Driverstore file needs to be updated dptf_cpu.inf_amd64_4a on MS Surface devices due to reported vulnerability - No MS update

Hello,

Thank you for posting in Microsoft Community.

I am aware of your concern regarding the vulnerability reported on the dptf_cpu.inf_amd64_4a file on your Surface device. I would like to ask some questions to know more about your concern in details.

• Would you mind sharing as to where did you get this file from? 

• What specific issue you're experiencing on the Surface?

• Can you confirm which Surface device do you have? 

I may need the details first so I can give you an accurate answer.

You may find this article useful Protecting your device against chip-related security vulnerabilities - Microsoft Support.

Kind regards,

Lavenia

Hi

Thanks for responding. We have numerous Surface Pro models. But the vulnerability seems related to an older Win 10 image as we don't see the issue on new Win 10 and Win 11 machines. However, we have a considerable amount of machines with this vulnerability being reported by Tenable. We cannot reimage 1000s of valid OS builds to fix one driver.

Synopsis

• Description

  Improper access control in the Intel DTT Software before version 8.7.10400.15482 may allow an authenticated user to potentially enable escalation of privilege via local access.

  Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

• Steps to Remediate

  Update the Intel DTT Software to the latest version provided by the system manufacturer that addresses these issues.
  
  Path : C:\Windows\System32\DriverStore\FileRepository\dptf_cpu.inf_amd64_4a3ae74cfa6c37d6\
  Installed version : 8.6.10401.9906
  Fixed version : See vendor advisory
  
  The only way to fix is to actually install the Tuning Tech intel app on all machines, which we do not want to do and manage. As the driver is in the Win 10 OS store then we ask MS should be able to apply a patched driver for this.
  
  Thanks.
  
  

In our environment, this appears to be related to Intel i5 processors. We have the vulnerable drivers on Surface Laptops with i5 processors and Windows 10. We recently performed clean system recoveries on a Surface Laptop (i5), Surface Hub (i5) and a Surface Book 3 (i7) with the appropriate Windows 11 Surface Recovery images from the MS website. The Surface Laptop and Surface Hub have the vulnerability, but the Book 3 does not. This doesn't appear to be related to OS version.

This is a screenshot from device manager. The highlighted devices use the same driver that has the vulnerability:

We also do not want to deploy the Intel app to manage drivers. The only other way to get the newest driver is to download the Intel NUC M15 Laptop Kit from Intel and extract the driver from it.

I would really like to help you with this, however after reading the description of your issue, it seems that the device you have is for business use, which is beyond the scope of my expertise. It would be better to bring up this concern with our commercial team as they are the device experts. You can submit a support request through Support for business (microsoft.com) to have your device checked out, troubleshooted, and receive assistance from professionals who work with commercial devices.

Or you may reach them through Contact Surface Support for Business and Education customers - Surface | Microsoft Learn.

You can get the driver from Microsoft Update Catalog, version 8.7.10700.22502. Not sure why Windows Update only pulls the 8.6 version.

My solution was to write a PowerShell script to remove the old and install the new. Then created an Intune Win32 package with the script and driver.

Thanks for your help and info here I will see if we can try this to solve the issue.

We did tick MS through our support contract on this but they did not offer any fix.

Hi. Can you share your PS script?

We do have control over driver updates using Windows Update for Business so was hoping we could find the same driver as on the catalog within the Intune catalog and deploy it that way but doesn't seem to be being detected on our environment strangely.

Thanks.