Microsoft guidance for applying Secure Boot DBX update

See the products that this article applies to.

Summary

On July 29, 2020, Microsoft published security advisory 200011 that describes a new vulnerability that’s related to Secure Boot. Devices that trust the Microsoft third-party Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA) in their Secure Boot configuration may be susceptible to an attacker who has administrative privileges or physical access to the device.

This article provides guidance to apply the latest Secure Boot DBX revocation list to invalidate the vulnerable modules. Microsoft plans to push an update to Windows Update to address this vulnerability after further testing in 2021.

The Secure Boot update binaries are hosted on https://uefi.org/revocationlistfile.

The posted files are as follows:

  • UEFI Revocation List File for x86 (32 bit)

  • UEFI Revocation List File for x64 (64 bit)

  • UEFI Revocation List File for arm64

After these hashes are added to the Secure Boot DBX on your device, those applications will no longer be allowed to load.

Important This site hosts files for every architecture. Each hosted file includes only the hashes of applications that apply to the specific architecture. You must apply one of these files to every device, but make sure that you apply the file that is relevant to its architecture. Although it is technically possible to apply an update for a different architecture, not installing the appropriate update will leave the device unprotected.


Read the main advisory article about this vulnerability before you try any of these steps. Incorrectly applying DBX updates could prevent your device from starting.

You should follow these steps only if the following conditions are true:
 

  • You have verified that your device trusts the third-party UEFI CA in your Secure Boot configuration. To do this, run the following line of PowerShell from an administrative PowerShell session:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011'

  • You do not rely on starting any of the boot applications that are being blocked by this update.

More information

Applying a DBX update on Windows

After you read the warnings and verify that your device is compatible, follow these steps to update the Secure Boot DBX:

  1. Download the appropriate UEFI Revocation List File (Dbxupdate.bin) for your platform from https://uefi.org/revocationlistfile.

  2. You will have to split the Dbxupdate.bin file into the necessary components in order to apply them by using PowerShell cmdlets. To do this, follow these steps

    1. Download the PowerShell script from https://aka.ms/DbxSplitScript.

    2. Run the following PowerShell script on the Dbxupdate.bin file: SplitDbxAuthInfo.ps1 “c:\path\to\file\dbxupdate.bin”

    3. Verify that the command created the following files:

      • Content.bin – update contents

      • Signature.p7 – signature authorizing the update process

  3. In an administrative PowerShell session, run the Set-SecureBootUefi cmdlet to apply the DBX update:

    Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite

  4. Restart the device to complete the process

For more information about the Secure Boot configuration cmdlet and how to use it for DBX updates, see Set-Secure

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×