KB5012170 Security update for Secure Boot DBX Win Update

    KB5012170 Security update for Secure Boot DBX

    KB5012170 Security update for Secure Boot DBX

    Category: Win Update
    Posted: 14 Apr 2023

    KB5012170: Security update for Secure Boot DBX

    NOTE Improved diagnostics have been added to detect and report issue details through the event log. Please see KB5016061: Addressing vulnerable and revoked Boot Managers for more information.

    Applies to

    This security update applies only to the following Windows versions:

    • Windows Server 2012
    • Windows 8.1 and Windows Server 2012 R2
    • Windows 10, version 1507
    • Windows 10, version 1607 and Windows Server 2016
    • Windows 10, version 1809 and Windows Server 2019
    • Windows 10, version 20H2
    • Windows 10, version 21H1
    • Windows 10, version 21H2
    • Windows 10, version 22H2
    • Windows Server 2022
    • Windows 11, version 21H2
    • Windows 11, version 22H2
    • Azure Stack HCI, version 1809
    • Azure Stack Data Box, version 1809 (ASDB)

    Summary

    This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:

    • Windows devices that has Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

      A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

      This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.

    To learn more about this security vulnerability, see the following advisory:


    For additional information about this security vulnerability, see the following resources:


    Known issues

    Issue Next step
    If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.

    To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.
    To workaround this issue, do one of the following before you deploy this update:

    • On a device that does not have Credential Gard enabled, run following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:

      Manage-bde –Protectors –Disable C: -RebootCount 1

      Then, deploy the update and restart the device to resume the BitLocker protection.
    • On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:

      Manage-bde –Protectors –Disable C: -RebootCount 3

      Then, deploy the update and restart the device to resume the BitLocker protection.
    When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922.

    Note This issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates.
    To resolve this issue, install the Servicing Stack Update (SSU) released March 14, 2023, or a later SSU update, for your supported Windows operating system:

    • Windows 11, version 22H2 SSU (SSU installed from cumulative update KB5023706)
    • Windows 11, version 21H2 SSU (SSU installed from cumulative update KB5023698)
    • Windows Server 2022 SSU (SSU installed from cumulative update KB5023705)
    • Windows 10, version 20H2, 21H2, and 22H2 SSU (SSU installed from cumulative update KB5023696)
    • Windows 10, version 1809/Windows Server 2019 (SSU installed from cumulative update KB5023702)
    • Windows Server 2016 SSU KB5023788
    • Windows 10 SSU KB5023787
    • Windows Server 2012 R2 SSU KB5023790
    • Windows Server 2012 SSU KB5023791

    For information about the new error events added by these SSU updates and actions to take when an error occurs, see KB5016061.
    Some devices might enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11. This issue is addressed in the servicing stack updates (SSU) and the latest cumulative updates (LCU) dated July 12, 2022 and later.

    How to get this update

    Release Channel Available Next Step
    Windows Update or Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS) Yes This update will automatically synchronize with WSUS if you configure Products and Classifications as follows:
    Product: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, version 1903 and later, Windows 11, Azure Stack HCI, Azure Data Box
    Classification: Security Updates

    Prerequisites
    Make sure you have the lastest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see ADV990001 | Latest Servicing Stack Updates.

    Restart information
    Your device does not have to restart when you apply this update. If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device might request a restart.

    Update replacement information
    This update replaces previously released update KB4535680.

    Source: https://support.microsoft.com/en-us/...8-c42bd211bb15
    Brink's Avatar Posted By: Brink
    14 Apr 2023


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 07:17.
Find Us




Windows 10 Forums