Microsoft is warning that users may see a 0x800f0922 error when trying to install Windows KB5012170 Secure Boot security update on currently supported operating systems for consumers and the enterprise-class Server version.
The problem does not affect the cumulative security updates, monthly rollups, or security-only updates that Microsoft made available on August 9.
Bootloader issues
Error 0x800f0922 is related strictly to KB5012170, a security update for the Secure Boot DBX (Forbidden Signature Database), a repository that holds revoked signatures for Unified Extensible Firmware Interface (UEFI) bootloaders.
A UEFI bootloader runs immediately after turning on the system and is responsible for launching the UEFI environment with the Secure Boot feature that allows only trusted code to be executed when starting the Windows booting process.
Last week, security researchers from Eclypsium disclosed vulnerabilities in three signed third-party bootloaders that could be exploited to bypass the Secure Boot feature and infect the system with malicious code that is difficult to detect and remove.
The three packages are:
- New Horizon Datasys Inc: CVE-2022-34302 (bypass Secure Boot via custom installer)
- CryptoPro Secure Disk: CVE-2022-34303 (bypass Secure Boot via UEFI Shell execution)
- Eurosoft (UK) Ltd: CVE-2022-34301 (bypass Secure Boot via UEFI Shell execution)
Microsoft has addressed the issue by adding the signatures of the bootloaders above to the Secure Boot DBX so that vulnerable UEFI modules can no longer load.
On systems that start with one of the three now revoked bootloaders, Microsoft says that the KB5012170 update will generate error 0x800f0922 since a bootloader is essential for Windows to launch with Secure Boot.
Microsoft lists the following affected platforms:
- Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1
- Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Bootloader update removes error 0x800f0922
Microsoft notes that mitigating the issue is possible by updating the UEFI version to the latest version from the vendor.
Researchers at Eclypsium recommend organizations check if the bootloaders on their systems are vulnerable before trying to update the DBX revocation list.
Bootloaders are typically stored in the EFI System Partition, which can be mounted on both Windows and Linux to inspect their version and learn if they are vulnerable or not.
The researchers warn that updating the DBX revocation list on systems with vulnerable bootloaders, where this is possible, will lead to device boot failure.
Updating DBX is recommended only after making sure that the device is running a non-vulnerable bootloader version from the vendor.
Comments
wackoinWaco - 2 years ago
I have Windows 10 21H1 and after I downloaded the update last week I noticed the boot
time change to VERY long, even now. Does that mean that I need to download an updated UEFI from the vendor (Asus)? And then update the DBX revocation list?
BH0 - 2 years ago
Can confirm that. Whats worse, the update changed my RAID mode to AHCI, so I had to manually put that back on approx 10 devices, that ran into BSOD. All of them. Almost brand new Latitudes 5320 and all behaved the same. You can see, if the update changed your RAID mode too.
I hate those idiotic updates. Burn in hell whoever came with the thought of "patch tuesday"
wackoinWaco - 2 years ago
Well as I see it, the best techs have left MS for greener pastures. Those FNG can't
do it right the first time. Job security.
"Skilled labor isn't cheap and cheap labor isn't skilled"
Computerdave911 - 2 years ago
I fixed by turning off secure boot in bios, then then update installed,
Turn back on secure boot in bios , FIXED>
noelprg4 - 1 year ago
the KB5012170 problems are also occurring recently on the Windows 11 2022 [22H2] update as well. see this Neowin page about KB5012170 on Win11 22H2:
https://www.neowin.net/news/microsoft-pushes-windows-11-22h2-secure-boot-dbx-update-thats-known-to-be-bug-ridden/