MicrosoftKB3172729MS16-100: Description of the security update for Secure Boot: August 9, 2016
MS16-100: Description of the security update for Secure Boot: August 9, 2016
Summary
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker installs an affected boot manager and bypasses Windows security features.
To learn more about the vulnerability, see Microsoft Security Bulletin MS16-100.
More Information
Important
- All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.
- If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
More Information
Known issues in this security update
- When you try to install this security update, you may receive an error message that resembles the following:
The update is not applicable to your computer
| Each Windows version requires a Servicing Stack Update (SSU). If you install updates by using Windows Update, Windows Server Update Services (WSUS), or the Microsoft Update Catalog, an SSU is automatically installed as part of the update. If you receive this error message, and if security update 3172729 is not already installed, you must install the corresponding SSU.OS Version | SSU KB # |
|---|---|
| Windows Server 2016 TP5 | 3173423 |
| Windows Server 2012 | 3173426 |
| Windows 10 Version 1511 | 3173428 |
| Windows 10 | 3173427 |
| Windows 8.1 or Windows Server 2012 R2 | 3173424 |
- If you are running Windows 10 Version 1607 (Anniversary Edition), the Hyper-V firmware will already have the TP5 boot manager blacklisted.
For example, when you set up Hyper-V on a Windows 10 Version 1607-based system, if you then create a Windows Server 2016 TP5-based virtual machine (VM), the VM does not start.
To resolve this issue, follow these steps:
1. Open the Hyper-V Manager, right-click the VM, and then select **Settings**.
2. In the navigation pane, select **Security**.
3. In the details pane, select **Microsoft UEFI Certificate Authority** in the**Template** list.
4. In the details pane, click to clear the **Enable Secure Boot** check box, and then click**OK**.
After you have installed TP5 on the VM and installed security update 3172729, re-enable secure boot. To do this, follow these steps:
1. Open the Hyper-V Manager, right-click the VM, and then select Settings.
2. In the navigation pane, select Security.
3. In the details pane, click to select the Enable Secure Boot check box.
4. In the details pane, select Microsoft Windows in the Template list, and then click OK.
How to obtain and install the update
Method 1: Windows Update
This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see
Get security updates automatically.
Note For Windows RT 8.1, this update is available through Windows Update only.
Method 2: Microsoft Update Catalog
To get the stand-alone package for this update, go to the Microsoft Update Catalog website.
Method 3: Microsoft Download Center
For Windows 8.1, Windows Server 2012 R2 and Windows Server 2012, you can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.
Click the download link in Microsoft Security Bulletin MS16-100 that corresponds to the version of Windows that you are running.
More Information
How to obtain help and support for this security update
Help for installing updates: Support for Microsoft Update
Security solutions for IT professionals: TechNet Security Troubleshooting and Support
Help for protecting your Windows-based computer from viruses and malware: Virus Solution and Security Center
Local support according to your country: International Support
File Information
__
File hash information
| File name | SHA1 hash | SHA256 hash |
|---|---|---|
| Windows10.0-KB3172729-v2-x64.msu (Windows Server 2016 TP5) | 19975CEF3C9B73FD9C09EB497364D9E8AF2384FE | AC7443BFD844837B3C715793B7726F12734A76F8BB2EABD9F356981639C93398 |
| Windows10.0-KB3172729-x64.msu (Windows 10 Version 1511) | 18DF742FAD6BEBC01E617C2D4F92E0D325E5138F | F5B55D436056A905E755984D457BAC67295AD3E11531A6C33F3812CFB63CE010 |
| Windows10.0-KB3172729-x86.msu (Windows 10 Version 1511) | 877795F675546BF16621464230D024863F9E512E | 6FEF8B54487B61676A6825BB2E68ED865DA81C8C108ABD93991D0FCCA722297A |
| Windows10.0-KB3172729-x64.msu | 3721C0D77731CA564387070698812DD496810BD8 | A4FE15534B7DD88DF4ADC73D68943EA340AF79EE79DD57360A19FC3D1F1CBD7C |
| Windows10.0-KB3172729-x86.msu | 2CCD3AF51D198B548C849226F66C81174303AAA3 | D05A11100EC2EA00F50140E3B0BFD08B48C364E5D381F23096CE8C661652096D |
| Windows8-RT-KB3172729-x64.msu | 69CAB4C7785B1FAA3FC450F32BED4873D53BB96F | 349D5602181E776DBF7FDADBAE9543181C53690FC1D1BDD891266E3A57F246D1 |
| Windows8.1-KB3172729-x86.msu | ACB9DD33C1657AC9189158C1176E91540BA60CA3 | C7EA1C520FCCADE22FF0610DA99BFC5A5F9FF2B4F7AB861D2786AF0683436BE5 |
| Windows8.1-KB3172729-x64.msu | E8003822A7EF4705CBB65623B72FD3CEC73FE222 | D0FF89261A961F4C86D10BF5FCFAEAD9C3488DAB065C2C7338649B52A82112AB |
__
File information
| The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.Windows Server 2016 TP5For all supported x64-based versionsFile name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Boot.stl | Not applicable | 4,846 | 15-Jul-2016 | 00:54 | Not applicable |
| Bootmgfw.efi | 10.0.14368.1000 | 1,183,584 | 15-Jul-2016 | 00:54 | Not applicable |
| Bootmgr.efi | 10.0.14300.1050 | 1,164,776 | 15-Jul-2016 | 04:24 | Not applicable |
| Bootmgfw.efi | 10.0.14368.1000 | 1,183,584 | 15-Jul-2016 | 00:54 | Not applicable |
| Dbupdate.bin | Not applicable | 3 | 30-May-2016 | 00:49 | Not applicable |
| Dbxupdate.bin | Not applicable | 7,085 | 02-Jul-2016 | 03:09 | Not applicable |
| Abortpxe.com | Not applicable | 79 | 31-May-2016 | 04:48 | Not applicable |
| Bootmgr.exe | 10.0.14300.1050 | 671,720 | 15-Jul-2016 | 04:17 | x86 |
| Hdlscom1.com | Not applicable | 25,662 | 31-May-2016 | 04:48 | Not applicable |
| Hdlscom1.n12 | Not applicable | 25,646 | 31-May-2016 | 04:48 | Not applicable |
| Hdlscom2.com | Not applicable | 25,662 | 31-May-2016 | 04:48 | Not applicable |
| Hdlscom2.n12 | Not applicable | 25,646 | 31-May-2016 | 04:48 | Not applicable |
| Pxeboot.com | Not applicable | 25,358 | 31-May-2016 | 04:48 | Not applicable |
| Pxeboot.n12 | Not applicable | 25,358 | 31-May-2016 | 04:48 | Not applicable |
| Wdsnbp.com | Not applicable | 30,832 | 31-May-2016 | 04:48 | Not applicable |
| Abortpxe.com | Not applicable | 79 | 31-May-2016 | 04:48 | Not applicable |
| Bootmgfw.efi | 10.0.14368.1000 | 991,584 | 15-Jul-2016 | 00:58 | Not applicable |
| Bootmgr.exe | 10.0.14300.1050 | 671,720 | 15-Jul-2016 | 04:17 | x86 |
| Hdlscom1.com | Not applicable | 25,662 | 31-May-2016 | 04:48 | Not applicable |
| Hdlscom1.n12 | Not applicable | 25,646 | 31-May-2016 | 04:48 | Not applicable |
| Hdlscom2.com | Not applicable | 25,662 | 31-May-2016 | 04:48 | Not applicable |
| Hdlscom2.n12 | Not applicable | 25,646 | 31-May-2016 | 04:48 | Not applicable |
| Pxeboot.com | Not applicable | 25,358 | 31-May-2016 | 04:48 | Not applicable |
| Pxeboot.n12 | Not applicable | 25,358 | 31-May-2016 | 04:48 | Not applicable |
| Wdsnbp.com | Not applicable | 30,832 | 31-May-2016 | 04:48 | Not applicable |
| Windows 10 Version 1511 file informationFor all supported x64-based versionsFile name | File version | File size | Date | Time | Platform |
| — | — | — | — | — | — |
| Dbupdate.bin | Not applicable | 3 | 31-Mar-2015 | 01:31 | Not applicable |
| Dbxupdate.bin | Not applicable | 7,085 | 13-Jul-2016 | 01:17 | Not applicable |
| For all supported x86-based versionsFile name | File version | File size | Date | Time | Platform |
| — | — | — | — | — | — |
| Dbupdate.bin | Not applicable | 3 | 31-Mar-2015 | 01:16 | Not applicable |
| Dbxupdate.bin | Not applicable | 7,085 | 13-Jul-2016 | 01:23 | Not applicable |
| Windows 10 file informationFor all supported x64-based versionsFile name | File version | File size | Date | Time | Platform |
| — | — | — | — | — | — |
| Dbupdate.bin | Not applicable | 3 | 18-Jun-2015 | 01:16 | Not applicable |
| Dbxupdate.bin | Not applicable | 7,085 | 16-Jul-2016 | 01:53 | Not applicable |
| For all supported x86-based versionsFile name | File version | File size | Date | Time | Platform |
| — | — | — | — | — | — |
| Dbupdate.bin | Not applicable | 3 | 27-Mar-2015 | 21:47 | Not applicable |
| Dbxupdate.bin | Not applicable | 7,085 | 16-Jul-2016 | 01:50 | Not applicable |
| Windows Server 2012 file informationNotes |
-
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
Version| Product| Milestone| Service branch
—|—|—|—
6.2.920 0.17xxx| Windows 8, Windows RT, or Windows Server 2012| RTM| GDR
6.2.920 0.21xxx| Windows 8, Windows RT, or Windows Server 2012| RTM| LDR -
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
-
The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.
For all supported x64-based versionsFile name| File version| File size| Date| Time| Platform
—|—|—|—|—|—
Dbupdate.bin| Not applicable| 3| 02-Jun-2012| 14:53| Not applicable
Dbxupdate.bin| Not applicable| 7,085| 09-Jul-2016| 01:13| Not applicable
Tpmtasks.dll| 6.2.9200.21926| 94,208| 12-Jul-2016| 15:57| x64
Windows 8.1 and Windows Server 2012 R2 file informationNotes -
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Version| Product| Milestone| Service branch
—|—|—|—
6.3.960 0.16xxx| Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2| RTM| GDR
6.3.960 0.17xxx| Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2| RTM| GDR
6.3.960 0.18xxx| Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2| RTM| GDR -
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
-
The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.
For all supported x86-based versionsFile name| File version| File size| Date| Time| Platform
—|—|—|—|—|—
Dbupdate.bin| Not applicable| 3| 18-Jun-2013| 13:05| Not applicable
Dbxupdate.bin| Not applicable| 7,085| 08-Jul-2016| 13:35| Not applicable
Tpmtasks.dll| 6.3.9600.18408| 147,456| 12-Jul-2016| 14:04| x86
For all supported x64-based versionsFile name| File version| File size| Date| Time| Platform
—|—|—|—|—|—
Dbupdate.bin| Not applicable| 3| 18-Jun-2013| 15:29| Not applicable
Dbxupdate.bin| Not applicable| 7,085| 08-Jul-2016| 13:36| Not applicable
Tpmtasks.dll| 6.3.9600.18408| 175,616| 12-Jul-2016| 14:08| x64
Related
