First, make it actually apply on current /etc/default/intel-microcode.

Second, keep using IUCODE_TOOL_SCANCPUS=no, as we still want to include all
microcodes, not only the one(s) for the build machine's CPU.

Third, use forced early mode for IUCODE_TOOL_INITRAMFS:

  * We can't use non-early initramfs mode anymore, since support for it has
    been removed.
  * We could not use "early" mode with the previous version of the
    intel-microcode packaging, since it only supported building on Intel CPU.
  * Quoting debian/changelog: "early" mode now allows a "non-Intel box to
    generate an early initramfs with microcode for an Intel box", and "on auto
    mode, do nothing in a non-intel box. In forced "early" mode, attempt to run
    iucode-tool".

So, this introduces a change in behaviour, but that's the best supported one,
the most robust one, and the one we wanted to use previously but could not.