McKnife asked:
Ways to load microcode updates at runtime on Windows

I am looking for admins who know a way to update the CPU microcode at runtime to enable Windows to use protective measures against Spectre 2.

I am aware that, apart from having microcode updates delivered by the mainboard or system manufacturers, and apart from waiting for Microsoft to release further versions of their own patches (https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates), some people are using this fling: https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver. But apparently, even on systems that indicate the microcode got updated successfully, and even though the microcode used was the most recent one and Intel confirmed its suitability, the PowerShell cmdlet Get-SpeculationControlSettings says "Hardware support for branch target injection mitigation is not present".

So is there another way that you know of?
John replied:

Windows can do some updates, but BIOS updates (what you are talking about) need to be done by the Manufacturer's update routine.

At least right now in 2018, BIOS and Chipset updates need to be done alongside Windows update to protect against the Meltdown threats.
I should have added in my post above. BIOS updates are only for Host machines (the hardware). Virtual Machines use the host infrastructure and do not need BIOS upgrades on the VM.

Then, as I said above, BIOS updates for Host Machines (hardware) need to be done by the Manufacturer's update routine.
McKnife (asker) replied:

Hi.

That is nothing new to me. Maybe I should clue you in a little more: the discussion over at VMware which took place this year included posts from people who said that that VMware tool (the "fling") helped them to make their CPU usable by the Windows patch. There is user akarkkai saying that, after using the fling, the output of the PowerShell cmdlet Get-SpeculationControlSettings is "BTIHardwarePresent : True".

That made me believe (at least if we can trust that akarkkai guy) that the fling can use the new Intel microcode and make the CPUs ready to use Microsoft's patch at runtime. I tried it and could verify that the microcode is indeed changed on test machines here (verified using SiSoft Sandra), but still, the patch is not usable; not even "BTIHardwarePresent : True" appears as it did for others. So the new and patched microcode is loaded, but somehow cannot be recognized by the Get-SpeculationControlSettings cmdlet and presumably will not work together with Microsoft's patch. This is discussed at length over at VMware. So the question was about that aspect and not about the basics, which should be common knowledge for security-aware folks by now.
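A defender-side check that puts the two observations from the post above side by side: the microcode revisions Windows recorded for CPU 0 (the firmware-delivered one and the one active after the OS's own loader ran) and what the SpeculationControl module reports for branch target injection (BTI). This is an added example, not code from the thread, from Microsoft or from VMware's fling; it assumes the SpeculationControl module from the PowerShell Gallery is installed and that the `Update Revision` / `Previous Update Revision` values exist under the CPU 0 key (their byte layout is vendor specific, so the script prints raw bytes instead of decoding them).

```powershell
# Added example (not from the thread): compare the microcode revisions Windows
# recorded at boot with what Get-SpeculationControlSettings reports for BTI.
# Assumes: Install-Module SpeculationControl -Scope CurrentUser  (PowerShell Gallery)
# Run from an elevated PowerShell session.

$cpuKey = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
$cpu    = Get-ItemProperty -Path $cpuKey

# Both values are REG_BINARY. 'Previous Update Revision' is what the firmware
# loaded; 'Update Revision' is what was active after the OS applied its own
# microcode at boot. Layout is vendor specific (Intel keeps the revision in the
# upper DWORD of MSR 0x8B), so show raw bytes rather than guessing the field.
function Format-RevisionBytes ([byte[]] $Bytes) {
    if (-not $Bytes) { return '(value not present)' }
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

$bootRev    = Format-RevisionBytes $cpu.'Previous Update Revision'
$currentRev = Format-RevisionBytes $cpu.'Update Revision'

Write-Host ("CPU                : {0}" -f $cpu.ProcessorNameString)
Write-Host ("Identifier         : {0}" -f $cpu.Identifier)
Write-Host ("Firmware revision  : {0}" -f $bootRev)
Write-Host ("OS-applied revision: {0}" -f $currentRev)

# Now ask the OS whether it recognises the hardware support Spectre v2 mitigation needs.
Import-Module SpeculationControl -ErrorAction Stop
$s = Get-SpeculationControlSettings

[pscustomobject]@{
    BTIHardwarePresent             = $s.BTIHardwarePresent
    BTIWindowsSupportPresent       = $s.BTIWindowsSupportPresent
    BTIWindowsSupportEnabled       = $s.BTIWindowsSupportEnabled
    BTIDisabledByNoHardwareSupport = $s.BTIDisabledByNoHardwareSupport
    BTIDisabledBySystemPolicy      = $s.BTIDisabledBySystemPolicy
} | Format-List

# Assumption (labelled as such): the kernel snapshots CPU capability bits early
# in boot, so a revision applied later by a third-party driver can be active in
# the CPU yet absent from the registry values above and from the cmdlet's view.
if (-not $s.BTIHardwarePresent) {
    Write-Warning 'Windows does not report BTI hardware support. If a newer revision was loaded after boot, it will not be reflected here; a firmware-delivered or OS-delivered microcode update plus reboot is what the OS evaluates.'
}
```

Comparing the printed bytes against the revision a tool such as SiSoft Sandra reads live from the CPU shows whether the registry (and therefore the cmdlet) is seeing the same microcode the processor is actually running.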
McKnife (asker) replied:

2 days ago, Microsoft updated their updates (refresh release) and now Haswell as well as Broadwell CPUs are protected against Spectre 2, which leaves me with some Intel Core gen2 and gen3 architecture oldies... but these will get some updates, too, at least Ivy Bridge.
ASKER CERTIFIED SOLUTION (McKnife):
McKnife (asker) replied:

As outlined: no one here is experienced with it. Since googling reveals the same, the question should be archived for those who ask the same.