Update rollup of revoked noncompliant UEFI modules known issues

Microsoft published this month a new security advisory and an Update rollup that will revoke noncompliant UEFI modules.

However there are some known issues that are detailed in KB2962824

You receive a 0x800f0922 error when you try to install this security update
when you have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled. The Windows Server can be a Generation 2 guest virtual machine (which is my case).

Cause: This error occurs because the installer for this security update incorrectly expects BitLocker to be installed.

To check if you a UEFI based BIOS, you can either use the msinfo32.exe utility in GUI mode,…

… or call it from the commandline

c:\windows\system32\msinfo32.exe --% /report .\msinfo.txt
Get-Item .\msinfo.txt | 
Select-String -pattern "^BIOS\sMode" -Context 0,5

If you want to wait that the msinfo32 process has finished gathering the information, you can do:

Start-Process -FilePath C:\Windows\system32\msinfo32.exe -ArgumentList "/report",".\msinfo.txt"
While (-not (Get-Process -Name msinfo32).HasExited) {}

You can also use the built-in SecureBoot module. With the cmdlet Confirm-SecureBootUEFI you’ll know whether the secure boot is enabled or not. It will return true or false

To review the status of the bitlocker component, you can do:

Get-WindowsOptionalFeature -Online | ? FeatureName -match "Bitlocker"
# or
Get-WindowsFeature | ? Name -match "Bitlocker"

Now to fix this component requirement that caused the update to fail, you first review what will be done:

Install-WindowsFeature -Name BitLocker -IncludeManagementTools -Restart:$false -WhatIf

and then proceed by just removing the whatif parameter at the end of the line.

Install-WindowsFeature -Name BitLocker -IncludeManagementTools -Restart:$false

As you can see in the following screenshot, a reboot is required.
Note that you can specify an internal source if you don’t want that missing components are downloaded from Windows Update.

Just enabling the missing Bitlocker component fixed the security update install issue:


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.