,

    Ashidacchi

    Saturday, January 6, 2018 8:06 AM
  • Hi i don't know if windows can perform motherboard bios updates

    Yes, a BIOS update is only one of the options. Windows can update CPU microcode on boot and it actually does, last time sometime around 2015.

    Because some hw vendors have already announced they will not bother with BIOS updates to deliver the fixed CPU microcode for older generations (while Intel will provide it), the CPU microcode update via Windows seems to be a good and safe option.

    Saturday, January 6, 2018 9:49 AM
  • Are you talking about the same as Meltdown and Spectre CPU Vulnerabilities
    Yes.
    Saturday, January 6, 2018 9:50 AM
  • The article is just a compilation of mess. Again, will Microsoft provide a CPU microcode update via Windows OS because most hardware vendors don't care about updating BIOS?
    Sunday, January 7, 2018 9:08 AM
  • Update CPU microcode only with BIOS updates!!! A CPU microcode update via Windows is not enough to fully fix the bugs.

    >>>The system BIOS and/or Operating System can then initiate the loading of a microcode update into the CPU. Such an update is not a complete microcode, but rather a small patch to address bugs<<<

    CVE-2017-5715, known as "Spectre", requires updating the BIOS / firmware with new CPU microcode.

    PRIME Z370-A BIOS Version 0606    2018/01/04 8.56 MBytes

    "1. Update CPU Microcode 

    2. Improve system compatibility and stability"

    Dell Precision Rack 7910 BIOS Version 2.7.0
    This release provides continued code optimization to improve stability & performance. This release contains BIOS firmware version 2.7.0 for Dell Precision Rack 7910, Last Updated 19 Dec 2017

    - Enhancement to address CVE-2017-5715 details to be published January 2018.
    - Updated the Intel Xeon Processor E5-2600 v4 Product Family Processor Microcode to version 0x0b000025.
    - Updated the Xeon Processor E5-2600 v3 Product Family Processor Microcode to version 0x3B.
    - Added a workaround to fix false Multibit memory errors after a CPU IERR.


    • Edited by unlimitedLT Monday, January 8, 2018 7:28 PM
    Monday, January 8, 2018 7:25 PM
  • Hi all, 

    Please check this thread about this question: 

    https://social.technet.microsoft.com/Forums/windows/en-US/b49437be-eb74-42d7-8ec8-5018c3280acb/mitigations-for-speculative-execution-sidechannel-vulnerabilities-in-cpu-microcode?forum=win10itprogeneral

    I will keep updating on this.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 11, 2018 2:03 AM
    Owner
  • Intel has already released microcode updates, which are loaded to the processor while the system is booting. Unfortunately this only applies to Linux.
    See: https://goo.gl/cPn1Xc

    I hope/expect/urge Microsoft to do the same with an upcoming update, so that Windows also loads the microcode during boot. Too many mainboard manufacturers won't care to update the BIOS.


    • Edited by MS-Wing Thursday, January 11, 2018 2:30 PM addition
    Thursday, January 11, 2018 2:29 PM
  • There best be an opt-out for people on Haswell and lower.

    This whole thing has been blown way out of proportion.

    Friday, January 12, 2018 5:11 AM
  • Yeah, I'm in the same situation with my Haswell 4790K and ASUS just ignoring what they think is garbage hardware nowadays — which is not! OK, manufacturers think about money, so they push people buying new hardware, but in this very case they should help people since it's a planetary issue.

    Or MS finds a way to do as Linux does, loading the microcode during boot, or we are defenceless against Spectre V2.

    I guess it's impossible to create a universal boot file to load from BIOS, starting from your own microcode version, just to update the microcode. The Fling Windows driver procedure can't fix Spectre V2 either.

    Is it possible to reverse engineer a BIOS file isolating the part dedicated to the microcode and overwriting that part only?

    Google managed to fix their Cloud infrastructure creating a team of engineers working full time on the vulnerabilities. They created an open source project called Retpoline and they also managed to mitigate the performance issues.

    Is it possible for MS to convert the Cloud/Server based fixes created by Google, for us Windows customers, to protect our Desktop/Laptop PCs?

    Monday, January 22, 2018 1:52 AM
  • Windows, starting from Windows 7 at least, can and does update microcode itself. It has an embedded mechanism ready and used to do that - look for the mcupdate_GenuineIntel.dll file, or see kb2493989 and kb3064209 as a live example. Updating microcode via a Windows on-demand hotfix, and maybe even over the mass Windows Update, looks much simpler and safer than disassembling, patching and flashing the BIOS. However, unfortunately, the existing microcode updates in mcupdate_GenuineIntel.dll are very old, were issued only as an emergency patch, and it seems doubtful that they will ever be updated.

    Pro:

    • Easy way to update for the customers, especially with the old hardware;
    • The only real way to mass-update the CPU microcode in the real world.

    Contra:

    • Intel have recalled the microcode update, because it is known to cause glitches and reboots (but promises to create a new bug-free version, without giving a release date). Major hardware and software vendors have recalled the microcode update too;
    • If something goes wrong with the update, Microsoft will be the one to blame, even if not responsible for that;
    • Microsoft will need to do additional work and testing (lots of testing) for free and not in its responsibility zone. Maybe Intel may somehow push them - who knows?


    So, let's see what happens when Intel releases the stable CPU microcode patches. I bet nothing, but let's hope for the best!


    From the donkey's nest ... :)

    • Edited by bazanovv Thursday, January 25, 2018 7:03 AM
    Wednesday, January 24, 2018 1:56 PM
  • Lots of good information here, but it seems like most posters assume microcode is a one-time thing, like a firmware update. That is not true, it is written to volatile memory, and must be re-written every time the processor is powered on. The UEFI writes the microcode once during POST, then the OS Kernel does it again as it starts (assuming that version or a newer version is not already running). Ideally having the latest version in the UEFI would be nice, but if your hardware vendor has not released a newer firmware containing it, then allowing the OS to handle it works just as well.
    Wednesday, April 4, 2018 7:06 PM
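
An added example, not part of any post in this thread: a PowerShell check of the two loading stages described above, comparing the microcode revision the firmware applied at POST with the revision running after the Windows kernel started. It assumes the per-CPU registry values `Previous Update Revision` and `Update Revision` are 8-byte binary values with the revision in the upper four bytes, and that `mcupdate_GenuineIntel.dll` is in `System32`.

```powershell
# Added example: did the firmware or the OS supply the microcode that is running now?
# Assumption: 'Previous Update Revision' holds the revision left by the BIOS/UEFI and
# 'Update Revision' the one active after the Windows loader ran; both are 8-byte
# REG_BINARY values whose upper four bytes are the little-endian revision.

function ConvertTo-McuRevision {
    param([byte[]]$Raw)
    if ($null -eq $Raw -or $Raw.Length -lt 8) { return $null }  # value missing or unexpected layout
    return [BitConverter]::ToUInt32($Raw, 4)
}

function Format-McuRevision {
    param($Revision)
    if ($null -eq $Revision) { return 'n/a' }
    return '0x{0:X}' -f $Revision
}

$cpuRoot = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor'

$report = foreach ($key in Get-ChildItem -Path $cpuRoot) {
    $props    = Get-ItemProperty -Path $key.PSPath
    $firmware = ConvertTo-McuRevision $props.'Previous Update Revision'
    $running  = ConvertTo-McuRevision $props.'Update Revision'

    [pscustomobject]@{
        Cpu              = $key.PSChildName
        Name             = $props.ProcessorNameString
        FirmwareRevision = Format-McuRevision $firmware
        RunningRevision  = Format-McuRevision $running
        # True only when the OS replaced the firmware's microcode with a newer revision
        UpdatedByOS      = ($null -ne $firmware -and $null -ne $running -and $running -gt $firmware)
    }
}

$report | Format-Table -AutoSize

# The OS-side microcode container mentioned in the thread; its date shows how old
# the microcode shipped with Windows is on this machine.
$mcuDll = Join-Path $env:SystemRoot 'System32\mcupdate_GenuineIntel.dll'
if (Test-Path $mcuDll) {
    Get-Item $mcuDll |
        Select-Object Name, LastWriteTime, @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } }
} else {
    Write-Output "No mcupdate_GenuineIntel.dll found at $mcuDll"
}
```

Equal revisions in both columns mean the running microcode is whatever the firmware provided; the vendor release notes or Intel's published revision for the CPU tell you whether that revision includes the CVE-2017-5715 mitigation.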
  • kb4091664 is released with microcode updates for lots of the Intel CPUs, but not yet for all :) Only Windows 10 / Server 2016 so far.

    Respect and thanks to Intel and Microsoft!

    Remember that for the server OS family you need to switch the protection ON manually, due to the visible performance hit. For the client OS family it is done by default when installing updates.


    From the donkey's nest ... :)

    • Proposed as answer by bazanovv Friday, August 24, 2018 1:57 PM
    Friday, August 24, 2018 1:55 PM