Today I was deploying some new VMs to my lab as part of the deployment work I was updating the Windows 2012 R2 template with latest OS updates, the download and installation update worked correctly but when I rebooted the server I noticed updates installation was failing with the not so specific error message We couldn’t complete the updates Undoing changes below a screenshot of the issue:
I let the VM run for some time, around 30 minutes, and unfortunately, nothing happened the server seemed completely stuck, as this was just a test system I just deleted the VM and recreated from scratch but again after updates I was welcomed by the WE couldn’t complete the updates message.
In the machine log files I could not find anything relevant or that could help me solve the issue and what I found weird was that I was experiencing this issue only with Generation 2 Hyper-V machines this ringed a bell as in the past I already experienced some “weird” interactions between Hyper-V secure boot, a feature enabled by default in Generation 2 VMs, and the guest Operating System, I have tried to disable secure boot et voila the update process went through correctly and I was able to install updates in my Windows 2012 R2 machine.
Secure boot can be disabled accessing the VM settings and under the Firmware section untick the Enable Secure Boot checkbook:
Once secure boot has been disabled updates will be installed without issues, once updates have been deployed Secure Boot can be safely enabled once again, unfortunately, to do so you need to shut down the VM so think about it in advance.
Unfortunately, I was unable to isolate which update (or set of ) is causing the issue which can be consistently reproduced with any Generation 2 VM running in Hyper-V I will update this post once I have proper time to analyze the issue and find a better workaround.
Having faced this issue again, I decided to perform further research. Apparently, the update causing the error message is 2920189 which revokes some non-compliant UEFI Modules here’s the relevant statement from the full advisory
With this advisory, Microsoft is revoking the digital signature for four private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot.
These UEFI (Unified Extensible Firmware Interface) modules are partner modules distributed in backup and recovery software. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are not in compliance with our certification program and are being revoked at the request of the author.
Microsoft is not aware of any misuse of the affected UEFI modules. Microsoft is proactively revoking these non-compliant modules in coordination with their author as part of ongoing efforts to protect customers. This action only affects systems running Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 that are capable of UEFI Secure Boot where the system is configured to boot via UEFI and Secure Boot is enabled. There is no action on systems that do not support UEFI Secure Boot or where it is disabled.
I could not yet find a better workaround than the one already described in the article but, at least, I could isolate a root cause for the issue.