The trials and tribulations of Microsoft’s KB5012170 patch

KB5012170 is several things to numerous Windows users. First, it is a patch that either installs with no issues or leads to a blue screen of death (BSOD). It can also be an indicator that we have a problem getting current drivers onto our devices. It can show how users don't keep up with BIOS updates. And it demonstrates that some OEMs enable BitLocker on the systems they sell (not always in a good way).

In short, it's a problematic patch that just keeps rearing its head.

Also known as "Security Update for Secure Boot DBX," KB5012170 was released earlier this year and makes improvements to the Secure Boot Forbidden Signature Database (DBX). Windows devices that have Unified Extensible Firmware Interface (UEFI)-based firmware have Secure Boot enabled. It ensures only trusted software can be loaded and executed during the boot process by using cryptographic signatures to validate the integrity of the system and of the software being loaded.

Secure Boot is typically used together with other security measures, such as trusted platform modules (TPMs) and bootloaders that support key management. It is intended to protect against malware and other kinds of unauthorized software that could compromise security.

Typically implemented in system firmware, Secure Boot can be configured to allow the loading of only trusted software signed with a trusted key; untrusted software is prevented from running.

That said, there is a security feature bypass in Secure Boot, and this patch specifically adds the signatures of known vulnerable UEFI modules to the DBX. The vulnerability is called "Hole in the boot" and could be used to bypass Secure Boot. (Note: for any attack to take place, the attacker would need admin privileges or physical access.)

This is where KB5012170 comes into the picture.

On business computers, government computers, or systems at risk of a targeted attack, this is the kind of patch you'd want installed. But on home computers or systems that are not managed or updated regularly with driver and firmware updates, it can do more harm than good. Reported side effects include BSODs and Error 0x800f0922, and unless you block the update it will attempt to install again. One user in a Reddit post noted he "needed to restart my computer and an update was pending restart to complete installation. I restarted and my computer failed to start. I got a BSOD with the error 0xc000021a." It appears this is happening on older computers with settings changed to disable driver enforcement.

At this point, for home users, the best thing to do is to use one of the tools highlighted at to block KB5012170 proactively. The benefits do not outweigh the risks.

There is a second side effect arising from this update. Workstations with BitLocker enabled could trigger a request for a BitLocker recovery key. This can be a problem for consumer and home users with devices that have BitLocker automatically enabled. If you do not know where your BitLocker recovery key is stored, you may have to reinstall Windows from scratch. (To determine whether you have BitLocker enabled, open File Explorer and right-click on your C drive. If you see the option to turn OFF BitLocker, make sure you know where your BitLocker recovery key is saved. If you set up your computer with a Microsoft account, it will be stored there. If you're unsure where your BitLocker recovery key is located, either reset it or disable BitLocker.)

For enterprise patchers, the side effects should be weighed against the risks of not installing KB5012170. I've not seen many business BSOD reports, though I have seen reports of systems demanding a BitLocker recovery key when deploying this update. As a result, before deploying it, review your systems to ensure that their firmware is up to date.

Historically in corporate settings, you installed firmware updates at deployment time and never reviewed them again. But with Windows 10 and Windows 11, you can no longer safely do that. Ensure that you have a process in place to inventory and assess firmware and to update it accordingly. Firmware should be reviewed at least once a year. Now that Microsoft has moved feature releases to an annual release cadence, use that schedule to include review and updating of firmware, video drivers, audio drivers and other key hardware drivers that interact with the system.
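As an added example (not code from the article or from Microsoft), the following PowerShell readiness check gathers the items the preceding paragraphs ask for before KB5012170 is deployed to a workstation: Secure Boot state, the current DBX size, whether the update is already installed, BitLocker protection and recovery-password protectors on the OS volume, and firmware age. It assumes an elevated prompt on Windows 10/11 with the built-in SecureBoot and BitLocker modules; the one-year firmware threshold is the article's recommendation, and the ReadyToDeploy rule is an assumption for illustration.

```powershell
# Added example: pre-deployment readiness check for KB5012170 on one machine.
# Run elevated; the resulting object can be collected fleet-wide via Invoke-Command.
function Get-Kb5012170Readiness {
    [CmdletBinding()]
    param()

    # 1. UEFI with Secure Boot on? Confirm-SecureBootUEFI throws on legacy
    #    BIOS machines, where a DBX update does not apply at all.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $null }

    # 2. Current DBX size. The forbidden-signature list grows once KB5012170
    #    lands, so a smaller value than its peers flags a machine it never reached.
    $dbxBytes = if ($null -ne $secureBoot) { (Get-SecureBootUEFI -Name dbx).Bytes.Length } else { 0 }

    # 3. Already installed?
    $kbInstalled = [bool](Get-HotFix -Id 'KB5012170' -ErrorAction SilentlyContinue)

    # 4. BitLocker on the OS volume, and whether a recovery-password protector
    #    exists. Protection on with no recovery protector means a forced recovery
    #    prompt after the update could lock the user out.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $protected = [bool]($vol -and $vol.ProtectionStatus -eq 'On')
    $recoveryProtectors = @($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword').Count

    # 5. Firmware age in days; the article suggests reviewing firmware yearly.
    $bios = Get-CimInstance Win32_BIOS
    $firmwareAgeDays = if ($bios.ReleaseDate) { ((Get-Date) - $bios.ReleaseDate).Days } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SecureBootEnabled  = $secureBoot
        DbxBytes           = $dbxBytes
        KB5012170Installed = $kbInstalled
        BitLockerOn        = $protected
        RecoveryProtectors = $recoveryProtectors
        FirmwareVersion    = $bios.SMBIOSBIOSVersion
        FirmwareAgeDays    = $firmwareAgeDays
        # Assumed rule: Secure Boot on, firmware under a year old, and either
        # no BitLocker or at least one recovery password protector on record.
        ReadyToDeploy      = ($secureBoot -eq $true) -and
                             ($null -ne $firmwareAgeDays -and $firmwareAgeDays -lt 365) -and
                             ((-not $protected) -or ($recoveryProtectors -gt 0))
    }
}

Get-Kb5012170Readiness | Format-List
```

Machines that report BitLockerOn with zero RecoveryProtectors should have a recovery password added and escrowed (for example with Backup-BitLockerKeyProtector to AD DS) before the update is approved for them.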

Since KB5012170 (or something like it) will likely pop up again, ensure your system is prepared for it by either proactively blocking it or keeping your firmware and drivers up to date. That is the best way to avoid problems down the road.

Copyright © 2022 IDG Communications, Inc.