Security Update for Windows Server 2012 R2 (KB2920189) – Install Fails with Error Code 0x800F0922

A faulty security update was released on Patch Tuesday this month (May 13th). I wonder how this has been able to fly under the radar through testing? As the following support article states, you receive error code 0x800F0922 when you try to install this security update.

Microsoft security advisory: Update rollup of revoked noncompliant UEFI modules


Configuration 1
You have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled.

Configuration 2
You have a Windows Server 2012 R2-based Hyper-V host and are running a Generation 2 virtual machine guest that uses UEFI firmware support and has the Secure Boot option enabled.

The article states that the latter (Configuration 2) is not affected by the issue and you don’t have to install the update. However, if you like your WSUS reports clean with no pending updates and compliance reports to show all green, you can do the following.

How to install the update without errors

This applies only to Configuration 2 above. In short, disable Secure Boot on the Generation 2 VM, install the update, and then re-enable Secure Boot.

GUI

The setting can be found in Virtual Machine Settings under Firmware, see screen shot below. After successful installation, re-enable Secure Boot and you’re all set.

[Screenshot: the Secure Boot option under Firmware in Virtual Machine Settings]

PowerShell

You can disable Secure Boot of a turned off VM with the following cmdlet.

Set-VMFirmware -ComputerName <Hyper-V host name> -VMName <VM name> -EnableSecureBoot Off

And with the power of PowerShell, with a little scripting, you can do this with ease for all your VMs.
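One way to script this for every Generation 2 VM on a host so that no VM is left with Secure Boot off afterwards (an added example, not part of the original post). The host name, the state file path and the function names are assumptions; only VMs that are running or off are handled.

```powershell
# Added example. $HvHost and $StateFile are assumed values, adjust them for your environment.
$HvHost    = 'HV01'                          # hypothetical Hyper-V host name
$StateFile = 'C:\Temp\secureboot-state.csv'  # hypothetical path for the saved state

function Set-SecureBootState {
    param([string]$VMName, [ValidateSet('On','Off')][string]$State)
    $vm = Get-VM -ComputerName $HvHost -Name $VMName
    $wasRunning = $vm.State -eq 'Running'
    if ($wasRunning) { Stop-VM -VM $vm }      # firmware settings can only be changed while the VM is off
    Set-VMFirmware -ComputerName $HvHost -VMName $VMName -EnableSecureBoot $State
    if ($wasRunning) { Start-VM -VM $vm }     # bring the VM back so the update can be installed
}

# Phase 1: record which Generation 2 VMs have Secure Boot on, then turn it off for those only.
function Disable-SecureBootForUpdate {
    $targets = @(Get-VM -ComputerName $HvHost |
        Where-Object { $_.Generation -eq 2 } |
        Where-Object { (Get-VMFirmware -VM $_).SecureBoot -eq 'On' })
    $targets | Select-Object Name | Export-Csv -Path $StateFile -NoTypeInformation
    foreach ($vm in $targets) { Set-SecureBootState -VMName $vm.Name -State Off }
}

# Phase 2: after the update is installed, re-enable Secure Boot on exactly the recorded VMs
# and verify the result, so a failed change does not go unnoticed.
function Restore-SecureBoot {
    $names = @(Import-Csv -Path $StateFile | ForEach-Object { $_.Name })
    foreach ($name in $names) { Set-SecureBootState -VMName $name -State On }
    $stillOff = @($names | Where-Object {
        (Get-VMFirmware -ComputerName $HvHost -VMName $_).SecureBoot -ne 'On'
    })
    if ($stillOff.Count -gt 0) {
        Write-Warning "Secure Boot is still off on: $($stillOff -join ', ')"
    } else {
        Remove-Item -Path $StateFile          # state is only discarded once every VM is verified
    }
}

# Usage:
#   Disable-SecureBootForUpdate
#   ... install KB2920189 inside the guests ...
#   Restore-SecureBoot
```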

Security

Just a small security concern: Secure Boot protects you from malware, rootkits, etc., so take that into consideration before you go disabling it.

Summary

Broken updates like this have been more of a rule than an exception for the past months. Let’s hope things will get better from now on…

Edit: More info on Secure Boot can be found for example in Wikipedia.
