How to fix problems with 'revoked UEFI module' patches KB 2920189 and 2962824

If you're trying to apply this month's Black Tuesday patches to UEFI systems or 'gen 2' VMs, watch out for glitches

If you admins are running "gen 2" Hyper-V VMs with Windows 8, you've probably seen an error 800F092 when trying to install KB 2920189. Don't worry. Microsoft had the same problem the last time it tried to revoke UEFI certificates -- back in December/January -- and it apparently didn't learn from the KB 2871690 mistakes.

You VM admins are lucky because the solution's easy. Windows 8 users with UEFI activated may brick their machines if they install KB 2962824.

To a first approximation, the problem arises when one of the two KBs revokes the certificate for specific UEFI modules. If your machine (or VM) boots with one of the UEFI modules and the cert has been revoked, your machine (or the VM) will cough and die -- as it's supposed to.

That being the case, you might ask which UEFI modules are on the revocation list -- which modules will cause UEFI boots to turn belly up. The short answer: Microsoft won't tell you. Apparently the KB installers aren't smart enough to warn you if you try to install one of the KBs on a system with a revoked cert. And Microsoft's batting its eyes and playing coy about naming the specific revoked modules.

If this sounds like deja vu all over again for you UEFI users, well, it is.

Back in December (updated in January), Microsoft released KB 2871690. It had exactly the same problems. Microsoft's solution for people with bricked Windows client machines:

If your system will not start after you install this security update, follow these steps:

Use Windows Defender Offline to make sure that no malware is present on the system.

Restart the computer by using recovery media (on USB, DVD, or network (PXE) boot), and then perform recovery operations.

To avoid this issue, we recommend that you apply this update after you remove noncompliant UEFI modules from your system to make sure that the system can successfully start, and consider upgrading to compliant UEFI modules if they are available.

The easiest solution for gen 2 VMs is to shut down the VM manually, disable Secure Boot, restart the VM, install the patch, shut down the VM again, enable Secure Boot, and start the VM again. Manually. If you have a hundred VMs, that should take you a week.

Or you can try the official solution, which is to shut down the VM and install BitLocker. Yes, in every VM.
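The shut-down, disable-Secure-Boot, patch, re-enable cycle for gen 2 VMs, scripted so it does not have to be done by hand a hundred times. This is an added example, not code from InfoWorld or Microsoft; it assumes the Hyper-V PowerShell module on the host, PowerShell remoting into each guest by its VM name, and that the KB .msu has already been copied into the guest at the (placeholder) path in $MsuPath.

```powershell
# Added example: automate Secure Boot off -> install KB -> Secure Boot on for gen 2 Hyper-V VMs.
# Assumptions: Hyper-V module on the host, WinRM remoting into each guest by VM name,
# and the .msu already present inside the guest at $MsuPath (placeholder, adjust to taste).
param(
    [Parameter(Mandatory)][string[]]$VMName,
    [Parameter(Mandatory)][pscredential]$GuestCredential,
    [string]$MsuPath = 'C:\Patches\Windows8-RT-KB2920189-x64.msu'   # placeholder path
)

function Wait-GuestHeartbeat {
    # Block until the guest's Heartbeat integration service reports Ok*, or give up.
    param([string]$Name, [int]$TimeoutSec = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        if ((Get-VM -Name $Name).Heartbeat -like 'Ok*') { return }
        Start-Sleep -Seconds 5
    }
    throw "Timed out waiting for $Name to boot"
}

foreach ($name in $VMName) {
    $vm = Get-VM -Name $name
    if ($vm.Generation -ne 2) { Write-Warning "$name is not a gen 2 VM, skipping"; continue }

    # Step 1: shut down (graceful, Stop-VM waits for the guest), turn Secure Boot off, boot.
    if ($vm.State -ne 'Off') { Stop-VM -Name $name }
    Set-VMFirmware -VMName $name -EnableSecureBoot Off
    Start-VM -Name $name
    Wait-GuestHeartbeat -Name $name

    # Step 2: install the update inside the guest. wusa exit code 3010 means "reboot required".
    $rc = Invoke-Command -ComputerName $name -Credential $GuestCredential -ScriptBlock {
        param($msu)
        (Start-Process -FilePath wusa.exe -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru).ExitCode
    } -ArgumentList $MsuPath
    if ($rc -notin 0, 3010) {
        Write-Warning "$name: wusa exited with $rc; leaving Secure Boot off so you can inspect it"
        continue
    }

    # Step 3: shut down again, turn Secure Boot back on, boot and confirm the guest comes up.
    Stop-VM -Name $name
    Set-VMFirmware -VMName $name -EnableSecureBoot On
    Start-VM -Name $name
    Wait-GuestHeartbeat -Name $name
    Write-Output "$name: update installed, Secure Boot re-enabled, guest is up"
}
```

The final Wait-GuestHeartbeat is the check that matters: if the guest never reports a heartbeat with Secure Boot back on, that VM boots a module whose cert the KB revoked.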

What irks me most about this problem: Microsoft refused to tell us which UEFI modules were revoked in December, and it refuses to tell us now. All you get from the KB articles is a list of SHA256 hashes that supposedly match the hashes in the revoked UEFI modules. No product names. No manufacturers. No versions. Just this enlightening list of numbers:

D626157E1D6A718BC124AB8DA27CBB65072CA03A7B6B257DBDCBBD60F65EF3D1

D063EC28F67EBA53F1642DBF7DFF33C6A32ADD869F6013FE162E2C32F1CBE56D

29C6EB52B43C3AA18B2CD8ED6EA8607CEF3CFAE1BAFE1165755CF2E614844A44

90FBE70E69D633408D3E170C6832DBB2D209E0272527DFB63D49D29572A6F44C

Clear as mud, right?

This story, "How to fix problems with 'revoked UEFI module' patches KB 2920189 and 2962824," was originally published at InfoWorld.com.
