KB5012170: Security update for Secure Boot DBX (2023)

Table of Contents
Applies to Summary Known issues How to get this update File information Azure Stack HCI, version 1809 Azure Stack Data Box, version 1809 Windows 11, version 22H2 Windows 11, version 21H2 Windows Server 2022 Windows 10, version 22H2 Windows 10, version 20H2, 21H1, and 21H2 Windows 10, version 1809 and Windows Server 2019 Windows 10, version 1607 and Windows Server 2016 Windows 10, version 1507 Windows 8.1and Windows Server 2012 R2 Windows Server 2012 References Videos

Applies to

This security update applies onlyto the following Windows versions:

    • Windows Server 2012

    • Windows 8.1 and Windows Server 2012 R2

    • Windows 10, version 1507

    • Windows 10, version 1607 and Windows Server 2016

    • Windows 10, version 1809 and Windows Server 2019

    • Windows 10, version 20H2

    • Windows 10, version 21H1

    • Windows 10, version 21H2

    • Windows 10, version 22H2

    • Windows Server 2022

    • Windows 11, version 21H2

    • Windows 11, version 22H2

    • Azure Stack HCI, version 1809

    • Azure Stack Data Box, version 1809 (ASDB)

Summary

This security update makesimprovementsto Secure Boot DBX for the supported Windowsversions listed in the "Applies to" section. Key changes include the following:

    • Windows devices that has Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

      A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

      This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.

To learn more about this security vulnerability, see the following advisory:

    • ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB

For additional information about thissecurity vulnerability, see the following resources:

Known issues

Issue

Next step

Someoriginal equipment manufacturer (OEM) firmware might not allow for the installation of this update.

To resolve this issue, contact your firmware OEM.

If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurationsis enabled and PCR7 is selected by policy, it may result in the update failing to install.

Toview the PCR7 binding status,runthe Microsoft System Information (Msinfo32.exe) tool with administrative permissions.

To workaround this issue, do one of the followingbefore you deploy this update:

  • On a device that does not have Credential Gard enabled, run following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:

    Manage-bde –Protectors –Disable C: -RebootCount 1

    Then, deploy the update and restart the device to resume the BitLocker protection.

  • On a device that hasCredential Guard enabled,run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:

    Manage-bde –Protectors –Disable C: -RebootCount 3

    Then, deploy the update and restart the device to resume the BitLocker protection.

When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922.

Note This issue only affects thissecurity update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates.

This issue can be mitigated on some devices by updating the UEFI bios to the latest version before attempting to install this update.

We are presently investigating and will provide an update in an upcoming release.

Some devices might enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11.

This issue is addressed in theservicing stack updates (SSU) and the latest cumulative updates (LCU) dated July 12, 2022 and later.

How to get this update

Release Channel

Available

Next Step

Windows Update or Microsoft Update

Yes

None. This update will be downloaded and installed automatically from Windows Update.

Windows Update for Business

Yes

None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.

Microsoft Update Catalog

Yes

To get the standalone package for this update, go to theMicrosoft Update Catalogwebsite.

Windows Server Update Services (WSUS)

Yes

This update will automatically synchronize with WSUS if you configureProducts and Classificationsas follows:

Product: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, version 1903 and later, Windows 11, Azure Stack HCI, Azure Data Box

Classification: Security Updates

Prerequisites

Make sure you have the lastest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, seeADV990001 | Latest Servicing Stack Updates.

Restart information

See Also
Windows 10: Block/manage Updates with WuMgr (2021)Security guidelines for system services in Windows Server 2016Windows on Arm documentation

Your device does not have to restart when you apply this update. If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device might request a restart.

Update replacement information

This updatereplaces previously released update KB4535680.

File information

The English (United States) version of this security update installs files that have the attributes that are listed in the following tables.

Azure Stack HCI, version 1809

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

13-Jul-2022

18:12

3

dbxupdate.bin

Not versioned

13-Jul-2022

18:12

13,778

TpmTasks.dll

10.0.17784.2602

20-Jul-2022

21:53

114,688

Azure Stack Data Box, version 1809

File name

File version

Date

Time

File version

dbupdate.bin

Not versioned

13-Jun-2022

21:46

3

dbxupdate.bin

Not versioned

11-Jul-2022

17:50

6,002

TpmTasks.dll

10.0.17763.10933

20-Jul-2022

21:13

84,992

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

13-Jul-2022

18:07

3

dbxupdate.bin

Not versioned

13-Jul-2022

18:07

13,778

TpmTasks.dll

10.0.17763.10933

20-Jul-2022

21:32

110,592

Windows 11, version 22H2

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

16-Jun-2022

19:56

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:18

13,778

TpmTasks.dll

10.0.19041.1880

11-Jul-2022

21:05

296,960

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

6-Jun-2022

18:24

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:16

4,370

TpmTasks.dll

10.0.19041.1880

11-Jul-2022

20:43

324,096
(Video) Microsoft release famous security update KB5012170 fixing a Secure Boot DBX vulnerability

Windows 11, version 21H2

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

23-Apr-2022

14:18

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:06

13,778

TpmTasks.dll

10.0.22000.850

11-Jul-2022

20:34

323,584

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

23-Apr-2022

14:18

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:04

4,370

TpmTasks.dll

10.0.22000.850

11-Jul-2022

20:50

313,856

Windows Server 2022

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

23-Apr-2022

14:18

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:06

13,778

TpmTasks.dll

10.0.22000.850

11-Jul-2022

20:34

323,584

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

23-Apr-2022

14:18

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:04

4,370

TpmTasks.dll

10.0.22000.850

11-Jul-2022

20:50

313,856

Windows 10, version 22H2

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

30-Dec-21

18:29

3

dbxupdate.bin

Not versioned

21-Jul-22

0:24

6,002

TpmTasks.dll

10.0.14393.5285

21-Jul-22

0:25

59,904

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

30-Sep-21

13:17

3

dbxupdate.bin

Not versioned

21-Jul-22

1:38

13,778

TpmTasks.dll

10.0.14393.5285

21-Jul-22

1:42

72,192

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

6-Jun-2022

18:24

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:16

4,370

TpmTasks.dll

10.0.19041.1880

11-Jul-2022

20:43

324,096

Windows 10, version 20H2, 21H1, and 21H2

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

11-Jul-2022

18:16

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:16

6,002

TpmTasks.dll

10.0.19041.1880

11-Jul-2022

20:38

242,688
(Video) Fix Windows Update Failed Error - Secure Boot ( KB5012170 )

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

16-Jun-2022

19:56

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:18

13,778

TpmTasks.dll

10.0.19041.1880

11-Jul-2022

21:05

296,960

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

6-Jun-2022

18:24

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:16

4,370

TpmTasks.dll

10.0.19041.1880

11-Jul-2022

20:43

324,096

Windows 10, version 1809 and Windows Server 2019

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

27-Jun-2022

17:57

3

dbxupdate.bin

Not versioned

11-Jul-2022

17:47

6,002

TpmTasks.dll

10.0.17763.3280

11-Jul-2022

21:36

84,992

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

24-May-2022

12:34

3

dbxupdate.bin

Not versioned

11-Jul-2022

17:50

13,778

TpmTasks.dll

10.0.17763.3280

11-Jul-2022

21:40

110,592

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

24-May-2022

12:33

3

dbxupdate.bin

Not versioned

11-Jul-2022

17:49

4,370

TpmTasks.dll

10.0.17763.3280

11-Jul-2022

21:30

115,712

Windows 10, version 1607 and Windows Server 2016

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

30-Dec-2021

18:29

3

dbxupdate.bin

Not versioned

12-Jul-2022

20:44

6,002

TpmTasks.dll

10.0.14393.5281

12-Jul-2022

20:44

59,904

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

30-Sep-2021

13:17

3

dbxupdate.bin

Not versioned

14-Jul-2022

2:15

13,778

TpmTasks.dll

10.0.14393.5281

14-Jul-2022

2:17

72,192
(Video) Microsoft UEFI DBX security update KB5012170 is failing to install with error 0x800f0922

Windows 10, version 1507

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

11-Jul-2022

18:41

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:41

6,002

TpmTasks.dll

10.0.10240.19297

2-May-2022

16:52

46,080

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

11-Jul-2022

18:41

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:41

13,778

TpmTasks.dll

10.0.10240.19297

2-May-2022

16:56

56,320

Windows 8.1and Windows Server 2012 R2

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

28-Oct-2021

12:35

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:51

6,002

TpmTasks.dll

6.3.9600.20512

11-Jul-2022

20:50

152,576

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

1-Jan-2022

0:00

3

dbxupdate.bin

Not versioned

12-Jul-2022

12:36

13,778

TpmTasks.dll

6.3.9600.20512

12-Jul-2022

14:57

181,760

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

14-Oct-2021

18:42

3

dbxupdate.bin

Not versioned

7-Jun-2022

12:03

7,085

TpmTasks.dll

6.3.9600.20512

11-Jul-2022

20:38

137,216

Windows Server 2012

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

11-Jul-2022

18:14

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:14

6,002

TpmTasks.dll

6.2.9200.23709

21-Apr-2022

12:26

81,408

File name

File version

Date

Time

File size

dbupdate.bin

Not versioned

17-Jun-2022

18:01

3

dbxupdate.bin

Not versioned

11-Jul-2022

18:07

13,778

TpmTasks.dll

6.2.9200.23709

21-Apr-2022

12:45

99,328

References

Learn about the standard terminology that is used to describe Microsoft software updates.

Videos

1. WINDOWS KB5012170 SECURE BOOT DBX UPDATE MAY FAIL!
(EdwardPlaysstuff)
2. Windows 10 11 Users Getting weird old security update KB5012170 Secure boot
(Windows, computers and Technology)
3. How to fix KB5012170 fails to install in Windows 11 (not install)
(IT Networking)
4. Microsoft confirms that security update KB5012170 is available for Windows 11 and Windows 10 22H2
(BrenTech)
5. Unable to update "Secure Boot dbx Configuration Update": Failed to download, server response was 404
([SOLVED] ?)
6. Microsoft security update KB5012170 is now causing boot problems
(BrenTech)
Top Articles
Latest Posts
Article information

Author: Domingo Moore

Last Updated: 01/01/2023

Views: 6076

Rating: 4.2 / 5 (53 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Domingo Moore

Birthday: 1997-05-20

Address: 6485 Kohler Route, Antonioton, VT 77375-0299

Phone: +3213869077934

Job: Sales Analyst

Hobby: Kayaking, Roller skating, Cabaret, Rugby, Homebrewing, Creative writing, amateur radio

Introduction: My name is Domingo Moore, I am a attractive, gorgeous, funny, jolly, spotless, nice, fantastic person who loves writing and wants to share my knowledge and understanding with you.