New behavior of my win 11 laptop that I can't figure out.
When I start up the machine, at the instant when one can
hit F2 to enter BIOS Setup, a message appears at the
bottom of the screent:

PLEASE WAIT WHILE WE INSTALL A SYSTEM UPDATE

The message disappears within a second.

I poked around in BIOS Setup and don't see anything
odd. Does someone know what might be causing this?
It happens on every cold start now.

On 4/19/2024 2:26 PM, jason_warren@ieee.org wrote:
> New behavior of my win 11 laptop that I can't figure out.
> When I start up the machine, at the instant when one can
> hit F2 to enter BIOS Setup, a message appears at the
> bottom of the screent:
>
> PLEASE WAIT WHILE WE INSTALL A SYSTEM UPDATE
>
> The message disappears within a second.
>
> I poked around in BIOS Setup and don't see anything
> odd. Does someone know what might be causing this?
> It happens on every cold start now.
>

https://h30434.www3.hp.com/t5/Notebook-Boot-and-Lockup/Please-wait-while-we-install-a-system-update/td-p/8378845/page/2

"UPDATE 6/17/2022

I finally went to the HP Driver Page, Had HP detect my system and went to driver downloads.
I selected Windows 10 [instead of Windows 11] and downloaded BIOS version F.11 and
installed it without problem. I have Windows 11. This is the fix IMHO.
"

And more than one brand of computer is using this method, updating
the UEFI BIOS chip somehow. I guess an MSDOS floppy just isn't
good enough for these folks :-)

It appears to be a low-level attempt
to install firmware (4MB of BIOS chip flash content), there's not much
in the way of interfaces down there, and for some people, it loops
(or even... bricks!). The flasher is like an OS boot loader.

And of course, BIOS updates could always brick.

Two of my machines here, have push-button BIOS update. I put a
flash file on a "FAT" formatted USB stick, and presumably it's
the same sort of routine doing the flash, but it does not involve
quite the same convoluted calling method. If the machine were to
brick, at least one of the two machines, you can try again and again.

I push a push button switch on the back of the PC, and as long
as the USB stick is plugged into the USB with the white dotted-line
box around it, the BIOS can be updated.

The companies doing this "soft-UEFI method", think this method
is "convenient" for people. Maybe it would be... if it worked.

Paul

"jason_warren@ieee.org" <jason_warren@ieee.org> wrote:

> New behavior of my win 11 laptop that I can't figure out.
> When I start up the machine, at the instant when one can
> hit F2 to enter BIOS Setup, a message appears at the
> bottom of the screent:
>
> PLEASE WAIT WHILE WE INSTALL A SYSTEM UPDATE
>
> The message disappears within a second.
>
> I poked around in BIOS Setup and don't see anything
> odd. Does someone know what might be causing this?
> It happens on every cold start now.

In the BIOS settings, you can usually set how long to wait at the POST
screen before it continues to load the OS. That would give you more
than a second to hit F2. In my setup, I set 7 seconds, because it seems
2 seconds are lost just in painting the POST screen when the timer
starts counting down, so I get 5 seconds to hit F2 or Del.

Does your BIOS have an auto-update setting?

Without the brand and model of your motherboard, no one can check what
BIOS settings it has. Details please.

With UEFI, an executable can be loaded in the UEFI that tells the OS to
load that program (so the program has an OS under which it runs). First
up the timer in BIOS to give you more time to determine if an
auto-update option in the BIOS is attempting the update, or the OS-load
of the UEFI-specified boot program.

jason_warren@ieee.org wrote on 4/19/24 11:26 AM:
> New behavior of my win 11 laptop that I can't figure out.
> When I start up the machine, at the instant when one can
> hit F2 to enter BIOS Setup, a message appears at the
> bottom of the screent:
>
> PLEASE WAIT WHILE WE INSTALL A SYSTEM UPDATE
>
> The message disappears within a second.
>
> I poked around in BIOS Setup and don't see anything
> odd. Does someone know what might be causing this?
> It happens on every cold start now.
>
As Paul noted, this symptom has been seen in the past on a variety of
mobos(OEM, BYO for UEFI, not legacy BIOS systems.
In most cases this applies to OEM pre-built machines(SOC vendors and
OEM building Windows devices and has been supported in Windows since
Windows 8/8.1. Some of these devices have a setting in the UEFI
pre-configured to cause it to occur.
=> Note: The term(name) for the UEFI configured mobo setting varies on
different devices and their UEFI settings(i.e. the setting could have a
name completely different than expected/common sense nomenclature.
e.g. UEFI Update Capsule or UEFI Encapsulation

It's also been reported on Reddit for Windows 10/11 devices.

You can read more about the Windows requirements side of this type of
updating here:
<https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/windows-uefi-firmware-update-platform>
- Note: Windows supports the feature when the requirements are met. If
not met, then auto-updating the UEFI may still be an enabled feature in
OEM utilities pre-installed on the device.

Recent security vulnerabilities could also be in play for vulnerable
hardware causing OEM's to release UEFI updates. If the hardware meets
both UEFI 2.8 and Windows requirements, the UEFI auto-update can occur.
- i.e. Occur now rather than in the past when the UEFI was considered
up to date or not vulnerable or no longer supported for UEFI updates.

Your left some basic of choices.
- Update the UEFI per your OEM or if applicable your MBO manufacturer
recommendations
- Check your OEM or Mobo manufacturer site for UEFI updates
- Ignore the message

Note: A mobo manufacturer UEFI update available from the mobo website
may be blocked locally by the OEM's pre-built device if not supported
thus only supporting updates available on the OEM site for a specific model.

--
....w¡ñ§±¤ñ

Following is what I saved regarding the hidden rootkit provided by UEFI.
The trick can be use by corporations to load software to inventory the
software on their workstations, track the physical location of a
workstation or laptop in case stolen, and some anti-malware tools, plus
some vendors use it, like for updating their software.

Another "feature" of UEFI (with Microsoft's involvement) is a program
can be specified in the UEFI to run on Windows startup. Despite
regulating any startup programs, or scanning for malware, there could
sit a call to a program in the UEFI. It could, for example, be used for
starting execution of tracking software (how the computer is used), or
for software inventorying on workstations. I've only seen it used by
companies that wanted to add and start: usage tracking, location,
anti-theft, or inventorying to their workstations. However, it could
also be used by malware, and I don't know if any AVs check for a program
load specified in the UEFI. As I recall, some mobos (Lenovo, Gigabyte,
ASUS) use this trick to run services or diagnostics on Windows startup.
The AV should catch malware for whatever the UEFI program load
specifies; that is, the .exe in UEFI usually calls some other program
that runs under Windows.

It is a "feature" only with UEFI. When Windows loads, it has a program
(C:\Windows\system32\wpbbin.exe) that runs to determine if the UEFI
specified a start program. The UEFI start program is in one of the ACPI
tables in the BIOS (I forget the ACPI table name)One trick is to rename
the loader program in Windows. This is called the UEFI Bootkit dubbed
BlackLotus.

You can Nirsoft's Firmware Tables View to see the ACPI tables in UEFI.
Look for the "Windows Platform Binary Table" (WPBT). Nirsoft will show
the ACPI table, if it is defined, but won't let you delete it. When I
found out about this, Nirsoft didn't show a WPBT table, but then I have
many options disabled in the BIOS. I also don't have the wpbbin.exe
program (that checks the UEFI for an .exe file to load) in my Windows
installation.

Although pundits attempt to tout UEFI, Secure Boot, and other later
security measures as protecting users, there are UEFI Bootkits that
bypass all those measures, even Secure Boot, like BlackLotus.

https://arstechnica.com/information-technology/2023/03/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw/

Those are different beasts than the UEFI program load specified in an
ACPI table that Windows checks if it is defined, and if found will run
the UEFI-specified program. I'm noting the UEFI program load on Windows
launch because refurbs often are company workstations that were leased,
and then disposed of. Companies may employ tracking, location, or
software inventorying that the UEFI-specified program will start. You
won't find that method listed in, say, SysInternals' Autoruns. Windows
loads, checks the UEFI for the start program, and runs that program
under Windows. Since Secure Boot okays the load of Windows, and since
it is a program under Windows that loads the .exe in the UEFI, Secure
Boot won't catch this tactic.

https://eclypsium.com/blog/everyone-gets-a-rootkit/

There are tools to nullify the .exe in the WPBT ACPI table in UEFI by
deleting it from memory before Windows reads the ACPI tables, like:

https://github.com/Jamesits/dropWPBT#from-windows

This removes the WPBT table from system memory, so you have it run as a
startup program (that loads with Windows, not until whenever you log
into your Windows account).

For your own computer, you don't want WPBT employed. WPBT started with
Windows 8. Probably the easiest way to disable WPBT is to rename,
delete, or move the wpbbin.exe if it exists on your system. An update
could replace it, so you might want to use Task Scheduler to run a
delete command on every Windows startup. The Github article talks about
different methods of disabling WPBT, but they're rather complicated
instructions.