KB5012170: Security update for Secure Boot DBX
NOTE Improved diagnostics have been added to detect and report issue details through the event log. Please see KB5016061: Addressing vulnerable and revoked Boot Managers for more information.
Applies to
This security update applies only to the following Windows versions:
- Windows Server 2012
- Windows 8.1 and Windows Server 2012 R2
- Windows 10, version 1507
- Windows 10, version 1607 and Windows Server 2016
- Windows 10, version 1809 and Windows Server 2019
- Windows 10, version 20H2
- Windows 10, version 21H1
- Windows 10, version 21H2
- Windows 10, version 22H2
- Windows Server 2022
- Windows 11, version 21H2
- Windows 11, version 22H2
- Azure Stack HCI, version 1809
- Azure Stack Data Box, version 1809 (ASDB)
Summary
This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:
To learn more about this security vulnerability, see the following advisory:
- Windows devices that has Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.
A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.
This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
For additional information about this security vulnerability, see the following resources:
- CVE-2022-34301 | Eurosoft Boot Loader Bypass
- CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass
- CVE-2022-34303 | Crypto Pro Boot Loader Bypass
Known issues
Issue Next step If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.
To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.To workaround this issue, do one of the following before you deploy this update:
- On a device that does not have Credential Gard enabled, run following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:
Manage-bde –Protectors –Disable C: -RebootCount 1
Then, deploy the update and restart the device to resume the BitLocker protection.- On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:
Manage-bde –Protectors –Disable C: -RebootCount 3
Then, deploy the update and restart the device to resume the BitLocker protection.When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922.
Note This issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates.To resolve this issue, install the Servicing Stack Update (SSU) released March 14, 2023, or a later SSU update, for your supported Windows operating system:
For information about the new error events added by these SSU updates and actions to take when an error occurs, see KB5016061.
- Windows 11, version 22H2 SSU (SSU installed from cumulative update KB5023706)
- Windows 11, version 21H2 SSU (SSU installed from cumulative update KB5023698)
- Windows Server 2022 SSU (SSU installed from cumulative update KB5023705)
- Windows 10, version 20H2, 21H2, and 22H2 SSU (SSU installed from cumulative update KB5023696)
- Windows 10, version 1809/Windows Server 2019 (SSU installed from cumulative update KB5023702)
- Windows Server 2016 SSU KB5023788
- Windows 10 SSU KB5023787
- Windows Server 2012 R2 SSU KB5023790
- Windows Server 2012 SSU KB5023791
Some devices might enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11. This issue is addressed in the servicing stack updates (SSU) and the latest cumulative updates (LCU) dated July 12, 2022 and later. How to get this update
Prerequisites
Release Channel Available Next Step Windows Update or Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update. Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website. Windows Server Update Services (WSUS) Yes This update will automatically synchronize with WSUS if you configure Products and Classifications as follows:
Product: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, version 1903 and later, Windows 11, Azure Stack HCI, Azure Data Box
Classification: Security Updates
Make sure you have the lastest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see ADV990001 | Latest Servicing Stack Updates.
Restart information
Your device does not have to restart when you apply this update. If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device might request a restart.
Update replacement information
This update replaces previously released update KB4535680.
Source:
KB5012170: Security update for Secure Boot DBX - Microsoft Support
support.microsoft.com
Check Windows Updates
Direct download links for KB5012170 MSU file from Microsoft Update Catalog:
Download KB5012170 MSU for Windows 11 v22H2 64-bit (x64) - 182 KB
Download KB5012170 MSU for Windows 11 v22H2 ARM64 - 207 KB
