cdawallLast batch of dells I had run windows updates (those ones from Ms) restarted and literally said "updating firmware do not power off"

I mean I guess it could be doing something else and ms could just be full of it?

cdawallI also guess these surface firmware updates pushed through windows update are a lie.

www.windowscentral.com/microsoft-pushes-fresh-firmware-updates-surface-book-surface-pro-4

Static~ChargeWhat model Dells? I've never seen that with the OptiPlex 790's and 7010's that we still use at work. I downloaded the BIOS updates directly from Dell and applied them myself. There was no other source for those updates, at least not from this past summer. If that has changed now, then I'm glad to see that Microsoft is taking active measures to plug the security hole.


No, you're just conveniently overlooking the fact that Microsoft is the system vendor for Surface laptops. If they choose to push the firmware updates for their hardware via Windows Update, that's their business.

cdawallThat is the easiest item to site this happening with. I don't know what more you want, I linked the implementation of UEFI updates through Microsoft, linked them being used in practice and yet you still aren't happy. If you don't like my answer call Dell and ask? I mean holy hell you can lead a horse to water.

lexluthermiesterThis article should be of interest; www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it

Having been following this problem since it was reported, the details are as follows;
If you have a system using Intel's AMT, to be vulnerable, it must be both enabled AND provisioned. Additionally, the source article seems to have missed the statement Intel made about the miniCPU in question not being on the CPU die, but rather elsewhere in the chipset. This is only a problem if enabled. If disabled, it has no access to the system.

Mirai2055This is correct. I am on the SCS team at Intel and I work directly with AMT technologies daily. There was a security hole that has since been patched, but regardless of any security issues you are safe if AMT is not enabled and provisioned.

Static~ChargeThis is a case of "the horse wants to see the water, not be told that 'it's just over the next rise'." You say that you've seen it. I can't find anyone else who has. I Googled " "windows update" amt firmware " and got zero confirmations. On the contrary, I saw several posts that said it wasn't available on Windows Update. Pardon my skepticism, but I've heard far too many promises of what might be possible versus what actually is happening....

Mirai2055"They all can be used commercially if source code is provided upon request. That's pretty much the GPL in a nutshell."

It is not under a GPL license and I doubt they would have used it if it did have a GPL.

www.cs.vu.nl/~ast/intel/

cdawallWhat do you mean you couldn't find any? Did you actually try searching?

cdawallI mean jesus christ dude.

R-T-BI was talking about Linux derivitaves in that context. Minix and others may vary.

Static~ChargeOkay, genius. First, you never said jack about using WSUS or Dell Lifecycle Controller to do the updates. You said "Last batch of dells I had run windows updates (those ones from Ms)". Second, I specifically searched for "windows update amt firmware" and "windows update intel management engine firmware", not any firmware in general.

Third, I did a proof-of-concept test today. I found a Dell OptiPlex 7010 that had been turned off for a few months. I checked the PC and found that it had BIOS A23, dated August 25, 2016. This predates the AMT vulnerability announcement. I checked in Windows (7 Pro) and saw that the last update occurred on July 27, 2017.

I downloaded and installed the INTEL-SA-00075 Detection and Mitigation Tool. It reported that the system was vulnerable.

Next, I ran Windows Update multiple times, installing all Important and Optional updates, until no more were available. None of them said jack about an update for AMT or Intel Management Engine. I ran the tool again, and the system was still vulnerable.

Next, I downloaded and installed BIOS A25, dated May 22, 2017. This release was specifically intended to fix the AMT problem. It updated the Intel Management Engine firmware from 8.1.65.1586 to 8.1.71.3608. After Windows booted up, I ran the tool one last time. The system was not vulnerable.

So, I don't know if magic fairy dust was sprinkled on your machines, but all I can say is that Windows Update has never offered firmware for any non-Microsoft computer that I've seen in all of the years that I've been doing system support.


I mean Jesus Christ, dude, if you're going to include Enterprise-grade update methods that aren't available to the average user, then you need to say so. :slap:

cdawallI have mentioned multiple times this was uefi windows....so what does windows 7 have to do with it?

And just since you missed it I can get the same updates he pushed with WSUS from windows update (not enterprise) and had you read that first thread you would have noticed that he was pulling those updates from the ms server which is the same as the one a normal user grabs.

Static~ChargeWindows 7 may be old, but it will run in UEFI mode, in case you didn't notice. And this is the first time you've mentioned which version of Windows doesn't apply to your statements..... As for "I have mentioned multiple times this was uefi windows" - you did not. Don't take my word for it; go back through this thread and look. You listed a Microsoft link to the "Windows UEFI firmware update platform" in post 20. In the previous post, you finally said that your statements only apply to Windows systems running in UEFI mode. It's not my fault if I can't read your mind. :shadedshu:

cdawallI assumed most people would put two and two together with the link to windows uefi firmware update platform being linked, followed by information on the surface pro (uefi). I apologize that there was confusion from something that obvious. Do you need anything else spoon fed?

cdawallBut carry on arguing. I'm just going to stand here with my documents from Microsoft stating what they can and do actually do. You keep trying to prove you are correct. I guess you win other than all of the firmware updates pushed across ms's update server they don't update firmware.

Static~ChargeNo, I just need you to state the parameters under which you're operating, instead of assuming that everyone's setup is like yours. :slap:


Saying "Microsoft pushes firmware updates to users" is not a blanket statement. If the PC is running in UEFI mode, then yes, they can push firmware updates. If the PC is not running in UEFI mode, then no, they don't push firmware updates.

You assumed that everyone is running Windows in UEFI mode; I assumed that they weren't. You know the old saying: When you assume, you make an "ass" out of "u" and "me".

I'm not wasting any more time on this topic.