Microsoft has released update KB4535680 on January 12, 2021. It is a security update for the Secure Boot Forbidden Signature Database (DBX) used by Windows on UEFI machines.
A German blog reader pointed out security update KB4535680 (Security update for Secure Boot DBX: January 12, 2021) in this comment. Here is some information about it.
Some Background about Update KB4535680
Windows devices with UEFI (Unified Extensible Firmware Interface)-based firmware can be operated with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) blocks the loading of UEFI modules whose signatures have been revoked. The security update KB4535680 (Security update for Secure Boot DBX: January 12, 2021) improves the Secure Boot DBX on the supported Windows versions by adding new module signatures to the DBX.
The reason for this addition: a vulnerability has been found that allows bypassing security features in Secure Boot. An attacker who successfully exploited this vulnerability could bypass Secure Boot and load untrusted software. Details about this vulnerability can be found in CVE-2020-0689 | Microsoft Secure Boot Security Feature Bypass Vulnerability.
Affected Windows versions
Security update KB4535680 is available for the following Windows versions when installed on UEFI hardware.
- Windows Server 2012 x64-bit
- Windows Server 2012 R2 x64-bit
- Windows 8.1 x64-bit
- Windows Server 2016 x64-bit
- Windows Server 2019 x64-bit
- Windows 10, version 1607 x64-bit
- Windows 10, version 1803 x64-bit
- Windows 10, version 1809 x64-bit
- Windows 10, version 1909 x64-bit
Windows 7 or 32-bit Windows versions are not supported.
What's important to know
Those who want to install the update should make sure that the servicing stack updates (SSUs) listed in the following table are installed.
| Product | SSU Package | Date Released |
|---|---|---|
| Windows Server 2012 | 4566426 | July 2020 |
| Windows 8.1/Server 2012 R2 | 4524445 | July 2020 |
| Windows 10 | 4565911 | July 2020 |
| Windows 10 Version 1607/Server 2016 | 4576750 | September 2020 |
| Windows 10 1803/Windows Server, version 1803 | 4580398 | October 2020 |
| Windows 10 1809/Server 2019 | 4598480 | January 2021 |
| Windows 10 1909/Windows Server, version 1909 | 4598479 | January 2021 |
Microsoft states that the following installation sequence should be followed:
- Servicing Stack Update
- Standalone Secure Boot Update
- January 2021 security update
In the KB article, Microsoft points out that some manufacturers do not allow the installation of this update. Care should also be taken if the BitLocker group policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy. This may cause the BitLocker recovery key to be required on some devices where PCR7 binding is not possible. Details can be found in the KB post.
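The checks above (UEFI with Secure Boot, the prerequisite SSU, the BitLocker PCR7 binding) can be run in one pre-flight script before installing KB4535680. This is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on the target machine, maps OS build numbers to the SSU packages from the table above, and assumes the plain "Windows 10" row refers to the original 1507 release (build 10240).

```powershell
# Pre-flight check for KB4535680 (added example; assumptions noted in comments).
# Build -> SSU map taken from the article's table; 10240 = 1507 is an assumption.
$SsuByBuild = @{
    9200  = 4566426   # Windows Server 2012
    9600  = 4524445   # Windows 8.1 / Server 2012 R2
    10240 = 4565911   # "Windows 10" row, assumed to be 1507
    14393 = 4576750   # Windows 10 1607 / Server 2016
    17134 = 4580398   # Windows 10 1803 / Server, version 1803
    17763 = 4598480   # Windows 10 1809 / Server 2019
    18363 = 4598479   # Windows 10 1909 / Server, version 1909
}

$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
Write-Host "OS: $($os.Caption) build $build, firmware: $env:firmware_type"

# 1. The DBX update only matters on UEFI systems with Secure Boot available.
#    On legacy BIOS, Confirm-SecureBootUEFI throws; treat that as not applicable.
try {
    Write-Host "Secure Boot enabled: $(Confirm-SecureBootUEFI)"
} catch {
    Write-Warning "Not a UEFI system or Secure Boot unavailable; KB4535680 does not apply."
    return
}

# 2. The SSU must be installed before the standalone Secure Boot update.
$ssu = $SsuByBuild[$build]
if (-not $ssu) {
    Write-Warning "Build $build is not in the SSU table; consult the KB article."
} elseif (Get-HotFix -Id "KB$ssu" -ErrorAction SilentlyContinue) {
    Write-Host "Prerequisite SSU KB$ssu is installed."
} else {
    Write-Warning "Install SSU KB$ssu first, then KB4535680, then the January 2021 security update."
}

# 3. Record the current DBX size so the change can be confirmed after installation.
$dbx = Get-SecureBootUEFI -Name dbx
Write-Host "Current DBX size: $($dbx.Bytes.Length) bytes"

# 4. BitLocker caveat: if the OS drive's TPM protector validates PCR7,
#    keep the recovery key at hand before rebooting with the updated DBX.
if (Get-Command manage-bde -ErrorAction SilentlyContinue) {
    $pcr = manage-bde -protectors -get $env:SystemDrive 2>$null |
           Select-String 'PCR Validation Profile' | Select-Object -First 1
    if ($pcr -and $pcr.Line -match '\b7\b') {
        Write-Warning "TPM protector is bound to PCR7: $($pcr.Line.Trim())"
    }
}
```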
Similar articles:
Microsoft Office Patchday (January 5, 2021)
Microsoft Security Update Summary (January 12, 2021)
Patchday: Windows 10-Updates (January 12, 2021)
Patchday: Windows 7/Server 2008 R2 Updates (January 12, 2021)
Patchday: Windows 8.1/Server 2012-Updates (January 12, 2021)
Patchday Microsoft Office Updates (January 12, 2021)
guenni
WU seems to offer the KB4535680 update to non-UEFI-based PCs (aka PCs with legacy BIOS) and not just to PCs using UEFI.
I had to hide KB4535680 using either WuMgr or Windows Update MiniTool after doing a WU scan on an old non-UEFI PC running Win10 LTSC 2019 v1809.
Thanks, will drop a short note on my German blog to see if there are other users affected.
Addendum: Got the feedback that it did no harm to let the update install – it's probably skipped on non-UEFI systems. See my blog post Windows Secure Boot (DBX) Update KB4535680 offered on BIOS Systems