KB5012170: Security update for Secure Boot DBX: August 9, 2022

Applies to

This security update applies only to the following Windows versions:
  • Windows Server 2012
  • Windows 8.1 and Windows Server 2012 R2
  • Windows 10, version 1507
  • Windows 10, version 1607 and Windows Server 2016
  • Windows 10, version 1809 and Windows Server 2019
  • Windows 10, version 20H2
  • Windows 10, version 21H1
  • Windows 10, version 21H2
  • Windows Server 2022
  • Windows 11, version 21H2 (original release)
  • Azure Stack HCI, version 1809
  • Azure Stack Data Box, version 1809 (ASDB)

Summary

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:
  • Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents the UEFI modules whose signatures or hashes it lists from loading. This update adds modules to the DBX.

    A security feature bypass vulnerability exists in Secure Boot. An attacker who successfully exploited the vulnerability might bypass Secure Boot and load untrusted software.

    This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
To learn more about this security vulnerability, see the following advisory:
For additional information about this security vulnerability, see the following resources:
Known issues

Issue: Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.
Next step: To resolve this issue, contact your firmware OEM.

Issue: If the BitLocker Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy, the update might fail to install.
Next step:

To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.
To work around this issue, do one of the following before you deploy this update:
  • On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:

    Code:
    Manage-bde -Protectors -Disable C: -RebootCount 1

    Then, deploy the update and restart the device to resume the BitLocker protection.
  • On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:

    Code:
    Manage-bde -Protectors -Disable C: -RebootCount 3

    Then, deploy the update and restart the device to resume the BitLocker protection.
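The following PowerShell script is an added example, not part of the KB article: it confirms Secure Boot is on, parses the raw DBX variable (a chain of EFI_SIGNATURE_LIST structures) so you can record the entry count before and after the update, and optionally suspends BitLocker with the same reboot-count semantics as the Manage-bde command above. It assumes C: is the operating system volume and that it is run from an elevated PowerShell session.

```powershell
# Added example (not Microsoft's code): inventory the Secure Boot DBX and optionally
# suspend BitLocker before deploying KB5012170. Assumes C: is the OS volume; run elevated.
param(
    [switch]$SuspendBitLocker,   # suspend protectors so a PCR7-bound volume does not hit recovery
    [int]$RebootCount = 1        # use the value the KB gives for your Credential Guard configuration
)

if (-not (Confirm-SecureBootUEFI)) {
    throw "Secure Boot is not enabled on this device; the DBX update does not apply here."
}

# Walk the DBX: each EFI_SIGNATURE_LIST is a 28-byte header (SignatureType GUID,
# SignatureListSize, SignatureHeaderSize, SignatureSize), an optional header, then
# entries of SignatureSize bytes (16-byte owner GUID + data, 32 bytes for a SHA-256 hash).
$dbx        = (Get-SecureBootUEFI -Name dbx).Bytes
$sha256Type = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
$offset     = 0
$counts     = @{}
while ($offset + 28 -le $dbx.Length) {
    $type       = [guid]::new([byte[]]$dbx[$offset..($offset + 15)])
    $listSize   = [BitConverter]::ToUInt32($dbx, $offset + 16)
    $headerSize = [BitConverter]::ToUInt32($dbx, $offset + 20)
    $sigSize    = [BitConverter]::ToUInt32($dbx, $offset + 24)
    if ($listSize -lt 28 -or $sigSize -eq 0 -or $offset + $listSize -gt $dbx.Length) {
        throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
    }
    $entries = [int](($listSize - 28 - $headerSize) / $sigSize)
    $label   = if ($type -eq $sha256Type) { 'SHA256 hashes' } else { $type.ToString() }
    $counts[$label] += $entries
    $offset += $listSize
}
"DBX variable size: $($dbx.Length) bytes"
$counts.GetEnumerator() | ForEach-Object { "  {0,-40} {1} entries" -f $_.Key, $_.Value }

# Optional: suspend BitLocker for the requested number of restarts (same effect as
# "Manage-bde -Protectors -Disable C: -RebootCount N"), then deploy the update and restart.
if ($SuspendBitLocker) {
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if ($vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint 'C:' -RebootCount $RebootCount | Out-Null
        "BitLocker on C: suspended for $RebootCount restart(s); deploy the update, then restart."
    } else {
        "BitLocker on C: is not protecting (status: $($vol.ProtectionStatus)); nothing to suspend."
    }
}
```

Run it once before and once after installing the update: the SHA-256 entry count should increase, which confirms the firmware accepted the new DBX.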

How to get this update

Release Channel: Windows Update or Microsoft Update
Available: Yes
Next Step: None. This update will be downloaded and installed automatically from Windows Update.

Release Channel: Windows Update for Business
Available: Yes
Next Step: None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.

Release Channel: Microsoft Update Catalog
Available: Yes
Next Step: To get the standalone package for this update, go to the Microsoft Update Catalog website.

Release Channel: Windows Server Update Services (WSUS)
Available: Yes
Next Step: This update will automatically synchronize with WSUS if you configure Products and Classifications as follows:
  Product: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, version 1903 and later, Windows 11, Azure Stack HCI, Azure Data Box
  Classification: Security Updates

Prerequisites

Make sure you have the latest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see ADV990001 | Latest Servicing Stack Updates.

Restart information
Your device does not have to restart when you apply this update. If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device might request a restart.

Update replacement information

This update replaces previously released update KB4535680.

File information

The English (United States) version of this security update installs files that have the attributes that are listed in the following tables.
