KB5012170: Security update for Secure Boot DBX - Microsoft Support
The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX. A security feature bypass vulnerability exists in Secure Boot. An attacker who successfully exploited the vulnerability might bypass Secure Boot and load untrusted software.
Secure Boot DB and DBX variable update events
When a Secure Boot Signature Database (DB), a Revoked Signature Database (DBX), or a Key Exchange Key (KEK) update is applied to the firmware, the firmware may return an error.
Secure Boot Certificate updates: Guidance for IT professionals and ...
These events are described in detail in Secure Boot DB and DBX variable update events. Please also check the Monitoring and deployment section for how the events can show the state of pending updates.
Registry key updates for Secure Boot: Windows devices with IT-managed ...
See Secure Boot DB and DBX variable update events for a complete list of Secure Boot events. A note about restarts: While a restart might be required to complete the process, initiating the deployment of the Secure Boot updates will not cause a restart.
How to manage the Windows Boot Manager revocations for Secure Boot ...
The July 9, 2024 or later security update will block mitigations #2 (boot manager) and #3 (DBX update) on affected systems. Microsoft is aware of the issue and an update will be released in the future to unblock TPM 2.0-based systems.
Windows Secure Boot certificate expiration and CA updates
The Allowed Signature Database (DB) and the Disallowed Signature Database (DBX) determine which code can run in the UEFI environment before the OS starts. The DB includes certificates managed by Microsoft and the OEM, while the DBX is updated by Microsoft with the latest revocations.
Microsoft guidance for applying Secure Boot DBX update (KB4575994)
Provides guidance for installing a DBX update to fix a vulnerability that exists in some Secure Boot modules if they trust the Microsoft third-party UEFI CA.
Enterprise Deployment Guidance for CVE-2023-24932
For the deployment operations described in this document, the firmware must be able to accept and process updates to the Secure Boot DB (Signature Database) and DBX (Forbidden Signature Database).