Lenovo users have recently encountered issues updating their BIOS on Windows 11 and Windows 10 systems. The problem arises from a Microsoft security update that inadvertently blocks Lenovo's BIOS flashing utility, WinFlash64.exe.

Background

Microsoft's security update introduced changes to the Vulnerable Driver Blocklist (DriverSiPolicy.p7b) to enhance system security. Unfortunately, this update mistakenly flagged WinFlash64.exe, a critical component of Lenovo's BIOS Update Utility, as a vulnerable driver. Consequently, users attempting to update their BIOS via Lenovo's utility or the Lenovo Vantage app have faced errors such as:

  • "Action blocked: Your administrator caused Windows Security to block this action. Contact your help desk."
  • "A driver cannot load on this device. A security setting is detecting this as a vulnerable driver and blocking it from loading."
  • "Some updates were not installed correctly."

Affected Systems

The issue primarily affects Lenovo ThinkPad models running:

  • Windows 10 version 22H2
  • Windows 11 versions 22H2, 23H2, and 24H2

Users on these systems have reported difficulties in updating their BIOS, leading to potential system instability and security concerns.

Lenovo's Response

Lenovo has acknowledged the problem and is actively working on a solution. The company has released BIOS version 1.61 for UEFI BIOS and version 1.44 for ECP, which are designed to circumvent the security block imposed by Microsoft's update. Users are encouraged to manually download and install these updates from Lenovo's official support page. Additionally, Lenovo recommends updating the BIOS via Windows Update, as this method may bypass the security block.

Implications and Impact

This incident underscores the delicate balance between enhancing system security and maintaining compatibility with essential system utilities. While Microsoft's intention was to bolster security by blocking potentially vulnerable drivers, the unintended consequence has been the disruption of critical BIOS update processes for Lenovo users. This situation highlights the need for thorough testing and coordination between hardware manufacturers and software developers when implementing security measures.

Technical Details

The security update in question modified the Vulnerable Driver Blocklist to include additional drivers deemed insecure. WinFlash64.exe, integral to Lenovo's BIOS Update Utility, was among those flagged due to its association with firmware updates. This classification prevented the utility from executing, thereby halting BIOS updates and potentially leaving systems vulnerable to known issues that such updates aim to resolve.

Conclusion

Lenovo users experiencing BIOS update failures due to Microsoft's security enhancements should:

  1. Verify their current BIOS version using Lenovo Vantage or system diagnostics.
  2. Manually download and install BIOS version 1.61 (UEFI) or 1.44 (ECP) from Lenovo's official support page.
  3. Consider updating the BIOS via Windows Update, as this method may bypass the security block.
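A read-only PowerShell check for step 1 and for confirming that the blocklist is what stopped the update. It is an added example, not code from Lenovo or Microsoft. It assumes the blocklist toggle is exposed at the registry value shown and that Code Integrity logs policy blocks as events 3076 (audit) and 3077 (enforced); the 30-day window is arbitrary.

```powershell
# Added triage sketch: reads state only, changes nothing.
param(
    [string]$FileName = 'WinFlash64.exe',   # utility named in the article
    [int]$LookbackDays = 30                 # assumption: arbitrary search window
)

# Step 1: firmware version and model as reported through SMBIOS/WMI.
$bios   = Get-CimInstance -ClassName Win32_BIOS
$system = Get-CimInstance -ClassName Win32_ComputerSystem

# Vulnerable Driver Blocklist toggle.
# Assumption: this value mirrors the Windows Security switch; if it is
# absent, the OS default applies.
$ciKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$toggle = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
              -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$state  = if ($null -eq $toggle) { 'Not set (OS default)' }
          elseif ($toggle -eq 1) { 'Enabled' }
          else                   { 'Disabled' }

# Code Integrity events that mention the flashing utility.
# Assumption: 3076 = audit-only hit, 3077 = enforced block.
$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}
$blocks = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($FileName) } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } })

# One summary object, then the matching events (if any).
[pscustomobject]@{
    Manufacturer     = $system.Manufacturer
    Model            = $system.Model
    BiosVersion      = $bios.SMBIOSBIOSVersion
    BiosReleaseDate  = $bios.ReleaseDate
    DriverBlocklist  = $state
    BlockEventsFound = $blocks.Count
}
$blocks | Sort-Object TimeCreated -Descending | Format-List
```

Run it from an elevated prompt so the Code Integrity log is readable. A non-zero `BlockEventsFound` with the blocklist enabled matches the failure described above, and `BiosVersion` shows whether the updated firmware is already installed.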

Staying informed and proactive is crucial to ensure system stability and security amidst evolving software and hardware interactions.