KB2962824 gen2 and secure boot

On May 27, 2014, in Security, by

When you install KB2962824 (the update that revokes noncompliant UEFI modules) on a Windows Server 2012 R2 host that runs Generation 2 virtual machines, be aware of a known issue: inside a Generation 2 guest that has Secure Boot enabled, the update fails to install, reporting error 0x800f0922.

Microsoft documents this as a known issue and does not intend to fix it.

You can:

a. skip the update on the affected machine (Microsoft's position, quoted below, is that Generation 2 guests do not need it),

b. install the BitLocker feature on the system where the update fails (the installer only checks that the BitLocker component is present; it does not have to be configured on any drive), or

c. perform the following workaround:

  1. Shut down the VM
  2. Disable Secure Boot for the VM
  3. Start the VM and install the update
  4. Shut down the VM again
  5. Enable Secure Boot
  6. Start the VM
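The six steps above, driven from the Hyper-V host as one script. This is an added example, not code from the original post or from Microsoft; the guest name is a placeholder, the guest is assumed to answer WinRM under that name, and the update itself is applied inside the guest at the console or through Windows Update (wusa.exe does not run from a remote PowerShell session). The script also carries option (b) as a function, because the cause Microsoft gives is only that the installer looks for the BitLocker component. While Secure Boot is off the guest's boot chain is unverified, so keep that window to the one install and re-enable before the VM goes back into service; the final check asks the guest itself whether it booted with Secure Boot enforced rather than trusting the host-side setting alone.

```powershell
# Added example (not from the original post or from Microsoft): scripts
# workaround (c) from the 2012 R2 host and includes option (b) as a function.
# Assumptions: $VMName is a hypothetical guest name that also resolves for
# WinRM; $GuestCred is an administrator on the guest; the update is applied
# inside the guest by hand while the script waits.
param(
    [string]$VMName = 'ESS2012R2',          # hypothetical Generation 2 guest
    [string]$KB     = 'KB2962824',
    [pscredential]$GuestCred = (Get-Credential -Message "Administrator on $VMName")
)

Import-Module Hyper-V

function Get-GuestSecureBoot {
    # Firmware setting as the host sees it: 'On' or 'Off'.
    (Get-VMFirmware -VMName $VMName).SecureBoot
}

function Set-GuestSecureBoot {
    param([ValidateSet('On', 'Off')][string]$State)
    # The firmware setting can only be changed while the guest is off
    # (steps 1 and 4). Stop-VM shuts the guest down through integration
    # services and returns once it has stopped.
    if ((Get-VM -Name $VMName).State -ne 'Off') { Stop-VM -Name $VMName }
    Set-VMFirmware -VMName $VMName -EnableSecureBoot $State
    if ((Get-GuestSecureBoot) -ne $State) { throw "Secure Boot is not $State on $VMName" }
}

function Wait-GuestWinRM {
    # Poll until the guest answers a WS-Management identify request.
    while (-not (Test-WSMan -ComputerName $VMName -ErrorAction SilentlyContinue)) {
        Start-Sleep -Seconds 10
    }
}

function Test-GuestHotfix {
    # $true when the guest lists the update among its installed hotfixes.
    Invoke-Command -ComputerName $VMName -Credential $GuestCred -ArgumentList $KB -ScriptBlock {
        param($id) [bool](Get-HotFix -Id $id -ErrorAction SilentlyContinue)
    }
}

function Install-GuestBitLockerComponent {
    # Option (b): the installer only checks that the BitLocker component is
    # present; no drive has to be encrypted. For Windows Server 2012 guests,
    # where the feature is named 'BitLocker' in Server Manager.
    Invoke-Command -ComputerName $VMName -Credential $GuestCred -ScriptBlock {
        Install-WindowsFeature -Name BitLocker -Restart
    }
}

# --- Workaround (c) ---
Set-GuestSecureBoot -State 'Off'        # steps 1 and 2
Start-VM -Name $VMName                  # step 3
Wait-GuestWinRM
if (-not (Test-GuestHotfix)) {
    Write-Host "Install $KB inside $VMName now (Windows Update or wusa.exe at the console)."
    Read-Host  "Press Enter once the update reports success"
    if (-not (Test-GuestHotfix)) { throw "$KB is still not listed by Get-HotFix on $VMName" }
}
Set-GuestSecureBoot -State 'On'         # steps 4 and 5
Start-VM -Name $VMName                  # step 6
Wait-GuestWinRM

# Confirm from inside the guest that it really booted with Secure Boot
# enforced again; Confirm-SecureBootUEFI reads the firmware variable.
$inGuest = Invoke-Command -ComputerName $VMName -Credential $GuestCred -ScriptBlock { Confirm-SecureBootUEFI }
"{0}: host firmware SecureBoot={1}, guest reports SecureBoot={2}, {3} installed={4}" -f `
    $VMName, (Get-GuestSecureBoot), $inGuest, $KB, (Test-GuestHotfix)
```

If you would rather take option (b), call Install-GuestBitLockerComponent first and skip the Secure Boot toggling entirely; the guest restarts to add the feature, after which the update installs with Secure Boot left on.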

http://social.technet.microsoft.com/Forums/exchange/en-US/e58c8b30-b91a-4d90-a1b5-8859ffc3b92c/kb2920189-fails-to-install-on-generation-2-vms?forum=winserverhyperv


Bottom line: Microsoft will not change the installer, and this behavior is expected. The known-issues section quoted below is from the Microsoft KB article; note that it names security update 2871690.

Known issues with this security update

  • You cannot start the computer after you install this security update 

    If you install this security update on a system that uses a noncompliant Unified Extensible Firmware Interface (UEFI) module, you may be unable to start the computer. 

    If your system will not start after you install this security update, follow these steps:

    1. Use Windows Defender Offline to make sure that no malware is present on the system. For more information, go to the following Microsoft webpage:
    2. Restart the computer by using recovery media (on USB, DVD, or network [PXE] restart), and then perform recovery operations. For more information, go to the following Microsoft webpage: 

    To avoid this issue, we recommend that you apply this update after you remove noncompliant UEFI modules from your system to make sure that the system can successfully start. Also, consider upgrading to compliant UEFI modules if they are available. 

    For more information about your UEFI module, contact the UEFI module supplier. This might include the system vendor, the plug-in card vendor, or other UEFI software vendors such as UEFI backup and restore solutions, UEFI anti-malware, and so on. 

    For information about how to contact the UEFI module supplier, go to the following Microsoft website:

  • You receive a 0x800f0922 error when you try to install this security update 

    Symptoms
    Consider the following two configurations:

    • Configuration 1
      You have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled.
    • Configuration 2
      You have a Windows Server 2012 R2-based Hyper-V host running and are running a Generation 2 virtual machine guest that uses UEFI firmware support and has the Secure Boot option enabled. The guest virtual machine is running Windows 8 or Windows Server 2012.

    In these configurations, security update 2871690 may not install, and you receive a 0x800f0922 error message. 

    Cause 
    This error occurs because the installer for security update 2871690 incorrectly expects BitLocker to be installed. 

    Workaround 
    To work around this issue, use one of the following methods, based on your scenario:

    • Workaround for configuration 1
      Install the BitLocker optional component on the server that uses UEFI and that has the Secure Boot option enabled.
    • Workaround for configuration 2
      Generation 2 virtual machines are not affected by this issue, and you do not have to install the update in this case. 

    Note You do not have to configure BitLocker on any drive. It is necessary only for the BitLocker component to be present on Windows Server 2012 when you install security update 2871690.


One Response to KB2962824 gen2 and secure boot

  1. Joe Raby says:

    Just FYI: I have a UEFI R2 server (an Intel board) and Essentials 2012 R2 running as a VM and KB2920189 does the same thing in the VM – and it’s a Gen 2 VM.

    Looks like I’m gonna hafta turn off Secure Boot in the VM to get this patched – TOMORROW.