About alexandergl

@Fishtown @JVirtanen  More evidences: Absence of the WSMT ACPI Table: Although this Alder Lake cpu and the platform support memory isolation (IOMMU) are compatible (and usable on Linux platform)... a  WMI query maintains the "SmmIsolationLevel" at 0 instead.  WMI testing confirms that the current firmware does not provide the WSMT (Windows SMM Security Mitigations Table). Without this tables (without the ability of managing them in the BIOS properly) the Windows Kernel cannot validate the integrity of the System Management Mode (SMM), leaving the system vulnerable to "Ring -2" level attacks that can bypass the Win hypervisor Inconsistency in Security Instrumentation (WMI): It has been detected that in recent Windows 11 builds (26100+), the security management infrastructure is unable to correctly instantiate Win32_DeviceGuard classes... due to obsolete firmware definitions that do not align with Microsoft's latest attestation standards System Guard (Secure Launch) Blockage: The hardware reports capability for DMA (Direct Memory Access) Protection (Property "5" in WMI query -ClassName "AvailableSecurityProperties")... but the firmware prevents its actual activation. This invalidates one of Windows 11's core defenses against malicious devices/software attempting to access memory via DMA Persistence of Compromised UEFI Keys: It still confirmed that the current firmware (version 1.07.02RME1_017) enables compromised PK/KEK/DB keys from 2011. This, combined with the inability to apply DBX (Secure Boot Revocation List) updates due to documented firmware errors (Event ID: 1802 logged in previous messages), still breaks the Secure Boot chain of trust     ... View more

Totally agree with you. The problem is that Medion is not complying with this. It is very complicated for me to maintain two different operating systems (Windows, Linux), on different nvme's, each with its own configuration requirements in UEFI I face problems that cannot be handled: Windows is not able to update the DBX keys neither from its own Windows Update, nor manually From Linux I cannot manage my own signing of kernel modules for things like NVIDIA either (the standard MOK system for UEFI must have a bug in the provided firmware) The firmware incorporates old, compromised UEFI keys (2011) as standard Windows constantly eats up the /boot/efi of the Linux hard drive because a password cannot be set for each hard drive from the UEFI like in any other PC I cannot configure reasonable options in the UEFI And many others That's why I came here, asking @Fishtown , after trying to resolve it through other means.   Medion has access to everything CLEVO has, and could easily solve it. ... View more

@Fishtown , perhaps Medion has an EC and BIOS update?   In CLEVO repositories, for the same system (without Medion's OEM branding), updates do exist, but they cannot be applied directly (they lack Medion's OEM flag).   Could we check this, please? ... View more

Yes, @Fishtown , I have already tried everything possible via Updates and the Microsoft Store. In fact, latest DBX updates tend to come via Windows Update. At this point the only way I "could fix" the issue would be to compile an updated version of the firmware, CSME and UEFI myself and reprogram the BIOS IC. But I’m not Medion/Clevo, so I don’t have easy access to the latest updates, and I don’t want to void my warranty. So my question is: Is there any BIOS/firmware update beyond 1.07.02RME1 for this model? And is there any way to obtain a full BIOS configuration utility? Thanks in advance. ... View more

I wish to elaborate on the reasons I am requesting a BIOS and firmware update, with the possibility of having an advanced, unlocked BIOS to address these issues properly.   I must emphasise that under Linux it is possible to mitigate these problems without requiring BIOS/firmware access or updates, but for Windows users the situation is markedly different and solutions rely exclusively on updated and available firmware.   I apologise in advance for the length of this message:     My System Configuration: Windows 11 25H2 (latest updates applied) SecureBoot enabled ---   1. Intel Management Engine Analysis The following report from Intel's MEInfoWin64.exe reveals the current firmware state: .\MEInfoWin64.exe Intel (R) ME Info Version: 16.0.15.1829 Copyright (C) 2005 - 2022, Intel Corporation. All rights reserved. General FW Information Platform Type Mobile FW Image Type Production Last ME Reset Reason Other BIOS Boot State (EOP) Post Boot BIOS Boot State (CBD) Post Boot Boot Critical Code Redundancy Disabled Current Boot Partition 1 OEM Chipset Init Available OEM Chipset Init Version 12.0.4616.65535 Factory Defaults Restoration Status Disabled Factory Defaults Recovery Status Enabled Firmware Update OEM ID 00000000-0000-0000-0000-000000000000 Intel(R) ICPS SW SKUing Eligible Disabled Camera privacy feature control disabled True Crypto HW Support Enabled Intel(R) ISH Power State Disabled OEM Tag 0x00 FW Update State Enabled TLS State Enabled CSME Measured Boot to TPM Disabled BIOS Recovery State Disabled Intel(R) ME Code Versions BIOS Version 1.07.02RME1_017 MEI Driver Version 2407.6.1.0 FW Version 16.1.27.2225 LP Consumer IUPs Information PMC FW Version 160.1.0.1030 OEM FW Version 0.0.0.0000 IOM FW Version 36.7.0.0000 NPHY FW Version 14.530.509.8258 TBT FW Version 16.0.0.0202 PCHC FW Version 16.1.0.1014 PCH Information PCH Name ADL PCH Device ID 5182 PCH Revision ID A1 PCH SKU Type Production PRQ Revenue PCH Replacement State Disabled PCH Replaceable Counter 0 PCH Unlocked State Disabled Transactional FW Information Original image type Consumer Current sku type Consumer Flash Information Storage Device Type SPI SPI Flash ID 1 EF4019 RPMC Unsupported RPMC Bind Counter 0 RPMC Bind Status Pre-bind RPMC Rebind Supported RPMC Replay Protection Max Rebind 15 BIOS Read Access 0xFFFF BIOS Write Access 0xFFFF GBE Read Access 0xFFFF GBE Write Access 0xFFFF ME Read Access 0xFFFF ME Write Access 0xFFFF EC Read Access 0xFFFF EC Write Access 0xFFFF FW Capabilities 0x31309200 Intel(R) Protected Audio Video Path Present/Enabled Intel(R) Dynamic Application Loader Present/Enabled Intel(R) Platform Trust Technology Present/Enabled Persistent RTC and Memory Present/Enabled End Of Manufacturing NVAR Configuration State Unlocked EOM Settings Lock(Flash,Config) EOM Flow Not set HW Binding State Enabled Flash Protection Mode Unprotected FPF Committed No Intel(R) Protected Audio Video Path PAVP State Yes Security Version Numbers Trusted Computing Base SVN 1 Firmware Version Control SVNs PMC 0 [minimum allowed: 0] CSE 4 [minimum allowed: 0] ROT KM 0 [minimum allowed: 0] IDLM 0 [minimum allowed: 0] CSME bootstrap 0 [minimum allowed: 0] SECURE BOOT BSMM 1 [minimum allowed: 0] OEM KM 0 [minimum allowed: 0] SECURE BOOT KM 1 [minimum allowed: 0] UCODE 1 [minimum allowed: 0] SECURE BOOT ACM 2 [minimum allowed: 0] HW Glitch Detection 0x1989 TRC Polarity Rising Trans TRC Mode Full-cycle polarity trans TRC State Enabled Intel(R) Platform Trust Technology Intel(R) PTT initial power-up state Enabled Intel(R) PTT State Enabled SMx State Enabled RSA1K Support Disabled FW Supported FPFs FPF UEP *In Use --- --- 1st OEM Key Hash Revoked Not set Disabled 1st OEM Key Hash size Not set Enabled 1st OEM RSA Key size Not set Enabled 2nd OEM Key Hash Revoked Not set Disabled 2nd OEM Key Hash size Not set Enabled 2nd OEM RSA Key size Not set Enabled BSMM Firmware Version Control Not set Enabled CSE FW Firmware Version Control Not set Enabled CSME Bootstrap Firmware Version Control Not set Enabled DNX Firmware Version Control Not set Enabled Error Enforcement Policy 0 Not set Enabled Error Enforcement Policy 1 Not set Enabled Flash Descriptor Verification Not set Disabled Glitch Detection Disabled Not set Enabled IDLM Firmware Version Control Not set Enabled Intel PTT Encryption Key Not set Not Revoked Intel(R) Manageability HW Fuse Status Not set Enabled Intel(R) PTT Not set Enabled OEM ID Not set 0x00 OEM KM Firmware Version Control Not set Enabled OEM Key Manifest Not set Enabled OEM Key Revocation State Not set Disabled OEM Platform ID Not set 0x00 OEM Secure Boot Policy Not set 0x7B CPU Debugging Not set Disabled BSP Initialization Not set Enabled Protect BIOS Environment Not set Enabled Measured Boot Not set Enabled Verified Boot Not set Enabled Key Manifest ID Not set 0x01 Force Boot Guard ACM Not set Enabled OEM key Hash RSA key size Not set Enabled PID Refurbish Counter Not set 0x00 PMC Firmware Version Control Not set Enabled PTT Lockout Override Counter Not set 0x00 Persistent PRTC Backup Power Not set Enabled ROT Firmware Version Control Not set Enabled RPMB Monotonic Counters Not set 0x00 RPMC Rebinding Not set Enabled RPMC Support Not set Enabled SOC Config Lock State Not set Disabled SPI Boot Source Not set Enabled SPIRAL CPU Not set Enabled Secure boot KM Firmware Version Control Not set Enabled TXT Supported Not set Disabled UFS Boot Source Not set Disabled uCode Firmware Version Control Not set Enabled DNX SVN Not set 0x00 IDLM SVN Not set 0x00 OEM KM SVN Not set 0x00 PMC SVN Not set 0x00 ROT KM SVN Not set 0x00 Secure boot ACM SVN Not set 0x00 Secure boot BSMM SVN Not set 0x00 Secure boot KM SVN Not set 0x00 Ucode SVN Not set 0x00 1st OEM Public Key Hash FPF Not set 1st OEM Public Key Hash UEP 2nd OEM Public Key Hash FPF Not set 2nd OEM Public Key Hash UEP   2. Windows Event Viewer: Known Firmware Issues The Event Viewer has logged critical errors demonstrating that certain security updates are being blocked due to known firmware deficiencies. These issues cannot be resolved without an updated firmware from the vendor.   2.1 SecureBoot DBX Update Failure Windows is unable to apply essential SecureBoot DBX updates due to a documented firmware issue: Nombre de registro:System Origen: Microsoft-Windows-TPM-WMI Fecha: 02/01/2026 19:49:31 Id. del evento:1802 Categoría de la tarea:Ninguno Nivel: Error Palabras clave: Usuario: SYSTEM Equipo: Descripción: The Secure Boot update DBX was blocked due to a known firmware issue on the device. Check with your device vendor for a firmware update that addresses the issue. This device signature information is included here. DeviceAttributes: BaseBoardManufacturer:MEDION;FirmwareManufacturer:INSYDE Corp.;FirmwareVersion:1.07.02RME1_017;OEMModelNumber:Scout E30i;OEMModelBaseBoard:NPxxRNx;OEMModelSystemFamily:ERAZER;OEMManufacturerName:MEDION;OEMModelSKU:ML-210009 40089778;OSArchitecture:amd64; BucketId: 7bc076751cee2a9e371d9a118ec83727f663f96a99b94f46b927c88911903e74 BucketConfidenceLevel: SkipReason: KI_4. For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472 Key issue: The firmware version (1.07.02RME1_017) is preventing critical security updates from being applied. Microsoft's documentation explicitly states this requires a vendor firmware update. Aside from this, DBX (neither DB, MOK, KEK, etc) cannot be updated using BIOS menu.   3. Speculation Control Settings: Disabled Security Mitigations The Microsoft SpeculationControl module reveals that several CPU vulnerability mitigations are disabled due to firmware configuration issues: > powershell.exe -ExecutionPolicy Bypass -Command "Import-Module SpeculationControl; Get-SpeculationControlSettings" For more information about the output below, please refer to https://support.microsoft.com/help/4074629 Speculation control settings for CVE-2017-5715 [branch target injection] Hardware support for branch target injection mitigation is present: True Windows OS support for branch target injection mitigation is present: True Windows OS support for branch target injection mitigation is enabled: True Speculation control settings for CVE-2017-5754 [rogue data cache load] Hardware is vulnerable to rogue data cache load: False Hardware requires kernel VA shadowing: False Speculation control settings for CVE-2018-3639 [speculative store bypass] Hardware is vulnerable to speculative store bypass: True Hardware support for speculative store bypass disable is present: True Windows OS support for speculative store bypass disable is present: True Windows OS support for speculative store bypass disable is enabled system-wide: False Speculation control settings for CVE-2018-3620 [L1 terminal fault] Hardware is vulnerable to L1 terminal fault: False Speculation control settings for MDS [microarchitectural data sampling] Windows OS support for MDS mitigation is present: True Hardware is vulnerable to MDS: False Speculation control settings for SBDR [shared buffers data read] Windows OS support for SBDR mitigation is present: True Hardware is vulnerable to SBDR: False Speculation control settings for FBSDP [fill buffer stale data propagator] Windows OS support for FBSDP mitigation is present: True Hardware is vulnerable to FBSDP: False Speculation control settings for PSDP [primary stale data propagator] Windows OS support for PSDP mitigation is present: True Hardware is vulnerable to PSDP: False BTIHardwarePresent : True BTIWindowsSupportPresent : True BTIWindowsSupportEnabled : True BTIDisabledBySystemPolicy : False BTIDisabledByNoHardwareSupport : False BTIKernelRetpolineEnabled : False BTIKernelImportOptimizationEnabled : True RdclHardwareProtectedReported : True RdclHardwareProtected : True KVAShadowRequired : False KVAShadowWindowsSupportPresent : True KVAShadowWindowsSupportEnabled : False KVAShadowPcidEnabled : False SSBDWindowsSupportPresent : True SSBDHardwareVulnerable : True SSBDHardwarePresent : True SSBDWindowsSupportEnabledSystemWide : False L1TFHardwareVulnerable : False L1TFWindowsSupportPresent : True L1TFWindowsSupportEnabled : False L1TFInvalidPteBit : 0 L1DFlushSupported : True HvL1tfStatusAvailable : True HvL1tfProcessorNotAffected : True MDSWindowsSupportPresent : True MDSHardwareVulnerable : False MDSWindowsSupportEnabled : False FBClearWindowsSupportPresent : True SBDRSSDPHardwareVulnerable : False FBSDPHardwareVulnerable : False PSDPHardwareVulnerable : False FBClearWindowsSupportEnabled : False BhbEnabled : False BhbDisabledSystemPolicy : True BhbDisabledNoHardwareSupport : False BranchConfusionReported : True BranchConfusionStatus : SYSTEM_SPECULATION_CONTROL_BRANCH_CONFUSION_MITIGATED GdsReported : True GdsStatus : SYSTEM_SPECULATION_CONTROL_GDS_MITIGATION_UNSUPPORTED SrsoReported : True SrsoStatus : SYSTEM_SPECULATION_CONTROL_SRSO_HARDWARE_IMMUNE DivideByZeroReported : True DivideByZeroStatus : SYSTEM_SPECULATION_CONTROL_DIVIDE_BY_ZERO_HARDWARE_IMMUNE RfdsReported : True RfdsStatus : SYSTEM_SPECULATION_CONTROL_RFDS_MITIGATION_UNSUPPORTED Critical findings: CVE-2018-3639 (Speculative Store Bypass): The hardware is vulnerable, hardware support for mitigation is present, but SSBDWindowsSupportEnabledSystemWide: False — the mitigation is disabled system-wide due to firmware constraints. Several mitigation features remain unsupported or disabled, leaving the system exposed to known vulnerabilities.   Conclusion In essence, having a locked BIOS (with minimal configuration options) and outdated firmware, certain bugs and impediments prevent me from: Using Intel TXT Enabling CSME Measured Boot to TPM Applying SecureBoot DBX updates Activating system-wide Speculative Store Bypass Disable (SSBD) mitigation Enabling various CPU vulnerability mitigations properly Accessing advanced security features that require firmware support   I trust I have adequately explained the reasons for my request and hope to obtain an update in line with what has been requested. The device, on the whole, has excellent hardware and performance; this is my first experience with Medion, and aside from the issues detailed here, I am pleased with the device ... View more

Yes, @Fishtown  : Model: ERAZER Scout E30i (MD 62652) ES (NB BB CLV NP70RNC Scout E30i ERAZER bk ) MSM: 3003 8551   ... View more