Ways to load microcode updates at runtime on Windows

I am looking for admins who know a way to update the CPU microcode at runtime to enable Windows to use protective measures against Spectre 2.

I am aware that apart from having microcode updates delivered by the mainboard or system manufacturers, and apart from waiting for Microsoft to release further versions of their own patches (https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates), some people are using this fling: https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver. But apparently, even on systems that indicate the microcode got updated successfully, and even though the microcode used was the most recent one and Intel confirmed its suitability, the PowerShell cmdlet Get-SpeculationControlSettings says "Hardware support for branch target injection mitigation is not present".

So is there another way that you know of?
McKnife Asked:


John, Business Consultant (Owner), Commented:
Windows can do some updates, but BIOS updates (what you are talking about) need to be done by the Manufacturer's update routine.

At least right now in 2018, BIOS and Chipset updates need to be done alongside Windows update to protect against the Meltdown threats.
John, Business Consultant (Owner), Commented:
I should have added in my post above. BIOS updates are only for Host machines (the hardware). Virtual Machines use the host infrastructure and do not need BIOS upgrades on the VM.

Then, as I said above, BIOS updates for Host Machines (hardware) need to be done by the Manufacturer's update routine.
McKnife (Author) Commented:
Hi.

That is nothing new to me. Maybe I should clue you in a little more: the discussion over at VMware which took place this year included posts from people who said that that VMware tool (the "fling") helped them to make their CPU usable by the Windows patch. There is user akarkkai saying that, after using the fling, the output of the PowerShell cmdlet Get-SpeculationControlSettings is "BTIHardwarePresent : True".

That made me believe (at least if we can trust that akarkkai guy) that the fling can use the new Intel microcode and make the CPUs ready to use Microsoft's patch at runtime. I tried it and could verify that the microcode is indeed changed on test machines here (verified using SiSoft Sandra), but still, the patch is not usable; not even "BTIHardwarePresent : True" appears as it did for others. So the new and patched microcode is loaded, but somehow cannot be recognized by the Get-SpeculationControlSettings cmdlet and presumably will not work together with Microsoft's patch. This is discussed at length over at VMware. So the question was about that aspect and not about the basics, which should be common knowledge for security-aware folks by now.
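An added check, not code from the thread, that an admin could run to tell apart the two states McKnife describes: the microcode revision Windows recorded at boot, beside what Get-SpeculationControlSettings reports for branch target injection. It assumes Microsoft's SpeculationControl module is installed and that the "Update Revision" registry value mirrors the IA32_BIOS_SIGN_ID MSR layout (revision in the high dword).

```powershell
# Added example, not code from the thread. Separates "a newer microcode revision is
# loaded" from "Windows recognises hardware support for the BTI (Spectre variant 2)
# mitigation", which is the gap the thread describes.
# Assumes Microsoft's SpeculationControl module is installed
# (Install-Module SpeculationControl) and that the script runs elevated.

function Get-MicrocodeRevision {
    param([int]$Cpu = 0)
    # Windows records the IA32_BIOS_SIGN_ID MSR contents per logical processor as an
    # 8-byte little-endian REG_BINARY; the update revision is the high dword
    # (layout assumed from the MSR definition, not stated in the thread).
    $item = Get-ItemProperty -Path "HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\$Cpu"
    $toRev = {
        param([byte[]]$bytes)
        if ($bytes -and $bytes.Length -ge 8) { [BitConverter]::ToUInt32($bytes, 4) } else { $null }
    }
    [pscustomobject]@{
        Cpu              = $Cpu
        Identifier       = $item.Identifier
        CurrentRevision  = & $toRev $item.'Update Revision'
        PreviousRevision = & $toRev $item.'Previous Update Revision'   # revision before the OS loader ran (assumed)
    }
}

function Test-BtiReadiness {
    $mc = Get-MicrocodeRevision
    $sc = Get-SpeculationControlSettings -Quiet   # -Quiet returns the object without the explanatory text

    $verdict =
        if ($sc.BTIHardwarePresent -and $sc.BTIWindowsSupportEnabled) { 'BTI mitigation active' }
        elseif ($sc.BTIHardwarePresent) { 'Hardware support recognised; Windows support missing or disabled' }
        elseif ($mc.CurrentRevision -ne $mc.PreviousRevision) { 'Microcode replaced at boot, but Windows does not recognise BTI hardware support (the case in this thread)' }
        else { 'No boot-time microcode change recorded and no BTI hardware support' }

    [pscustomobject]@{
        CPU                       = $mc.Identifier
        MicrocodeRevision         = ('0x{0:X}' -f $mc.CurrentRevision)
        PreviousMicrocodeRevision = ('0x{0:X}' -f $mc.PreviousRevision)
        BTIHardwarePresent        = $sc.BTIHardwarePresent
        BTIWindowsSupportPresent  = $sc.BTIWindowsSupportPresent
        BTIWindowsSupportEnabled  = $sc.BTIWindowsSupportEnabled
        Verdict                   = $verdict
    }
}

Test-BtiReadiness | Format-List
```

The registry values reflect what the kernel saw at boot, so a revision applied later by a driver may not appear there; cross-check against a tool that reads the MSR directly, as the thread does with SiSoft Sandra.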

McKnife (Author) Commented:
2 days ago, Microsoft updated their updates (refresh release) and now Haswell as well as Broadwell CPUs are protected against Spectre 2, which leaves me with some Intel Core gen2 and gen3 architecture oldies... but these will get some updates, too, at least Ivy Bridge.
McKnife (Author) Commented:
It seems no one but me really cares. Since Microsoft themselves use runtime microcode updating, it is surely possible and should have been a way for me to patch older CPUs before Microsoft has issued their updates (which, although already tested by Intel, seem to be thoroughly tested again by Microsoft). Never mind, I will have to wait.
McKnife (Author) Commented:
As outlined: no one here is experienced with it. Since googling reveals the same, the question should be archived for those who ask the same.