Microsoft guidance for applying Secure Boot DBX update (KB4575994)

Applying a DBX update on Windows

After you read the warnings in the previous section and verify that your device is compatible, follow these steps to update the Secure Boot DBX:

1. Download the appropriate UEFI Revocation List File (Dbxupdate.bin) for your platform from this UEFI webpage.

2. You have to split the Dbxupdate.bin file into the necessary components in order to apply them by using PowerShell cmdlets. To do this, follow these steps:

   1. Download the PowerShell script from this PowerShell Gallery webpage.

   2. To help locate the script, run the following cmdlet:

      • Get-InstalledScript -name SplitDbxContent | select-object Name, Version, Author, PublishedDate, InstalledDate, InstalledLocation

   3. Verify that the cmdlet successfully downloads the script and provides output details, including Name, Version, Author, PublishedDate, InstalledDate, and InstalledLocation.

   4. Run the following cmdlets:

      • [string]$ScriptPath= @(Get-InstalledScript -name SplitDbxContent | select-object -ExpandProperty InstalledLocation)

      • cd $ScriptPath

      • ls

   5. Verify that the SplitDbxContent.ps1 file is now in the Scripts folder.

   6. Run the following PowerShell script on the Dbxupdate.bin file:
      
         SplitDbxContent.ps1 “c:\path\to\file\dbxupdate.bin"

   7. Verify that the command created the following files.

      

      • Content.bin – update contents

      • Signature.p7 – signature authorizing the update process

3. In an administrative PowerShell session, run the Set-SecureBootUefi cmdlet to apply the DBX update:
   
   Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite
   
   Expected output
   
   

4. To complete the update installation process, restart the device.

For more information about the Secure Boot configuration cmdlet and how to use it for DBX updates, see Set-Secure.

Verifying that the update was successful  

After you successfully complete the steps in the previous section and restart the device, follow these steps to verify that the update was applied successfully. After successful verification, your device will no longer be affected by the GRUB vulnerability.

1. Download the DBX update verification scripts from this GitHub Gist webpage.

2. Extract the scripts and binaries from the compressed file.

3. Run the following PowerShell script within the folder that contains the expanded scripts and binaries to verify the DBX update: 
   
   Check-Dbx.ps1 '.\dbx-2021-April.bin' 

   Note: If a DBX update that matches the July 2020 or October 2020 versions from this revocation list file archive was applied, run the following appropriate command instead: 
   
   Check-Dbx.ps1 '.\dbx-2020-July.bin' 

   Check-Dbx.ps1 '.\dbx-2020-October.bin' 

4. Verify that the output matches the expected result.
   
   

FAQ

Q1: What does the error message "Get-SecureBootUEFI: Cmdlets not supported on this platform" mean?

A1: This error message indicates that NO Secure Boot feature is enabled on the computer. Therefore, this device is NOT affected by the GRUB vulnerability. No further action is necessary.

Q2: How do I configure the device to trust or not trust third-party UEFI CA? 

A2: We recommend that you consult your OEM vendor. 

For Microsoft Surface, change the Secure Boot setting to “Microsoft Only,” and then run the following PowerShell command (the result should be “False”): 

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011' 

For more information about how to configure for Microsoft Surface, see Manage Surface UEFI settings - Surface | Microsoft Docs.

Q3: Does this problem affect Azure IaaS Generation 1 and Generation 2 virtual machines? 

A3: No. Azure guest virtual machines Gen1 and Gen2 do not support the Secure Boot feature. Therefore, they are unaffected by the chain of trust attack. 

Q4: Do ADV200011 and CVE-2020-0689 refer to the same vulnerability that's related to Secure Boot? 

A: No. These security advisories describe different vulnerabilities. "ADV200011" refers to a vulnerability in GRUB (Linux component) that could cause a Secure Boot bypass. "CVE-2020-0689" refers to a security feature bypass vulnerability that exists in Secure Boot. 

Q5: I can't run either of the PowerShell scripts. What should I do?

A: Verify the PowerShell execution policy by running the Get-ExecutionPolicy command. Depending on the output, you might have to update the execution policy:

• Set-ExecutionPolicy (Microsoft.PowerShell.Security) - PowerShell | Microsoft Docs