A faulty security update was released on Patch Tuesday this month (May 13th). I wonder how this has been able to fly under the radar through testing? As the following support article states, you receive Error Code 0x800f0922 when you try to install this security update.
Configuration 1: You have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled.
Configuration 2: You have a Windows Server 2012 R2-based Hyper-V host and are running a Generation 2 virtual machine guest that uses UEFI firmware support and has the Secure Boot option enabled.
The article states that the latter (Configuration 2) is not affected by the issue and you don’t have to install the update. However, if you like your WSUS reports clean with no pending updates and compliance reports to show all green, you can do the following.
How to install the update without errors
This applies only to Configuration 2 above. In short, you have to disable Secure Boot on the Generation 2 VM, install the update, and then re-enable it.
The setting can be found in Virtual Machine Settings under Firmware. After successful installation, re-enable Secure Boot and you’re all set.
You can disable Secure Boot on a turned-off VM with the following cmdlet.
Set-VMFirmware -ComputerName <Hyper-V host name> -VMName <VM name> -EnableSecureBoot Off
And with the power of PowerShell, with a little scripting, you can do this with ease for all your VMs.
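One way to script this for every Generation 2 VM on a host, as an added example that is not part of the original post: run it with -Mode Disable, install the update in the guests, then run it with -Mode Restore so that exactly the VMs that had Secure Boot on get it back. The host name HV01, the state file path and the helper function name are assumptions.

```powershell
# Added example, not from the original post. HV01 and the CSV path are assumed values.
param(
    [string]$HvHost    = 'HV01',                    # hypothetical Hyper-V host name
    [string]$StateFile = '.\secureboot-state.csv',  # hypothetical state file
    [ValidateSet('Disable', 'Restore')]
    [string]$Mode      = 'Disable'
)

function Set-SecureBootState {                      # hypothetical helper
    param($Vm, [string]$State, [bool]$WasRunning)
    # Firmware settings can only be changed while the VM is turned off.
    if ($Vm.State -ne 'Off') { Stop-VM -VM $Vm }
    Set-VMFirmware -VM $Vm -EnableSecureBoot $State
    if ($WasRunning) { Start-VM -VM $Vm }
}

if ($Mode -eq 'Disable') {
    # Only Generation 2 VMs have UEFI firmware; touch only those with Secure Boot on.
    $gen2 = Get-VM -ComputerName $HvHost | Where-Object Generation -eq 2
    $changed = foreach ($vm in $gen2) {
        if ((Get-VMFirmware -VM $vm).SecureBoot -ne 'On') { continue }
        if ($vm.State -notin 'Running', 'Off') {
            Write-Warning "Skipping $($vm.Name): state is $($vm.State)"
            continue
        }
        $wasRunning = $vm.State -eq 'Running'
        Set-SecureBootState -Vm $vm -State Off -WasRunning $wasRunning
        [pscustomobject]@{ VMName = $vm.Name; WasRunning = $wasRunning }
    }
    # Persist the list so the same VMs are re-protected after patching.
    @($changed) | Export-Csv -Path $StateFile -NoTypeInformation
}
else {
    foreach ($row in Import-Csv -Path $StateFile) {
        $vm = Get-VM -ComputerName $HvHost -Name $row.VMName
        Set-SecureBootState -Vm $vm -State On -WasRunning ($row.WasRunning -eq 'True')
        # Verify the result instead of assuming it: report any VM left unprotected.
        if ((Get-VMFirmware -VM $vm).SecureBoot -ne 'On') {
            Write-Warning "Secure Boot is still off on $($row.VMName)"
        }
    }
}
```

Keeping the state file means a VM that had Secure Boot off on purpose is not switched on by accident, and no VM is left with it off after the maintenance window.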
Just a small security concern. As Secure Boot protects you from malware, rootkits, etc., take that into consideration when you go messing with it and disabling it.
Broken updates like this have been more of a rule than an exception for the past months. Let’s hope things will get better from now on…
Edit: More info on Secure Boot can be found for example in Wikipedia.