The trials and tribulations of Microsoft’s KB5012170 patch
Earlier this year, Microsoft rolled out an update to Secure Boot on Windows systems. It is at best a mixed blessing, and for many users it may do more harm than good.
KB5012170 is many things to many Windows users. First, it is a patch that either installs with no issues or leads to a blue screen of death (BSOD). It can also be an indicator that we have a problem getting updated drivers onto our systems. It can reveal how users don't keep up with BIOS updates. And it shows that some OEMs enable BitLocker on the systems they sell (not necessarily in a good way).
In short, it is a problematic patch that just keeps rearing its head.
Also referred to as "Security update for Secure Boot DBX," KB5012170 was released earlier this year and updates the Secure Boot Forbidden Signature Database (DBX). Windows devices with Unified Extensible Firmware Interface (UEFI) firmware support Secure Boot, which ensures that only trusted software can be loaded and executed during the boot process by using cryptographic signatures to verify the integrity of the boot path and of each component being loaded. The DBX is the deny list in that scheme: a boot component whose hash or signing certificate appears in the DBX is refused even if it carries an otherwise valid signature.
Secure Boot is often used with other security measures, such as trusted platform modules (TPMs) and bootloaders that support key management. It is intended to protect against bootkits, malware and other types of unauthorized software that could compromise the system before the operating system's own defenses have loaded.
Typically implemented in system firmware, Secure Boot can be configured to allow the loading of only trusted software signed with a trusted key; untrusted software is prevented from running.
That said, there is a security feature bypass in Secure Boot: a UEFI module with a known vulnerability that is still signed by a trusted key will be accepted by the firmware until its signature is revoked. KB5012170 addresses this by adding the signatures of known vulnerable UEFI modules to the DBX. One such bypass is known as BootHole, and it could be used to bypass Secure Boot. (Note: for any attack to occur, the attacker would need admin privileges or physical access.)
This is where KB5012170 comes into the picture.
On enterprise computers, government computers, or systems at risk of a targeted attack, this is the type of patch you would want installed. But on home computers, or on systems that aren't managed or updated regularly with driver and firmware updates, it can do more harm than good. Documented side effects include BSODs and error 0x800f0922, and unless you block the update it will try to install again. One user in a Reddit post noted he "needed to restart my computer and an update was pending restart to complete installation. I restarted and my computer failed to start. I got a BSOD with the error 0xc000021a." It appears this is happening on older computers whose settings have been changed to disable driver signature enforcement.
At this point, for home users, the best thing to do is to use one of the tools highlighted at Blockapatch.com to block KB5012170 proactively. The benefits don't outweigh the risks.
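For readers who would rather not install a third-party tool, the same "hide this update" effect can be achieved with the Windows Update Agent COM API that those tools wrap. The script below is an added example, not code from the article or from Blockapatch.com; the KB number is the one discussed here, and everything else (the search filter, the hidden flag) is standard WUA behaviour. Run it from an elevated PowerShell prompt.

```powershell
# Added example: hide KB5012170 from Windows Update using the Windows Update Agent (WUA)
# COM API, so the update is no longer offered. Hiding is reversible (set IsHidden = $false).
function Hide-KbUpdate {
    param([Parameter(Mandatory)][string]$KbId)   # e.g. 'KB5012170'

    # Normalise to the bare number that IUpdate.KBArticleIDs uses ('5012170')
    $kbNumber = $KbId -replace '^(?i)KB', ''

    # Already installed? Then hiding is pointless; report and stop.
    $installed = Get-HotFix -Id "KB$kbNumber" -ErrorAction SilentlyContinue
    if ($installed) {
        return [pscustomobject]@{ KB = "KB$kbNumber"; Action = 'AlreadyInstalled'; InstalledOn = $installed.InstalledOn }
    }

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Updates that are applicable, not yet installed and not already hidden
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    $offered = @($result.Updates | Where-Object { $_.KBArticleIDs -contains $kbNumber })
    if ($offered.Count -eq 0) {
        return [pscustomobject]@{ KB = "KB$kbNumber"; Action = 'NotOffered'; InstalledOn = $null }
    }

    foreach ($update in $offered) {
        $update.IsHidden = $true          # IUpdate.IsHidden is read/write when running elevated
    }
    [pscustomobject]@{ KB = "KB$kbNumber"; Action = 'Hidden'; Title = $offered[0].Title }
}

Hide-KbUpdate -KbId 'KB5012170' | Format-List
```

If the host is managed by WSUS or Intune this only affects the local Windows Update client; the management side can still push the update, which is the right place to decide on it for enterprise machines.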
There is a second side effect arising from this update. Workstations with BitLocker enabled may trigger a request for the BitLocker recovery key. This happens because the TPM measures the Secure Boot configuration, including the DBX contents, into PCR 7 when it seals the volume key, so changing the DBX changes the measurement and the TPM will not release the key automatically. This can be a problem for consumer and home users whose systems have BitLocker automatically enabled. If you do not know where your BitLocker recovery key is saved, you may need to reinstall Windows from scratch. (To determine whether you have BitLocker enabled, open File Explorer and right-click your C: drive. If you see the option to turn OFF BitLocker, make sure you know where your BitLocker recovery key is saved. If you set up your computer with a Microsoft account, it will be saved there. If you are unsure where your BitLocker recovery key is located, either reset it or disable BitLocker before the update is installed.)
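The safer sequence for a BitLocker-protected machine is to confirm a recovery password exists and is escrowed, keep an offline copy, and then suspend protection for exactly one reboot so the changed PCR 7 measurement does not land you at the recovery screen. The following script is an added example, not from the article; it assumes the operating-system volume is C: and uses a placeholder path on removable media (`E:\`) for the offline copy. The cmdlets are the standard ones in the built-in BitLocker module. Run elevated.

```powershell
# Added example: pre-flight a BitLocker-protected OS volume before a Secure Boot DBX update.
$Mount      = 'C:'                                  # assumption: OS volume is C:
$OfflineCsv = 'E:\bitlocker-recovery-C.csv'         # placeholder: removable media, never the encrypted volume itself

$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.ProtectionStatus -ne 'On') {
    Write-Host "BitLocker is not protecting $Mount (status: $($vol.ProtectionStatus)); nothing to do."
    return
}

# 1. Make sure a recovery password protector exists (TPM-only volumes can lack one).
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
    $recovery = @((Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 2. Escrow each recovery password where the device is joined; failures are reported, not fatal.
foreach ($rp in $recovery) {
    Write-Host "Recovery password protector: $($rp.KeyProtectorId)"
    try   { BackupToAAD-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop
            Write-Host '  escrowed to Azure AD / Entra ID' }
    catch { Write-Warning "  Azure AD backup not possible: $($_.Exception.Message)" }
    try   { Backup-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop
            Write-Host '  escrowed to Active Directory' }
    catch { Write-Warning "  AD DS backup not possible: $($_.Exception.Message)" }
}

# 3. Keep an offline copy for an unmanaged machine (this is what the Microsoft-account backup gives home users).
$recovery | Select-Object KeyProtectorId, RecoveryPassword |
    Export-Csv -Path $OfflineCsv -NoTypeInformation
Write-Host "Offline copy written to $OfflineCsv"

# 4. Suspend protection for one reboot only; BitLocker re-arms itself after that restart,
#    by which time the TPM has sealed the key against the new PCR 7 value.
Suspend-BitLocker -MountPoint $Mount -RebootCount 1 | Out-Null
Write-Host "Protection is now: $((Get-BitLockerVolume -MountPoint $Mount).ProtectionStatus) (expected 'Off' until next boot)"
```

Suspending rather than disabling keeps the volume encrypted; only the clear-text protector is exposed for the one restart the update needs, which is the same thing Windows servicing does for firmware-related updates it knows about.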
For enterprise patchers, the side effects should be weighed against the risks of not installing KB5012170. I have not seen many enterprise BSOD reports, though I have seen reports of systems demanding a BitLocker recovery key when deploying this update. Thus, before deploying it, review your systems to ensure that their firmware is up to date and that BitLocker recovery keys are escrowed where your help desk can reach them, and pilot the update on a representative set of hardware models first.
Historically in enterprise settings, you installed firmware updates at deployment time and never reviewed them again. With Windows 10 and Windows 11, you can no longer safely do that. Ensure that you have a process in place to inventory and evaluate firmware, and to update it accordingly. Firmware should be reviewed at least once a year. Now that Microsoft has moved feature releases to an annual release cadence, use that schedule to include review and updating of firmware, video drivers, audio drivers and the other key hardware drivers that interact with the system.
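The inventory step above is easy to automate. The function below is an added example, not from the article: it collects, for one Windows 10/11 host, the firmware version and age, whether Secure Boot is on, the size and SHA-256 of the current DBX (so you can spot hosts whose DBX differs from a known-good reference), whether KB5012170 is reported as installed, and the BitLocker state of the system drive. The 365-day threshold is this example's choice, taken from the "at least once a year" guidance; the field names are made up for the example. Run elevated.

```powershell
# Added example: per-host readiness facts for a Secure Boot DBX update.
function Get-SecureBootReadiness {
    $bios     = Get-CimInstance -ClassName Win32_BIOS      # Get-CimInstance returns ReleaseDate as [datetime]
    $biosDate = $bios.ReleaseDate

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as 'not UEFI'
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    $dbxBytes = 0; $dbxSha256 = $null
    if ($null -ne $secureBoot) {
        $dbx      = Get-SecureBootUEFI -Name dbx           # raw EFI_SIGNATURE_LIST blob
        $dbxBytes = $dbx.Bytes.Length
        $sha      = [System.Security.Cryptography.SHA256]::Create()
        $dbxSha256 = ($sha.ComputeHash($dbx.Bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    }

    # Get-HotFix only lists updates installed through the servicing stack; compare DbxSha256 across hosts if it is empty
    $kb = Get-HotFix -Id KB5012170 -ErrorAction SilentlyContinue
    $bl = (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue).ProtectionStatus

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Manufacturer    = $bios.Manufacturer
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        FirmwareDate    = $biosDate
        FirmwareAgeDays = if ($biosDate) { [int](New-TimeSpan -Start $biosDate -End (Get-Date)).TotalDays } else { $null }
        SecureBootOn    = $secureBoot                     # $true / $false / $null (legacy BIOS)
        DbxSizeBytes    = $dbxBytes
        DbxSha256       = $dbxSha256
        KB5012170       = [bool]$kb
        KB5012170Date   = if ($kb) { $kb.InstalledOn } else { $null }
        BitLocker       = $bl
    }
}

$r = Get-SecureBootReadiness
$r | Format-List

# Decision hints that follow the guidance in the text (thresholds are this example's choice)
if ($r.SecureBootOn -eq $null)       { Write-Warning 'Legacy BIOS boot: the DBX update does not apply here.' }
if ($r.FirmwareAgeDays -gt 365)      { Write-Warning "Firmware is $($r.FirmwareAgeDays) days old; check the OEM for an update before deploying KB5012170." }
if ($r.BitLocker -eq 'On' -and -not $r.KB5012170) { Write-Warning 'BitLocker is on and the DBX update is pending: escrow the recovery key and suspend protection for one reboot first.' }
```

Run it across a fleet (for example via `Invoke-Command` or your management tool) and group the results by `Manufacturer`, `FirmwareVersion` and `DbxSha256`; the outliers are the machines to fix or exclude before the update is approved.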
Since KB5012170 (or something like it) will probably pop up again, make sure your system is ready for it, either by proactively blocking it or by keeping your firmware and drivers up to date. That is the best way to avoid problems down the road.