Deploy Intel microcode updates published by Microsoft via Configuration Manager

Microsoft published the Intel microcode update for Windows 10 1709 as a standalone update (KB4090007), so it does not show up in WSUS. However, it can be deployed as an application:
wusa.exe "windows10.0-kb4090007-x64_7063a0b6a38e2a648aa1d77570503f7062360c9d.msu" /quiet /norestart
However, even though the current version 1.003 already supports more CPU models than version 1.001, it does not cover all processor models in the environment. In addition, we have already seen further updates appear that allow microcode updates on older Windows 10 releases. So we want the application to be as dynamic as possible, without the need to create many different collections.

Global Conditions

First, in case you do not already have one for the Windows 10 build, we get ‘Windows CurrentBuildNumber’ from the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
CurrentBuildNumber


Second, we need to capture ‘CPUID’ from WMI:
Win32_Processor – ProcessorID


Third, we need to filter ‘CPUIDs supported for microcode update’ using the ‘CPUID’ Global Condition created in step 2.
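
As an added example (not from the original post), this PowerShell script evaluates on a single machine the same three facts the Global Conditions read, which helps when validating the requirement logic before a simulation. The supported-CPUID list is a constructed placeholder, matching on the last eight hex digits of ProcessorId (the CPUID signature) is an assumption of this example, and the function names are hypothetical.

```powershell
# Added example: local pre-check mirroring the three Global Conditions.
$RequiredBuild   = '16299'         # CurrentBuildNumber of Windows 10 1709
$SupportedCpuIds = @('000506E3')   # CONSTRUCTED placeholder; take the real list from the KB4090007 article

function Get-CpuSignature {
    param([string]$ProcessorId)
    # Win32_Processor.ProcessorId is 16 hex digits on x86/x64:
    # CPUID leaf 1 EDX (feature flags) followed by EAX (family/model/stepping signature).
    if ($ProcessorId -notmatch '^[0-9A-Fa-f]{16}$') { return $null }
    return $ProcessorId.Substring(8).ToUpperInvariant()
}

function Test-MicrocodeApplicable {
    param(
        [string]$Build,
        [string[]]$ProcessorIds,
        [string]$RequiredBuild,
        [string[]]$Supported
    )
    if ($Build -ne $RequiredBuild) { return $false }
    if (-not $ProcessorIds)        { return $false }
    # On multi-socket machines every processor must be on the supported list.
    foreach ($id in $ProcessorIds) {
        if ($Supported -notcontains (Get-CpuSignature $id)) { return $false }
    }
    return $true
}

# Condition 1: Windows build from the registry.
$build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
# Condition 2: CPUID from WMI (one entry per socket).
$ids   = @(Get-CimInstance -ClassName Win32_Processor | Select-Object -ExpandProperty ProcessorId)
# The KB4090007 package used on this page is the x64 one.
$is64  = [Environment]::Is64BitOperatingSystem

# Condition 3: filter against the supported list and report the decision.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Build        = $build
    ProcessorIds = $ids -join ','
    Applicable   = $is64 -and (Test-MicrocodeApplicable -Build $build -ProcessorIds $ids `
                       -RequiredBuild $RequiredBuild -Supported $SupportedCpuIds)
}
```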


Application

Now we can create an application with a Deployment Type for KB4090007 that will run only on Windows 10 1709 x64 on supported processors.

Requirements

The Global Conditions in Requirements will filter the right set of machines for the Deployment Type.


Detection

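We use PowerShell as the detection method:

# Any output from the script tells Configuration Manager the update is installed;
# no output means it is not installed.
$exists = Get-HotFix | Where-Object { $_.HotFixId -like "kb4090007" }
if ($exists)
{
    Write-Host "Installed"
}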

If Microsoft publishes microcode updates for more CPUs, we will extend the Global Condition ‘CPUIDs supported for microcode update’. And when microcode updates supporting older releases of Windows 10 are out, we add Deployment Types. So we can deploy the same application to all clients and have them protected.
And don’t forget to run a simulation first!

 
