During my last updating round, I noticed that a number of VMs in my Windows Azure Pack lab had problems with security update KB2920189. Reading the Microsoft Security Advisory, it states that Microsoft is revoking the digital signature for four private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot.
These UEFI (Unified Extensible Firmware Interface) modules are partner modules distributed in backup and recovery software. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are not in compliance with our certification program and are being revoked at the request of the author.
Microsoft is not aware of any misuse of the affected UEFI modules. Microsoft is proactively revoking these non-compliant modules in coordination with their author as part of ongoing efforts to protect customers. This action only affects systems running Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 that are capable of UEFI Secure Boot where the system is configured to boot via UEFI and Secure Boot is enabled. There is no action on systems that do not support UEFI Secure Boot or where it is disabled.
I concluded that this update only targeted Hyper-V Generation 2 VMs with Secure Boot enabled, which was in fact the case for all VMs involved.
No matter how many times I tried, each update attempt ended in failure.
The workaround was quite easy:
- Stop the Generation 2 VM and disable Secure Boot
- Start the VM and run Windows Update to complete KB2920189
- Stop the VM and re-enable Secure Boot
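The three steps above as a Hyper-V PowerShell script, added here as an example; it is not code from the original post or from the Kaniski blog linked below. It assumes the Hyper-V module on the host and that the VM names are passed in; Windows Update still has to be run inside the guest, so the script pauses for that step.

```powershell
#Requires -Modules Hyper-V
# Added example (not from the original post). Assumes a Hyper-V host with the
# Hyper-V PowerShell module; the guest-side Windows Update run stays manual.

function Invoke-SecureBootUpdateWorkaround {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$VMName
    )

    foreach ($name in $VMName) {
        $vm = Get-VM -Name $name -ErrorAction Stop

        # Only Generation 2 VMs boot via UEFI and carry a Secure Boot setting.
        if ($vm.Generation -ne 2) {
            Write-Warning "$name is Generation $($vm.Generation); skipping."
            continue
        }

        if ((Get-VMFirmware -VM $vm).SecureBoot -ne 'On') {
            Write-Warning "$name already has Secure Boot off; skipping."
            continue
        }

        # Step 1: stop the VM and disable Secure Boot.
        if ($vm.State -ne 'Off') { Stop-VM -VM $vm -Force }
        Set-VMFirmware -VM $vm -EnableSecureBoot Off

        # Step 2: start the VM and let Windows Update install KB2920189 in the guest.
        Start-VM -VM $vm
        Read-Host "Run Windows Update in '$name' until KB2920189 installs, then press Enter"

        # Step 3: stop the VM and re-enable Secure Boot.
        Stop-VM -VM $vm -Force
        Set-VMFirmware -VM $vm -EnableSecureBoot On

        # Verify the final state: a VM left with Secure Boot off is weaker than before.
        [pscustomobject]@{
            VMName     = $name
            SecureBoot = (Get-VMFirmware -VM $vm).SecureBoot
        }
    }
}

# Audit helper: list Generation 2 VMs still running with Secure Boot off,
# e.g. after an interrupted run of the workaround.
function Get-Gen2VMWithSecureBootOff {
    Get-VM | Where-Object { $_.Generation -eq 2 } |
        Where-Object { (Get-VMFirmware -VM $_).SecureBoot -eq 'Off' } |
        Select-Object Name, State
}
```

Run `Get-Gen2VMWithSecureBootOff` after the update round to confirm no VM was left with Secure Boot disabled.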
If you read the KB article, you will find a section on known issues referring to KB2962824 which explains that if you install this update on a system that uses a noncompliant Unified Extensible Firmware Interface (UEFI) module, you may be unable to start the computer.
We ran into a number of customers who have made a habit of updating their Windows image offline before bringing it online, for security reasons. The result was that Generation 2 VMs would not be able to start again because of the above issue.
If your system will not start after you install this security update, follow these steps:
- Use Windows Defender Offline to make sure that no malware is present on the system. For more information, go to the following Microsoft webpage:
- Restart the computer by using recovery media (on USB, DVD, or network [PXE] restart), and then perform recovery operations. For more information, go to the following Microsoft webpage:
To avoid this issue, we recommend that you apply this update after you remove noncompliant UEFI modules from your system to make sure that the system can successfully start. Also, consider upgrading to compliant UEFI modules if they are available. For more information about your UEFI module, contact the UEFI module supplier. This might include the system vendor, the plug-in card vendor, or other UEFI software vendors such as UEFI backup and restore solutions, UEFI anti-malware, and so on.
Reminder: Do not forget to re-enable Secure Boot after the update has succeeded.
This blog by Kaniski also talks about this problem and offers some PowerShell cmdlets to automate this workaround.