This month Microsoft published a new security advisory and an update rollup that revokes noncompliant UEFI modules.
However, there are some known issues that are detailed in KB2962824:
You receive a 0x800f0922 error when you try to install this security update when you have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled. The Windows Server can be a Generation 2 guest virtual machine (which is my case).
Cause: This error occurs because the installer for this security update incorrectly expects BitLocker to be installed.
To check if you have a UEFI-based BIOS, you can either use the msinfo32.exe utility in GUI mode,…
… or call it from the command line:
c:\windows\system32\msinfo32.exe --% /report .\msinfo.txt
Get-Item .\msinfo.txt | Select-String -pattern "^BIOS\sMode" -Context 0,5
If you want to wait until the msinfo32 process has finished gathering the information, you can do:
# -Wait blocks until msinfo32 has exited and the report has been written
Start-Process -FilePath C:\Windows\system32\msinfo32.exe -ArgumentList "/report",".\msinfo.txt" -Wait
You can also use the built-in SecureBoot module. The Confirm-SecureBootUEFI cmdlet tells you whether Secure Boot is enabled or not. It returns true or false.
To review the status of the BitLocker component, you can do:
Get-WindowsOptionalFeature -Online | ? FeatureName -match "Bitlocker"
# or
Get-WindowsFeature | ? Name -match "Bitlocker"
Now, to fix the component requirement that caused the update to fail, first review what will be done:
Install-WindowsFeature -Name BitLocker -IncludeManagementTools -Restart:$false -WhatIf
and then proceed by just removing the -WhatIf parameter at the end of the line:
Install-WindowsFeature -Name BitLocker -IncludeManagementTools -Restart:$false
As you can see in the following screenshot, a reboot is required.
Note that you can specify an internal source if you don’t want missing components to be downloaded from Windows Update.
Just enabling the missing BitLocker component fixed the security update install issue.
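The checks above can be combined into one pre-flight test to run before installing the update. This is an added example, not code from the original post: the function name Test-UefiRevocationUpdateReadiness and the output property names are made up for illustration, and it assumes an elevated PowerShell session on Windows Server 2012.

```powershell
# Added example: pre-flight check for the known issue described in this post.
# Test-UefiRevocationUpdateReadiness is a hypothetical helper name.
function Test-UefiRevocationUpdateReadiness {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems, but it throws
    # on legacy BIOS (PlatformNotSupportedException) and in a non-elevated
    # session (UnauthorizedAccessException), so both cases are handled here.
    $firmware   = 'UEFI'
    $secureBoot = $false
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch [System.PlatformNotSupportedException] {
        $firmware = 'Legacy BIOS'
    }
    catch [System.UnauthorizedAccessException] {
        throw 'Run this check from an elevated PowerShell session.'
    }

    # Get-WindowsFeature ships with the ServerManager module on Windows Server.
    $bitLocker = Get-WindowsFeature -Name BitLocker

    # The known issue applies when Secure Boot is enabled and BitLocker is absent.
    $affected = $secureBoot -and -not $bitLocker.Installed

    $advice = 'No action needed before installing the update.'
    if ($affected) {
        $advice = 'Install the BitLocker feature and reboot before installing the update.'
        if ($bitLocker.InstallState -eq 'Removed') {
            # Payload is not on disk: Windows Update or an internal source is needed.
            $advice += ' The feature payload was removed, so a source is required.'
        }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Firmware             = $firmware
        SecureBootEnabled    = $secureBoot
        BitLockerInstalled   = [bool]$bitLocker.Installed
        BitLockerState       = $bitLocker.InstallState
        AffectedByKnownIssue = $affected
        Recommendation       = $advice
    }
}

Test-UefiRevocationUpdateReadiness | Format-List
```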