Automating UEFI Firmware Updates by GCHQ (UK version of NSA)

I think I need to start following the GCHQ blog.

https://www.ncsc.gov.uk/blog-post/automating-uefi-firmware-updates

We were surprised that many of the devices were running out-of-date firmware

Wow.. the GCHQ were surprised by this?!

Unfortunately, DellHP and Lenovo don’t currently update UEFI firmware through Windows Update. Instead, they all offer their own enterprise management tools for UEFI firmware. HP and Dell also publish catalogues of UEFI firmware updates for their platforms.

I think they’re referring to older hardware here. The current (6th) generation Lenovo X1 Carbon receives UEFI updates via Windows update. I was surprised to find it running what appears to be a DOS (CLI) utility to do it, but the update itself was delivered (and therefore cryptographically signed by Lenovo and Microsoft!) via Windows update. I believe this is also the case with the current generation Dell XPS.

So, as a result of this work, we are updating our Windows 10 EUD guidance to explain how you can automate your own UEFI firmware updates. Look out for the guidance later this month and let us know if you find our approach useful.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s