How to fix problems with 'revoked UEFI module' patches KB 2920189 and 2962824

If you're trying to apply this month's Black Tuesday patches to UEFI systems or 'gen 2' VMs, watch out for glitches

If you admins are running "gen 2" Hyper-V VMs with Windows 8, you've probably seen an error 800F092 when trying to install KB 2920189. Don't worry. Microsoft had the same problem the last time it tried to revoke UEFI certificates -- back in December/January -- and it apparently didn't learn from the KB 2871690 mistakes.

You VM admins are lucky because the solution's easy. Windows 8 users with UEFI activated may brick their machines if they install KB 2962824.

To a first approximation, the problem arises when one of the two KBs revokes the certificate for specific UEFI modules. If your machine (or VM) boots with one of the UEFI modules and the cert has been revoked, your machine (or the VM) will cough and die -- as it's supposed to.

That being the case, you might ask which UEFI modules are on the revocation list -- which modules will cause UEFI boots to turn belly up. The short answer: Microsoft won't tell you. Apparently the KB installers aren't smart enough to warn you if you try to install one of the KBs on a system with a revoked cert. And Microsoft's batting its eyes and playing coy about naming the specific revoked modules.

If this sounds like deja vu all over again for you UEFI users, well, it is.

Back in December (updated in January), Microsoft released KB 2871690. It had exactly the same problems. Microsoft's solution for people with bricked Windows client machines:

If your system will not start after you install this security update, follow these steps:

Use Windows Defender Offline to make sure that no malware is present on the system.

Restart the computer by using recovery media (on USB, DVD, or network (PXE) boot), and then perform recovery operations.

To avoid this issue, we recommend that you apply this update after you remove noncompliant UEFI modules from your system to make sure that the system can successfully start, and consider upgrading to compliant UEFI modules if they are available.

The easiest solution for gen 2 VMs is to shut down the VM manually, disable Secure Boot, restart the VM, install the patch, shut down the VM again, enable Secure Boot, and start the VM again. Manually. If you have a hundred VMs, that should take you a week.

Or you can try the official solution, which is to shut down the VM and install BitLocker. Yes, in every VM.

What irks me most about this problem: Microsoft refused to tell us which UEFI modules were revoked in December, and it refuses to tell us now. All you get from the KB articles is a list of SHA256 hashes that supposedly match the hashes in the revoked UEFI modules. No product names. No manufacturers. No versions. Just this enlightening list of numbers:





Clear as mud, right?

This story, "How to fix problems with 'revoked UEFI module' patches KB 2920189 and 2962824," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.