Windows Security Update KB4535680 for Secure Boot (DBX)

Microsoft released update KB4535680 on January 12, 2021. It is a security update for the Secure Boot Forbidden Signature Database (DBX) on Windows systems that run on UEFI machines.

A German blog reader pointed out security update KB4535680 (Security update for Secure Boot DBX: January 12, 2021) in a comment. Here is some information about it.

Some Background about Update KB4535680

Windows devices with UEFI (Unified Extensible Firmware Interface) firmware can run with Secure Boot enabled. Secure Boot only starts UEFI modules (boot managers, loaders, option ROMs) whose signing certificate or hash is in the allowed signature database (db), and it refuses any module whose certificate or hash appears in the Secure Boot Forbidden Signature Database (DBX), the revocation list. Security update KB4535680 (Security update for Secure Boot DBX: January 12, 2021) adds new entries to the DBX on the supported Windows versions, so the affected boot modules can no longer be loaded.

The reason for the addition is a vulnerability that allows Secure Boot's protections to be bypassed: an attacker who successfully exploits it could bypass Secure Boot and load untrusted software. Because the vulnerable components are validly signed, the fix is to revoke them in the DBX rather than to patch them, which is why this update ships separately from the cumulative update. Details about the vulnerability can be found in CVE-2020-0689 | Microsoft Secure Boot Security Feature Bypass Vulnerability.
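As an added example that is not part of the KB article or of Microsoft's tooling, the following PowerShell decodes the DBX variable of the local machine into its individual entries, which makes visible what "adding modules to the DBX" means: each entry is either the SHA-256 hash of one revoked boot binary or a revoked certificate. It assumes only the EFI_SIGNATURE_LIST layout and the two signature-type GUIDs from the UEFI specification; the function and variable names are my own.

```powershell
# Added example (not part of the KB article or Microsoft tooling): decode the
# local Secure Boot DBX into its entries. Run from an elevated PowerShell on a
# UEFI machine; Get-SecureBootUEFI throws on legacy-BIOS machines.

# Signature-type GUIDs defined by the UEFI specification
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Read-EfiSignatureLists {
    # Parses a blob of consecutive EFI_SIGNATURE_LIST structures (db and dbx
    # both use this layout) and emits one object per contained entry.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16) | ListSize (4) | HeaderSize (4) | SignatureSize (4)
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }

        $kind = if ($type -eq $EFI_CERT_SHA256_GUID) { 'SHA256' }
                elseif ($type -eq $EFI_CERT_X509_GUID) { 'X509' }
                else { $type.ToString() }

        $dataStart = $offset + 28 + $headerSize
        $count     = [int](($listSize - 28 - $headerSize) / $sigSize)
        for ($i = 0; $i -lt $count; $i++) {
            $entry = $dataStart + $i * $sigSize
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by the payload,
            # a raw SHA-256 digest for SHA256 lists or a DER certificate for X509 lists
            $owner = [guid]::new([byte[]]$Bytes[$entry..($entry + 15)])
            $data  = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
            $value = if ($kind -eq 'SHA256') {
                ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            } else {
                "$($data.Length)-byte $kind blob"
            }
            [pscustomobject]@{ Type = $kind; Owner = $owner; Value = $value }
        }
        $offset += $listSize
    }
}

# Usage: read the live DBX and summarise it. After KB4535680 the SHA256 count
# is higher than before; every added hash is one revoked boot module.
$dbx     = (Get-SecureBootUEFI -Name dbx).Bytes
$entries = Read-EfiSignatureLists -Bytes $dbx
$entries | Group-Object Type | Select-Object Name, Count
$entries | Where-Object Type -eq 'SHA256' | Select-Object -First 5 -ExpandProperty Value
```

Running this before and after the update and comparing the SHA256 counts is the simplest way to confirm that the firmware actually accepted the new DBX contents, rather than trusting the update's installation status alone.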

Affected Windows versions

Security update KB4535680 is available for the following Windows versions when installed on UEFI hardware.

  • Windows Server 2012 (x64)
  • Windows Server 2012 R2 (x64)
  • Windows 8.1 (x64)
  • Windows Server 2016 (x64)
  • Windows Server 2019 (x64)
  • Windows 10, version 1607 (x64)
  • Windows 10, version 1803 (x64)
  • Windows 10, version 1809 (x64)
  • Windows 10, version 1909 (x64)

Windows 7 or 32-bit Windows versions are not supported.


What's important to know

Those who want to install the update should first make sure that the servicing stack update (SSU) listed in the following table for their Windows version is installed.

Product                                        SSU Package   Date Released
Windows Server 2012                            KB4566426     July 2020
Windows 8.1 / Server 2012 R2                   KB4524445     July 2020
Windows 10                                     KB4565911     July 2020
Windows 10 1607 / Server 2016                  KB4576750     September 2020
Windows 10 1803 / Windows Server, version 1803 KB4580398     October 2020
Windows 10 1809 / Server 2019                  KB4598480     January 2021
Windows 10 1909 / Windows Server, version 1909 KB4598479     January 2021

Microsoft states that the updates should be installed in the following order:

  • Servicing stack update
  • Standalone Secure Boot update (KB4535680)
  • January 2021 security update (the cumulative update)

In the KB article, Microsoft points out that the firmware of some manufacturers' devices will not accept this update. Care is also needed if the BitLocker group policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy: PCR7 measures the Secure Boot policy, DBX included, so the update changes the PCR7 value, and on devices where the TPM protector cannot be bound to PCR7 this can cause the BitLocker recovery key to be requested at the next boot. Have the recovery key at hand, or suspend BitLocker for one reboot before installing. Details can be found in the KB post.
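As an added example (not from the KB article or Microsoft's tooling), the following PowerShell script, saved as a .ps1 and run elevated, carries out the checks above before the update is installed: it verifies that the machine is UEFI with Secure Boot, looks up the SSU for the running build using the table above, checks whether that SSU and KB4535680 are already present, and inspects the PCR profile of the BitLocker TPM protector, optionally suspending BitLocker for one reboot. The build-number-to-SSU mapping, the CurrentVersion registry path and the parsing of manage-bde's English output are my assumptions; the unversioned "Windows 10" row of the table is left out because the page does not say which build it covers.

```powershell
# Added example (not Microsoft's procedure or tooling): pre-flight checks and
# the install order for KB4535680. Run as Administrator.
$SuspendBitLocker = $false   # set to $true to suspend BitLocker for one reboot automatically

# 1. UEFI with Secure Boot? On a legacy-BIOS machine Confirm-SecureBootUEFI
#    throws, and the DBX update has nothing to apply to there.
try {
    $secureBootOn = Confirm-SecureBootUEFI
} catch {
    Write-Warning "No UEFI Secure Boot support: $($_.Exception.Message). KB4535680 is not applicable."
    return
}
Write-Host "Secure Boot enabled: $secureBootOn"

# 2. Which servicing stack update must already be present for this build
#    (build numbers are my mapping of the table rows to OS releases)
$ssuByBuild = @{
    9200  = 'KB4566426'   # Windows Server 2012
    9600  = 'KB4524445'   # Windows 8.1 / Server 2012 R2
    14393 = 'KB4576750'   # Windows 10 1607 / Server 2016
    17134 = 'KB4580398'   # Windows 10 1803 / Windows Server, version 1803
    17763 = 'KB4598480'   # Windows 10 1809 / Server 2019
    18363 = 'KB4598479'   # Windows 10 1909 / Windows Server, version 1909
}
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
$ssu   = $ssuByBuild[$build]
if (-not $ssu) { Write-Warning "Build $build is not in the KB4535680 support list"; return }

$packages  = Get-WindowsPackage -Online
$hasSsu    = [bool]($packages | Where-Object PackageName -like "*$ssu*")
$hasDbxUpd = [bool]($packages | Where-Object PackageName -like '*KB4535680*')
Write-Host "Required SSU $ssu installed: $hasSsu"
Write-Host "KB4535680 already installed: $hasDbxUpd"
if (-not $hasSsu) { Write-Warning "Install $ssu before KB4535680." }

# 3. BitLocker and PCR7: PCR7 measures the Secure Boot policy, DBX included, so
#    the update changes PCR7. A TPM protector bound to PCR7 on a device that
#    cannot re-bind will trigger a recovery-key prompt at the next boot.
$osDrive = $env:SystemDrive
$vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
if ($vol -and $vol.ProtectionStatus -eq 'On') {
    $mbde = (& manage-bde.exe -protectors -get $osDrive) -join "`n"
    # manage-bde prints the profile on the line after "PCR Validation Profile:" (English output assumed)
    $pcrs = if ($mbde -match 'PCR Validation Profile:\s*\n\s*([\d ,]+)') { $Matches[1].Trim() } else { 'unknown' }
    Write-Host "BitLocker on $osDrive is On; TPM PCR validation profile: $pcrs"
    if ($pcrs -match '\b7\b') {
        Write-Warning "Protector is bound to PCR7. Have the recovery key at hand, or suspend protection for one reboot."
        if ($SuspendBitLocker) {
            Suspend-BitLocker -MountPoint $osDrive -RebootCount 1 | Out-Null
            Write-Host "BitLocker suspended for the next reboot; it re-arms automatically afterwards."
        }
    }
}

# 4. Install in Microsoft's order, each .msu fetched from the Microsoft Update
#    Catalog (paths are placeholders): SSU, then the standalone Secure Boot
#    update, then the January 2021 cumulative update; reboot when prompted.
#   wusa.exe "C:\Updates\<ssu>.msu"         /quiet /norestart
#   wusa.exe "C:\Updates\<kb4535680>.msu"   /quiet /norestart
#   wusa.exe "C:\Updates\<january-lcu>.msu" /quiet /norestart
#   Restart-Computer
```

The BitLocker step is the one most likely to bite on a fleet: run the script in audit mode (the default) first, collect the PCR profiles, and only enable the suspend switch on machines whose recovery keys are escrowed.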

Similar articles:
Microsoft Office Patchday (January 5, 2021)
Microsoft Security Update Summary (January 12, 2021)
Patchday: Windows 10-Updates (January 12, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (January 12, 2021)
Patchday: Windows 8.1/Server 2012-Updates (January 12, 2021)
Patchday Microsoft Office Updates (January 12, 2021)


2 Responses to Windows Security Update KB4535680 for Secure Boot (DBX)

  1. EP says:

    WU seems to offer the KB4535680 update to non-UEFI based PCs (a.k.a. PCs with legacy BIOS) and not just to PCs using UEFI.

    I had to hide KB4535680 using either WuMgr or Windows Update MiniTool after doing a WU scan on an old non-UEFI PC running Win10 LTSC 2019 v1809.
