Windows 10: KB5012170 --- secure boot?

fpefpe · Jan 14, 2023

Hello --- there seems to be much written about this fix/patch but what I don't understand why is MS trying to apply this to old computer that are BIOS/MBR units? I just updated an old computer from win7 to win10 22H2 and update tried to apply this patch 2 times and failed --- it does not make sense --- is MS listening?

:)

Blue O · Jan 14, 2023

KB5012170: Security update for Secure Boot DBX: August 9, 2022 - Install error - 0x800f0922

I've been fighting the same issues all day. KB5012170 fails to install with error 0x800f0922. Looking through C:\Windows\Logs\CBS\CBS.log reveals errors pointing to BitLocker (which is a red herring) and Secure Boot (the real culprit).

I finally got it to install successfully as follows:

1. Open a cmd.exe or powershell.exe window running as Administrator

2. dism.exe /online /cleanup-image /restorehealth

3. sfc /scannow

4. Reboot

5. Manually download the MSU appropriate for your Windows version directly from the Microsoft Update Catalog here: Microsoft Update Catalog

6. Double click the MSU file to install

This still didn't work for me, but it did clean up the CBS store and allowed me to successfully install the August 2022 Cumulative Update. However, manually installing KB5012170 still failed with the same error as Windows Update in Settings: 0x800f0922

Next, I also performed these additional steps:

7. Reboot into UEFI BIOS

8. Enabled Secure Boot (it was disabled in my case) => Note: This alone didn't work for me. I also needed to do the next step.

9. Clear Secure Boot keys (i.e. reset the Secure Boot keys to default factory settings)

10. Save and exit UEFI BIOS

After this, I repeated Steps 1-6 above and the KB5012170 MSU package successfully installed.

Not sure if this will work for everyone, but since KB5012170 updates the Secure Boot Forbidden Signature Database (DBX) in UEFI, clearing the old and potentially stale boot keys and resetting to factory defaults allowed the update to install required changes to DBX.

Motherboard: Asrock Z87 Extreme6/ac

grooner · Jan 14, 2023

KB5012170: Security update for Secure Boot DBX: August 9, 2022 - Install error - 0x800f0922

...

Next, I also performed these additional steps:

7. Reboot into UEFI BIOS

8. Enabled Secure Boot (it was disabled in my case) => Note: This alone didn't work for me. I also needed to do the next step.

9. Clear Secure Boot keys (i.e. reset the Secure Boot keys to default factory settings)

10. Save and exit UEFI BIOS

After this, I repeated Steps 1-6 above and the KB5012170 MSU package successfully installed.

Not sure if this will work for everyone, but since KB5012170 updates the Secure Boot Forbidden Signature Database (DBX) in UEFI, clearing the old and potentially stale boot keys and resetting to factory defaults allowed the update to install required changes to DBX.
Click to expand...

Its temporarily disabling Secure Boot that's allowed me - and others - to install the update.

Loading default factory keys is an important step in allowing Secure Boot to be Enabled.

I'm not sure I would reset them after enabling Secure Boot or understand that doing this removes "old and potentially stale boot keys" - there can either be the factory default keys needed for Windows or custom keys.

Also the DBX seems to be a forbidden signatures database - something different from the keys.

Secure Boot keys settings should be changed with care as doing it the wrong way leads to a boot loops on some systems.

Brink · Jan 14, 2023

KB5012170: Security update for Secure Boot DBX: August 9, 2022

KB5012170: Security update for Secure Boot DBX: August 9, 2022

Applies to

This security update applies only to the following Windows versions:

Windows Server 2012

Windows 8.1 and Windows Server 2012 R2

Windows 10, version 1507

Windows 10, version 1607 and Windows Server 2016

Windows 10, version 1809 and Windows Server 2019

Windows 10, version 20H2

Windows 10, version 21H1

Windows 10, version 21H2

Windows Server 2022

Windows 11, version 21H2 (original release)

Azure Stack HCI, version 1809

Azure Stack Data Box, version 1809 (ASDB)

Summary

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:

Windows devices that has Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.

To learn more about this security vulnerability, see the following advisory:

ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB

For additional information about this security vulnerability, see the following resources:

CVE-2022-34301 | Eurosoft Boot Loader Bypass

CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass

CVE-2022-34303 | Crypto Pro Boot Loader Bypass

Known issues

[table][tr][td]Issue[/td] [td]Next step[/td] [/tr] [tr][td]Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.[/td] [td]To resolve this issue, contact your firmware OEM.[/td] [/tr] [tr][td]If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install. To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.[/td] [td]To workaround this issue, do one of the following before you deploy this update:

On a device that does not have Credential Gard enabled, run following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle: Manage-bde –Protectors –Disable C: -RebootCount 1 Then, deploy the update and restart the device to resume the BitLocker protection.

On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles: Manage-bde –Protectors –Disable C: -RebootCount 3 Then, deploy the update and restart the device to resume the BitLocker protection.

[/td] [/tr] [tr][td]When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922. Note This issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates released on August 9, 2022.[/td] [td]This issue can be mitigated on some devices by updating the UEFI bios to the latest version before attempting to install this update. We are presently investigating and will provide an update in an upcoming release.[/td] [/tr] [tr][td]Some devices might enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11.[/td] [td]If your device is prompting for a BitLocker Recovery key, you will need to supply it to start Windows. For more information, see Finding your BitLocker recovery key in Windows. If you have not installed this update and have BitLocker enabled on your device, follow the instructions below to temporarily suspend BitLocker before installing. If you have installed this update and have not yet restarted your device or have only restarted your device once, temporarily suspend BitLocker by using the instructions below. IMPORTANT: If you have restarted your device two times or more after installing this update, your device is not affected by this issue. To temporarily suspend BitLocker, or to avoid a BitLocker recovery when deploying this update, follow these steps:

Run the following command from an Administrator command prompt: Manage-bde -protectors -disable %systemdrive% -rebootcount 2

Install this update, if not already installed.

Restart the device.

Then, restart the device a second time.

BitLocker should automatically be enabled after two restarts. If you want to manually resume BitLocker to verify that it is enabled, use the following command: Manage-bde -protectors -Enable %systemdrive%

Status: We are working on a resolution and will provide an update in an upcoming release.[/td] [/tr] [/table]

How to get this update

[table][tr]Release Channel Available Next Step [/tr] [tr][td]Windows Update or Microsoft Update[/td] [td]Yes[/td] [td]None. This update will be downloaded and installed automatically from Windows Update.[/td] [/tr] [tr][td]Windows Update for Business[/td] [td]Yes[/td] [td]None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.[/td] [/tr] [tr][td]Microsoft Update Catalog[/td] [td]Yes[/td] [td]To get the standalone package for this update, go to the Microsoft Update Catalog website.[/td] [/tr] [tr][td]Windows Server Update Services (WSUS)[/td] [td]Yes[/td] [td]This update will automatically synchronize with WSUS if you configure Products and Classifications as follows: Product: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, version 1903 and later, Windows 11, Azure Stack HCI, Azure Data Box Classification: Security Updates[/td] [/tr] [/table]

Prerequisites

Make sure you have the lastest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see ADV990001 | Latest Servicing Stack Updates.

Restart information
Your device does not have to restart when you apply this update. If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device might request a restart.

Update replacement information

This update replaces previously released update KB4535680.

File information

The English (United States) version of this security update installs files that have the attributes that are listed in the following tables.
Click to expand...

Read more: https://support.microsoft.com/en-us/...8-c42bd211bb15

Windows 10: KB5012170 --- secure boot?

KB5012170 --- secure boot?

KB5012170 --- secure boot?

KB5012170 --- secure boot?

KB5012170 --- secure boot? - Similar Threads - KB5012170 secure boot

KB5012170 Secure Boothole is already installed.

KB5012170 Secure Boothole is already installed.

KB5012170 Secure Boothole is already installed.

Security Update KB5012170

Security Update KB5012170

Security Update KB5012170

KB5012170 --- secure boot?

KB5012170 --- secure boot?

KB5012170: Security update for Secure Boot DBX: August 9, 2022 - Install error - 0x800f0922