Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1000845%22%20slang%3D%22en-US%22%3EDemystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1000845%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20my%20name%20is%20Steve%20Mathias%2C%20Microsoft%20Premier%20Field%20Engineer%20(PFE)%20and%20I%20wanted%20to%20spend%20a%20moment%20to%20discuss%20the%20%E2%80%9Cmechanics%E2%80%9D%20of%20the%20Intel%20Microcode%20Updates%20that%20you%20may%20see%20coming%20down%20from%20Microsoft%20Update%20or%20the%20Windows%20Catalog.%26nbsp%3B%20The%20security%20implications%20of%20why%20you%20should%20update%20the%20microcode%20on%20your%20processors%20are%20already%20covered%20in%20the%20below%20documentation%20from%20us%20and%20our%20partners%20(Spectre%2FSBB%2Fetc.)%3A%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fsupport.microsoft.com%252Fen-us%252Fhelp%252F4093836%252Fsummary-of-intel-microcode-updates%26amp%3Bdata%3D02%257C01%257Cstevemat%2540microsoft.com%257Cc8c33661ac8544b427b508d75bc929e9%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637078791864793690%26amp%3Bsdata%3Dj%252BII8BHK0gN%252B6W7UYb5L%252F%252BW6rU2AXjGsV%252Bki%252FmWcy5o%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4093836%2Fsummary-of-intel-microcode-updates%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fwww.intel.com%252Fcontent%252Fwww%252Fus%252Fen%252Fsecurity-center%252Fadvisory%252Fintel-sa-00233.html%26amp%3Bdata%3D02%257C01%257Cstevemat%2540microsoft.com%257Cc8c33661ac8544b427b508d75bc929e9%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637078791864793690%26amp%3Bsdata%3DGyVi75aWit75mrOIJQhhekJ7%252B%252Fkn5VhMlsJuk3qqBUo%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.intel.com%2Fcontent%2Fwww%2Fus%2Fen%2Fsecurity-center%2Fadvisory%2Fintel-sa-00233.html%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fwww.amd.com%252Fen%252Fcorporate%252Fproduct-security%26amp%3Bdata%3D02%257C01%257Cstevemat%2540microsoft.com%257Cc8c33661ac8544b427b508d75bc929e9%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637078791864803690%26amp%3Bsdata%3D9Q9uSN2DIBUnlaEkXTC%252FAGnz3t8iu%252FYqDa6P5eXbUQ4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.amd.com%2Fen%2Fcorporate%2Fproduct-security%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20purpose%20of%20this%20blog%20is%20to%20help%20answer%20why%20Microsoft%20is%20collaborating%20with%20our%20partners%20Intel%20and%20AMD%20on%20these%20microcode%20updates%20and%20a%20little%20background%20on%20how%20these%20updates%20work.%26nbsp%3B%20To%20start%20the%20discussion%2C%20we%20need%20to%20lay%20down%20a%20key%20fact%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EWhen%20processors%20are%20manufactured%2C%20they%20have%20a%20baseline%20microcode%20baked%20into%20their%20ROM.%26nbsp%3B%20This%20microcode%20is%20%3CSTRONG%3E%3CEM%3Eimmutable%3C%2FEM%3E%3C%2FSTRONG%3E%20and%20cannot%20be%20changed%20after%20the%20processor%20is%20built.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EModern%20processors%20do%20have%20the%20ability%20at%20initialization%20to%20apply%20volatile%20updates%20to%20move%20the%20processor%20to%20a%20newer%20microcode%20level.%26nbsp%3B%20However%2C%20as%20soon%20as%20the%20processor%20is%20rebooted%2C%20it%20reverts%20back%20to%20the%20microcode%20baked%20into%20their%20ROM.%26nbsp%3B%20These%20volatile%20updates%20can%20be%20applied%20to%20the%20processor%20one%20of%20two%20ways%20%E2%80%93%20System%20Firmware%2FBIOS%20via%20OEM%20and%20by%20the%20Operating%20System%20(OS).%26nbsp%3B%20However%2C%20as%20stated%20earlier%2C%20neither%20is%20updating%20the%20microcode%20in%20the%20processors%20ROM.%26nbsp%3B%20If%20you%20were%20to%20remove%20the%20processor%20from%20one%20computer%20and%20install%20in%20a%20computer%20with%20an%20older%20System%20Firmware%2FBIOS%20and%20an%20un-updated%20OS%2C%20you%20will%20be%20back%20to%20being%20vulnerable.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECouple%20common%20questions%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EWhy%20is%20Microsoft%20collaborating%20with%20Intel%20and%20AMD%20and%20publishing%20Microcode%20Updates%20via%20Microsoft%20Update%3F%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3EThe%20answer%20is%20simply%20that%20Windows%20offers%20the%20broadest%20coverage%20and%20quickest%20turnaround%20time%20to%20address%20these%20vulnerabilities.%26nbsp%3B%20Microcode%20updates%20delivered%20via%20the%20Windows%20OS%20are%20not%20new%3B%20as%20far%20back%20as%202007%20some%20updates%20were%20made%20available%20to%20address%20performance%20and%20reliability%20concerns.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ECan%20I%20skip%20taking%20updates%20delivered%20via%20Windows%20and%20only%20take%20updates%20from%20my%20OEM%20via%20System%20Firmware%2FBIOS%20Update%3F%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3ETechnically%20speaking%20you%20could%20but%20as%20mentioned%20earlier%2C%20often%20Microsoft%20Update%20may%20have%20the%20microcode%20updates%20to%20address%20issues%20much%20sooner.%26nbsp%3B%20Work%20with%20your%20OEM%20to%20help%20make%20this%20decision%20or%20simply%20take%20the%20updates%20from%20Microsoft%20Update.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIs%20there%20a%20problem%20if%20I%20update%20my%20System%20Firmware%2FBIOS%20with%20one%20version%20of%20a%20microcode%20update%20and%20allow%20Windows%20to%20install%20a%20different%20version%20of%20a%20microcode%20update%3F%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3EWhen%20the%20processor%20boots%2C%20it%20has%20versioning%20to%20make%20sure%20it%20is%20utilizing%20the%20latest%20microcode%20updates%20regardless%20of%20where%20it%20may%20be%20coming%20from.%26nbsp%3B%20So%2C%20installing%20System%20Firmware%2FBIOS%20updates%20and%20microcode%20updates%20from%20Microsoft%20Update%20is%20perfectly%20acceptable.%26nbsp%3B%20It%20is%20possible%20that%20the%20OEM%20updates%20the%20microcode%20to%20one%20level%20and%20the%20OS%20updates%20the%20microcode%20to%20an%20even%20higher%20level%20during%20the%20same%20boot.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIn%20Windows%2C%20how%20are%20microcode%20updates%20delivered%20to%20the%20processor%3F%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3EMicrocode%20updates%20install%20like%20any%20other%20update.%26nbsp%3B%20They%20can%20be%20installed%20from%20Microsoft%20Update%2C%20WSUS%2C%20SCCM%20or%20manually%20installed%20if%20downloaded%20from%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.catalog.update.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECatalog%3C%2FA%3E.%26nbsp%3B%20The%20key%20difference%20is%20that%20the%20payload%20of%20the%20hotfix%20is%20primarily%20one%20of%20two%20files%3A%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%20150px%3B%22%3Emcupdate_GenuineIntel.dll%20%E2%80%93%20Intel%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%20150px%3B%22%3Emcupdate_AuthenticAMD.dll%20-%20AMD%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3EThese%20files%20contain%20the%20updated%20microcode%20and%20Windows%20automatically%20loads%20these%20via%20OS%20Loader%20to%20patch%20the%20microcode%20on%20the%20boot%20strap%20processor.%26nbsp%3B%20This%20payload%20is%20then%20passed%20to%20additional%20processors%20as%20they%20startup%20as%20well%20the%20Hyper-V%20hypervisor%20if%20enabled.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHopefully%20this%20information%20will%20help%20demystify%20what%20these%20microcode%20updates%20are%20and%20allow%20you%20to%20confidently%20install%20these%20updates%20proactively.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1000845%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20my%20name%20is%20Steve%20Mathias%2C%20Microsoft%20Premier%20Field%20Engineer%20(PFE)%20and%20I%20wanted%20to%20spend%20a%20moment%20to%20discuss%20the%20%E2%80%9Cmechanics%E2%80%9D%20of%20the%20Intel%20Microcode%20Updates%20that%20you%20may%20see%20coming%20down%20from%20Microsoft%20Update%20or%20the%20Windows%20Catalog.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1000845%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESteveMathias%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1006236%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1006236%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3ESteve%2C%20should%20virtual%20machines%20be%20seeing%20these%20updates%20as%20available%20if%20their%20hyper-visor%26nbsp%3Bis%20patched%3F%20Also%2C%20what%20%22category%22%20would%20these%20show%20up%20under%20in%20WSUS%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1008270%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1008270%22%20slang%3D%22en-US%22%3E%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EHyper-V%20virtual%20machines%20will%20be%20offered%20the%20microcode%20updates%20from%20Microsoft%20Update%20(assuming%20the%20CPUID%20matches)%20however%20the%20host%20is%20what%20really%20needs%20to%20be%20updated%20as%20it's%20payload%20is%20passed%20through%20to%20the%20virtual%20machines.%26nbsp%3B%20From%20a%20Windows%20Server%202016%20Virtual%20Machine%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20dir%3D%22ltr%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20792px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157184i6FEA4C13C6DEC4DB%2Fimage-dimensions%2F792x213%3Fv%3D1.0%22%20width%3D%22792%22%20height%3D%22213%22%20alt%3D%22FromWS16VM.jpg%22%20title%3D%22FromWS16VM.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EThey%20are%20classified%20as%20%22Updates%22%20in%20WSUS%20and%20on%20Microsoft%20Update%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20dir%3D%22ltr%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20777px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157182i34382448F975F2A3%2Fimage-dimensions%2F777x301%3Fv%3D1.0%22%20width%3D%22777%22%20height%3D%22301%22%20alt%3D%22FromWSUS.jpg%22%20title%3D%22FromWSUS.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20dir%3D%22ltr%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20865px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157183i258DD75A209FF1F8%2Fimage-dimensions%2F865x225%3Fv%3D1.0%22%20width%3D%22865%22%20height%3D%22225%22%20alt%3D%22MU.jpg%22%20title%3D%22MU.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Hello, my name is Steve Mathias, Microsoft Premier Field Engineer (PFE) and I wanted to spend a moment to discuss the “mechanics” of the Intel Microcode Updates that you may see coming down from Microsoft Update or the Windows Catalog.  The security implications of why you should update the microcode on your processors are already covered in the below documentation from us and our partners (Spectre/SBB/etc.):

https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

https://www.amd.com/en/corporate/product-security

 

The purpose of this blog is to help answer why Microsoft is collaborating with our partners Intel and AMD on these microcode updates and a little background on how these updates work.  To start the discussion, we need to lay down a key fact:

  • When processors are manufactured, they have a baseline microcode baked into their ROM.  This microcode is immutable and cannot be changed after the processor is built.

 

Modern processors do have the ability at initialization to apply volatile updates to move the processor to a newer microcode level.  However, as soon as the processor is rebooted, it reverts back to the microcode baked into their ROM.  These volatile updates can be applied to the processor one of two ways – System Firmware/BIOS via OEM and by the Operating System (OS).  However, as stated earlier, neither is updating the microcode in the processors ROM.  If you were to remove the processor from one computer and install in a computer with an older System Firmware/BIOS and an un-updated OS, you will be back to being vulnerable.

 

Couple common questions:

  • Why is Microsoft collaborating with Intel and AMD and publishing Microcode Updates via Microsoft Update?

The answer is simply that Windows offers the broadest coverage and quickest turnaround time to address these vulnerabilities.  Microcode updates delivered via the Windows OS are not new; as far back as 2007 some updates were made available to address performance and reliability concerns.

  • Can I skip taking updates delivered via Windows and only take updates from my OEM via System Firmware/BIOS Update?

Technically speaking you could but as mentioned earlier, often Microsoft Update may have the microcode updates to address issues much sooner.  Work with your OEM to help make this decision or simply take the updates from Microsoft Update.

  • Is there a problem if I update my System Firmware/BIOS with one version of a microcode update and allow Windows to install a different version of a microcode update?

When the processor boots, it has versioning to make sure it is utilizing the latest microcode updates regardless of where it may be coming from.  So, installing System Firmware/BIOS updates and microcode updates from Microsoft Update is perfectly acceptable.  It is possible that the OEM updates the microcode to one level and the OS updates the microcode to an even higher level during the same boot.

  • In Windows, how are microcode updates delivered to the processor?

Microcode updates install like any other update.  They can be installed from Microsoft Update, WSUS, SCCM or manually installed if downloaded from the Catalog.  The key difference is that the payload of the hotfix is primarily one of two files:

mcupdate_GenuineIntel.dll – Intel

mcupdate_AuthenticAMD.dll - AMD

These files contain the updated microcode and Windows automatically loads these via OS Loader to patch the microcode on the boot strap processor.  This payload is then passed to additional processors as they startup as well the Hyper-V hypervisor if enabled.

 

Hopefully this information will help demystify what these microcode updates are and allow you to confidently install these updates proactively.

2 Comments
Senior Member

Steve, should virtual machines be seeing these updates as available if their hyper-visor is patched? Also, what "category" would these show up under in WSUS?

Microsoft

Hyper-V virtual machines will be offered the microcode updates from Microsoft Update (assuming the CPUID matches) however the host is what really needs to be updated as it's payload is passed through to the virtual machines.  From a Windows Server 2016 Virtual Machine:

 

FromWS16VM.jpg

 

They are classified as "Updates" in WSUS and on Microsoft Update:

 

FromWSUS.jpg

MU.jpg