KB5012170: Security update for Secure Boot DBX: August 9, 2022

KB5012170: Security update for Secure Boot DBX: August 9, 2022

Applies to

This security update applies only to the following Windows versions:
  • Windows Server 2012
  • Windows 8.1 and Windows Server 2012 R2
  • Windows 10, version 1507
  • Windows 10, version 1607 and Windows Server 2016
  • Windows 10, version 1809 and Windows Server 2019
  • Windows 10, version 20H2
  • Windows 10, version 21H1
  • Windows 10, version 21H2
  • Windows Server 2022
  • Windows 11, version 21H2 (original release)
  • Azure Stack HCI, version 1809
  • Azure Stack Data Box, version 1809 (ASDB)
Summary

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:
  • Windows devices that has Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

    A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

    This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
To learn more about this security vulnerability, see the following advisory:
For additional information about this security vulnerability, see the following resources:
Known issues

IssueNext step
Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.To resolve this issue, contact your firmware OEM.
If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.

To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.
To workaround this issue, do one of the following before you deploy this update:
  • On a device that does not have Credential Gard enabled, run following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:

    Code:
    Manage-bde –Protectors –Disable C: -RebootCount 1

    Then, deploy the update and restart the device to resume the BitLocker protection.
  • On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:

    Code:
    Manage-bde –Protectors –Disable C: -RebootCount 3

    Then, deploy the update and restart the device to resume the BitLocker protection.

How to get this update

Release ChannelAvailableNext Step
Windows Update or Microsoft UpdateYesNone. This update will be downloaded and installed automatically from Windows Update.
Windows Update for BusinessYesNone. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
Microsoft Update CatalogYesTo get the standalone package for this update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS)YesThis update will automatically synchronize with WSUS if you configure Products and Classifications as follows:
Product: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, version 1903 and later, Windows 11, Azure Stack HCI, Azure Data Box
Classification: Security Updates

Prerequisites

Make sure you have the lastest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see ADV990001 | Latest Servicing Stack Updates.

Restart information
Your device does not have to restart when you apply this update. If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device might request a restart.

Update replacement information

This update replaces previously released update KB4535680.

File information

The English (United States) version of this security update installs files that have the attributes that are listed in the following tables.


Read more: KB5012170: Security update for Secure Boot DBX: August 9, 2022
 
Last edited:
Top