Security update for Secure Boot DBX: January 12, 2021

Applies to

This security update applies only to the following Windows versions:

  • Windows Server 2012 x64-bit

  • Windows Server 2012 R2 x64-bit

  • Windows 8.1 x64-bit

  • Windows Server 2016 x64-bit

  • Windows Server 2019 x64-bit

  • Windows 10, version 1607 x64-bit

  • Windows 10, version 1803 x64-bit

  • Windows 10, version 1809 x64-bit

  • Windows 10, version 1909 x64-bit

Summary

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:

  • Windows devices that have Unified Extensible Firmware Interface (UEFI)-based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules whose signatures or hashes are listed in it from loading. This update adds entries for known vulnerable modules to the DBX.

    A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

    This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.

To learn more about this security vulnerability, see CVE-2020-0689 | Microsoft Secure Boot Security Feature Bypass Vulnerability.
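The following PowerShell is an added example, not code from this article or from Microsoft: it parses the live DBX variable into its individual revocation entries (SHA-256 hashes and X.509 certificates) and, optionally, compares them against the payload of a Dbxupdate.bin file to confirm that the firmware has actually absorbed the update. It assumes an elevated session on a UEFI system; the $UpdateFile path and the function names are placeholders chosen for this example, and the Dbxupdate.bin layout assumed is the standard authenticated-variable format (EFI_VARIABLE_AUTHENTICATION_2 header followed by EFI_SIGNATURE_LIST structures).

```powershell
# Added example; not part of the KB article. Parses the live Secure Boot DBX
# (and optionally a Dbxupdate.bin payload) into individual revocation entries.
# Assumes an elevated PowerShell session on a UEFI system with Secure Boot.
$EfiCertSha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID
$EfiCertX509Guid   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID

function ConvertFrom-EfiSignatureLists {
    # Walks a sequence of EFI_SIGNATURE_LIST structures (the raw value of db/dbx).
    param([Parameter(Mandatory)][byte[]]$Data)
    $entries = New-Object System.Collections.Generic.List[object]
    $offset = 0
    while ($offset + 28 -le $Data.Length) {
        # EFI_SIGNATURE_LIST: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
        $type       = [Guid]::new([byte[]]$Data[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Data, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Data, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Data, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Data.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData
            $owner   = [Guid]::new([byte[]]$Data[$pos..($pos + 15)])
            $payload = [byte[]]$Data[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EfiCertSha256Guid) {
                $kind  = 'sha256'
                $value = [BitConverter]::ToString($payload).Replace('-', '').ToLowerInvariant()
            } elseif ($type -eq $EfiCertX509Guid) {
                $kind  = 'x509'
                $value = "DER certificate, $($payload.Length) bytes"
            } else {
                $kind  = $type.ToString()
                $value = "$($payload.Length) bytes"
            }
            $entries.Add([pscustomobject]@{ Type = $kind; Owner = $owner; Value = $value })
            $pos += $sigSize
        }
        $offset = $end
    }
    return $entries
}

function ConvertFrom-DbxUpdateFile {
    # Dbxupdate.bin is an authenticated variable write: EFI_VARIABLE_AUTHENTICATION_2
    # (EFI_TIME, 16 bytes, then a WIN_CERTIFICATE_UEFI_GUID whose dwLength covers itself
    # and the PKCS#7 blob) followed by the EFI_SIGNATURE_LISTs that get appended to DBX.
    param([Parameter(Mandatory)][string]$Path)
    $bytes      = [IO.File]::ReadAllBytes($Path)
    $certLength = [BitConverter]::ToUInt32($bytes, 16)          # WIN_CERTIFICATE.dwLength
    $start      = 16 + $certLength
    if ($start -ge $bytes.Length) { throw "No signature-list payload found in $Path" }
    return ConvertFrom-EfiSignatureLists -Data ([byte[]]$bytes[$start..($bytes.Length - 1)])
}

# --- usage ---
if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this device' }
$live = ConvertFrom-EfiSignatureLists -Data (Get-SecureBootUEFI -Name dbx).Bytes
$live | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize

# Verify the update landed: every hash in the package's Dbxupdate.bin should be in the live DBX.
# $UpdateFile is a placeholder path (assumption), not a location the article states.
$UpdateFile = 'C:\path\to\Dbxupdate.bin'
if (Test-Path $UpdateFile) {
    $wanted  = (ConvertFrom-DbxUpdateFile -Path $UpdateFile | Where-Object Type -eq 'sha256').Value
    $missing = $wanted | Where-Object { $live.Value -notcontains $_ }
    "DBX entries in update: $($wanted.Count); not yet present in firmware: $($missing.Count)"
}
```

A non-zero "not yet present" count after the update has installed and the device has restarted usually means the firmware rejected the variable write, which is the OEM firmware case listed under "Known issues" below; the count gives you something concrete to hand to the OEM.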

Known issues

Issue: Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.

Workaround: To resolve this issue, contact your firmware OEM.

Issue: If the BitLocker Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy, the BitLocker recovery key may be required on some devices on which PCR7 binding is not possible.

Workaround: To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.

Important Changing from the default platform validation profile affects the security and manageability of your device. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased, depending on inclusion or exclusion (respectively) of the PCRs. Specifically, setting this policy with PCR7 omitted overrides the "Allow Secure Boot for integrity validation" Group Policy. This prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. Setting this policy may result in BitLocker recovery when the firmware is updated. If you set this policy to include PCR0, you must suspend BitLocker before you apply firmware updates.

We recommend that you do not configure this policy, but let Windows select the PCR profile for the best combination of security and usability based on the available hardware on each device.

To work around this issue, do one of the following, based on the Credential Guard configuration, before you deploy this update:

  • On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for one restart cycle:

    Manage-bde -Protectors -Disable C: -RebootCount 1

    Then restart the device; BitLocker protection resumes after that restart.

    Note Do not re-enable BitLocker protection manually without also restarting the device, because doing so results in BitLocker recovery.

  • On a device that has Credential Guard enabled, the update may require multiple restarts during which BitLocker must remain suspended. Run the following command from an Administrator command prompt to suspend BitLocker for three restart cycles:

    Manage-bde -Protectors -Disable C: -RebootCount 3

    This update is expected to restart the system two times. Restart the device once more to resume BitLocker protection.

    Note Do not re-enable BitLocker protection manually without also restarting the device, because doing so results in BitLocker recovery.
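The script below is an added example (not code from this article or from Microsoft) that carries out the workaround above end to end: it detects whether Credential Guard is running, picks the one-restart or three-restart suspension accordingly, suspends BitLocker with the PowerShell equivalent of the manage-bde command, and verifies that protection is actually reported as Off before you deploy the update. It assumes an elevated session, the C: mount point, and that Win32_DeviceGuard reports Credential Guard as security service 1; the function names are placeholders chosen for this example.

```powershell
# Added example; not part of the KB article. Applies the article's workaround:
# suspend BitLocker for one restart (no Credential Guard) or three restarts
# (Credential Guard running) before installing this update, and verify it took.
# Run from an elevated PowerShell session. Mount point and function names are
# assumptions made for this example.
function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning lists 1 when Credential Guard is running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

function Get-DbxUpdateRebootCount {
    param([bool]$CredentialGuardRunning)
    # Article: 1 restart cycle without Credential Guard; 3 with it (two update restarts plus one to resume)
    if ($CredentialGuardRunning) { return 3 }
    return 1
}

function Suspend-BitLockerForDbxUpdate {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker protection on $MountPoint is $($vol.ProtectionStatus); nothing to suspend."
        return $vol
    }
    # The PCR7 issue only matters for TPM-based protectors; volumes without one are unaffected
    if (-not ($vol.KeyProtector.KeyProtectorType -like 'Tpm*')) {
        Write-Warning "$MountPoint has no TPM-based key protector; a DBX change will not trigger recovery here."
        return $vol
    }
    $cg    = Test-CredentialGuardRunning
    $count = Get-DbxUpdateRebootCount -CredentialGuardRunning $cg
    # Same effect as: manage-bde -protectors -disable $MountPoint -RebootCount $count
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $count | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'Off') { throw "Suspend-BitLocker did not take effect on $MountPoint" }
    $msg = "Credential Guard running: {0}. BitLocker on {1} suspended for {2} restart(s); " +
           "install the update and restart rather than resuming protection by hand." -f $cg, $MountPoint, $count
    Write-Host $msg
    return $vol
}

Suspend-BitLockerForDbxUpdate -MountPoint 'C:'
```

Suspend-BitLocker with -RebootCount re-arms protection automatically once the counter runs out, which is why the script deliberately never calls Resume-BitLocker: resuming by hand before the final restart is exactly the sequence the Note above warns against.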

How to get this update

Method 1: Windows Update 

This update is available through Windows Update. It will be downloaded and installed automatically.  

Method 2: Microsoft Update Catalog 

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Windows Server Update Services

This update is also available through Windows Server Update Services (WSUS).

Prerequisites

Make sure you have the latest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see ADV990001 | Latest Servicing Stack Updates.

Restart information 

Your device does not have to restart when you apply this update, unless Windows Defender Credential Guard (Virtual Secure Mode) is enabled; in that case your device restarts two times.

Update replacement information 

This update does not replace any previously released update.

File information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables, one set of tables per Windows version.

Note: For Windows 8.1, Windows Server 2012 R2 and Windows Server 2012, the MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.

Windows 10, version 1909

File hash information

File name: Windows10.0-KB4535680-x64.msu
SHA1 hash: 66C7276B01FC94651BF0D63C969D42A8D229233D
SHA256 hash: F842005F83043E8C322E1CA5A01C5AAC7DC8EB0C316B3918750CEEC5A611DC9F

File attributes, for all supported x64-based versions

File name      File size  Date         Time
Dbupdate.bin   46         23-Sep-2019  23:13
Dbxupdate.bin  1,368      23-Sep-2019  23:13
Dbupdate.bin   46         23-Sep-2019  23:13
Dbxupdate.bin  2,840      23-Sep-2019  23:13
Tpmtasks.dll   3,339      23-Sep-2019  23:13
Tpmtasks.dll   2,892      23-Sep-2019  23:13

Windows 10, version 1809 and Windows Server 2019

File hash information

File name: Windows10.0-KB4535680-x64.msu
SHA1 hash: 4A6F51365ED7F4C9AD34986AA2F61005AF267E24
SHA256 hash: E0E06F57EAFAF0A565B7F03B71FC9D9001F35A1D74950ACA33F5FA5417088372

File attributes, for all supported x64-based versions

File name      File size  Date         Time
Dbupdate.bin   46         25-Sep-2019  01:14
Dbxupdate.bin  1,368      25-Sep-2019  01:14
Dbupdate.bin   46         25-Sep-2019  01:14
Dbxupdate.bin  2,840      25-Sep-2019  01:14
Tpmtasks.dll   1,998      25-Sep-2019  01:14
Tpmtasks.dll   1,568      25-Sep-2019  01:14

Windows 10, version 1803

File hash information

File name: Windows10.0-KB4535680-x64.msu
SHA1 hash: 24C59946A58755DD26DA81F248895D224066D5F7
SHA256 hash: 0411EEE0DB7441921F2182F2FFE68BD23E2DC42AE18A1EF9A26700EBA77FA551

File attributes, for all supported x64-based versions

File name      File version     File size  Date         Time
Dbupdate.bin   Not applicable   3          30-Oct-2017  01:01
Dbxupdate.bin  Not applicable   7,361      10-Sep-2019  01:21
Tpmtasks.dll   10.0.17134.1060  51,712     10-Sep-2019  03:55

Windows 10, version 1607 and Windows Server 2016

File hash information

File name: Windows10.0-KB4535680-x64.msu
SHA1 hash: 980ED67D1AAEEB5BB8A6B79E68438BD402865443
SHA256 hash: 93CE5768F2A232C0458098AFCC229A52C819F29DEAA1C769A7D2F85F5BF059B4

File attributes, for all supported x64-based versions

File name      File version     File size  Date         Time
Dbupdate.bin   Not applicable   2          03-Sep-2019  22:05
Dbxupdate.bin  Not applicable   7,361      12-Sep-2019  01:01
Tpmtasks.dll   10.0.14393.3001  44,032     16-Sep-2019  05:04

Windows 8.1 and Windows Server 2012 R2

File hash information

File name: Windows8.1-KB4535680-x64.msu
SHA1 hash: 1CD22F094D7465F7C88B958F0DFA9C7CB3304A44
SHA256 hash: EF6C57183BDE7B63C63527F1CE80F5AFE9C1C511CF90C75A78749113838B9990

File attributes, for all supported x64-based versions

File name      File version    File size  Date         Time
Dbupdate.bin   Not applicable  2          25-Sep-2019  04:21
Dbxupdate.bin  Not applicable  7,361      25-Sep-2019  04:21
Tpmtasks.dll   6.3.9600.19501  176,128    25-Sep-2019  06:30

Windows Server 2012

File hash information

File name: Windows8-RT-KB4535680-x64.msu
SHA1 hash: B33D60C3A01588048F7EFEA16C275F282C811F56
SHA256 hash: 78AECFDC033EE4C16C49EE9A0B60D56991AFD621610453284D4E8BAC917C9111

File attributes, for all supported x64-based versions

File name      File version    File size  Date         Time
Dbupdate.bin   Not applicable  2          20-Jun-2019  00:06
Dbxupdate.bin  Not applicable  7,361      10-Sep-2019  00:07
Tpmtasks.dll   6.2.9200.22884  95,232     25-Sep-2019  04:30

References

Learn about the terminology that Microsoft uses to describe software updates.
