Will UEFI capsule firmware updates and driver updates ever be distributed through Windows Update? One of the major barriers for company adoption of the Framework Laptop is the ability to remotely manage the device without user interaction. Most manufacturers publish driver and firmware updates both on their own website and roll them out through Windows Update in waves. While I’ve seen some driver updates (probably pushed by component manufacturer) published through Windows Update, does Framework have any plans to publish all drivers in Windows Update, as well as publish capsule firmware updates through Windows Update? That would greatly improve the business user experience with firmware updates and remote management, as well as keep non-technical users up to date with the latest firmware.
Not recommended. Automatic BIOS update through Windows Update is a recipe for disaster.
https://h30434.www3.hp.com/t5/Gaming-Desktops/Forced-BIOS-update/td-p/8198864
Not only does it have the potential of bricking your laptop, it may also permanently degrade its performance.
Framework is one of the few laptop brands that doesn’t force BIOS updates. If Framework forced BIOS updates, I could no longer recommend this brand, unless the BIOS and driver updates are strictly listed in the “optional” category so they won’t install without the user’s explicit permission.
Firmware and driver updates distributed through Windows Update can be marked as optional such that it does not automatically install, but that’s up to the OEM to label such an update as optional in the Partner Center.
Publish a driver to Windows Update - Windows drivers | Microsoft Learn
Additionally, even with thousands of Surfaces with good firmware update practices, firmware update failures are extremely rare. Devices with good firmware update procedures typically store more than one copy of the firmware or have self-healing firmware to finish an update if it was unsuccessful. How the OEM decides to go about their firmware update process is entirely up to the OEM or firmware vendor. Windows simply loads it into RAM and calls a standard function. More information about good practices in the event of a firmware update failure is also documented below.
Seamless Crisis Prevention and Recovery - Windows drivers | Microsoft Learn
Providing firmware and driver updates through Windows Update would greatly improve business manageability, and many of the issues that people have with these updates are largely down to the individual OEM’s implementation. Many OEMs also expose an option to allow rolling back firmware updates in the event of a regression. It would improve security and performance for laypeople who don’t know how to install the firmware packages from the Framework website, provide better notifications when a firmware update is released, and provide a permanent archive with Microsoft if Framework goes under.
Too much corpo speak
It should be up to the user, not up to OEM. What happened with right to own?
It’s OK to do that with drivers, because drivers are part of the operating system. If something goes wrong with the operating system, the worst that can happen is having to reinstall it; there is no permanent damage. However, if something goes wrong with the BIOS, your mainboard can be bricked, which has already happened with multiple brands/models. It’s unnecessary to update the BIOS as frequently as drivers.
“OEM allows?” It’s the user’s right to roll back their firmware as many times as they want. Disallowing firmware downgrades is taking power away from the user. Especially since many computer brands have started to deliberately lower performance through BIOS updates (as shown in the link I posted above) as a form of planned obsolescence. A successful BIOS update doesn’t mean it’s good. Automatic forced UEFI capsule BIOS updates paved the way for OEMs to do that. If BIOS updates are purely manual, OEMs will never degrade the performance of the computer, because if that happens no one will update the BIOS.
There are many reasons why firmware updates should not be rolled back. For example, many firmware updates provide fixes for critical security issues (see Spectre, Meltdown) that could possibly lead to complete compromise of the device. In such a case, it would be a security vulnerability to roll back to a vulnerable version. That is why Framework should expose the option to allow firmware updates to be rolled back if there is no critical security fix in the update. Framework does actually prevent firmware rollbacks in some cases. Windows has full support for firmware rollbacks, as well as for setting points below which firmware should not be rolled back (like security issues), provided that the firmware supports the rollback. A controversial opinion that I also have is that some firmware updates should be forced if it’s a critical security fix and there are no other changes from the installed version. An overwhelming majority of users don’t even understand what firmware is and the need to keep it regularly updated, reducing their security posture. Again, many of the issues that you’re describing are down to the OEM reducing your abilities. Framework does not need to be like everyone else while offering firmware updates through Windows Update.
Always the same excuse
This is an exaggeration; those so-called firmware-level vulnerabilities require physical access to the computer to exploit. Fixing these “vulnerabilities” is protecting the computer from the user, so who’s effectively the owner of the computer, the user or still the OEM?
That’s precisely why I stayed at 3.05
That’s why it shouldn’t be regularly updated: informed consent.
“The need to” sounds like artificial demand: decrease the consumer’s tolerance through marketing so any annoyance can be considered a “security issue”, to psychologically manipulate the customer into accepting the ownership-violating behavior.
“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” — Benjamin Franklin
If you know about Spectre and Meltdown, the two specific examples I pointed to earlier, you should know that those vulnerabilities require zero interaction from the user. Even JavaScript running on a page preloaded in the background could exploit those vulnerabilities. (Chrome preloads JavaScript on pages predicted to be opened to optimize load times.) I’ve personally used exploit code from those vulnerabilities as a proof of concept within my lab on a computer I own before. There are other things I could point to, like older firmware having code signature validation issues, some hardware components simply not supporting firmware flashbacks (like if eFuses are burnt), and more. How bad would it be to publish them as optional updates?
Please stop attacking me by implying that I in any way simp for corporations, am against the right to own, or that I support taking away consumer freedoms, and stop bringing political figures into this.
Really interested in this too, or some kind of scriptable driver update option that we could roll out through RMM or whatever… I’m 95% sure that when Framework was originally announced they said it would be updateable through Windows/Microsoft Update… I’m guessing that proved more complex than expected…?
I agree it’s a point of friction for corporate adoption, but judging by the Framework news announcements and the general sense of community discussions, their target market is more tech enthusiasts, gamers etc… I’ll be honest and say that price is also a (bigger?) point of friction for corporates!
Again, the implementation of Windows Update’s UEFI capsule update system is simply to load the image into RAM and call the UEFI UpdateCapsule function. Absolutely everything else, including disaster recovery, is handled by the platform firmware. That means you should blame the OEM if anything goes wrong after the Windows bootloader calls the function. Please stop blindly subscribing to the anti-update dog whistle without fully exploring the topic. It’s the same rabbit hole as refusing to vaccinate. I refuse to continue to discuss this because of your clear prejudice against Windows Update. Let’s lead a discussion with facts, not feelings. There’s absolutely no reason to bring a man who has been dead for hundreds of years into this.
Processing Updates - Windows drivers | Microsoft Learn
And it should also be noted that a chained exploit of the Spectre + Meltdown vulnerabilities results in having full Ring 0 access. That means you can do absolutely anything to the device, including brick it. (Multiple attacks need to be chained to get Ring 0 access, but since you can read all memory, it becomes much easier to do so.)
You are discussing in bad faith; please don’t label opinions you don’t like as something “anti-vax”.
Same as kernel-level anticheat, a Ring 0 rootkit. It’s allowed because those sketchy game companies made agreements with M$, a conflict of interest. These games also can’t be played on Linux because of that.