[German]Another short addendum from patchday, August 9, 2022. A security update for the Secure Boot module was also provided there by Microsoft. It is a security update for the Secure Boot (DBX) that can be used by Windows on UEFI machines. The update affects all versions of Windows that are still in support. Addendum: Some users are facing an install error 0x800f0922.
Advertising
An anonymous blog reader pointed out security update KB5012170 (Security update for Secure Boot DBX: August 9, 2021) in this comment. Here is some information about it.
Background to update KB5012170
Windows devices with UEFI (Unified Extensible Firmware Interface)-based firmware can be operated with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents the loading of UEFI modules. The security update KB5012170 (Security update for Secure Boot DBX: August 9, 2022) brings improvements to the Secure Boot DBX for the supported Windows versions by adding new modules to the DBX.
The reason for this addition: there is a vulnerability in bypassing security features during secure boot. An attacker who successfully exploited this vulnerability could bypass the safe boot process and load untrusted software. Details about this vulnerability can be found in the following documents:
- ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB
- CVE-2022-34301 | Eurosoft Boot Loader Bypass
- CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass
- CVE-2022-34303 | Crypto Pro Boot Loader Bypass
Affected Windows versions
Security update KB5012170 is available for the following Windows versions when installed on UEFI hardware.
- Windows Server 2012
- Windows 8.1 and Windows Server 2012 R2
- Windows 10, version 1507
- Windows 10, version 1607 and Windows Server 2016
- Windows 10, version 1809 and Windows Server 2019
- Windows 10, version 20H2
- Windows 10, version 21H1
- Windows 10, version 21H2
- Windows Server 2022
- Windows 11, version 21H2 (original release)
- Azure Stack HCI, version 1809
- Azure Stack Data Box, version 1809 (ASDB)
Windows 7 or 32-bit Windows versions are not supported. The update is deployed via Windows Update, via WSUS, in the Microsoft Update Catalog, and via Windows Update for Business.
Advertising
What to note
If you want to install the update, you should read the notes in KB5012170. Some original equipment manufacturer (OEM) firmware may not allow installation of this update. Contact your firmware OEM to resolve this issue.
Addendum: Some users are facing an install error 0x800f0922. I have two cases reported by German blog readers – another thread may be found here. The reason could a system reserved partition, that's to small. And there are cases, that the manufacturer of the main board (OEM) / firmware maker has to bee contacted, because the update can't be installed. In the MS answers forum is a thread, where a user solved it. He run the system in BIOS mode, but the update has been offered (although it not applyable in BIOS mode).
Care should also be taken if the BitLocker group policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy. This may cause this to require the BitLocker recovery key on some devices where PCR7 binding is not possible. Details can be found in the KB post.
Similar article:
Microsoft Office Updates (August 2, 2022)
Microsoft Security Update Summary (August 9, 2022)
Patchday: Windows 10-Updates (August 9, 2022)
Patchday: Windows 11/Server 2022-Updates (August 9, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (August 9, 2022)
Patchday: Microsoft Office Updates (August 9, 2022)
error 0x800f0922 when installing KB5012170 is now listed as one of the "known issues" in MS support article 5012170
also, the KB5012170 update is even offered thru WU to my Win10 LTSC machines that use legacy BIOS (aka non-UEFI). hid that update using wushowhide.diagcab
"32-bit Windows versions are not supported"
not true this time for KB5012170. there are also x86/32bit editions of KB5012170 available on MS Update Catalog:
https://www.catalog.update.microsoft.com/Search.aspx?q=kb5012170%20×86
only Win7 is not supported
Thx for mention! That was also reported by German readers – I have had not the time to mentioned it here (it's some times a challenge, to run two IT blogs in German and English as a "one man show", so the English blog comes always on 2nd place (due to the amount of daily users).
Concerning the 32-bit version: Users should be careful – in my understanding, the UEFI mode is suitable for 64-bit Windows (mainly). 32-bit systems are using CSM mainly – which could end in an install error.
guenni
the KB5012170 updates are no longer needed or "not applicable" when the May 2023 cumulative updates for win10/win11 are installed.
The very same is true for all supported Windows Server versions: While TpmTasks.dll was updated in all cumulative OS update before, the May OS updates also include dbxupdate.bin, obviously making May OS updates technically supersede KB5012170. Trying to nevertheless installing these August 22 updates afterwards results in 0x80240017 = WU_E_NOT_APPLICABLE. Note that Microsoft by design does not maintain supersedence relationships between security-only updates (like KB5012170) and cumulative updates (like KB5026362).