Hi! Sorry for my bad English...
Intel NUC7PJYH2 BIOS Upgrade to 0058 causes boot failure on Linux and Unix-like operating systems
Intel BOXNUC7PJYH2 Version #: J67992-404, Date of Manufacture: 22 May 2020.
With the previous BIOS 0057 all was OK with Linux, Unix-like OSes and Windows. After upgrading the BIOS with F7 to version 0058, then F9 (Load defaults) and configuring the BIOS (with the Linux or Windows boot profile and Secure Boot disabled), the Windows 10 installer loads successfully from a USB stick, but Linux and Unix-like systems (FreeBSD and NetBSD) do not load.
1. Please remove Intel NUC7PJYH BIOS 0058 from Download Center to avoid problems for Linux and Unix-like users.
2. Please fix this BIOS bug for Linux users.
Probably this is a problem with ACPI BIOS settings for Linux and Unix-like OSes.
i've been offered the same solution -- send mine in and wait till they send me a replacement. or pay $25 for them to ship me one overnight and w/ a return label. frankly, since this was their mess up, it seems that $25 should be waived. spending $25 to get back up and running is what happens when you install ransomware, not official bios updates.
Just beware that Intel MAY send you a refurbished replacement unit. I had to exchange a brand new defective NUC about 2 years ago and luckily they sent me (I'm in the US) a brand new one. But at no point were they able to guarantee me that I would receive a brand new unit. I was quite annoyed because it was literally only a month or so old. I guess I got lucky. I did however pay the $25 because I needed a replacement asap, and it really was a very, very quick process. They did place a temporary charge for the full retail price on my credit card that was dropped once they received the defective unit.
I have the exact same problem, after going through this thread, looks like it's a BUG with the 0058 version. What's the solution, we wait for them until they release a patch? My unit is only a month old. Lesson learned, never upgrade the BIOS if the system is running fine.
That's how security is achieved. Security that you don't end up with a paperweight. Never touch a working system, especially if the manufacturer doesn't allow rolling back updates when they create problems.
Luckily I missed the 58 update, usually I jump on them right away. But 57 was the last update I will ever install on my NUC, it's just not worth the risk going forward.
They're not sure when the BIOS fix will be out, so I think they're replacing them?
open a live chat with support, and message them?
Mine is being picked up by courier tomorrow.
To be honest, I don't understand why it would be against security policies to "downgrade" the BIOS for affected users, but it's acceptable to send users a new unit with a lower BIOS version. Makes little sense to me and the environmental impact is not good at all.
Now my unit will be picked up soon, which is another bummer: I have to be available over a six hour timeframe, in case the parcel service rings my bell. I wasn't allowed to just bring the package to the post office myself. And I'll only get a replacement once my unit was received by Intel. Guess they handle it differently here in Europe than in the US.
While I'm happy that some of the Intel staff have answered here, I feel the whole process is really everything but customer friendly. No time frame for a fix, a tedious process of shipping that requires time and effort (put documents in, write a number on the package, print package label) and not knowing when or even whether my "new" NUC will get the security update.
A unit with an older BIOS can always be upgraded if the included mitigations are considered a requirement. A unit that can be downgraded can be abused by bad actors; if they downgrade the BIOS, they can then use the vulnerabilities that had been mitigated to do the nefarious. Frankly, I don't get why you folks don't understand this.
Intel first shipped a (chipset-based) Management Engine (ME) in the 965 chipset. That was 14 chipset generations ago. Every single one of those Management Engines has enforced this rule; once an update is installed, it cannot be uninstalled (downgraded). The NUC team cannot do anything about this; the ME team sets the rules.
Not customer friendly? Obvious you don't deal with many companies' support services (I use that term loosely). I consider Intel Customer Support one of the best around. Unfortunately, that's not saying much.
Fact is, Intel Customer Support (and volunteers like me who are under NDA) simply cannot provide any information regarding features, schedule or availability. It simply isn't allowed. Intel had to inject this rule because people treated guesstimates as hard and fast commitments and sued Intel if they were late. If you want someone to blame, blame the trolls taking advantage of this.
As for the returns, you don't have to do it. You can always just wait for the fix...
That's such a lame excuse.
If Intel was serious about security they wouldn't implement the backdoor security nightmare called Management Engine in the first place. Who knows what unauthorized stuff may be running in the ME already that Intel knows nothing about. As long as ME is there, a "bad actor" rolling back my bios is the least of my worries.
Put a simple physical jumper on the board to allow downgrades then. If you have physical access to the box a bad actor can do anything anyway. Like swap the board, memory chip, whatever, add bad stuff...
I get it, they have their silly rules. Whatever. I just know that I will no longer upgrade the firmware unless I really don't have another choice. The risk is simply not worth it.
@n_scott_pearson I should have explained why I put the "downgrade" in quotes. I was referring to the idea posted by another user, that Intel could simply release a higher version of the previous bios as a hotfix, until a solution is available. This way no malicious downgrade could take place, since the version got incremented (although the code would be that of a previous version).
I'd love to not return my NUC, but since no one puts any kind of estimate here (I somewhat understand your explanation here) and I don't know if this will take days, weeks or even months, I can't. I need my NUC to work properly.
And not to mention the risk of having to ship back a unit for an exchange. That assumes that the new unit isn't intercepted and manipulated in transit. Rolling back yourself may be the more secure option. Maybe it's a little far-fetched, but who knows. All depends on who you are. Maybe ME saves my encryption keys? Maybe it even sends them out to interested parties if it's connected to the internet. Would you send back a hard drive with sensitive data for warranty? I wouldn't. I'd destroy it. There's no 100% security. To me, being able to roll back software if it causes issues is one of those basic things that I just take for granted. IT admins do it every day. And sometimes that means re-introducing known security issues. Booo
I was a bit lucky when I discovered this topic about 2 weeks ago. I purchased the NUC a day before in an online webshop as a private person. By the (EU) law, I have 14 days to return the device and the seller has to accept the return without any question and give a full refund.
When the NUC became a brick, I returned it and purchased exact same device, same day.
If the same law exists in your country, I would initiate the RMA to Intel ASAP and purchase another NUC temporarily. Yes, you need to invest a bit, but you will get back your money at the end, on the other hand you will have a working device during the RMA process.
@pleasefixthis asked a question and then deleted it, but I will answer it anyway since it was asked more than once.
You cannot downgrade by installing an older version over top of a newer one. This would be possible only if every pertinent firmware capsule in the package was regenerated with a new 'hotfix' version number. Since the NUC BIOS team does not own all of these capsules - and thus cannot regenerate them - this can't be done.
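The constraint described in the post above, as an added example that is not part of the original thread and not Intel's code: a simplified model of a per-capsule monotonic version check. The capsule names, the ME version numbers and the all-or-nothing install policy are assumptions made for illustration.

```python
# Simplified model of version-based anti-rollback for a multi-capsule firmware
# package. Capsule names and version numbers are constructed for illustration;
# this is not Intel's update logic.
from dataclasses import dataclass


@dataclass(frozen=True)
class Capsule:
    component: str   # e.g. "bios", "me" (hypothetical component labels)
    version: int     # monotonic version the updater compares
    code_from: str   # which release the code inside was built from


def check_package(installed, package):
    """Return a per-capsule verdict: 'accept' or 'reject: rollback (...)'."""
    verdicts = {}
    for cap in package:
        current = installed.get(cap.component, 0)
        if cap.version < current:
            verdicts[cap.component] = f"reject: rollback ({cap.version} < {current})"
        else:
            verdicts[cap.component] = "accept"
    return verdicts


def package_installs(installed, package):
    """All-or-nothing policy (assumed): one rejected capsule blocks the package."""
    return all(v == "accept" for v in check_package(installed, package).values())


# Constructed state of a unit after the 0058 update.
INSTALLED = {"bios": 58, "me": 12}

# 1) The old 0057 package as-is: both capsules are older than what is installed.
OLD_0057 = [Capsule("bios", 57, "0057"), Capsule("me", 11, "0057")]

# 2) "Hotfix" where only the BIOS capsule is re-versioned; the ME capsule is
#    owned by another team and still carries its old version.
PARTIAL_HOTFIX = [Capsule("bios", 59, "0057"), Capsule("me", 11, "0057")]

# 3) Every capsule regenerated with a higher version around the old code.
FULL_HOTFIX = [Capsule("bios", 59, "0057"), Capsule("me", 13, "0057")]

if __name__ == "__main__":
    for name, pkg in [("0057", OLD_0057), ("partial", PARTIAL_HOTFIX), ("full", FULL_HOTFIX)]:
        print(name, package_installs(INSTALLED, pkg), check_package(INSTALLED, pkg))
```

In case 3 the version check passes although the code inside is the older build, so in this model the version number alone no longer tells an administrator which mitigations are present.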
Intel owns it. I don't think customers should be expected to care about the internal (dysfunctional) organization of their teams and how they operate. Sometimes managers need to go up a few levels to make things happen. It *can* be done, they just don't want to. Probably not enough people being screwed right now. Can you imagine if firmware updates happened automatically? I don't see them asking thousands or millions of customers to send in their device for a replacement...
No, sorry, supporting a downgrade capability is simply not possible. This has been explained ad nauseam; I won't discuss it any further. When the fix clears validation, it will be released. When it is released, you will be notified.
If you want to have your unit replaced, this is certainly possible. I am willing to bet that the fix will be here before that process could be completed, however.
Your other option is to install Windows 10 Pro and run your Linux distro in a Hyper-V VM. Remember that you can (still) install Windows 10 Pro essentially for free if you have an old, unused license for Windows 7 Pro, Windows 7 Ultimate, Windows 8 Pro or Windows 8.1 Pro.