The Secure Boot DBX update KB5012170, which was first rolled out on August 9, 2022, still seems to cause trouble in December 2022. I have reported on it several times in this blog. In the follow-up to the patchday on Dec. 13, 2022, Microsoft admitted that this update can lead to the installation error 0x800F0922. Affected are all clients from Windows 10 onward and all servers from 2012 onward. Below is a brief follow-up.
Secure Boot DBX Update KB5012170
Microsoft released the security update KB5012170 (Security update for Secure Boot DBX) on August 9, 2022 (see also Windows Security Update KB5012170 for Secure Boot DBX (August 9, 2022)). The reason was a vulnerability that allowed a bypass of Secure Boot. The background is that Windows devices with UEFI (Unified Extensible Firmware Interface)-based firmware can be operated with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents the UEFI modules listed in it from being loaded.
The update was supposed to update the signatures in this database, but it led to various problems. Some systems ran into BitLocker problems, as I described in the blog post Update KB5012170 for Secure Boot DBX causes Bitlocker issues. The bug is now listed in the Known Issues of support post KB5012170.
Furthermore, the installation error 0x800F0922 could occur if an incompatible UEFI was present. I had briefly mentioned this in the blog post Windows 11 22H2: Secure Boot DBX Update KB5012170 (Dec. 2022). This bug is also listed in the Known Issues of the support article KB5012170.
Renewed rollouts of KB5012170
Actually, the issue should have been settled after the first rollout of update KB5012170 in August 2022. But Microsoft must have rolled out revised versions again. I had already addressed this in October, after a reader tip, in the blog post Windows Update KB5012170 (Secure Boot DBX) re-released for WSUS (Oct. 2022). Revised metadata was probably the reason the update was offered again in WSUS.
In December 2022, the update KB5012170 was then rolled out for Windows 11 22H2 (see Windows 11 22H2: Secure Boot DBX Update KB5012170 (Dec. 2022)). Reason: this Windows 11 version had not yet been released in August 2022, so it did not receive the update at that time. Furthermore, I read a post from Aboddi on the patchmanagement.org mailing list (see Google Group) on Dec. 8, 2022, stating that Windows 10 22H2 also received the update.
Installation error 0x800F0922 confirmed
On December 14, 2022, Microsoft then confirmed the 0x800F0922 installation error, for example on the Windows Server 2022 Release Health status page. The Known Issues section there contains the entry "KB5012170 might fail to install and you might receive a 0x800f0922 error". Microsoft writes that the installation of update KB5012170 may fail with error 0x800f0922. The following Windows clients are affected:
- Windows 11, version 22H2
- Windows 11, version 21H2
- Windows 10, version 22H2
- Windows 10, version 21H2
- Windows 10, version 21H1
- Windows 10, version 20H2
- Windows 10 Enterprise LTSC 2019
- Windows 10 Enterprise LTSC 2016
- Windows 10 Enterprise 2015 LTSB
- Windows 8.1
and the following Windows Server versions:
- Windows Server 2022
- Windows Server, version 20H2
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
Microsoft is currently investigating the problem and will provide an update in an upcoming release. Furthermore, Microsoft has stated since August 2022 that the problem can be fixed on some devices by updating the UEFI BIOS to the latest version before installing KB5012170.
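To see where a given machine stands with respect to the points above (Secure Boot state, UEFI firmware version, BitLocker, and whether KB5012170 installed or failed), the following PowerShell sketch collects them in one report. It is an added example, not code from this article or from Microsoft; it only reads state, should be run from an elevated PowerShell session, and assumes that failed installations are logged as event ID 20 of the Microsoft-Windows-WindowsUpdateClient provider in the System log.

```powershell
# Added example: read-only inventory of the facts this article ties to KB5012170.
$kb = 'KB5012170'

# Confirm-SecureBootUEFI throws on legacy-BIOS systems and when not elevated.
try {
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    $secureBoot = $null
}

# Firmware version and date, to compare against the vendor's latest UEFI release.
$bios = Get-CimInstance -ClassName Win32_BIOS

# Is the update already recorded as installed?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# BitLocker state of the OS volume (the cmdlet is absent if the feature is not installed).
$bitlocker = $null
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bitlocker = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
}

# Installation failures for this KB recorded by the Windows Update client.
$failures = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id           = 20
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $kb }

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OS              = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    SecureBoot      = if ($null -eq $secureBoot) { 'Not UEFI or not readable' }
                      elseif ($secureBoot) { 'Enabled' } else { 'Disabled' }
    FirmwareVendor  = $bios.Manufacturer
    FirmwareVersion = $bios.SMBIOSBIOSVersion
    FirmwareDate    = $bios.ReleaseDate
    KBInstalled     = [bool]$hotfix
    KBInstalledOn   = $hotfix.InstalledOn
    BitLocker       = $bitlocker.ProtectionStatus
    FailedAttempts  = @($failures).Count
    LastFailure     = ($failures | Select-Object -First 1).TimeCreated
    Saw0x800F0922   = [bool]($failures | Where-Object { $_.Message -match '0x800f0922' })
}
```

A machine that reports Secure Boot enabled, an old firmware date, and failed attempts with 0x800f0922 matches the case for which Microsoft suggests updating the UEFI firmware first.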
Microsoft Office Updates (December 6, 2022)
Microsoft Security Update Summary (December 13, 2022)
Patchday: Windows 10-Updates (December 13, 2022)
Patchday: Windows 11/Server 2022-Updates (December 13, 2022)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (December 13, 2022)
Patchday: Microsoft Office Updates (December 13, 2022)
Windows: 0Patch Micropatch for MOTOW ZIP file bug (0-day, no CVE)
Microsoft confirms Direct Access issues after Nov. 2022 updates
DirectAccess fails after Windows Updates from November 2022
Windows Server November 2022 updates cause LSASS memory leak
Windows Security Update KB5012170 for Secure Boot DBX (August 9, 2022)
Update KB5012170 for Secure Boot DBX causes Bitlocker issues
Windows Update KB5012170 (Secure Boot DBX) re-released for WSUS (Oct. 2022)
Windows 11 22H2: Secure Boot DBX Update KB5012170 (Dec. 2022)
Thank you for posting about this issue (again). My older Asus system still refuses this update, presumably because of incompatible BIOS. It was fixed by the August update, but is now broken (again) by the December update. Sigh.
You may deactivate the broken KB5012170 by downloading and running wushowhide.diagcab from Microsoft (usage and link in https://www.tenforums.com/tutorials/8280-hide-show-windows-updates-windows-10-a.html), that's what I did twice: first for Win 10 21H2, now for Win 10 22H2.