Do your firmware updates before installing KB5012170

Lakados ([H]F Junkie, joined Feb 3, 2014, 10,276 messages)
Many OEM machines come with BitLocker enabled, or many users have chosen to enable BitLocker during their Windows configuration.
Microsoft patches some known security exploits in KB5012170, and if your UEFI firmware is out of date it breaks some things, causing you to have to track down and enter your BitLocker Recovery Key (not terribly hard, but annoying).
It also may change your HDD configuration from RAID to AHCI (not hard to change, but annoying if you aren't expecting it to change on you).
It's totally an OEM issue, but an annoying one to say the least.
This has been a public service announcement brought to you by one tired IT guy who didn't need this crap on a Thursday morning!
 
Can't say I've ever used Bitlocker (I actually had to Google what it was) but thanks for the heads up.

This sounds like it could be a real pain in the ass if you have to deal with it.
 
Got a link or something to read? Is it a known issue, is MS talking about it, or did it just happen once to you?
I had it happen to a building because an employee who "knows what they are doing" decided to help out the overworked IT department by doing various updates and such and made a crapload of extra work for me instead...
 
lol, I'm helping!
So it might just have been that guy messing things up. Wondering if it's a widespread, known issue.
 

https://support.microsoft.com/en-us...t-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15


Known issues:

  • If the BitLocker Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy, it may result in the update failing to install. To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.
  • When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922. Note: This issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates released on August 9, 2022.
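A pre-flight check for the firmware-first sequence the OP describes and for the PCR7 known issue quoted above, as an added example (not the thread's own script and not Microsoft's). It assumes it runs elevated on a Secure Boot machine and that the $ReportDir and $BackupDir paths are free to use.

```powershell
# Added example (not from the thread): pre-flight check to run as Administrator
# before approving the KB5012170 Secure Boot DBX update on a BitLocker machine.
# It records firmware version, Secure Boot/TPM state, BitLocker protectors and
# the PCR7 binding line from an msinfo32 report, then suspends BitLocker for one
# reboot so a changed PCR7 measurement does not drop the machine into recovery.
# $ReportDir and $BackupDir are assumed paths chosen for this example.

param(
    [string]$ReportDir = "$env:ProgramData\DbxPreflight",
    [string]$BackupDir = "$env:ProgramData\DbxPreflight\RecoveryKeys",
    [string]$OsDrive   = $env:SystemDrive
)

New-Item -ItemType Directory -Force -Path $ReportDir, $BackupDir | Out-Null

# 1. Firmware version: compare this against the OEM's current release before
#    installing the DBX update (the OP's point: firmware first, KB second).
$bios = Get-CimInstance -ClassName Win32_BIOS
"Firmware: $($bios.Manufacturer) $($bios.SMBIOSBIOSVersion) ($($bios.ReleaseDate))"

# 2. Secure Boot and TPM state. The DBX update only matters on Secure Boot
#    systems; Confirm-SecureBootUEFI throws on legacy BIOS, so catch that.
try   { "SecureBoot: $(Confirm-SecureBootUEFI)" }
catch { "SecureBoot: not a UEFI/Secure Boot system ($($_.Exception.Message))" }
$tpm = Get-Tpm
"TPM present/ready: $($tpm.TpmPresent)/$($tpm.TpmReady)"

# 3. PCR7 binding, the condition named in the KB5012170 known issues. msinfo32
#    has no cmdlet, so export its text report and pull the PCR7 line out of it.
$report = Join-Path $ReportDir "msinfo32.txt"
Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
$pcr7 = Select-String -Path $report -Pattern 'PCR7 Configuration' | Select-Object -First 1
"PCR7: $(if ($pcr7) { $pcr7.Line.Trim() } else { 'line not found in report' })"

# 4. BitLocker: status, protector types, and a copy of every recovery password
#    in case the update still triggers recovery. Move the copies off the machine;
#    a key that only lives on the encrypted disk is useless at the recovery prompt.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
"BitLocker on $OsDrive : $($vol.ProtectionStatus), $($vol.VolumeStatus)"
"Protectors: $(($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', ')"
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object {
        $file = Join-Path $BackupDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, $_.KeyProtectorId.Trim('{}'))
        "$($_.KeyProtectorId) $($_.RecoveryPassword)" | Set-Content -Path $file
        "Recovery password saved to $file"
    }

# 5. Suspend protection for exactly one reboot. BitLocker re-arms itself after
#    that restart and re-seals the key to the post-update PCR values instead of
#    demanding the recovery key. If the firmware update and the KB each need a
#    restart, run this step again between them.
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null
    "BitLocker suspended on $OsDrive for 1 reboot; install firmware, then KB5012170."
} else {
    "BitLocker protection already off/suspended on $OsDrive; nothing to suspend."
}
```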
 
Microsoft updates now change UEFI settings?
Yup. Windows Update will even update the BIOS for you on a bunch of stuff now....

Thanks! Should be in the OP....

All our admin/head office staff are on new Dells that this could affect....
 
FFS! Just when I thought Windows couldn't have fallen lower.
It's actually kind of handy. Dell publishes their BIOS and UEFI updates, and if you have the "include optional updates" section checked it will include them with your Windows updates, and that prevents this sort of stuff.
 

Except for those instances where you're on a very specific BIOS/UEFI version because of hardware configuration.

"oops sorry, we updated ur board bios and now it's bricked because you have a CPU that only the older BIOS/UEFI supports"

Or

"oops sorry, we updated ur board bios and we didn't checksum the new image and there was one block that didn't flash correctly, but we didn't tell you that. You rebooted and now the machine is a brick, it's not our fault."

Or

"oops sorry, you had a power outage during the firmware update we didn't tell you about and now your machine is a brick"

Or any one of billions of other reasons Microsoft has no business doing firmware updates.

Bullshit like this continually reminds me why I ditched Windows years ago, and to never go back to Microsoft for anything, ever again. I can just sit back on a lawn chair with a huge bowl of popcorn and watch as Windows machines perpetually kill themselves in perpetuity.
 
"optional"
It won't do a BIOS update without you telling it to.
 
Yes, your computer is doing what you told it to do by enabling optional updates. Good job! You talk a good game but your knowledge just doesn't back it up.
 
Checking a little box that says "optional updates" and full on doing a BIOS update never really crossed my mind as being the same thing.
It says "firmware" and you have to select it. It's the same thing.
The firmware also shows up in Device Manager now. Our work Dells show more info than my Asus board.
 
"an employee who "knows what they are doing" decides to help out the overworked IT department."

Would they know the gravity of doing a BIOS update? I came from the school of "don't update the BIOS unless something is broken and you have a specific reason to believe a BIOS update could help."
 
Bad example, as this situation wouldn't have happened if he knew enough to go into optional updates and select it.
That's not entirely the case anymore, and hasn't been for a long time. Sure, there are exceptions and oddball cases...
 
Regardless, the "helpful" employee has lost their privileges, and they won't be getting them back for a LONG time. They weren't supposed to even be in the building, let alone grabbing stacks of laptops from storage and randomly doing Windows updates to them. They wanted to make the September rollout smoother, or they were trying to buy brownie points with somebody, who knows, but for the next year they are going to have to quite literally ask and schedule tickets to do just about anything, because they have been busted back down to User, which barely has better permissions than Student.
 

You're making the erroneous assumption that all PC users know what a BIOS/UEFI is, and the further assumption that they know it can be updated. You're also making the erroneous assumption that Microsoft at some point in the future won't roll it into general driver updates that are done automatically without user input. And we all know how badly that goes basically all the time. Usually installing some 5-10 year old outdated driver with performance issues or bugs, or even using the generic Microsoft driver *shudders*. Since Microsoft first introduced Windows Update based driver installation back in Windows 9x, they've never been able to make that system work right.

I just tested this on an Inspiron 3252 to see what happened, and there are absolutely no user prompts after you hit the one tickbox to tell you what is going to happen.


You've clearly never done deskside support. You have no idea what you're talking about.
 
You clearly haven't done any support in the last 10+ years, raging out based on "Windows 9x" "issues", shudder...
Rage on.
 
How do OSs like Windows 10 Home handle BIOS updates? According to Wikipedia, 10 Home does not allow users to select which updates to install or not. Are optional updates just not done at all?
 
That's kind of infuriating.

There should be a way to lock it so it can't be changed...
Why? It's optional, you have to tell it to.

Not sure, I don't use Home unless I have to help a school kid with their laptop, and honestly I never looked.
 

Windows has been using Windows update to roll out driver updates (or to find drivers for hardware lacking in drivers) for years, but they only offer them if the drivers installed are older than the version in Windows Update.

Not quite sure when it started, but I am going to guess Windows 8?

It works pretty smoothly actually. I've never had a problem.

Well, the only problem I had was when I used DDU to fully remove Nvidia drivers to resolve an issue. Once I rebooted, Windows tried to install its Nvidia display drivers from Windows Update before I got a chance to install the ones I downloaded from Nvidia. I had to resolve this by DDU-ing again, and rebooting without network to install the Nvidia drivers.

I haven't done this in a while, so I don't know if they have done anything to make this easier here, but it's a pretty minor problem you can work around if you know what you are doing.
 

Your lack of reading comprehension skills is hilarious, do go on with your hilarious straw man fallacy though. Just to show you have no idea what you're talking about.

Windows has been using Windows update to roll out driver updates (or to find drivers for hardware lacking in drivers) for years, but they only offer them if the drivers installed are older than the version in Windows Update.

Not quite sure when it started, but I am going to guess Windows 8?

Microsoft has had drivers available in WU since Windows 9x, but the automatic installation of drivers started somewhere between Vista and 8.

It works pretty smoothly actually. I've never had a problem.

I have, all the time. Out of date drivers, or generic "Microsoft" drivers are pushed to the machine once you get Windows installed. VERY IMPORTANT drivers, like AHCI/RAID, chipset, IME and audio are missed, either leaving them not installed properly, using crippled generic "Microsoft" drivers, or some ancient driver. Then you have to go hunting on the internet for those drivers and hope you find the latest version.

It's always fun when Windows 10 installs "Microsoft Standard SATA AHCI Controller 1.0" instead of Intel, AMD, Promise, etc. drivers and you have abysmal disk performance. Or when they install "Standard HD Audio Codec" and you're missing half of your audio ports and all of the additional features of the audio chip. Missing chipset drivers is especially fun because if some devices aren't specified where they are via a driver, Windows doesn't know anything about them and won't even show them in the device manager. This can lead to weird system performance issues, and missing features on the host system.

I don't expect Windows Update to have every driver for every obscure piece of hardware, that's unreasonable. What is reasonable is having the damn chipset, audio and AHCI/RAID drivers for current and even just a few year old hardware. That's something that Microsoft has never been able to do on any version of Windows going back to when they first started pushing driver updates over Windows Update.

Well, only problem I had was when I used DDU to fully remove Nvidia drivers to resolve an issue. Once I rebooted, windows tried to install its Nvidia display drivers from Windows Update before I got a chance to install the ones I downloaded from Nvidia. I had to resolve this by DDU:Ing again, and rebooting without network to install the Nvidia drivers.

Or when Windows decides to install Nvidia/AMD GPU drivers from WU over the top of existing drivers, because it thinks they're better for whatever reason. This has been happening since at least Windows 8. Lots of people all over the net according to a Google search still having this problem, even on Windows 11.
 
For all the dunking on the auto updates and BIOS updates being in there and blah blah blah: after looking over what they did, they specifically unchecked the firmware updates on each of the devices. If they had left it checked (which it was by default), this wouldn't have been an issue...
 
So far I've had a 100% success rate updating Dell firmware via Windows Update. But the first time I tried to do the same on an Acer laptop, it ended up bricking the laptop. It still seems confusing to me that they would offer a bad BIOS update via Windows Update, because that just makes it a bit too easy for people to screw things up. Even I had become complacent about BIOS updates and was not being nearly as cautious compared to years ago. Thankfully I have an external BIOS programmer that I got to fix a WiFi router that I accidentally bricked by putting the wrong version of DD-WRT on it, and I was able to use it to re-flash the correct Acer BIOS.
 
That's not even on Microsoft. Acer is the one who submits the BIOS update to Microsoft, as well as the qualified hardware that supports it.
 
WOW, it amazes me how many trust Microsoft. They know you are never going to leave Windows.
 
I take it you guys don't have updates pointing to an internal SCCM server and blocking Windows updates at the firewall and through GP.
 
It’s never been an issue because I’ve never had a teacher pull a set of laptops out of storage and try to set them up and update them before. Not even sure yet who gave them a key to said closet.

We don't anymore; we used to, but honestly we have so few Windows devices now that when it came time to replace it I was like "what's the point". Over the past 10 years we've gone from like 1500 Windows machines down to maybe 60. ChromeOS and iOS have taken over completely, with macOS and Windows fighting over the scraps. Everything is hosted now, so the OS is completely irrelevant to us 99% of the time.
 
I think basically what people are saying is that for as long as Windows has been a thing until now, checking the "optional updates" box has never included BIOS updates, so even someone familiar with the Windows OS wouldn't expect it to. That's all.

I mean, this is the first I've heard of it. And even though I always uncheck it, I think it's checked by default? So it just seems scary to me, given they've had so many problems with Win10 updates, even on their first-party Surface laptops, that they would dare start messing with the BIOS. I can see why they would want to though, so they can enable Secure Boot and all that other crap to make it easier for them to identify the user and keep people from running bootlegged copies of Windows.

I wonder if setting a BIOS password could keep them from being able to update it?
 