
Summary

To help keep Windows devices secure, Microsoft adds the hashes of vulnerable bootloader modules to the Secure Boot DBX revocation list (a UEFI variable stored in the device firmware) so that the firmware refuses to load those modules. When the updated DBX revocation list is installed on a device, Windows first checks whether the device is in a state where the DBX update can be applied to the firmware without leaving the device unbootable or in BitLocker recovery, and it logs an error event if a problem is detected.

More information

When one of these vulnerable modules is detected on the device, an event log entry is created that warns about the situation and includes the name of the detected module. The event log entry contains details that resemble the following:

Event log: System
Event source: TPM-WMI
Event ID: <Event ID number>
Level: Error
Event message text: <message text>

Event IDs

When the updated DBX revocation list is installed on a device, Windows checks whether the device depends on one of the revoked modules to start. If it does, the update of the DBX list in the firmware is deferred, because revoking a boot manager that the device still needs would prevent it from booting. On each restart, the device is rescanned to determine whether the vulnerable module has been replaced and whether it is now safe to apply the updated DBX list.

Take action

In most cases, the vendor of the vulnerable module has an updated version that addresses the vulnerability. Contact your vendor to get the update. Until the revoked module is replaced, the DBX update stays deferred and Event ID 1033 is logged again on each restart.

Event log information

Event ID 1033 will be logged when a vulnerable boot loader that has been revoked by this update is detected on your device.

Event log: System
Event source: TPM-WMI
Event ID: 1033
Level: Error
Event message text: Potentially revoked boot manager was detected in EFI partition. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
Event Data BootMgr: <path and name of vulnerable file>

Event ID 1032 is logged when BitLocker on the system drive is configured in such a way that applying the Secure Boot DBX list to the firmware would cause BitLocker to enter recovery mode (the Secure Boot variables are measured into the TPM, so changing DBX changes the measurements that a TPM-based protector is sealed to). The resolution is to suspend BitLocker temporarily for 2 restart cycles so that the update can be installed.

Take action

To resolve this issue, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:

  • Manage-bde -Protectors -Disable %systemdrive% -RebootCount 2

While BitLocker is suspended, the volume key is stored unprotected on the disk, so keep the device physically secure until protection resumes.

Then, restart the device two times. BitLocker resumes protection automatically after the second restart, once the DBX update has been applied.

To make sure that BitLocker protection has been resumed, run the following command after restarting two times and check that Protection Status reports "Protection On":

  • Manage-bde -Status %systemdrive%

If Protection Status still reports "Protection Off", resume protection manually:

  • Manage-bde -Protectors -Enable %systemdrive%
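The same procedure as a PowerShell script, added here as an example and not part of the Microsoft article: it checks that the system drive is actually BitLocker-protected before suspending, suspends for two restarts with the BitLocker module's Suspend-BitLocker cmdlet (the cmdlet equivalent of the manage-bde command above), and provides a check to run after the second restart that resumes protection if it did not come back on its own. The function names are the example's own.

```powershell
# Added example: suspend BitLocker on the OS volume for two restarts so the deferred
# Secure Boot DBX update (Event ID 1032) can be written to firmware, then verify.
# Run from an elevated PowerShell session; requires the BitLocker module.

function Suspend-BitLockerForDbxUpdate {
    param(
        [string]$MountPoint = $env:SystemDrive,   # e.g. "C:"
        [int]$RebootCount = 2                     # same as manage-bde -RebootCount 2
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted' -or $vol.KeyProtector.Count -eq 0) {
        Write-Warning "$MountPoint is not BitLocker protected; nothing to suspend."
        return $vol
    }
    if ($vol.ProtectionStatus -eq 'Off') {
        Write-Warning "BitLocker protection on $MountPoint is already suspended."
        return $vol
    }
    # Equivalent to: manage-bde -protectors -disable <drive> -RebootCount 2
    # Protection resumes automatically after $RebootCount restarts.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount
}

function Test-BitLockerResumed {
    # Run after the second restart. Returns $true when protection is on again;
    # if it is still suspended, resumes it (manage-bde -protectors -enable).
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is still off on $MountPoint; resuming now."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    return ($vol.ProtectionStatus -eq 'On')
}

# Usage (before the restarts):
#   Suspend-BitLockerForDbxUpdate
# Usage (after the second restart):
#   if (-not (Test-BitLockerResumed)) { Write-Error "BitLocker protection could not be resumed" }
```

Get-BitLockerVolume reports ProtectionStatus as On or Off, which is the same value manage-bde -status prints as Protection Status; checking it after the restarts is the confirmation step rather than blindly re-enabling protectors.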

Event log information

Event ID 1032 will be logged when the configuration of BitLocker on the system drive would cause the system to go into BitLocker recovery if the Secure Boot update is applied.

Event log: System
Event source: TPM-WMI
Event ID: 1032
Level: Error
Event message text: The Secure Boot update was not applied due to a known incompatibility with the current BitLocker configuration.

Event ID 1795 is logged when the firmware returns an error while the updated DBX revocation list is being written to it. Windows records the error code in the event and tries to apply the DBX list to the firmware again on the next system restart.

Take action

Contact your device manufacturer to determine whether a firmware update is available, and quote the firmware error code from the event. Because Windows retries on every restart, the event will repeat until the firmware accepts the variable write.

Event log information

Event ID 1795 will be logged when the firmware in the device returns an error. The event log entry will include the error code returned from the firmware.

Event log: System
Event source: TPM-WMI
Event ID: 1795
Level: Error
Event message text: The system firmware returned an error <firmware error code> when attempting to update a Secure Boot variable. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

Event ID 1796 is logged when an error that is not covered by the events above occurs while the updated DBX revocation list is being applied. Windows records the error code in the event and tries to apply the DBX list to the firmware again on the next system restart.

Event log information

Event ID 1796 occurs when an unexpected error is encountered. The event log entry will include the error code for the unexpected error.

Event log: System
Event source: TPM-WMI
Event ID: 1796
Level: Error
Event message text: The Secure Boot update failed to update a Secure Boot variable with error <error code>. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
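The following PowerShell script is an added example, not part of the Microsoft article, that pulls the four TPM-WMI events described above (1032, 1033, 1795, 1796) out of the System log with their event data, and then answers the question the events leave open: has the DBX revocation list actually reached the firmware? It does so by reading the dbx variable with Get-SecureBootUEFI and parsing it as a sequence of UEFI EFI_SIGNATURE_LIST structures, returning the SHA-256 hashes the firmware currently revokes. Assumptions: an elevated session on a UEFI system with Secure Boot; EventData fields are keyed by their Name attribute where the event provides one (the article shows the field "BootMgr" for 1033) and by position otherwise; the function names and the summary text in the Meaning column are the example's own.

```powershell
# Added example: triage Secure Boot DBX update events and verify the firmware's dbx contents.
# Requires an elevated PowerShell session on a UEFI system with Secure Boot.

function Get-SecureBootDbxEvents {
    param([int]$MaxEvents = 100)
    $filter = @{ LogName = 'System'; ProviderName = 'TPM-WMI'; Id = 1032, 1033, 1795, 1796 }
    # Get-WinEvent reports "No events were found" as an error; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Collect EventData fields, keyed by Name attribute (e.g. BootMgr) or by position.
            $fields = [ordered]@{}
            $xml = [xml]$_.ToXml()
            foreach ($node in $xml.Event.EventData.ChildNodes) {
                $name = $node.GetAttribute('Name')
                if (-not $name) { $name = "Data$($fields.Count)" }
                $fields[$name] = $node.InnerText
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Meaning     = switch ($_.Id) {
                    1033 { 'Revoked boot manager still on the EFI partition; DBX update deferred (get the vendor update)' }
                    1032 { 'DBX update deferred: BitLocker configuration would trigger recovery (suspend BitLocker for 2 restarts)' }
                    1795 { 'Firmware returned an error writing a Secure Boot variable; retried at next restart (check for a firmware update)' }
                    1796 { 'Unexpected error writing a Secure Boot variable; retried at next restart' }
                }
                Data        = ($fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
            }
        }
}

function Get-DbxSha256Entries {
    # Parses the dbx variable (a sequence of EFI_SIGNATURE_LIST structures) and returns the
    # SHA-256 hashes it revokes as lowercase hex strings. Certificate entries are skipped.
    param([byte[]]$Dbx = (Get-SecureBootUEFI -Name dbx).Bytes)
    $sha256Type = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $hashes = [System.Collections.Generic.List[string]]::new()
    $off = 0
    while ($off + 28 -le $Dbx.Length) {                           # 28 = sizeof(EFI_SIGNATURE_LIST header)
        $type     = [guid]::new([byte[]]$Dbx[$off..($off + 15)])  # SignatureType
        $listSize = [int][BitConverter]::ToUInt32($Dbx, $off + 16) # SignatureListSize, header included
        $hdrSize  = [int][BitConverter]::ToUInt32($Dbx, $off + 20) # SignatureHeaderSize
        $sigSize  = [int][BitConverter]::ToUInt32($Dbx, $off + 24) # SignatureSize = 16-byte owner GUID + data
        if ($listSize -lt 28 -or $off + $listSize -gt $Dbx.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $off"
        }
        if ($type -eq $sha256Type -and $sigSize -eq 48) {
            $pos = $off + 28 + $hdrSize
            while ($pos + $sigSize -le $off + $listSize) {
                # Skip the 16-byte SignatureOwner GUID; the following 32 bytes are the hash.
                $hex = [BitConverter]::ToString($Dbx, $pos + 16, 32) -replace '-', ''
                $hashes.Add($hex.ToLowerInvariant())
                $pos += $sigSize
            }
        }
        $off += $listSize
    }
    return $hashes
}

function Test-DbxContainsHash {
    # $true if the given SHA-256 (hex) is revoked by the firmware's current dbx.
    param([Parameter(Mandatory)][string]$Sha256Hex)
    return (Get-DbxSha256Entries) -contains $Sha256Hex.ToLowerInvariant()
}

# Usage:
Get-SecureBootDbxEvents | Sort-Object TimeCreated | Format-Table TimeCreated, Id, Data -AutoSize
"dbx currently revokes $((Get-DbxSha256Entries).Count) SHA-256 hashes"
```

If the event list shows a 1795 or 1796 on every restart and the hash count does not grow, the retry loop described above is not succeeding and the firmware error code in the event is what to send to the device manufacturer. The hashes in dbx are Authenticode hashes of PE images, so to check a specific bootloader you compare its Authenticode SHA-256 (not a flat file hash) with Test-DbxContainsHash.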
