Is it Dell or Windows that manages BIOS-updates?

_william · Mar 27, 2024

I made a post the other day about BIOS-updates on Dell computers. I have a follow-up question from this: by default, is it Windows or is it Dell that manages the automatic BIOS-updates? I actually spoke with Dell over the phone about this and they seemed to be trying to tell me that both companies work in unison to update the BIOS.

But when I asked them specifically about whether it is Windows' "Check for updates" Settings-update-tool or Dell's "Dell Command | Update" app that installs the BIOS-updates they told me that it is the "Dell Command | Update" app that does them. I asked them if I were to turn off Windows' "Check for updates" Settings-update-tool and only use the "Dell Command | Update" app would I still get BIOS-updates, and they said yes; and conversely, I asked them then if I were to not use the "Dell Command | Update" app and just let Windows' "Check for updates" Settings-update-tool perform system-updates on my PC would I still get BIOS-updates, and they said no. I.e., "Dell Command | Update" does the BIOS-updates, not 'Windows Updates'.

How could I confirm this? And what settings could I adjust to make sure it is indeed the "Dell Command | Update" app that manages the BIOS-updates and not Windows' "Check for updates" Settings-update-tool?

The first picture attached shows that I have the "UEFI Capsule Firmware Updates" option turned-on in the BIOS, which I think is responsible for allowing automatic BIOS-updates to be made in general. The second picture shows my "BIOS Event Log"

FreeBooter · Mar 27, 2024

I only update BIOS firmware when there is a new feature or fix as updating the BIOS can brick the computer for good Microsoft provides BIOS upgrade.

RJARRRPCGP · Mar 27, 2024

In my experience, a BIOS flash failure is rare. Was rare, even with legacy-BIOS. The problem now, is the CSM bull pucky, being the default on a system that I install Windows 11 on! Then I have to re-enable "Above 4G Decoding" (or similar) and "Resizable-BAR" with every BIOS update!

I got both of my ASRock B550 PG Velocitas updated to P3.40.

For the ASRock A320M a/c with a Pinnacle Ridge=No BIOS update, because it looks like the second-gen Ryzen CPU support gets removed!
This is not Microsoft's fault, as I can confirm that Pinnacle Ridge is not banned.

andrew129260 · Mar 27, 2024

Windows will update the firmware/bios through windows update on modern manufacturers machines such as Dell or HP etc when a critical security vulnerability is patched. I believe this was implemented even more heavily due to spectre and meltdown.

Otherwise, any other simple fixes will only be updated through the manufactures tool if you download/update yourself.

Obviously, the bios update that includes the security fix will include all other fixes since then.

Microsoft is also making even more moves to secure bios and other machines with secured core pc's.

For example, our work machines are both dell and hp, and both of them get bios updates through windows updates, usually addressing security vulnerabilities. They also have a great rollback bios feature should something go wrong. But I can get a bios update through windows update, and then check a month later and while no updates are found (even under optional), there is a new bios version available from the manufacturer, but it was just mild fixes.

Hope that helps.

RJARRRPCGP · Mar 27, 2024

andrew129260 said:
Windows will update the firmware through windows update on manufactures machines such as Dell or HP etc when a critical security vulnerability is patched. I believe this was implemented even more heavily due to spectre and meltdown.

Otherwise, any other simple fixes will only be updated through the manufactures tool if you download/update yourself.

Obviously, the bios update that includes the security fix will include all other fixes since then.

Microsoft is also making even more moves to secure bios and other machines with secured core pc's.

Hope that helps.

There are possibly bugs that are a lot worse than even "Meltdown". I usually watch for reports of remote-code-execution vulnerability bugs.
Those dwarf Spectre and Meltdown!

There was such a vulnerability with CSME already with 9th-gen and earlier Core i platforms!
It's at the highest severity level that I can recall! Coffee Lake and earlier affected! If there's the "critical-level", you bet it's at critical-level!

I had a Coffee Lake laptop and no BIOS update available, so, it got banned from my room!
Reason:
Even with the latest BIOS, Intel's CSME version checker came back with a fail!

andrew129260 · Mar 27, 2024

RJARRRPCGP said:
There are possibly bugs that are a lot worse than even "Meltdown". I usually watch for reports of remote-code-execution vulnerability bugs.
Those dwarf Spectre and Meltdown!

They are everywhere. Its kinda hard to avoid them. Not to stir up another discussion on this, (see this good thread) but networking equipment to me is far more scary and a lot more frequent. As many are never discovered. Firmware in routers are way less robust, barely secured and monitored compared to a pcs bios. PC's have bios that can auto update or at least the machine get windows updates which helps protect it. Routers don't auto update, at least 90% of them. Pc firmware attacks is still an issue, but its worse on something that always on -networking stuff. IMHO.

Apples latest m1-m3 chips just suffered a unfixable flaw which really sucks. RIP

RJARRRPCGP · Mar 27, 2024

andrew129260 said:
They are everywhere. Its kinda hard to avoid them. Not to stir up another discussion on this, (see this good thread) but networking equipment to me is far more scary and a lot more frequent.

Apples latest m1-m3 chips just suffered a unfixable flaw which really sucks. RIP

The Apple M CPUs, remind me of Pentiums from 1993, 1994 and possibly some in 1995 that had to get replaced, due to the "FDIV" bug!

Luckily, I have a better-designed router, where each router apparently gets a unique password! That was something I never saw with other routers that I had before the one I have now! (except maybe one that I had briefly in 2016, during April and May of that year)

I now feel bad for the bigger ISPs and the customers of them, who have routers where the default admin password, appears to be the same across the manufacturer!

For especially routers older than 2016, you can easily have your goose cooked! I wonder if a ton of them have no fixes whatsoever.

Ghot · Mar 27, 2024

@_william

Windows has nothing to do with BIOS updates.

"Some" DELL utilities apparently do... handle BIOS updates.
I don't know which they would be, but someone on here will.

Due to various types of ransomware, Intel and/or AMD will release "microcode" updates.
But these are usually delivered thru the "optional" motherboard manufacturers BIOS updates.

andrew129260 · Mar 27, 2024

RJARRRPCGP said:
The Apple M CPUs, remind me of Pentiums from 1993, 1994 and possibly some in 1995 that had to get replaced, due to the "FDIV" bug!

Luckily, I have a better-designed router, where each router apparently gets a unique password! That was something I never saw with other routers that I had before the one I have now! I now feel bad for the bigger ISPs and the customers of them, who have routers where the default admin password, appears to be the same across the manufacturer!

Router security has gotten better somewhat, but its still in a terrible place compared to anything else. I am honestly not sure what's worse, IOT devices or consumer routers.

Ghot said:
Windows has nothing to do with BIOS updates.

Thats not true. See post 4. I edited it to add some links.

_william · Mar 27, 2024

@andrew129260 Thanks for the insight.

_william · Mar 27, 2024

@Ghot Seems the jury's out for the time-being perhaps...

Ghot · Mar 27, 2024

_william said:
@Ghot Seems the jury's out for the time-being perhaps...

No, the jury is not out.

That only happens on prebuilt computers. And then mainly on laptops.

Otherwise, BIOS updates and microcode updates come from the motherboard manufacturer, and are optional.
You'd have to download them and install them yourself.

For example...

RJARRRPCGP · Mar 27, 2024

andrew129260 said:
Router security has gotten better somewhat, but its still in a terrible place compared to anything else. I am honestly not sure what's worse, IOT devices or consumer routers.

Thats not true. See post 4. I edited it to add some links.

I was with Comcast from June 12, 2016 to February 24, 2018. (that date in 2018, is not a typo!)

Is Comcast good with updating the router firmware?

IIRC, on August 2, 2016, got a fresh router from their office and just some months later, the indicator LEDs, faded! I wasn't impressed with the apparent build-quality. (XB3 for the model? Not 100 percent sure)

andrew129260 · Mar 27, 2024

_william said:
@andrew129260 Thanks for the insight.

_william said:
How could I confirm this? And what settings could I adjust to make sure it is indeed the "Dell Command | Update" app that manages the BIOS-updates and not Windows' "Check for updates" Settings-update-tool?

Welcome. If it was a windows update that updated the firmware/bios it would show under the update history. I wouldn't be surprised though if the dell command update or support assist started automatically updating it as well. They usually have their own update history.

Ghot said:
No, the jury is not out.

That only happens on prebuilt computers. And then mainly on laptops.

We were talking about a Dell in the original post.....?

Which you then said this:

Ghot said:
Windows has nothing to do with BIOS updates.

Which is again, not true. Yes it's mainly on prebuilt machines, but it does happen to custom motherboard's as well if a critical vulnerability is detected/needs patched. (If the manufacturers cares.) A lot of custom built machines motherboards manufacturers don't bother updating. Not exactly a good thing. It all depends if they submitted it to microsoft or not and if they allowed that update path.

RJARRRPCGP said:
Is Comcast good with updating the router firmware?

Sadly No. Anything from your ISP is pretty terrible and is barely updated. They are also the first thing people focus on attacking as its the same model/brand give or take across a ton of customers. You find one vulnerability, you got everyone on comcast except for the few who have the smarts to get their own router/modem. But even then, they are not great.

Ghot · Mar 27, 2024

andrew129260 said:
We were talking about a Dell in the original post.....?

I saw that. That's why I quoted @_william.

RJARRRPCGP · Mar 27, 2024

andrew129260 said:
Sadly No. Anything from your ISP is pretty terrible and is barely updated. They are also the first thing people focus on attacking as its the same model/brand give or take across a ton of customers. You find one vulnerability, you got everyone on comcast except for the few who have the smarts to get their own router/modem. But even then, they are not great.

Sounds like we would have had our goose cooked, if we still had the ones from before we moved! We moved in 2018.

The routers that we had before 2018, were really making me nervous!

andrew129260 · Mar 27, 2024

RJARRRPCGP said:
Sounds like we would have had our goose cooked, if we still had the ones from before we moved! We moved in 2018.

The routers that we had before 2018, were really making me nervous!

I checked my moms she recently got from comcast for example, about a month ago, UPNP was enabled, multiple ports were open, and remote admin was enabled, with the username and password "admin"& password. The wifi password? Something like two words and some numbers cant remember. It was about 8 characters long. Could probably be cracked in 30 minutes with a dictionary attack. And because its a comcast router, the settings to change are pretty much non existent. So couldn't really secure it even if I wanted to.

The benefit is they have the app that notifies you when a new device joins your network, but that same app also has the remote vulnerability because the app works from anywhere. And if you do a deauth it wouldn't be detected anyway.

Router vulnerabilities are swiss cheese, you can see right through them, where as pc firmware is like a good firewall with drywall slapped on to cover the bullet holes and painted over.

IMHO

_william · Mar 27, 2024

@Ghot Thanks for clarifying that. I probably should've been clearer that I'm using a Dell Latitude 7430.

Ghot · Mar 27, 2024

Comcast is the biggest ISP in the US, and they rate the worst customer service of any of them.

Good website (old name), for ISP info...

ISP discussion forums | DSLReports, ISP Information

ISP discussion forums, broadband news, information and community

www.dslreports.com

_william · Mar 27, 2024

@andrew129260 It sounds like it's probably out of my control then, beyond turning-off the "Windows Update" tool in Settings. There isn't any setting inside the "Windows Update" Settings tool to opt-out of BIOS-updates is there? if there were, then I could ensure that only the "Dell Command | Update" app managed BIOS-updates...