Microsoft releases microcode updates for Windows 10 version 1809 and newer
Microsoft released microcode updates, designed to protect Windows 10 systems against Spectre-based attacks, for Windows 10 version 1809, Windows 10 version 1903 and 1909, Windows 10 version 2004, 20H2 and 21H1 this week.
The microcode updates for all other Windows 10 versions have not been updated and remain on the November 2020 state.
Microcode updates come in two forms: as firmware updates or as updates for the operating system. The updates address flaws or issues in processors, and are loaded when the system is started.
Windows updates come with patches for Intel, mcupdate_GenuineIntel.dll, and AMD processors, mcupdate_AuthenticAMD.dll.
Important: Microsoft recommends that users/administrators verify that a particular update is designed for system hardware, in this case the processor, before installing it. The company lists supported processors on the support pages.
Microsoft will release the updated microcode patches for the listed Windows 10 versions via Windows Updates eventually. It may take a while before these are made available; administrators may download updates from the Microsoft Update Catalog already to install them manually on systems.
Here are the links to the Knowledgebase articles:
- Windows 10 version 2004, 20H2 and 21H1: KB4589212
- Windows 10 version 1903 and 1909: KB4589211
- Windows 10 version 1809: KB4589208
Intel CPU products mentioned on the support page of the latest update:
- 10th Generation Intel® Core™ Processor Family
- Comet Lake S (6+2)
- Comet Lake S (10+2)
- Comet Lake U62
- Comet Lake U6+2
- Ice Lake Y42/U42 ES2 SUP
- Lakefield
The Microsoft Update Catalog links are listed below:
- Windows 10 version 2004, 20H2 and 21H1: KB4589212
- Windows 10 version 1903 and 1909: KB4589211
- Windows 10 version 1809: KB4589208
Identify the right Windows 10 version and edition on the Microsoft Update Catalog website, e.g. Windows 10 version 20H2 with a 64-bit architecture, and the download button next to it afterwards.
The site opens a popup window with the download link. The msu files have a size between 2 and 3 Megabytes. All that is left to do after the download completes is to execute the downloaded file to install the update on the system.
The system needs to be restarted to complete the process.
Now You: do you install the microcode updates directly or wait for them to become available via Windows Update? (via Deskmodder)
There is ZERO reference to AMD processors in the KB4589211 article. Yet, on an AMD Ryzen ThinPad, Windows Update has detected that I need this patch.
Where do you get the information that these updates apply to AMD processors?
my system is AMD based why the hell do i need this update showing up to install????
Hi, I have Windows 10 Enterprise LTSC Version 1809 Build 17763.1697 fully updated and I have been waiting in vain for the update to be installed via Windows Update, but this has not happened.
If I check the mcupdate_GenuineIntel.dll file I see that its digital signature is dated February 2019 !
Does anyone have an explanation ?
PS: my processor, Intel Core i7-3632QM is in the list of Cpu supported by the update.
For the “Doubting Thomas” types out there who believe insurance is a waste of money, when your house burns down, will you have saved enough money to cover ALL of your losses?
@Martin thanks! :]
If you not belongs to wide network enterprise cpu. Then you dont need install the microcodes. Im worry only for the adress fix of mitm, i thought that networking bug was fixed with the latest cumulative updates.
Also a good read regarding microcodes, just to illustrate the point I was trying to make earlier when replying to @Yuliya
https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/
This exploit is REALLY difficult to attack:
https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/the-intel-csme-dam-vulnerability-cve-2018-3659-and-cve-2018-3643-whitepaper.pdf
It needs some sophisticated reconnaissance operation and research about the target
and unless that is a hight value target i cant imagine WHY any hacker will do that
over social engineering or something much easier and cheaper.
@Yuliya is right a lot of fear mongering here.
It is not surprising that microcode updates for all affected CPU’s are purposefully being left out, because Microsoft is a planned obsolesce monger.
They dont actually care about users security even though there is some evidence to the contrary, though its all smoke and mirrors.
People should be investing in coreboot/libreboot compatible machines and use QubeOS rather than Windows.
I dont need these updates, they already exist since they were made available, and Windows are only good for closing.
I’m hoping these updates won’t make their way to Windows 8 and Server 2012. I’ll be keeping an eye out.
I am officially bitching about how hard it is to use the tables provided in Microsoft’s microcode update pages to determine whether the update is applicable to a given system.
• Windows’ built-in GUI features (Settings>System>About and Device Manager>Processors) don’t seem to provide the requisite information.
• Once I had the CPU’s full name (easily found in Settings>System), Intel’s page at ark.intel.com provided a “Device ID” that didn’t match the format used in the table.
• CPU-Z doesn’t seem to provide much the info needed.
• HWInfo64 doesn’t provide all of it either, and you have to hunt down and identify the bits that *are* provided.
• GRC’s InSpectre utility returned a CPU ID in the same format used by Microsoft — HWInfo64 prepended leading zeroes to it — as well as the current microcode revision (which I didn’t spot anywhere else, though I may have been careless).
Unless I’m being really stupid and overlooking something obvious, there needs to be a single utility that pulls in all of the requisite CPU/Platform/Microcode information and presents it in the same format used by Microsoft in its tables. It should be provided by Microsoft, but if they don’t do it, someone else should. The current (*apparent*) need to assemble information from a variety of sources is too much work, even for people who know where to look.
As for whether and when I might apply the current update, I’m probably going to wait for an update to InSpectre and then double-check its take on how performance might be affected. And then I’m going to double-check what the real-world risk is to an individual user like me that no one (that I know of!) has any reason to target.
Anyway, I welcome any tips or corrections.
View CPU microcode revision from powershell:
https://www.xf.is/2018/06/28/view-cpu-microcode-revision-from-powershell/
@Carl Gustav
That post is great and all but it misses the execution policy.
Set-ExecutionPolicy Bypass -Scope Process
And no noob friendly instructions how to create a .ps1 file. ;)
Thanks for the link!
Disabled with InSpectre? Is disabling both options in that program enough to undo all current mitigations?
I have disabled these mitigations and strongly advice anyone to do so. Nothing but complete nonsense and fear mongering for a non-eksitent theoretical attack.
This is a surprising comment from someone I thought was more on the level than most. I fear that the pandemic must have gotten under your skin and jaded you. Please get better.
@Yuliya
If you are a hacker, then I can understand why you don’t want us to get security updates, otherwise if you are simply crazy, then I can’t understand that sort of thinking.
Either way, I’m sure you think you know what’s best for you.
In reality there are know exploits being used in the wild for most of these vulnerabilities. Some exploits are not know to be actively exploited but that doesn’t mean they aren’t and they are just unknown, until some future date where they will be found and made public..
Its true that if you really worry about technology security the only solution is not to own any technology at all, because its all full of holes that its possible to exfiltrate data by many techniques from even air gapped computers.
Telling others to disable mitigations, is unwise at any rate, so do get informed, read tech security news daily, or otherwise avoid making uninformed commentary.
The Hindenburg exploding, the Titanic sinking, World Wars, 9/11 and other events were also “theoretical” and “non-existent”, until they actually occurred. Just because something hasn’t happened yet doesn’t mean it won’t happen in the future.
Hoi Martin, Great articel again.
I have a qustion for you.
You wrought ” Microsoft will release the updated microcode patches for the listed Windows 10 versions via Windows Updates eventually.”
But please can you be any more specific than that please?
Do you think it will be the February 2021 updates of maybe with the 21H1 or maybe later?
I think it is February 2021, think I read it somewhere but cannot find the source anymore.
Downloaded immediately from the Microsoft website, thanks for the info.