Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Patch Lady – Microcode updates

    Posted on March 4th, 2018 at 00:30 Susan Bradley Comment on the AskWoody Lounge

    Patch Lady here — Did you happen to catch this gem in this blog about the Microsoft microcode updates?

    There is also a small but subtle difference between firmware updates for the UEFI and a microcode update. A firmware update for the UEFI must be approved by the manufacturer of the motherboard. This update may also include microcode updates. These are loaded from the UEFI firmware into the CPU when the system is started. Pure microcode updates can be rolled out by Microsoft. These microcodes are loaded into the CPU when the operating system is started. The above update is therefore a microcode update, which is reloaded every time Windows starts.

    Interesting. Remember that these updates  are only on the Catalog download site and not on Windows update. The Microsoft blog hints that more of these Microcode updates are on their way.

    The reason for this? Doing firmware updates from afar is fraught with risk and many IT admins don’t have processes in place to remotely patch firmware. There are ways with PDQdeploy and psexec scripts but if you haven’t built up a process, you’d much rather script out the install of a patch rather than the install of a firmware update.  On my home and office machines I’ve become much more comfortable with installing the firmware updates from the manufacturers but I still cross my fingers and hold my breath a bit waiting for the process to complete.

    For those that plan to import these microcode updates into your Server 2016 WSUS, there’s a known issue whereby one can’t import updates into WSUS based on Server 2016 like one is used to in other platforms. As noted on the WSUS blog, you’ll need to edit a bit before you can import the patch.

    So what should you do if you are not a network administrator?  I would still wait for two reasons:

    1. It’s never wise with firmware to be the first one to install. There is no easy way to uninstall a firmware update.
    2. I would watch for side effects and impact.

    For anyone concerned about the impact of Spectre/Meltdown, I’m still not aware of widespread attacks. If you want to add a bit more security to your browsing remember you can put in Browser isolation in Chrome by following their instructions.  Test the impact as it may impact certain web sites, but if you suffer no major issues, I’d probably leave that setting in place.  As is noted on the Chrome blog

    the extra security will help stop the site from stealing your data from another website.

    And that’s a good thing!