Microsoft published the Intel microcode update for Windows 10 1709 as a standalone update (KB4090007), so it is not showing up in WSUS. However, it can be deployed as an application:
wusa.exe "windows10.0-kb4090007-x64_7063a0b6a38e2a648aa1d77570503f7062360c9d.msu" /quiet /norestart
But even though the current version 1.003 already supports more CPU models than version 1.001, it still doesn’t cover all processor models in the environment. In addition, we have already seen separate updates appear that bring microcode updates to older Windows 10 releases. So we want to keep the application as dynamic as possible without having to create many different collections.
Global Conditions
First, unless you already have one for the Windows 10 build, create a Global Condition ‘Windows CurrentBuildNumber’ that reads the build number from the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
CurrentBuildNumber
Second, create a Global Condition ‘CPUID’ that captures the processor ID from WMI:
Win32_Processor – ProcessorID
Third, create a Global Condition ‘CPUIDs supported for microcode update’ that filters on the ‘CPUID’ Global Condition from step 2, so that it only matches the processor IDs listed as supported by the update.
Application
Now we can create an application with a Deployment Type for KB4090007 that will run only on Windows 10 1709 x64 on supported processors.
Requirements
The Global Conditions in Requirements filter the right set of machines for the Deployment Type.
Detection
We use PowerShell as the detection method:
# Detection script: output anything when the hotfix is present, nothing otherwise
$exists = Get-HotFix | Where-Object { $_.HotFixId -like "KB4090007" }
if ($exists) { Write-Host "Installed" }
If Microsoft publishes microcode updates for more CPUs, we extend the Global Condition ‘CPUIDs supported for microcode update’. And once microcode updates for older releases of Windows 10 are out, we add Deployment Types. That way we can deploy the same application to all clients and have them protected.
And, don’t forget to run a simulation first!
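As an added example (not part of the original post and not Microsoft’s or ConfigMgr’s own code), the script below reproduces the three Global Conditions and the detection method locally, so you can dry-run on a machine which branch of the application it would fall into before deploying. It assumes Windows 10 1709 corresponds to build 16299 (a known fact) and that the supported CPUID list is replaced with the processor signatures listed in KB4090007; the two values in $SupportedCpuIds are constructed placeholders, not real entries from the KB.

```powershell
# Added example: local dry run of the Global Conditions and detection logic
# used by the KB4090007 application. Not code from the original post.

# CONSTRUCTED placeholder values: replace with the CPUID signatures (EAX of
# CPUID leaf 1, as 8 hex digits) that KB4090007 lists as supported.
$SupportedCpuIds = @('000306C3', '000406E3')   # example values only

function Get-WindowsBuildNumber {
    # Global Condition 1: CurrentBuildNumber from
    # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [int](Get-ItemProperty -Path $key -Name CurrentBuildNumber).CurrentBuildNumber
}

function Get-CpuSignature {
    # Global Condition 2: Win32_Processor.ProcessorId is 16 hex digits.
    # The low 8 digits are the CPUID signature (family/model/stepping), the
    # high 8 digits are feature flags; only the signature is compared.
    $procId = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).ProcessorId
    $procId.Substring($procId.Length - 8).ToUpperInvariant()
}

function Test-MicrocodeRequirement {
    param(
        [int]$BuildNumber,
        [string]$CpuSignature,
        [string[]]$Supported
    )
    # Global Condition 3 plus the build/architecture checks of the Deployment
    # Type requirements: Windows 10 1709 (build 16299), x64, supported CPU.
    ($BuildNumber -eq 16299) -and
    [Environment]::Is64BitOperatingSystem -and
    ($Supported -contains $CpuSignature)
}

function Test-MicrocodeInstalled {
    param([string]$HotFixId = 'KB4090007')
    # Same check the application's detection method performs; the error
    # action keeps the call quiet when the hotfix is not present.
    [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)
}

function Get-MicrocodeDeploymentStatus {
    $build = Get-WindowsBuildNumber
    $sig   = Get-CpuSignature
    $applicable = Test-MicrocodeRequirement -BuildNumber $build -CpuSignature $sig -Supported $SupportedCpuIds
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        BuildNumber  = $build
        CpuSignature = $sig
        Applicable   = $applicable            # would the Deployment Type apply?
        Installed    = if ($applicable) { Test-MicrocodeInstalled } else { $null }
    }
}

# Dry run on the local machine.
Get-MicrocodeDeploymentStatus | Format-List
```

To preview a group of machines, save the script to a file and run it remotely with Invoke-Command -ComputerName <list> -FilePath <script>; a machine reported as Applicable=True and Installed=False is one the real deployment would target.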