Windows Secure Boot (DBX) Update KB4535680 offered on BIOS Systems

[German]Microsoft has released the Windows security update KB4535680 for Secure Boot (DBX). The update will be offered via Windows Update. Some users with BIOS boards are also receiving this update. Here are a few remarks about that topics.


Advertising

What is Update KB4535680?

KB4535680 is a security update for Secure Boot DBX, released on January 12, 2021. It is intended to close vulnerabilities on UEFI systems that use Secure Boot on Windows. Specifically, the update adds fixes to the Secure Boot Forbidden Signature Database (DBX). The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. The security update adds new modules to the DBX, according to Microsoft. 

Microsoft writes in its support post that security update KB4535680 is available for subsequent Windows versions when installed on UEFI hardware.

  • Windows Server 2012 x64-bit
  • Windows Server 2012 R2 x64-bit
  • Windows 8.1 x64-bit
  • Windows Server 2016 x64-bit
  • Windows Server 2019 x64-bit
  • Windows 10, version 1607 x64-bit
  • Windows 10, version 1803 x64-bit
  • Windows 10, version 1809 x64-bit
  • Windows 10, version 1909 x64-bit

I had reported about the update in the blog post Windows Security Update KB4535680 for Secure Boot (DBX). ThereI also described there what else has to be considered in terms of boundary conditions. 

The UEFI secure boot update is offered on BIOS systems

Up to this point, everything is still fine, the update is offered on the affected systems via Windows Update, and that’s it. But it can also be distributed via WSUS and downloaded from the Microsoft Update Catalog. But blog reader EP has just left a comment, reporting the following observation:

WU seems to offer the KB4535680 update to non-UEFI based PCs (aka. PCs with legacy BIOS) and not just to only PCs using UEFI

I had to hide KB4535680 using either Wumgr or windows update minitool after doing a WU scan on an old non-uefi PC running Win10 LTSC 2019 v1809

He/she was puzzled, that Microsoft offers a security patch dedicated for UEFI systems via Windows Update also on BIOS systems, where it is pretty useless. This makes no sense at all – in the best case, this update is discarded during the installation as soon as it detects that there is no UEFI. In the dumbest case, the update fails during installation.


Advertising

However, since Microsoft no longer offers the option to hide the update package offered in Windows Update in Windows 10, EP had to use to a third-party tool like Windows Update Minitool or the Microsoft help tool Wumgr to hide the update. I had asked within my German blog, if anyone else made this observation. I got the feedback, that many users has been offered this update on BIOS systems. Some installed it, some blocked this update from installation.

Update KB4535680 should not harm

Here is some background, a German user sheded on this case. The update patches the following files on the Windows drive:

C:\Windows\System32\SecureBootUpdates\dbupdate.bin
C:\Windows\System32\SecureBootUpdates\dbxupdate.bin

On UEFI systems with secure book, the files are loaded during boot time. On BIOS systems, where no UEFI and no secure boot is present, these two files are just ignored. Beside the fact, that this update leaves some unnecessary clutter on a BIOS system, it should not harm.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Update, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *