Lenovo: If you value your server, block Microsoft's November security update

UEFI scramble for frozen boxes

Lenovo server admins should disable Windows Update and apply a UEFI fix to avoid Microsoft’s November security patches freezing their systems.

The world’s third-largest server-maker advised the step after revealing that 19 configurations of its x M5 and M6 rack, as well as its x6 systems, are susceptible.

Lenovo’s machines are crashing upon installation of Microsoft's Security Update MS16-140 for Windows Server 2016, 2012 R2 and 2012, we're told. The server manufacturer warns:

Do not install the Microsoft Windows Server 2016, 2012 R2 or 2012 November update before applying fixed UEFI firmware as specified in the 'Solution' section.

Replacing the system board will not fix the issue.

Lenovo has advised sysadmins to head off Microsoft's November update at the pass by turning off Windows Update. Then they should download and apply new UEFI firmware for their system on Lenovo’s list. Only then is it safe to apply Microsoft's security update, Lenovo said.

The root of the problem appears to be a clash between Microsoft's software and the systems' UEFI firmware, which is used for Secure Boot.

Lenovo's systems running Windows Server 2012 and 2012 R2 configured to run with Secure Boot are exposed to the boot-up problem. Its systems running Windows Server 2016 are exposed regardless of the Secure Boot configuration.

The Reg asked Lenovo to identify the cause of the bug or confirm if it planned to update the UEFI on future systems. It did not respond at time of writing.

Microsoft would not detail the exact technical cause of the problem or say whether it planned changes to November's security update to prevent a re-occurrence of this problem.

In a statement, a Microsoft spokesperson told The Reg: "Lenovo released a firmware update to address this, and we recommend customers contact Lenovo for more information."

