Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1000845%22%20slang%3D%22en-US%22%3EDemystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1000845%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20my%20name%20is%20Steve%20Mathias%2C%20Microsoft%20Premier%20Field%20Engineer%20(PFE)%20and%20I%20wanted%20to%20spend%20a%20moment%20to%20discuss%20the%20%E2%80%9Cmechanics%E2%80%9D%20of%20the%20Intel%20Microcode%20Updates%20that%20you%20may%20see%20coming%20down%20from%20Microsoft%20Update%20or%20the%20Windows%20Catalog.%26nbsp%3B%20The%20security%20implications%20of%20why%20you%20should%20update%20the%20microcode%20on%20your%20processors%20are%20already%20covered%20in%20the%20below%20documentation%20from%20us%20and%20our%20partners%20(Spectre%2FSBB%2Fetc.)%3A%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fsupport.microsoft.com%252Fen-us%252Fhelp%252F4093836%252Fsummary-of-intel-microcode-updates%26amp%3Bdata%3D02%257C01%257Cstevemat%2540microsoft.com%257Cc8c33661ac8544b427b508d75bc929e9%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637078791864793690%26amp%3Bsdata%3Dj%252BII8BHK0gN%252B6W7UYb5L%252F%252BW6rU2AXjGsV%252Bki%252FmWcy5o%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4093836%2Fsummary-of-intel-microcode-updates%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fwww.intel.com%252Fcontent%252Fwww%252Fus%252Fen%252Fsecurity-center%252Fadvisory%252Fintel-sa-00233.html%26amp%3Bdata%3D02%257C01%257Cstevemat%2540microsoft.com%257Cc8c33661ac8544b427b508d75bc929e9%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637078791864793690%26amp%3Bsdata%3DGyVi75aWit75mrOIJQhhekJ7%252B%252Fkn5VhMlsJuk3qqBUo%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.intel.com%2Fcontent%2Fwww%2Fus%2Fen%2Fsecurity-center%2Fadvisory%2Fintel-sa-00233.html%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fwww.amd.com%252Fen%252Fcorporate%252Fproduct-security%26amp%3Bdata%3D02%257C01%257Cstevemat%2540microsoft.com%257Cc8c33661ac8544b427b508d75bc929e9%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637078791864803690%26amp%3Bsdata%3D9Q9uSN2DIBUnlaEkXTC%252FAGnz3t8iu%252FYqDa6P5eXbUQ4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.amd.com%2Fen%2Fcorporate%2Fproduct-security%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20purpose%20of%20this%20blog%20is%20to%20help%20answer%20why%20Microsoft%20is%20collaborating%20with%20our%20partners%20Intel%20and%20AMD%20on%20these%20microcode%20updates%20and%20a%20little%20background%20on%20how%20these%20updates%20work.%26nbsp%3B%20To%20start%20the%20discussion%2C%20we%20need%20to%20lay%20down%20a%20key%20fact%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EWhen%20processors%20are%20manufactured%2C%20they%20have%20a%20baseline%20microcode%20baked%20into%20their%20ROM.%26nbsp%3B%20This%20microcode%20is%20%3CSTRONG%3E%3CEM%3Eimmutable%3C%2FEM%3E%3C%2FSTRONG%3E%20and%20cannot%20be%20changed%20after%20the%20processor%20is%20built.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EModern%20processors%20do%20have%20the%20ability%20at%20initialization%20to%20apply%20volatile%20updates%20to%20move%20the%20processor%20to%20a%20newer%20microcode%20level.%26nbsp%3B%20However%2C%20as%20soon%20as%20the%20processor%20is%20rebooted%2C%20it%20reverts%20back%20to%20the%20microcode%20baked%20into%20their%20ROM.%26nbsp%3B%20These%20volatile%20updates%20can%20be%20applied%20to%20the%20processor%20one%20of%20two%20ways%20%E2%80%93%20System%20Firmware%2FBIOS%20via%20OEM%20and%20by%20the%20Operating%20System%20(OS).%26nbsp%3B%20However%2C%20as%20stated%20earlier%2C%20neither%20is%20updating%20the%20microcode%20in%20the%20processors%20ROM.%26nbsp%3B%20If%20you%20were%20to%20remove%20the%20processor%20from%20one%20computer%20and%20install%20in%20a%20computer%20with%20an%20older%20System%20Firmware%2FBIOS%20and%20an%20un-updated%20OS%2C%20you%20will%20be%20back%20to%20being%20vulnerable.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECouple%20common%20questions%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EWhy%20is%20Microsoft%20collaborating%20with%20Intel%20and%20AMD%20and%20publishing%20Microcode%20Updates%20via%20Microsoft%20Update%3F%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3EThe%20answer%20is%20simply%20that%20Windows%20offers%20the%20broadest%20coverage%20and%20quickest%20turnaround%20time%20to%20address%20these%20vulnerabilities.%26nbsp%3B%20Microcode%20updates%20delivered%20via%20the%20Windows%20OS%20are%20not%20new%3B%20as%20far%20back%20as%202007%20some%20updates%20were%20made%20available%20to%20address%20performance%20and%20reliability%20concerns.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ECan%20I%20skip%20taking%20updates%20delivered%20via%20Windows%20and%20only%20take%20updates%20from%20my%20OEM%20via%20System%20Firmware%2FBIOS%20Update%3F%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3ETechnically%20speaking%20you%20could%20but%20as%20mentioned%20earlier%2C%20often%20Microsoft%20Update%20may%20have%20the%20microcode%20updates%20to%20address%20issues%20much%20sooner.%26nbsp%3B%20Work%20with%20your%20OEM%20to%20help%20make%20this%20decision%20or%20simply%20take%20the%20updates%20from%20Microsoft%20Update.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIs%20there%20a%20problem%20if%20I%20update%20my%20System%20Firmware%2FBIOS%20with%20one%20version%20of%20a%20microcode%20update%20and%20allow%20Windows%20to%20install%20a%20different%20version%20of%20a%20microcode%20update%3F%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3EWhen%20the%20processor%20boots%2C%20it%20has%20versioning%20to%20make%20sure%20it%20is%20utilizing%20the%20latest%20microcode%20updates%20regardless%20of%20where%20it%20may%20be%20coming%20from.%26nbsp%3B%20So%2C%20installing%20System%20Firmware%2FBIOS%20updates%20and%20microcode%20updates%20from%20Microsoft%20Update%20is%20perfectly%20acceptable.%26nbsp%3B%20It%20is%20possible%20that%20the%20OEM%20updates%20the%20microcode%20to%20one%20level%20and%20the%20OS%20updates%20the%20microcode%20to%20an%20even%20higher%20level%20during%20the%20same%20boot.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIn%20Windows%2C%20how%20are%20microcode%20updates%20delivered%20to%20the%20processor%3F%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3EMicrocode%20updates%20install%20like%20any%20other%20update.%26nbsp%3B%20They%20can%20be%20installed%20from%20Microsoft%20Update%2C%20WSUS%2C%20SCCM%20or%20manually%20installed%20if%20downloaded%20from%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.catalog.update.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECatalog%3C%2FA%3E.%26nbsp%3B%20The%20key%20difference%20is%20that%20the%20payload%20of%20the%20hotfix%20is%20primarily%20one%20of%20two%20files%3A%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%20150px%3B%22%3Emcupdate_GenuineIntel.dll%20%E2%80%93%20Intel%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%20150px%3B%22%3Emcupdate_AuthenticAMD.dll%20-%20AMD%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3EThese%20files%20contain%20the%20updated%20microcode%20and%20Windows%20automatically%20loads%20these%20via%20OS%20Loader%20to%20patch%20the%20microcode%20on%20the%20boot%20strap%20processor.%26nbsp%3B%20This%20payload%20is%20then%20passed%20to%20additional%20processors%20as%20they%20startup%20as%20well%20the%20Hyper-V%20hypervisor%20if%20enabled.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHopefully%20this%20information%20will%20help%20demystify%20what%20these%20microcode%20updates%20are%20and%20allow%20you%20to%20confidently%20install%20these%20updates%20proactively.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1000845%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20my%20name%20is%20Steve%20Mathias%2C%20Microsoft%20Premier%20Field%20Engineer%20(PFE)%20and%20I%20wanted%20to%20spend%20a%20moment%20to%20discuss%20the%20%E2%80%9Cmechanics%E2%80%9D%20of%20the%20Intel%20Microcode%20Updates%20that%20you%20may%20see%20coming%20down%20from%20Microsoft%20Update%20or%20the%20Windows%20Catalog.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1000845%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESteveMathias%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1006236%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1006236%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3ESteve%2C%20should%20virtual%20machines%20be%20seeing%20these%20updates%20as%20available%20if%20their%20hyper-visor%26nbsp%3Bis%20patched%3F%20Also%2C%20what%20%22category%22%20would%20these%20show%20up%20under%20in%20WSUS%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1008270%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1008270%22%20slang%3D%22en-US%22%3E%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EHyper-V%20virtual%20machines%20will%20be%20offered%20the%20microcode%20updates%20from%20Microsoft%20Update%20(assuming%20the%20CPUID%20matches)%20however%20the%20host%20is%20what%20really%20needs%20to%20be%20updated%20as%20it's%20payload%20is%20passed%20through%20to%20the%20virtual%20machines.%26nbsp%3B%20From%20a%20Windows%20Server%202016%20Virtual%20Machine%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20dir%3D%22ltr%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20792px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157184i6FEA4C13C6DEC4DB%2Fimage-dimensions%2F792x213%3Fv%3D1.0%22%20width%3D%22792%22%20height%3D%22213%22%20alt%3D%22FromWS16VM.jpg%22%20title%3D%22FromWS16VM.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EThey%20are%20classified%20as%20%22Updates%22%20in%20WSUS%20and%20on%20Microsoft%20Update%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20dir%3D%22ltr%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20777px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157182i34382448F975F2A3%2Fimage-dimensions%2F777x301%3Fv%3D1.0%22%20width%3D%22777%22%20height%3D%22301%22%20alt%3D%22FromWSUS.jpg%22%20title%3D%22FromWSUS.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20dir%3D%22ltr%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20865px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157183i258DD75A209FF1F8%2Fimage-dimensions%2F865x225%3Fv%3D1.0%22%20width%3D%22865%22%20height%3D%22225%22%20alt%3D%22MU.jpg%22%20title%3D%22MU.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074770%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074770%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F434984%22%20target%3D%22_blank%22%3E%40SteveMat%3C%2FA%3E%26nbsp%3B%2C%20is%20there%20a%20specific%20update%20order%20when%20it%20comes%20to%20updating%20Hyper-V%20servers%20and%20virtual%20machines%20running%20on%20those%20servers%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20other%20words%2C%20do%20we%20have%20to%20update%20the%20hypervisors%20first%20and%20then%20the%20virtual%20machines%3F%20Or%20virtual%20machines%20first%20and%20then%20the%20hypervisors%3F%20Or%20does%20the%20order%20not%20matter%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1075351%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1075351%22%20slang%3D%22en-US%22%3E%3CP%3EUpdating%20the%20Hyper-V%20Host%20is%20what%20is%20important%20as%20the%20microcode%20is%20passed%20to%20the%20virtual%20machines.%26nbsp%3B%20So%20with%20that%20said%2C%20it%20would%20be%20prudent%20to%20update%20the%20Hyper-V%20Host%20first%20as%20that%20is%20the%20priority.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1086096%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1086096%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F434984%22%20target%3D%22_blank%22%3E%40SteveMat%3C%2FA%3E.%20In%20that%20case%2C%20does%20updating%20the%20virtual%20machines%20achieve%20anything%3F%20Is%20it%20even%20needed%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1086163%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1086163%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20the%20Hyper-V%20Host%20has%20the%20microcode%20updated%2C%20it%20presents%20the%20updated%20microcode%20to%20the%20guest%20virtual%20machines%20so%20they%20are%20already%20updated%20when%20they%20start.%26nbsp%3B%20Installing%20the%20microcode%20updates%20to%20the%20virtual%20machines%20should%20be%20done%20for%20consistency.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1086208%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20Microcode%20Updates%20for%20Intel%20and%20AMD%20Processors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1086208%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20reply%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F434984%22%20target%3D%22_blank%22%3E%40SteveMat%3C%2FA%3E.%20What%20happens%20then%20in%20the%20case%20when%20the%20virtual%20machines%20are%20updated%20with%20the%20microcode%20updates%20and%20they%20move%20between%20hyper-v%20hosts%20that%20are%20running%20different%20CPUs%2C%20some%20of%20which%20have%20no%20applicable%20microcode%20updates%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20example%2C%20take%20a%20two%20node%202019%20Hyper-V%20cluster%3A%20one%20with%20a%20E5-2680%20CPU%20which%20has%20a%20microcode%20update%20available%20and%20it's%20installed%2C%20and%20the%20other%20node%20with%20a%20Gold%206248%20CPU%20which%20has%20no%20applicable%20microcode%20updates%20available.%20What%20happens%20if%20a%20VM%20with%20updated%20microcode%20that%20was%20on%20the%202680%20is%20moved%20to%20the%206248%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAssuming%20the%20CPU%20compatibility%20option%20is%20set.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Hello, my name is Steve Mathias, Microsoft Premier Field Engineer (PFE) and I wanted to spend a moment to discuss the “mechanics” of the Intel Microcode Updates that you may see coming down from Microsoft Update or the Windows Catalog.  The security implications of why you should update the microcode on your processors are already covered in the below documentation from us and our partners (Spectre/SBB/etc.):

https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

https://www.amd.com/en/corporate/product-security

 

The purpose of this blog is to help answer why Microsoft is collaborating with our partners Intel and AMD on these microcode updates and a little background on how these updates work.  To start the discussion, we need to lay down a key fact:

  • When processors are manufactured, they have a baseline microcode baked into their ROM.  This microcode is immutable and cannot be changed after the processor is built.

 

Modern processors do have the ability at initialization to apply volatile updates to move the processor to a newer microcode level.  However, as soon as the processor is rebooted, it reverts back to the microcode baked into their ROM.  These volatile updates can be applied to the processor one of two ways – System Firmware/BIOS via OEM and by the Operating System (OS).  However, as stated earlier, neither is updating the microcode in the processors ROM.  If you were to remove the processor from one computer and install in a computer with an older System Firmware/BIOS and an un-updated OS, you will be back to being vulnerable.

 

Couple common questions:

  • Why is Microsoft collaborating with Intel and AMD and publishing Microcode Updates via Microsoft Update?

The answer is simply that Windows offers the broadest coverage and quickest turnaround time to address these vulnerabilities.  Microcode updates delivered via the Windows OS are not new; as far back as 2007 some updates were made available to address performance and reliability concerns.

  • Can I skip taking updates delivered via Windows and only take updates from my OEM via System Firmware/BIOS Update?

Technically speaking you could but as mentioned earlier, often Microsoft Update may have the microcode updates to address issues much sooner.  Work with your OEM to help make this decision or simply take the updates from Microsoft Update.

  • Is there a problem if I update my System Firmware/BIOS with one version of a microcode update and allow Windows to install a different version of a microcode update?

When the processor boots, it has versioning to make sure it is utilizing the latest microcode updates regardless of where it may be coming from.  So, installing System Firmware/BIOS updates and microcode updates from Microsoft Update is perfectly acceptable.  It is possible that the OEM updates the microcode to one level and the OS updates the microcode to an even higher level during the same boot.

  • In Windows, how are microcode updates delivered to the processor?

Microcode updates install like any other update.  They can be installed from Microsoft Update, WSUS, SCCM or manually installed if downloaded from the Catalog.  The key difference is that the payload of the hotfix is primarily one of two files:

mcupdate_GenuineIntel.dll – Intel

mcupdate_AuthenticAMD.dll - AMD

These files contain the updated microcode and Windows automatically loads these via OS Loader to patch the microcode on the boot strap processor.  This payload is then passed to additional processors as they startup as well the Hyper-V hypervisor if enabled.

 

Hopefully this information will help demystify what these microcode updates are and allow you to confidently install these updates proactively.

7 Comments
Senior Member

Steve, should virtual machines be seeing these updates as available if their hyper-visor is patched? Also, what "category" would these show up under in WSUS?

Microsoft

Hyper-V virtual machines will be offered the microcode updates from Microsoft Update (assuming the CPUID matches) however the host is what really needs to be updated as it's payload is passed through to the virtual machines.  From a Windows Server 2016 Virtual Machine:

 

FromWS16VM.jpg

 

They are classified as "Updates" in WSUS and on Microsoft Update:

 

FromWSUS.jpg

MU.jpg

Visitor

@SteveMat , is there a specific update order when it comes to updating Hyper-V servers and virtual machines running on those servers?

 

In other words, do we have to update the hypervisors first and then the virtual machines? Or virtual machines first and then the hypervisors? Or does the order not matter?

Microsoft

Updating the Hyper-V Host is what is important as the microcode is passed to the virtual machines.  So with that said, it would be prudent to update the Hyper-V Host first as that is the priority.

Visitor

Thanks @SteveMat. In that case, does updating the virtual machines achieve anything? Is it even needed?

Microsoft

When the Hyper-V Host has the microcode updated, it presents the updated microcode to the guest virtual machines so they are already updated when they start.  Installing the microcode updates to the virtual machines should be done for consistency.

Visitor

Thanks for the reply @SteveMat. What happens then in the case when the virtual machines are updated with the microcode updates and they move between hyper-v hosts that are running different CPUs, some of which have no applicable microcode updates?

 

For example, take a two node 2019 Hyper-V cluster: one with a E5-2680 CPU which has a microcode update available and it's installed, and the other node with a Gold 6248 CPU which has no applicable microcode updates available. What happens if a VM with updated microcode that was on the 2680 is moved to the 6248?

 

Assuming the CPU compatibility option is set.