The issue is recognized by Microsoft, though TechNet does not do a very good job of stating that clearly in all the appropriate places. If you read the description of the KB2920189 update itself, you will see that it implements Security Advisory 2962824. That advisory informs the IT community that four digitally signed third-party UEFI modules are having their signatures revoked because they do not actually comply with Microsoft's certification program; the update adds those signatures to the firmware's forbidden signature database (dbx) so Secure Boot will no longer run them.
KB2962824 documents two known kinds of installation failure for update KB2920189. In my environment we are hitting the second kind, in which the update fails with error 0x800f0922. According to Microsoft, this should occur only under two configurations:
- Configuration 1: You have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled.
- Configuration 2: You have a Windows Server 2012 R2-based Hyper-V host running and are running a Generation 2 virtual machine guest that uses UEFI firmware support and has the Secure Boot option enabled. The guest virtual machine is running Windows 8 or Windows Server 2012.
Configuration 2 is our situation, and the workaround is simple:
- Workaround for configuration 2: Generation 2 virtual machines are not affected by this issue, and you do not have to install the update in this case.
Because Generation 2 virtual machines cannot load these UEFI modules anyway, the update is irrelevant to those systems. The resolution is to hide the update from all the Generation 2 VMs in the environment, either individually on each guest or through WSUS if your management infrastructure permits it. Note that declining the update in WSUS hides it from every client, not just the VMs, so the cleaner WSUS approach is to put the Generation 2 guests in their own target group and simply not approve the update for that group. If you really want to install the update anyway, you can follow Configuration 1's workaround, which is to install the BitLocker Drive Encryption optional component on the system (the feature requires a restart) and then repeat the installation attempt.
I'm for the former, myself, since we have Microsoft's direct assertion that Generation 2 VMs running the Windows 8 or Windows Server 2012 operating systems as guests within Windows Server 2012 R2-based Hyper-V hosts do not need the update. However, if your environment is really neurotic or something, I did verify that the installation of the BitLocker Drive Encryption feature allows for a successful installation of the update. You don't have to encrypt a drive or anything; just add the feature and its dependencies and you are then able to install the update successfully.
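The three steps above (find the Generation 2 guests with Secure Boot on, hide the update on those guests, and apply the BitLocker-feature workaround on a physical Secure Boot host) as a PowerShell example. This is added here and is not code from the original post or from Microsoft's KB articles; the `.msu` path and file name are placeholders you will need to replace with the downloaded package, and the WSUS target-group handling is left to your own WSUS approvals.

```powershell
# Added example, not from the original post or from Microsoft's KB articles.

# Step 1: on the Windows Server 2012 R2 Hyper-V host, list Generation 2 guests with
# Secure Boot enabled. These are the guests KB2962824 says do not need KB2920189.
function Get-Gen2SecureBootGuest {
    Import-Module Hyper-V
    Get-VM | Where-Object { $_.Generation -eq 2 } | ForEach-Object {
        $fw = Get-VMFirmware -VM $_
        [pscustomobject]@{
            Name       = $_.Name
            Generation = $_.Generation
            SecureBoot = $fw.SecureBoot   # 'On' or 'Off'
        }
    } | Where-Object { $_.SecureBoot -eq 'On' }
}

# Step 2: run inside a Generation 2 guest (Windows 8 / Server 2012) to hide KB2920189
# from Windows Update via the Windows Update Agent COM API. Hiding only stops the
# update from being offered; nothing is installed.
function Hide-KB2920189 {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $found    = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($update in $found.Updates) {
        if (@($update.KBArticleIDs) -contains '2920189') {
            $update.IsHidden = $true
            Write-Output "Hidden: $($update.Title)"
        }
    }
}

# Step 3: Configuration 1 workaround on a physical Windows Server 2012 box with UEFI and
# Secure Boot. Adds the BitLocker feature (no drive has to be encrypted), asks for the
# reboot it needs, then retries the .msu and checks that the hotfix is present.
function Invoke-KB2920189Workaround {
    param(
        # Placeholder path and file name; replace with the package you downloaded.
        [string]$MsuPath = 'C:\Updates\Windows8-RT-KB2920189-x64.msu'
    )
    try {
        Import-Module SecureBoot
        if (Confirm-SecureBootUEFI) {
            Write-Output 'Secure Boot is on; 0x800f0922 is expected until BitLocker is installed.'
        }
    } catch {
        # Confirm-SecureBootUEFI throws on BIOS/CSM systems, which are not affected.
        Write-Output 'Not a UEFI system; KB2920189 should install without the workaround.'
    }

    $feature = Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
    if ($feature.RestartNeeded -eq 'Yes') {
        Write-Warning 'BitLocker feature installed; reboot, then run this function again.'
        return
    }

    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList @("`"$MsuPath`"", '/quiet', '/norestart') -Wait -PassThru
    Write-Output "wusa.exe exit code: $($proc.ExitCode)"
    Get-HotFix -Id KB2920189 -ErrorAction SilentlyContinue
}

# Usage:
#   On the Hyper-V host:      Get-Gen2SecureBootGuest | Format-Table -AutoSize
#   Inside a Gen 2 guest:     Hide-KB2920189
#   On a physical 2012 host:  Invoke-KB2920189Workaround -MsuPath 'D:\kb\Windows8-RT-KB2920189-x64.msu'
```

`Hide-KB2920189` is the per-guest equivalent of unticking the update in the Windows Update UI, which is what the post means by hiding it individually; it is per-machine state, so if you rebuild a guest you will have to hide it again. `Invoke-KB2920189Workaround` deliberately stops after the feature install when a restart is pending, because CBS will not complete the component change (and the update will keep failing with 0x800f0922) until the system has rebooted.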