I wish to elaborate on the reasons I am requesting a BIOS and firmware update, with the possibility of having an advanced, unlocked BIOS to address these issues properly.
I must emphasise that under Linux it is possible to mitigate these problems without requiring BIOS/firmware access or updates, but for Windows users the situation is markedly different and solutions rely exclusively on updated and available firmware.
I apologise in advance for the length of this message:
My System Configuration:
- Windows 11 25H2 (latest updates applied)
- SecureBoot enabled
---
1. Intel Management Engine Analysis
The following report from Intel's MEInfoWin64.exe reveals the current firmware state:
.\MEInfoWin64.exe
Intel (R) ME Info Version: 16.0.15.1829
Copyright (C) 2005 - 2022, Intel Corporation. All rights reserved.
General FW Information
Platform Type Mobile
FW Image Type Production
Last ME Reset Reason Other
BIOS Boot State (EOP) Post Boot
BIOS Boot State (CBD) Post Boot
Boot Critical Code Redundancy Disabled
Current Boot Partition 1
OEM Chipset Init Available
OEM Chipset Init Version 12.0.4616.65535
Factory Defaults Restoration Status Disabled
Factory Defaults Recovery Status Enabled
Firmware Update OEM ID 00000000-0000-0000-0000-000000000000
Intel(R) ICPS SW SKUing Eligible Disabled
Camera privacy feature control disabled True
Crypto HW Support Enabled
Intel(R) ISH Power State Disabled
OEM Tag 0x00
FW Update State Enabled
TLS State Enabled
CSME Measured Boot to TPM Disabled
BIOS Recovery State Disabled
Intel(R) ME Code Versions
BIOS Version 1.07.02RME1_017
MEI Driver Version 2407.6.1.0
FW Version 16.1.27.2225 LP Consumer
IUPs Information
PMC FW Version 160.1.0.1030
OEM FW Version 0.0.0.0000
IOM FW Version 36.7.0.0000
NPHY FW Version 14.530.509.8258
TBT FW Version 16.0.0.0202
PCHC FW Version 16.1.0.1014
PCH Information
PCH Name ADL
PCH Device ID 5182
PCH Revision ID A1
PCH SKU Type Production PRQ Revenue
PCH Replacement State Disabled
PCH Replaceable Counter 0
PCH Unlocked State Disabled
Transactional FW Information
Original image type Consumer
Current sku type Consumer
Flash Information
Storage Device Type SPI
SPI Flash ID 1 EF4019
RPMC Unsupported
RPMC Bind Counter 0
RPMC Bind Status Pre-bind
RPMC Rebind Supported
RPMC Replay Protection Max Rebind 15
BIOS Read Access 0xFFFF
BIOS Write Access 0xFFFF
GBE Read Access 0xFFFF
GBE Write Access 0xFFFF
ME Read Access 0xFFFF
ME Write Access 0xFFFF
EC Read Access 0xFFFF
EC Write Access 0xFFFF
FW Capabilities 0x31309200
Intel(R) Protected Audio Video Path Present/Enabled
Intel(R) Dynamic Application Loader Present/Enabled
Intel(R) Platform Trust Technology Present/Enabled
Persistent RTC and Memory Present/Enabled
End Of Manufacturing
NVAR Configuration State Unlocked
EOM Settings Lock(Flash,Config)
EOM Flow Not set
HW Binding State Enabled
Flash Protection Mode Unprotected
FPF Committed No
Intel(R) Protected Audio Video Path
PAVP State Yes
Security Version Numbers
Trusted Computing Base SVN 1
Firmware Version Control SVNs
PMC 0 [minimum allowed: 0]
CSE 4 [minimum allowed: 0]
ROT KM 0 [minimum allowed: 0]
IDLM 0 [minimum allowed: 0]
CSME bootstrap 0 [minimum allowed: 0]
SECURE BOOT BSMM 1 [minimum allowed: 0]
OEM KM 0 [minimum allowed: 0]
SECURE BOOT KM 1 [minimum allowed: 0]
UCODE 1 [minimum allowed: 0]
SECURE BOOT ACM 2 [minimum allowed: 0]
HW Glitch Detection 0x1989
TRC Polarity Rising Trans
TRC Mode Full-cycle polarity trans
TRC State Enabled
Intel(R) Platform Trust Technology
Intel(R) PTT initial power-up state Enabled
Intel(R) PTT State Enabled
SMx State Enabled
RSA1K Support Disabled
FW Supported FPFs FPF UEP
*In Use
--- ---
1st OEM Key Hash Revoked Not set Disabled
1st OEM Key Hash size Not set Enabled
1st OEM RSA Key size Not set Enabled
2nd OEM Key Hash Revoked Not set Disabled
2nd OEM Key Hash size Not set Enabled
2nd OEM RSA Key size Not set Enabled
BSMM Firmware Version Control Not set Enabled
CSE FW Firmware Version Control Not set Enabled
CSME Bootstrap Firmware Version Control Not set Enabled
DNX Firmware Version Control Not set Enabled
Error Enforcement Policy 0 Not set Enabled
Error Enforcement Policy 1 Not set Enabled
Flash Descriptor Verification Not set Disabled
Glitch Detection Disabled Not set Enabled
IDLM Firmware Version Control Not set Enabled
Intel PTT Encryption Key Not set Not Revoked
Intel(R) Manageability HW Fuse Status Not set Enabled
Intel(R) PTT Not set Enabled
OEM ID Not set 0x00
OEM KM Firmware Version Control Not set Enabled
OEM Key Manifest Not set Enabled
OEM Key Revocation State Not set Disabled
OEM Platform ID Not set 0x00
OEM Secure Boot Policy Not set 0x7B
CPU Debugging Not set Disabled
BSP Initialization Not set Enabled
Protect BIOS Environment Not set Enabled
Measured Boot Not set Enabled
Verified Boot Not set Enabled
Key Manifest ID Not set 0x01
Force Boot Guard ACM Not set Enabled
OEM key Hash RSA key size Not set Enabled
PID Refurbish Counter Not set 0x00
PMC Firmware Version Control Not set Enabled
PTT Lockout Override Counter Not set 0x00
Persistent PRTC Backup Power Not set Enabled
ROT Firmware Version Control Not set Enabled
RPMB Monotonic Counters Not set 0x00
RPMC Rebinding Not set Enabled
RPMC Support Not set Enabled
SOC Config Lock State Not set Disabled
SPI Boot Source Not set Enabled
SPIRAL CPU Not set Enabled
Secure boot KM Firmware Version Control Not set Enabled
TXT Supported Not set Disabled
UFS Boot Source Not set Disabled
uCode Firmware Version Control Not set Enabled
DNX SVN Not set 0x00
IDLM SVN Not set 0x00
OEM KM SVN Not set 0x00
PMC SVN Not set 0x00
ROT KM SVN Not set 0x00
Secure boot ACM SVN Not set 0x00
Secure boot BSMM SVN Not set 0x00
Secure boot KM SVN Not set 0x00
Ucode SVN Not set 0x00
1st OEM Public Key Hash FPF Not set
1st OEM Public Key Hash UEP
2nd OEM Public Key Hash FPF Not set
2nd OEM Public Key Hash UEP
2. Windows Event Viewer: Known Firmware Issues
The Event Viewer has logged critical errors demonstrating that certain security updates are being blocked due to known firmware deficiencies. These issues cannot be resolved without an updated firmware from the vendor.
2.1 SecureBoot DBX Update Failure
Windows is unable to apply essential SecureBoot DBX updates due to a documented firmware issue:
Nombre de registro:System
Origen: Microsoft-Windows-TPM-WMI
Fecha: 02/01/2026 19:49:31
Id. del evento:1802
Categoría de la tarea:Ninguno
Nivel: Error
Palabras clave:
Usuario: SYSTEM
Equipo:
Descripción:
The Secure Boot update DBX was blocked due to a known firmware issue on the device. Check with your device vendor for a firmware update that addresses the issue. This device signature information is included here.
DeviceAttributes: BaseBoardManufacturer:MEDION;FirmwareManufacturer:INSYDE Corp.;FirmwareVersion:1.07.02RME1_017;OEMModelNumber:Scout E30i;OEMModelBaseBoard:NPxxRNx;OEMModelSystemFamily:ERAZER;OEMManufacturerName:MEDION;OEMModelSKU:ML-210009 40089778;OSArchitecture:amd64;
BucketId: 7bc076751cee2a9e371d9a118ec83727f663f96a99b94f46b927c88911903e74
BucketConfidenceLevel:
SkipReason: KI_4.
For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472
Key issue: The firmware version (1.07.02RME1_017) is preventing critical security updates from being applied. Microsoft's documentation explicitly states this requires a vendor firmware update. Aside from this, DBX (neither DB, MOK, KEK, etc) cannot be updated using BIOS menu.
3. Speculation Control Settings: Disabled Security Mitigations
The Microsoft SpeculationControl module reveals that several CPU vulnerability mitigations are disabled due to firmware configuration issues:
> powershell.exe -ExecutionPolicy Bypass -Command "Import-Module SpeculationControl; Get-SpeculationControlSettings"
For more information about the output below, please refer to https://support.microsoft.com/help/4074629
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware is vulnerable to rogue data cache load: False
Hardware requires kernel VA shadowing: False
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False
Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: False
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: False
Speculation control settings for SBDR [shared buffers data read]
Windows OS support for SBDR mitigation is present: True
Hardware is vulnerable to SBDR: False
Speculation control settings for FBSDP [fill buffer stale data propagator]
Windows OS support for FBSDP mitigation is present: True
Hardware is vulnerable to FBSDP: False
Speculation control settings for PSDP [primary stale data propagator]
Windows OS support for PSDP mitigation is present: True
Hardware is vulnerable to PSDP: False
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : True
RdclHardwareProtectedReported : True
RdclHardwareProtected : True
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : False
L1TFInvalidPteBit : 0
L1DFlushSupported : True
HvL1tfStatusAvailable : True
HvL1tfProcessorNotAffected : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : False
MDSWindowsSupportEnabled : False
FBClearWindowsSupportPresent : True
SBDRSSDPHardwareVulnerable : False
FBSDPHardwareVulnerable : False
PSDPHardwareVulnerable : False
FBClearWindowsSupportEnabled : False
BhbEnabled : False
BhbDisabledSystemPolicy : True
BhbDisabledNoHardwareSupport : False
BranchConfusionReported : True
BranchConfusionStatus : SYSTEM_SPECULATION_CONTROL_BRANCH_CONFUSION_MITIGATED
GdsReported : True
GdsStatus : SYSTEM_SPECULATION_CONTROL_GDS_MITIGATION_UNSUPPORTED
SrsoReported : True
SrsoStatus : SYSTEM_SPECULATION_CONTROL_SRSO_HARDWARE_IMMUNE
DivideByZeroReported : True
DivideByZeroStatus : SYSTEM_SPECULATION_CONTROL_DIVIDE_BY_ZERO_HARDWARE_IMMUNE
RfdsReported : True
RfdsStatus : SYSTEM_SPECULATION_CONTROL_RFDS_MITIGATION_UNSUPPORTED
Critical findings:
- CVE-2018-3639 (Speculative Store Bypass): The hardware is vulnerable, hardware support for mitigation is present, but SSBDWindowsSupportEnabledSystemWide: False — the mitigation is disabled system-wide due to firmware constraints.
- Several mitigation features remain unsupported or disabled, leaving the system exposed to known vulnerabilities.
Conclusion
In essence, having a locked BIOS (with minimal configuration options) and outdated firmware, certain bugs and impediments prevent me from:
- Using Intel TXT
- Enabling CSME Measured Boot to TPM
- Applying SecureBoot DBX updates
- Activating system-wide Speculative Store Bypass Disable (SSBD) mitigation
- Enabling various CPU vulnerability mitigations properly
- Accessing advanced security features that require firmware support
I trust I have adequately explained the reasons for my request and hope to obtain an update in line with what has been requested.
The device, on the whole, has excellent hardware and performance; this is my first experience with Medion, and aside from the issues detailed here, I am pleased with the device
(en-gb) ▼ 
Klick hier, um diese Seite auf Deutsch zu lesen
Click here to read this page in English
Cliquez ici pour lire cette page en français
Klik hier om deze pagina in het Nederlands te lezen
