KB5012170: Security update for Secure Boot DBX - Microsoft Support
Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX. A security feature bypass vulnerability exists in Secure Boot.
Microsoft guidance for applying Secure Boot DBX update (KB4575994)
Provides guidance for installing a DBX update to fix a vulnerability that exists in some Secure Boot modules if they trust the Microsoft third-party UEFI CA.
KB4535680: Security update for Secure Boot DBX: January 12, 2021
To resolve this issue, contact your firmware OEM. If the BitLocker Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy, it may result in the BitLocker recovery key being required on some devices where PCR7 binding is not possible.
KB5025885: How to manage the Windows Boot Manager revocations for ...
Step 1: Install the Windows security update released on or after July 9, 2024, on all supported versions. Step 2: Evaluate the changes and how they affect your environment. Step 3: Enforce the changes. All Windows devices with Secure Boot protections enabled are affected by the BlackLotus bootkit.
KB5016061: Secure Boot DB and DBX variable update events
To help keep Windows devices secure, Microsoft adds vulnerable bootloader modules to the Secure Boot DBX revocation list (maintained in the system UEFI-based firmware) to invalidate the vulnerable modules.
Description of the update rollup of revoked noncompliant UEFI modules ...
Provides a link to Microsoft security advisory (2962824): Update rollup of revoked noncompliant UEFI modules.
MS16-100: Description of the security update for Secure Boot: August 9 ...
To get the stand-alone package for this update, go to the Microsoft Update Catalog website. For Windows 8.1, Windows Server 2012 R2 and Windows Server 2012, you can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.
Security update for Windows 10, version 1507, Windows 8.1, Server 2012 ...
Learn about security update KB4502496, including improvements and fixes, any known issues, and how to get the update.
Microsoft security advisory: Update to revoke noncompliant UEFI boot ...
Restart the computer by using recovery media (on USB, DVD, or network (PXE) boot), and then perform recovery operations. For more information, go to the following Microsoft webpage:
Security update for Windows 10, version 1607, 1703, 1709, 1803, 1809 ...
Learn about security update KB4524244, including improvements and fixes, any known issues, and how to get the update.