Update KB5012170 for Secure Boot DBX causes Bitlocker issues

I'll pull out one issue separately that I had already covered in the blog with a note. Update KB5012170, released by Microsoft on August 9, 2022, causes problems on some systems. This security update for the Secure Boot module, which is supposed to prevent the exploitation of vulnerabilities, causes some systems to request the BitLocker key at boot time. Other users get installation errors, and for some the screen remains dark.


Security update KB5012170

Security update KB5012170 (Security update for Secure Boot DBX: August 9, 2022) brings improvements to the Secure Boot DBX for the supported Windows versions by adding new modules to the DBX. The background is vulnerabilities in this environment. I had addressed this update in the blog post Windows Security Update KB5012170 for Secure Boot DBX (August 9, 2022).

Update causes Bitlocker problems

I had seen a user post on a German forum, where someone complained that the system was prompting for the BitLocker key on Windows 11 after installing the update.

Bitlocker needs the key after the update fix KB5012170 fails

Hello All,

after I have updated a few computers of users with Windows 11, the system asks for the bitlocker key after restarting the computer.

This seems to be related to the FIX KB5012170 which failed on install on the affected machines, and does a rollback.

In my blog post linked above, there was the following note from me:

Addendum: Some users are facing an install error 0x800f0922. I have two cases reported by German blog readers – another thread may be found here. The reason could be a system reserved partition that's too small. And there are cases where the manufacturer of the main board (OEM) / firmware maker has to be contacted, because the update can't be installed. In the MS Answers forum there is a thread where a user solved it. He ran the system in BIOS mode, but the update was offered anyway (although it is not applicable in BIOS mode).

Care should also be taken if the BitLocker group policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy. This may cause the BitLocker recovery key to be required on some devices where PCR7 binding is not possible. Details can be found in the KB post.

A later addendum in the forum post above reads: "Check out the "Known Issues" for this. I guess you have to have an "up-to-date BIOS firmware" installed before the fix can be installed."
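
The known issues above (BIOS mode, PCR7 in the validation profile, a recovery key that must be at hand) can be checked on a machine before the update is rolled out. The following PowerShell sketch is an added example, not code from this blog or from Microsoft; it assumes an elevated session and that `manage-bde` prints the PCR list as a line of comma-separated numbers.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-install check for the KB5012170 known issues described above.
$kb     = 'KB5012170'
$drive  = $env:SystemDrive
$report = [ordered]@{}

# 1. Firmware mode: the DBX update is not applicable when Windows runs in BIOS mode.
$report.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

# 2. Secure Boot state. Confirm-SecureBootUEFI throws on non-UEFI platforms.
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = 'not supported on this platform' }

# 3. Is the update already installed?
$report.UpdateInstalled = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# 4. BitLocker state of the OS volume and presence of a recovery password protector.
$vol = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
$report.BitLockerProtection = $vol.ProtectionStatus
$report.HasRecoveryPassword = [bool]($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

# 5. PCR validation profile of the TPM protector. manage-bde text is localized,
#    so match only the numeric list (assumption: e.g. "7, 11" on its own line).
$pcrLine = manage-bde -protectors -get $drive |
    Where-Object { $_ -match '^\s*\d+(\s*,\s*\d+)*\s*$' } |
    Select-Object -First 1
if ($pcrLine) {
    $report.PcrProfile = $pcrLine.Trim()
    $report.UsesPCR7   = ($pcrLine -split ',').Trim() -contains '7'
} else {
    $report.PcrProfile = 'no TPM protector found'
    $report.UsesPCR7   = $false
}

[pscustomobject]$report | Format-List

# Warnings for the cases named in the post.
if ($report.FirmwareType -ne 'Uefi') {
    Write-Warning "$kb is not applicable: system is not booted in UEFI mode."
}
if ($report.BitLockerProtection -eq 'On' -and -not $report.HasRecoveryPassword) {
    Write-Warning "BitLocker is on but no recovery password protector exists on $drive."
}
if ($report.UsesPCR7 -and -not $report.UpdateInstalled) {
    Write-Warning "TPM protector is bound to PCR7: have the recovery key available before installing $kb."
}
```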

Another message from a user

Blog reader Cornelia contacted me by email this morning (thanks for that) because she became aware of this issue through customers and wrote:


Good morning

This might be something for the blog.

The installation of a Windows 11 update can lead to the Bitlocker Recovery Key having to be entered when rebooting.

Yesterday, a customer contacted us in despair because she only saw a blue screen – without text – after she had probably pressed Esc. In the course of later analysis in our office, the familiar Bitlocker view came up at some point. Fortunately, we were able to find the key thanks to her Microsoft account.

Today we already had another laptop requesting the key.

She had even read my note in the blog post Windows Security Update KB5012170 for Secure Boot DBX (August 9, 2022), but didn't immediately locate it. She wrote me, "Yes, I had read the note about TPM and PCR7 in the post, but assumed that was only relevant for domain computers where a server-side group policy is applied. That's why I had more or less ignored it."

A problem update

Colleagues at Bleeping Computer have explicitly addressed it again in this post today (following a report from The Register). Microsoft Answers also has this forum post, and reddit.com has a discussion of the issue here. There are also cases where the machine only starts with a black screen. In addition, there are a number of people for whom the update installation aborts with an error. The only thing that helps here is to contact the OEM for the BIOS/UEFI to clarify whether there is an update for this component.


2 Responses to Update KB5012170 for Secure Boot DBX causes Bitlocker issues

  1. EP says:

    KB5012170 feels like a similar fiasco again with the old KB4535680 secure boot dbx update that you mentioned early last year:
    https://borncity.com/win/2021/02/16/windows-10-lst-kb4535680-ein-bitlocker-recovery-aus/
