Windows 10: KB5012170 Secure Boothole is already installed.

Discussion in 'Windows 10 Installation and Upgrade' started by marshan32, Apr 3, 2023.

  1. marshan32 Win User

    KB5012170 Secure Boothole is already installed.


    A few months back, KB5012170 was released to fix a vulnerability in Windows Security Feature Bypass in Secure Boot BootHole. We've installed this fix KB via SCCM and PowerShell and confirmed that it is actually installed. However, Tenable is still detecting that the device is vulnerable as it sees the KB is "missing". We have tried to remove and re-install it but the Tenable scan result is still the same. Any suggestion on how to properly install this fix KB?

    :)
     
    marshan32, Apr 3, 2023
    #1
  2. z080236 Win User

    Windows Boothole vulnerability - how to verify if it is fixed

    Boothole vulnerability

    BootHole vulnerability in Secure Boot affecting Linux and Windows


    Windows has recently released a patch for the boothole vulnerability

    https://support.microsoft.com/en-us/...7-d0c32ead81e2


    Based on the https://msrc.microsoft.com/update-gu.../CVE-2020-0689

    For Windows Server 2016
    I installed the update based on this:
    1. Servicing Stack Update KB4576750
    2. Standalone Secure Boot Update Listed in this CVE KB4535680
    3. Jan 2021 Security Update KB4598243


    Based on https://msrc.microsoft.com/update-gu...lity/ADV200011
    I just run this command to verify?

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011'
     
    z080236, Apr 3, 2023
    #2
  3. Blue O Win User
    KB5012170: Security update for Secure Boot DBX: August 9, 2022 - Install error - 0x800f0922

    I've been fighting the same issues all day. KB5012170 fails to install with error 0x800f0922. Looking through C:\Windows\Logs\CBS\CBS.log reveals errors pointing to BitLocker (which is a red herring) and Secure Boot (the real culprit).

    I finally got it to install successfully as follows:

    1. Open a cmd.exe or powershell.exe window running as Administrator

    2. dism.exe /online /cleanup-image /restorehealth

    3. sfc /scannow

    4. Reboot

    5. Manually download the MSU appropriate for your Windows version directly from the Microsoft Update Catalog here: Microsoft Update Catalog

    6. Double click the MSU file to install

    This still didn't work for me, but it did clean up the CBS store and allowed me to successfully install the August 2022 Cumulative Update. However, manually installing KB5012170 still failed with the same error as Windows Update in Settings: 0x800f0922

    Next, I also performed these additional steps:

    7. Reboot into UEFI BIOS

    8. Enabled Secure Boot (it was disabled in my case) => Note: This alone didn't work for me. I also needed to do the next step.

    9. Clear Secure Boot keys (i.e. reset the Secure Boot keys to default factory settings)

    10. Save and exit UEFI BIOS

    After this, I repeated Steps 1-6 above and the KB5012170 MSU package successfully installed.

    Not sure if this will work for everyone, but since KB5012170 updates the Secure Boot Forbidden Signature Database (DBX) in UEFI, clearing the old and potentially stale boot keys and resetting to factory defaults allowed the update to install required changes to DBX.

    Motherboard: Asrock Z87 Extreme6/ac
     
    Blue O, Apr 3, 2023
    #3
  4. grooner Win User

    KB5012170 Secure Boothole is already installed.

    KB5012170: Security update for Secure Boot DBX: August 9, 2022 - Install error - 0x800f0922

    It's temporarily disabling Secure Boot that's allowed me - and others - to install the update.

    Loading default factory keys is an important step in allowing Secure Boot to be Enabled.

    I'm not sure I would reset them after enabling Secure Boot or understand that doing this removes "old and potentially stale boot keys" - there can either be the factory default keys needed for Windows or custom keys.

    Also the DBX seems to be a forbidden signatures database - something different from the keys.

    Secure Boot key settings should be changed with care as doing it the wrong way leads to boot loops on some systems.
     
    grooner, Apr 3, 2023
    #4
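
Posts #2 through #4 turn on the difference between the allowed-signature database (db) and the forbidden-signature database (DBX) that KB5012170 updates. The following is an added example, not code from any poster or from Microsoft: it parses either variable using the EFI_SIGNATURE_LIST layout from the UEFI specification, so the DBX contents can be inspected directly next to the hotfix record. The function name and the sample bytes are constructed for illustration.

```powershell
# Added example. Parses UEFI EFI_SIGNATURE_LIST data (the layout of db and dbx).
function ConvertFrom-EfiSignatureList {   # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sha256 = [Guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $x509   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # List header: type GUID (16) + list size, header size, signature size (4 each)
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $end      = $offset + $listSize
        if ($listSize -lt 28 -or $sigSize -le 16 -or $end -gt $Bytes.Length) {
            throw "Malformed signature list at offset $offset"
        }
        # Each entry: owner GUID (16 bytes) followed by the hash or DER certificate
        for ($p = $offset + 28 + $hdrSize; $p + $sigSize -le $end; $p += $sigSize) {
            $data = [byte[]]$Bytes[($p + 16)..($p + $sigSize - 1)]
            if ($type -eq $sha256) {
                $kind = 'SHA256'; $value = [BitConverter]::ToString($data).Replace('-', '')
            } elseif ($type -eq $x509) {
                $kind = 'X509'
                $value = [Security.Cryptography.X509Certificates.X509Certificate2]::new($data).Subject
            } else {
                $kind = $type.ToString(); $value = "$($data.Length) bytes"
            }
            [pscustomobject]@{ Kind = $kind; Value = $value }
        }
        $offset = $end
    }
}

# Constructed sample: one SHA-256 list (76 bytes) holding a single all-0xAB "hash"
$sample = [byte[]](([Guid]'c1c41626-504c-4092-aca9-41f936934328').ToByteArray() +
    [BitConverter]::GetBytes([uint32]76) + [BitConverter]::GetBytes([uint32]0) +
    [BitConverter]::GetBytes([uint32]48) + [Guid]::Empty.ToByteArray() + (,[byte]0xAB * 32))
ConvertFrom-EfiSignatureList $sample

# On the machine under test (elevated PowerShell, UEFI firmware):
Confirm-SecureBootUEFI                                   # Secure Boot state
ConvertFrom-EfiSignatureList (Get-SecureBootUEFI -Name dbx).Bytes | Group-Object Kind
ConvertFrom-EfiSignatureList (Get-SecureBootUEFI -Name db).Bytes | Where-Object Kind -eq 'X509'
Get-HotFix -Id KB5012170 -ErrorAction SilentlyContinue   # what the OS records as installed
```

Comparing the DBX entry counts between a machine the scanner flags and one it does not shows whether the firmware database itself differs, independent of the installed-updates list.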