Applies to

This security update applies only to the following Windows versions:

    • Windows Server 2012

    • Windows 8.1 and Windows Server 2012 R2

    • Windows 10, version 1507

    • Windows 10, version 1607 and Windows Server 2016

    • Windows 10, version 1809 and Windows Server 2019

    • Windows 10, version 20H2

    • Windows 10, version 21H1

    • Windows 10, version 21H2

    • Windows Server 2022

    • Windows 11, version 21H2 (original release)

    • Azure Stack HCI, version 1809

    • Azure Stack Data Box, version 1809 (ASDB)

Summary

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following: 

    • Windows devices that have Unified Extensible Firmware Interface (UEFI)-based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules whose signatures it lists from loading. This update adds modules to the DBX.

      A security feature bypass vulnerability exists in Secure Boot. An attacker who successfully exploited the vulnerability might bypass Secure Boot and load untrusted software.

      This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
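As an added illustration (not part of this article or of Microsoft's update tooling), the following Python decodes the structure of an authenticated DBX update payload such as dbxupdate.bin and lists the EFI_SIGNATURE_LIST entries it would add to the forbidden database. The sample blob is constructed inline with made-up hash values, and the PKCS#7 signature in the payload is decoded but not verified.

```python
import struct
import uuid

# GUIDs and constants from the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7 = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_TIME_SIZE = 16  # EFI_TIME timestamp that opens EFI_VARIABLE_AUTHENTICATION_2

def parse_dbx_update(blob):
    """Decode an authenticated DBX payload into (pkcs7_bytes, [(kind, owner, data)]).
    The PKCS#7 signature is not verified here; firmware checks it against the KEK."""
    length, _rev, cert_type = struct.unpack_from("<IHH", blob, EFI_TIME_SIZE)
    if cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not an EFI_VARIABLE_AUTHENTICATION_2 payload")
    # dwLength covers the 8-byte WIN_CERTIFICATE header, the 16-byte CertType GUID and CertData
    pkcs7 = blob[EFI_TIME_SIZE + 24 : EFI_TIME_SIZE + length]
    pos, entries = EFI_TIME_SIZE + length, []
    while pos < len(blob):  # one or more EFI_SIGNATURE_LIST structures follow
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < 28 or sig_size <= 16 or pos + list_size > len(blob):
            raise ValueError("malformed or truncated EFI_SIGNATURE_LIST")
        kind = {EFI_CERT_SHA256: "sha256", EFI_CERT_X509: "x509"}.get(sig_type, str(sig_type))
        sig_pos = pos + 28 + hdr_size
        while sig_pos + sig_size <= pos + list_size:  # EFI_SIGNATURE_DATA: owner GUID + data
            owner = uuid.UUID(bytes_le=blob[sig_pos:sig_pos + 16])
            data = blob[sig_pos + 16 : sig_pos + sig_size]
            entries.append((kind, owner, data.hex() if kind == "sha256" else data))
            sig_pos += sig_size
        pos += list_size
    return pkcs7, entries

def build_sample_update(hashes, pkcs7=b"\x30\x00"):
    """Construct a minimal DBX update blob for testing; the PKCS#7 is a placeholder."""
    auth = struct.pack("<IHH", 8 + 16 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    auth += EFI_CERT_TYPE_PKCS7.bytes_le + pkcs7
    body = b"".join(uuid.UUID(int=0).bytes_le + h for h in hashes)  # owner GUID + SHA-256
    siglist = EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body
    return bytes(EFI_TIME_SIZE) + auth + siglist

# Constructed sample: two made-up hash values, not hashes of any real UEFI module
SAMPLE_DBX = build_sample_update([bytes([0x11]) * 32, bytes([0x22]) * 32])

if __name__ == "__main__":
    for kind, owner, data in parse_dbx_update(SAMPLE_DBX)[1]:
        print(kind, owner, data)
```

Running it against a real dbxupdate.bin lets an administrator see which Authenticode hashes (or certificates) the package revokes before deploying it.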

To learn more about this security vulnerability, see the following advisory:

For additional information about this security vulnerability, see the following resources: 

Known issues

Issue: Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.

Next step: To resolve this issue, contact your firmware OEM.

Issue: If the BitLocker Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy, the update might fail to install.

Next step: To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.

To work around this issue, do one of the following before you deploy this update:

  • On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:

    Manage-bde -Protectors -Disable C: -RebootCount 1

    Then, deploy the update and restart the device to resume the BitLocker protection.

  • On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:

    Manage-bde -Protectors -Disable C: -RebootCount 3

    Then, deploy the update and restart the device to resume the BitLocker protection.

Issue: When you attempt to install this update, it might fail to install, and you might receive Error 0x800f0922.

Note This issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates released on August 9, 2022.

Next step: This issue can be mitigated on some devices by updating the UEFI BIOS to the latest version before attempting to install this update.

We are presently investigating and will provide an update in an upcoming release.

Issue: Some devices might enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11.

If your device is prompting for a BitLocker Recovery key, you will need to supply it to start Windows. For more information, see Finding your BitLocker recovery key in Windows.

Next step: If you have not installed this update and have BitLocker enabled on your device, follow the instructions below to temporarily suspend BitLocker before installing.

If you have installed this update and have not yet restarted your device, or have only restarted it once, temporarily suspend BitLocker by using the instructions below.

IMPORTANT: If you have restarted your device two times or more after installing this update, your device is not affected by this issue.

To temporarily suspend BitLocker, or to avoid a BitLocker recovery when deploying this update, follow these steps:

  1. Run the following command from an Administrator command prompt:

    Manage-bde -protectors -disable %systemdrive% -rebootcount 2

  2. Install this update, if not already installed.

  3. Restart the device.

  4. Then, restart the device a second time.

  5. BitLocker should resume automatically after two restarts. If you want to manually resume BitLocker to verify that it is enabled, use the following command:

    Manage-bde -protectors -Enable %systemdrive%

Status: We are working on a resolution and will provide an update in an upcoming release.

How to get this update

Windows Update or Microsoft Update
  Available: Yes
  Next step: None. This update will be downloaded and installed automatically from Windows Update.

Windows Update for Business
  Available: Yes
  Next step: None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.

Microsoft Update Catalog
  Available: Yes
  Next step: To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows Server Update Services (WSUS)
  Available: Yes
  Next step: This update will automatically synchronize with WSUS if you configure Products and Classifications as follows:
    Product: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, version 1903 and later, Windows 11, Azure Stack HCI, Azure Data Box
    Classification: Security Updates

Prerequisites

Make sure you have the latest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see ADV990001 | Latest Servicing Stack Updates.

Restart information 

Your device does not have to restart when you apply this update. If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device might request a restart. 

Update replacement information 

This update replaces previously released update KB4535680.

File information

The English (United States) version of this security update installs files that have the attributes that are listed in the following tables. 

Azure Stack HCI, version 1809

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     13-Jul-2022  18:12  3
dbxupdate.bin  Not versioned     13-Jul-2022  18:12  13,778
TpmTasks.dll   10.0.17784.2602   20-Jul-2022  21:53  114,688

Azure Stack Data Box, version 1809

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     13-Jun-2022  21:46  3
dbxupdate.bin  Not versioned     11-Jul-2022  17:50  6,002
TpmTasks.dll   10.0.17763.10933  20-Jul-2022  21:13  84,992

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     13-Jul-2022  18:07  3
dbxupdate.bin  Not versioned     13-Jul-2022  18:07  13,778
TpmTasks.dll   10.0.17763.10933  20-Jul-2022  21:32  110,592

Windows 11 (original release)

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     23-Apr-2022  14:18  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:06  13,778
TpmTasks.dll   10.0.22000.850    11-Jul-2022  20:34  323,584

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     23-Apr-2022  14:18  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:04  4,370
TpmTasks.dll   10.0.22000.850    11-Jul-2022  20:50  313,856

Windows Server 2022

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     23-Apr-2022  14:18  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:06  13,778
TpmTasks.dll   10.0.22000.850    11-Jul-2022  20:34  323,584

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     23-Apr-2022  14:18  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:04  4,370
TpmTasks.dll   10.0.22000.850    11-Jul-2022  20:50  313,856

Windows 10, version 20H2, 21H1, and 21H2

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     11-Jul-2022  18:16  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:16  6,002
TpmTasks.dll   10.0.19041.1880   11-Jul-2022  20:38  242,688

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     16-Jun-2022  19:56  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:18  13,778
TpmTasks.dll   10.0.19041.1880   11-Jul-2022  21:05  296,960

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     6-Jun-2022   18:24  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:16  4,370
TpmTasks.dll   10.0.19041.1880   11-Jul-2022  20:43  324,096

Windows 10, version 1809 and Windows Server 2019

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     27-Jun-2022  17:57  3
dbxupdate.bin  Not versioned     11-Jul-2022  17:47  6,002
TpmTasks.dll   10.0.17763.3280   11-Jul-2022  21:36  84,992

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     24-May-2022  12:34  3
dbxupdate.bin  Not versioned     11-Jul-2022  17:50  13,778
TpmTasks.dll   10.0.17763.3280   11-Jul-2022  21:40  110,592

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     24-May-2022  12:33  3
dbxupdate.bin  Not versioned     11-Jul-2022  17:49  4,370
TpmTasks.dll   10.0.17763.3280   11-Jul-2022  21:30  115,712

Windows 10, version 1607 and Windows Server 2016

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     30-Dec-2021  18:29  3
dbxupdate.bin  Not versioned     12-Jul-2022  20:44  6,002
TpmTasks.dll   10.0.14393.5281   12-Jul-2022  20:44  59,904

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     30-Sep-2021  13:17  3
dbxupdate.bin  Not versioned     14-Jul-2022  2:15   13,778
TpmTasks.dll   10.0.14393.5281   14-Jul-2022  2:17   72,192

Windows 10, version 1507

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     11-Jul-2022  18:41  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:41  6,002
TpmTasks.dll   10.0.10240.19297  2-May-2022   16:52  46,080

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     11-Jul-2022  18:41  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:41  13,778
TpmTasks.dll   10.0.10240.19297  2-May-2022   16:56  56,320

Windows 8.1 and Windows Server 2012 R2

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     28-Oct-2021  12:35  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:51  6,002
TpmTasks.dll   6.3.9600.20512    11-Jul-2022  20:50  152,576

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     1-Jan-2022   0:00   3
dbxupdate.bin  Not versioned     12-Jul-2022  12:36  13,778
TpmTasks.dll   6.3.9600.20512    12-Jul-2022  14:57  181,760

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     14-Oct-2021  18:42  3
dbxupdate.bin  Not versioned     7-Jun-2022   12:03  7,085
TpmTasks.dll   6.3.9600.20512    11-Jul-2022  20:38  137,216

Windows Server 2012

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     11-Jul-2022  18:14  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:14  6,002
TpmTasks.dll   6.2.9200.23709    21-Apr-2022  12:26  81,408

File name      File version      Date         Time   File size
dbupdate.bin   Not versioned     17-Jun-2022  18:01  3
dbxupdate.bin  Not versioned     11-Jul-2022  18:07  13,778
TpmTasks.dll   6.2.9200.23709    21-Apr-2022  12:45  99,328

References

Learn about the standard terminology that is used to describe Microsoft software updates.
