You are currently offline, waiting for your internet to reconnect

MS16-100: Description of the security update for Secure Boot: August 9, 2016

Summary
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker installs an affected boot manager and bypasses Windows security features.

To learn more about the vulnerability, see Microsoft Security Bulletin MS16-100.
More information
Important

  • All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.
  • If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
More information

Known issues in this security update

  • When you try to install this security update, you may receive an error message that resembles the following:

    The update is not applicable to your computer


    Each Windows version requires a Servicing Stack Update (SSU). If you install updates by using Windows Update, Windows Server Update Services (WSUS), or the Microsoft Update Catalog, an SSU is automatically installed as part of the update. If you receive this error message, and if security update 3172729 is not already installed, you must install the corresponding SSU.
    OS VersionSSU KB #
    Windows Server 2016 TP53173423
    Windows Server 20123173426
    Windows 10 Version 15113173428
    Windows 103173427
    Windows 8.1 or Windows Server 2012 R2 3173424
  • If you are running Windows 10 Version 1607 (Anniversary Edition), the Hyper-V firmware will already have the TP5 boot manager blacklisted.

    For example, when you set up Hyper-V on a Windows 10 Version 1607-based system, if you then create a Windows Server 2016 TP5-based virtual machine (VM), the VM does not start.

    To resolve this issue, follow these steps:

    1. Open the Hyper-V Manager, right-click the VM, and then select Settings.
    2. In the navigation pane, select Security.
    3. In the details pane, select Microsoft UEFI Certificate Authority in the Template list.
    4. In the details pane, click to clear the Enable Secure Boot check box, and then click OK.

      SecBoot
    After you have installed TP5 on the VM and installed security update 3172729, re-enable secure boot. To do this, follow these steps:
    1. Open the Hyper-V Manager, right-click the VM, and then select Settings.
    2. In the navigation pane, select Security.
    3. In the details pane, click to select the Enable Secure Boot check box.
    4. In the details pane, select Microsoft Windows in the Template list, and then click OK. SecrureBoot
How to obtain and install the update

Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, seeGet security updates automatically.

Note For Windows RT 8.1, this update is available through Windows Update only.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

For Windows 8.1, Windows Server 2012 R2 and Windows Server 2012, you can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

Click the download link in Microsoft Security Bulletin MS16-100 that corresponds to the version of Windows that you are running.
More information

How to obtain help and support for this security update

Help for installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help for protecting your Windows-based computer from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support
File Information

File hash information

File nameSHA1 hashSHA256 hash
Windows10.0-KB3172729-v2-x64.msu (Windows Server 2016 TP5)19975CEF3C9B73FD9C09EB497364D9E8AF2384FE AC7443BFD844837B3C715793B7726F12734A76F8BB2EABD9F356981639C93398
Windows10.0-KB3172729-x64.msu (Windows 10 Version 1511)18DF742FAD6BEBC01E617C2D4F92E0D325E5138FF5B55D436056A905E755984D457BAC67295AD3E11531A6C33F3812CFB63CE010
Windows10.0-KB3172729-x86.msu (Windows 10 Version 1511)877795F675546BF16621464230D024863F9E512E6FEF8B54487B61676A6825BB2E68ED865DA81C8C108ABD93991D0FCCA722297A
Windows10.0-KB3172729-x64.msu3721C0D77731CA564387070698812DD496810BD8A4FE15534B7DD88DF4ADC73D68943EA340AF79EE79DD57360A19FC3D1F1CBD7C
Windows10.0-KB3172729-x86.msu2CCD3AF51D198B548C849226F66C81174303AAA3D05A11100EC2EA00F50140E3B0BFD08B48C364E5D381F23096CE8C661652096D
Windows8-RT-KB3172729-x64.msu69CAB4C7785B1FAA3FC450F32BED4873D53BB96F349D5602181E776DBF7FDADBAE9543181C53690FC1D1BDD891266E3A57F246D1
Windows8.1-KB3172729-x86.msuACB9DD33C1657AC9189158C1176E91540BA60CA3C7EA1C520FCCADE22FF0610DA99BFC5A5F9FF2B4F7AB861D2786AF0683436BE5
Windows8.1-KB3172729-x64.msuE8003822A7EF4705CBB65623B72FD3CEC73FE222D0FF89261A961F4C86D10BF5FCFAEAD9C3488DAB065C2C7338649B52A82112AB

File information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.

Windows Server 2016 TP5

For all supported x64-based versions
File nameFile versionFile sizeDateTimePlatform
Boot.stlNot applicable4,84615-Jul-201600:54Not applicable
Bootmgfw.efi10.0.14368.10001,183,58415-Jul-201600:54Not applicable
Bootmgr.efi10.0.14300.10501,164,77615-Jul-201604:24Not applicable
Bootmgfw.efi10.0.14368.10001,183,58415-Jul-201600:54Not applicable
Dbupdate.binNot applicable330-May-201600:49Not applicable
Dbxupdate.binNot applicable7,08502-Jul-201603:09Not applicable
Abortpxe.comNot applicable7931-May-201604:48Not applicable
Bootmgr.exe10.0.14300.1050671,72015-Jul-201604:17x86
Hdlscom1.comNot applicable25,66231-May-201604:48Not applicable
Hdlscom1.n12Not applicable25,64631-May-201604:48Not applicable
Hdlscom2.comNot applicable25,66231-May-201604:48Not applicable
Hdlscom2.n12Not applicable25,64631-May-201604:48Not applicable
Pxeboot.comNot applicable25,35831-May-201604:48Not applicable
Pxeboot.n12Not applicable25,35831-May-201604:48Not applicable
Wdsnbp.comNot applicable30,83231-May-201604:48Not applicable
Abortpxe.comNot applicable7931-May-201604:48Not applicable
Bootmgfw.efi10.0.14368.1000991,58415-Jul-201600:58Not applicable
Bootmgr.exe10.0.14300.1050671,72015-Jul-201604:17x86
Hdlscom1.comNot applicable25,66231-May-201604:48Not applicable
Hdlscom1.n12Not applicable25,64631-May-201604:48Not applicable
Hdlscom2.comNot applicable25,66231-May-201604:48Not applicable
Hdlscom2.n12Not applicable25,64631-May-201604:48Not applicable
Pxeboot.comNot applicable25,35831-May-201604:48Not applicable
Pxeboot.n12Not applicable25,35831-May-201604:48Not applicable
Wdsnbp.comNot applicable30,83231-May-201604:48Not applicable

Windows 10 Version 1511 file information

For all supported x64-based versions
File nameFile versionFile sizeDateTimePlatform
Dbupdate.binNot applicable331-Mar-201501:31Not applicable
Dbxupdate.binNot applicable7,08513-Jul-201601:17Not applicable
For all supported x86-based versions
File nameFile versionFile sizeDateTimePlatform
Dbupdate.binNot applicable331-Mar-201501:16Not applicable
Dbxupdate.binNot applicable7,08513-Jul-201601:23Not applicable

Windows 10 file information

For all supported x64-based versions
File nameFile versionFile sizeDateTimePlatform
Dbupdate.binNot applicable318-Jun-201501:16Not applicable
Dbxupdate.binNot applicable7,08516-Jul-201601:53Not applicable
For all supported x86-based versions
File nameFile versionFile sizeDateTimePlatform
Dbupdate.binNot applicable327-Mar-201521:47Not applicable
Dbxupdate.binNot applicable7,08516-Jul-201601:50Not applicable

Windows Server 2012 file information

Notes
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    Version Product Milestone Service branch
    6.2.920 0.17xxxWindows 8, Windows RT, or Windows Server 2012RTMGDR
    6.2.920 0.21xxxWindows 8, Windows RT, or Windows Server 2012RTMLDR
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.
For all supported x64-based versions
File nameFile versionFile sizeDateTimePlatform
Dbupdate.binNot applicable302-Jun-201214:53Not applicable
Dbxupdate.binNot applicable7,08509-Jul-201601:13Not applicable
Tpmtasks.dll6.2.9200.2192694,20812-Jul-201615:57x64

Windows 8.1 and Windows Server 2012 R2 file information

Notes
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.3.960 0.16xxxWindows RT 8.1, Windows 8.1, and Windows Server 2012 R2RTMGDR
    6.3.960 0.17xxxWindows RT 8.1, Windows 8.1, and Windows Server 2012 R2RTMGDR
    6.3.960 0.18xxxWindows RT 8.1, Windows 8.1, and Windows Server 2012 R2RTMGDR
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.
For all supported x86-based versions
File nameFile versionFile sizeDateTimePlatform
Dbupdate.binNot applicable318-Jun-201313:05Not applicable
Dbxupdate.binNot applicable7,08508-Jul-201613:35Not applicable
Tpmtasks.dll6.3.9600.18408147,45612-Jul-201614:04x86
For all supported x64-based versions
File nameFile versionFile sizeDateTimePlatform
Dbupdate.binNot applicable318-Jun-201315:29Not applicable
Dbxupdate.binNot applicable7,08508-Jul-201613:36Not applicable
Tpmtasks.dll6.3.9600.18408175,61612-Jul-201614:08x64
malicious attacker exploit
Properties

Article ID: 3172729 - Last Review: 08/24/2016 21:58:00 - Revision: 4.0

Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows 8.1 Enterprise, Windows 8.1 Pro, Windows 8.1, Windows RT 8.1, Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2012 Foundation

  • atdownload kbbug kbexpertiseinter kbfix kbsecbulletin kbsecurity kbsecvulnerability KB3172729
Feedback