Applies to
This security update applies only to the following Windows versions:
-
Windows Server 2012 x64-bit
-
Windows Server 2012 R2 x64-bit
-
Windows 8.1 x64-bit
-
Windows Server 2016 x64-bit
-
Windows Server 2019 x64-bit
-
Windows 10, version 1607 x64-bit
-
Windows 10, version 1803 x64-bit
-
Windows 10, version 1809 x64-bit
-
Windows 10, version 1909 x64-bit
Summary
This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:
-
Windows devices that has Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.
A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.
This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
To learn more about this security vulnerability, see CVE-2020-0689 | Microsoft Secure Boot Security Feature Bypass Vulnerability.
Known issues
Issue |
Workaround |
Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update. |
To resolve this issue, contact your firmware OEM. |
If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the BitLocker recovery key being required on some devices where PCR7 binding is not possible. To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.
Important Changing from the default platform validation profile affects the security and manageability of your device. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased, depending on inclusion or exclusion (respectively) of the PCRs. Specifically, setting this policy with PCR7 omitted, will override the Allow Secure Boot for integrity validation Group Policy. This prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. Setting this policy may result in BitLocker recovery when the firmware is updated. If you set this policy to include PCR0, you must suspend BitLocker before you apply firmware updates. |
To workaround this issue, do one of the following based on credential guard configuration before you deploy this update:
|
How to get this update
Method 1: Windows Update
This update is available through Windows Update. It will be downloaded and installed automatically.
Method 2: Microsoft Update Catalog
To get the stand-alone package for this update, go to the Microsoft Update Catalog website.
Method 3: Windows Server Update Services
This update is also available through Windows Server Update Services (WSUS).
Prerequisites
Make sure you have the lastest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see ADV990001 | Latest Servicing Stack Updates.
Restart information
Your device does not have to restart when you apply this update. If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device will restart two times.
Update replacement information
This update does not replace any previously released update.
File information
Windows 10, version 1909
File attributes
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.
Windows 10, version 1809 and Windows Server 2019
File attributes
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.
Windows 10, version 1803
File attributes
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.
Windows 10, version 1607 and Windows Server 2016
File attributes
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.
Windows 8.1 and Windows Server 2012 R2
File attributes
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.
Note: The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.
Windows Server 2012
File attributes
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.
Note: The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.
File verification
File hash information
File name |
SHA1 hash |
SHA256 hash |
---|---|---|
Windows10.0-KB4535680-x64.msu |
66C7276B01FC94651BF0D63C969D42A8D229233D |
F842005F83043E8C322E1CA5A01C5AAC7DC8EB0C316B3918750CEEC5A611DC9F |
For all supported x64-based versions
File name |
File size |
Date |
Time |
Dbupdate.bin |
46 |
23-Sep-2019 |
23:13 |
Dbxupdate.bin |
1,368 |
23-Sep-2019 |
23:13 |
Dbupdate.bin |
46 |
23-Sep-2019 |
23:13 |
Dbxupdate.bin |
2,840 |
23-Sep-2019 |
23:13 |
Tpmtasks.dll |
3,339 |
23-Sep-2019 |
23:13 |
Tpmtasks.dll |
2,892 |
23-Sep-2019 |
23:13 |
File verification
File hash information
File name |
SHA1 hash |
SHA256 hash |
---|---|---|
Windows10.0-KB4535680-x64.msu |
4A6F51365ED7F4C9AD34986AA2F61005AF267E24 |
E0E06F57EAFAF0A565B7F03B71FC9D9001F35A1D74950ACA33F5FA5417088372 |
For all supported x64-based versions
File name |
File size |
Date |
Time |
Dbupdate.bin |
46 |
25-Sep-2019 |
01:14 |
Dbxupdate.bin |
1,368 |
25-Sep-2019 |
01:14 |
Dbupdate.bin |
46 |
25-Sep-2019 |
01:14 |
Dbxupdate.bin |
2,840 |
25-Sep-2019 |
01:14 |
Tpmtasks.dll |
1,998 |
25-Sep-2019 |
01:14 |
Tpmtasks.dll |
1,568 |
25-Sep-2019 |
01:14 |
File verification
File hash information
File name |
SHA1 hash |
SHA256 hash |
---|---|---|
Windows10.0-KB4535680-x64.msu |
24C59946A58755DD26DA81F248895D224066D5F7 |
0411EEE0DB7441921F2182F2FFE68BD23E2DC42AE18A1EF9A26700EBA77FA551 |
For all supported x64-based versions
File name |
File version |
File size |
Date |
Time |
Dbupdate.bin |
Not applicable |
3 |
30-Oct-2017 |
01:01 |
Dbxupdate.bin |
Not applicable |
7,361 |
10-Sep-2019 |
01:21 |
Tpmtasks.dll |
10.0.17134.1060 |
51,712 |
10-Sep-2019 |
03:55 |
File verification
File hash information
File name |
SHA1 hash |
SHA256 hash |
---|---|---|
Windows10.0-KB4535680-x64.msu |
980ED67D1AAEEB5BB8A6B79E68438BD402865443 |
93CE5768F2A232C0458098AFCC229A52C819F29DEAA1C769A7D2F85F5BF059B4 |
For all supported x64-based versions
File name |
File version |
File size |
Date |
Time |
Dbupdate.bin |
Not applicable |
2 |
03-Sep-2019 |
22:05 |
Dbxupdate.bin |
Not applicable |
7,361 |
12-Sep-2019 |
01:01 |
Tpmtasks.dll |
10.0.14393.3001 |
44,032 |
16-Sep-2019 |
05:04 |
File verification
File hash information
File name |
SHA1 hash |
SHA256 hash |
---|---|---|
Windows8.1-KB4535680-x64.msu |
1CD22F094D7465F7C88B958F0DFA9C7CB3304A44 |
EF6C57183BDE7B63C63527F1CE80F5AFE9C1C511CF90C75A78749113838B9990 |
For all supported x64-based versions
File name |
File version |
File size |
Date |
Time |
Dbupdate.bin |
Not applicable |
2 |
25-Sep-2019 |
04:21 |
Dbxupdate.bin |
Not applicable |
7,361 |
25-Sep-2019 |
04:21 |
Tpmtasks.dll |
6.3.9600.19501 |
176,128 |
25-Sep-2019 |
06:30 |
File verification
File hash information
File name |
SHA1 hash |
SHA256 hash |
---|---|---|
Windows8-RT-KB4535680-x64.msu |
B33D60C3A01588048F7EFEA16C275F282C811F56 |
78AECFDC033EE4C16C49EE9A0B60D56991AFD621610453284D4E8BAC917C9111 |
For all supported x64-based versions
File name |
File version |
File size |
Date |
Time |
Dbupdate.bin |
Not applicable |
2 |
20-Jun-2019 |
00:06 |
Dbxupdate.bin |
Not applicable |
7,361 |
10-Sep-2019 |
00:07 |
Tpmtasks.dll |
6.2.9200.22884 |
95,232 |
25-Sep-2019 |
04:30 |
References
Learn about the terminology that Microsoft uses to describe software updates.