Deploy Intel microcode updates published by Microsoft via Configuration Manager

Microsoft published the Intel microcode update for Windows 10 1709 as a standalone update (KB4090007), so it is not showing up in WSUS. However, it can be deployed as an application:
wusa.exe “windows10.0-kb4090007-x64_7063a0b6a38e2a648aa1d77570503f7062360c9d.msu” /quiet /norestart
But, even if the current version 1.003 is already supporting more CPU models as version 1.001, it doesn’t cover all processor models in the environment. In addition, we already saw different updates popping-up allowing microcode updates on older Windows 10 releases. So, we want to have the application as dynamic as possible w/o the need to create many different collections.

Global Conditions

First, in case you did not already have one for the Windows 10 build, we get ‘Windows CurrentBuildNumber’ from registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion


Second, we need to capture ‘CPUID’ from WMI:
Win32_Processor – ProcessorID


Third, we need to filter ‘CPUIDs supported for microcode update’ using the ‘CPUID’ Global Condition created in step 2.



Now we can create an application with a Deployment Type for KB4090007 that will run only on Windows 10 1709 x64 on supported processors.


The Global Conditions in Requirements will filter the right set of machines for the Deployment Type



We use PowerShell as detection method

$exists = Get-Hotfix | where {$_.HotFixId -like "kb4090007"}
if ($exists)
Write-Host "Installed"

If Microsoft is publishing microcode updates for more CPUs, we will extend the Global Condition ‘CPUIDs supported for microcode update’. And if the microcode updates supporting older releases of Windows 10 are out, we add Deployment Types. So, we can deploy the same application to all clients and have them protected.
And, don’t forget to run a simulation first!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s