KB4535680: Security update for Secure Boot DBX: January 12, 2021
Source: Microsoft (support.microsoft.com)
Published: Feb 11, 2020 - 8:00 a.m.
CVSS2: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: LOCAL; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: HIGH; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 6.9 (Confidence: High)
EPSS: 0 (Percentile: 9.5%)

KB4535680: Security update for Secure Boot DBX: January 12, 2021

IMPORTANT This article is superseded by KB5012170: Security update for Secure Boot DBX.

Applies to

This security update applies only to the following Windows versions:

  • Windows Server 2012 x64-bit
  • Windows Server 2012 R2 x64-bit
  • Windows 8.1 x64-bit
  • Windows Server 2016 x64-bit
  • Windows Server 2019 x64-bit
  • Windows 10, version 1607 x64-bit
  • Windows 10, version 1803 x64-bit
  • Windows 10, version 1809 x64-bit
  • Windows 10, version 1909 x64-bit

Summary

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:

  • Windows devices that have Unified Extensible Firmware Interface (UEFI)-based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) is the revocation list that the firmware checks before it executes a UEFI module: a module whose hash or signing certificate is listed in the DBX is refused even if its signature would otherwise verify against the allowed signature database (DB). This update adds entries for known vulnerable modules to the DBX.

A security feature bypass vulnerability exists in Secure Boot. An attacker who successfully exploited the vulnerability might bypass Secure Boot and load untrusted software.

This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX. Because the DBX is a firmware variable, the change lives in NVRAM independently of the Windows installation and is not reverted by uninstalling the update.
To learn more about this security vulnerability, see CVE-2020-0689 | Microsoft Secure Boot Security Feature Bypass Vulnerability.
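As an added illustration of what the DBX actually holds (example code written for this page, not code from the Microsoft article or from the update package): the variable is a concatenation of EFI_SIGNATURE_LIST structures, each made of a signature-type GUID, three UINT32 sizes, an optional header and then fixed-size EFI_SIGNATURE_DATA entries. The script below parses that layout from either the live variable (Get-SecureBootUEFI, elevated prompt) or a raw Dbxupdate.bin extracted from the .msu, summarises the entry types, and checks whether a given SHA-256 entry is present. The file path, the function names and the assumption that the .bin is wrapped in an EFI_VARIABLE_AUTHENTICATION_2 header are the author's assumptions, not something the article states.

```powershell
# Added example for this page; not code from the Microsoft article or the update package.
# Parses a UEFI Secure Boot DBX (forbidden signature database) as a sequence of
# EFI_SIGNATURE_LIST structures, from the live variable or from a raw .bin file.
# The GUIDs are the standard EFI_CERT_* signature-type GUIDs from the UEFI specification.
# Requires PowerShell 5.0+ for [guid]::new().

$script:SigTypes = @{
    'c1c41626-504c-4092-aca9-41f936934328' = 'EFI_CERT_SHA256'       # SHA-256 Authenticode hash of a PE image
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'EFI_CERT_X509'         # DER-encoded certificate
    '3bd2a492-96c0-4079-b420-fcf98ef103ed' = 'EFI_CERT_X509_SHA256'  # SHA-256 of a certificate's TBS data
}

function Read-Guid([byte[]]$Bytes, [int]$Offset) {
    # EFI_GUID has the same little-endian field layout as System.Guid(byte[]).
    [guid]::new([byte[]]($Bytes[$Offset..($Offset + 15)])).ToString()
}

function Get-EfiSignatureLists {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 28) { throw 'Input is too short to hold an EFI_SIGNATURE_LIST' }
    $offset = 0
    # Assumption: a Dbxupdate.bin from the package is wrapped in an EFI_VARIABLE_AUTHENTICATION_2
    # header (16-byte EFI_TIME, then a WIN_CERTIFICATE_UEFI_GUID whose dwLength at offset 16
    # covers the whole certificate structure). The live variable has no such header, so the
    # wrapper is detected by checking whether the first 16 bytes are a known signature-type GUID.
    if (-not $script:SigTypes.ContainsKey((Read-Guid $Bytes 0))) {
        $offset = [int](16 + [BitConverter]::ToUInt32($Bytes, 16))
    }

    while ($offset + 28 -le $Bytes.Length) {
        $type       = Read-Guid $Bytes $offset
        $typeName   = if ($script:SigTypes.ContainsKey($type)) { $script:SigTypes[$type] } else { $type }
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset (ListSize=$listSize, SignatureSize=$sigSize)"
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then SignatureSize-16 bytes of data.
            $data = $Bytes[($pos + 16)..($pos + $sigSize - 1)]
            [pscustomobject]@{
                Type  = $typeName
                Owner = (Read-Guid $Bytes $pos)
                Hex   = [BitConverter]::ToString([byte[]]$data).Replace('-', '').ToLowerInvariant()
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Test-DbxContainsHash {
    # DBX hashes are Authenticode hashes of the PE image, not Get-FileHash of the file on disk.
    param([Parameter(Mandatory)][byte[]]$Bytes, [Parameter(Mandatory)][string]$Sha256Hex)
    $needle = $Sha256Hex.ToLowerInvariant()
    [bool](Get-EfiSignatureLists -Bytes $Bytes | Where-Object { $_.Type -eq 'EFI_CERT_SHA256' -and $_.Hex -eq $needle })
}

# Live system (elevated prompt, UEFI firmware with Secure Boot): summarise what the DBX holds.
$dbx = (Get-SecureBootUEFI -Name dbx).Bytes
Get-EfiSignatureLists -Bytes $dbx | Group-Object Type | Select-Object Name, Count

# Offline: the raw file extracted from the .msu (the path is an assumption).
# Get-EfiSignatureLists -Bytes ([IO.File]::ReadAllBytes('C:\extracted\Dbxupdate.bin')) | Measure-Object
```

Running the summary before and after installing the update is the practical way to confirm that the DBX grew; comparing a hash from the list against Get-FileHash of a .efi file will not match, because the firmware hashes the PE image the Authenticode way, skipping the checksum and certificate-table fields.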

Known issues

Issue: Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.
Workaround: Contact your firmware OEM.

Issue: If the BitLocker Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy, the BitLocker recovery key may be required on some devices where PCR7 binding is not possible. To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.
Workaround: Before you deploy this update, do one of the following, depending on the Credential Guard configuration:
  • On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for one restart cycle:

        Manage-bde -Protectors -Disable C: -RebootCount 1

    Then restart the device to resume BitLocker protection.
    Note Do not enable BitLocker protection without additionally restarting the device, because that would result in BitLocker recovery.
  • On a device that has Credential Guard enabled, there may be multiple restarts during the update that require BitLocker to be suspended. Run the following command from an Administrator command prompt to suspend BitLocker for three restart cycles:

        Manage-bde -Protectors -Disable C: -RebootCount 3

    This update is expected to restart the system two times. Restart the device once more to resume BitLocker protection.
    Note Do not enable BitLocker protection without additionally restarting, because that would result in BitLocker recovery.

Issue: You might enter BitLocker recovery if conflicting BitLocker Group Policy settings are configured after BitLocker has been enabled in the environment. BitLocker recovery can be triggered by any of the following Group Policy settings:
  • Forcing an explicit configuration of PCR bindings that differs from what BitLocker has already chosen.
  • Configuring the "Allow Secure Boot for integrity validation" policy to disallow Secure Boot for integrity validation while BitLocker is already using Secure Boot (PCR7).
  • Configuring the "Require additional authentication during startup" policy after BitLocker has already been configured.
Workaround: If this update has already been applied and the device hasn't restarted, suspend BitLocker and restart after following these steps:
  • If an explicit PCR configuration has been set through Group Policy, or a policy is configured to disallow using Secure Boot for integrity validation, suspend and resume BitLocker to clear the Group Policy conflicts.
  • If the "Require additional authentication during startup" policy is configured to require TPM and PIN, run the following command from an Administrator command prompt and enter the desired PIN:

        manage-bde -protectors -add c: -TPMAndPin

  • If the policy is configured to require a startup key, run the following command to create the startup key:

        manage-bde -protectors -add c: -TPMAndStartupKey <path to external key directory>

  • If the policy is configured to require a startup key and a PIN, run the following command from an Administrator command prompt to create the PIN and startup key. When prompted, enter the desired PIN:

        manage-bde -protectors -add c: -TPMAndPinAndStartupKey <path to external key directory>

Issue: This update might not install on devices with an unsigned, non-Microsoft bootx64.efi boot manager file. The update might be offered and re-offered through Windows Update but not install. When you try to install it manually, you might receive the error "Some updates were not installed" listing KB4535680. You can also check the CBS log file in %systemroot%\logs\cbs for the following error:

        onecore\base\secureboot\servicing\advancedinstaller\securebootai.cpp(277): Error TRUST_E_NOSIGNATURE originated in function Windows::WCP::SecureBoot::BasicInstaller::Install expression: ApplySecureBootUpdate( dwAvailableUpdates)

Workaround: We are working on a resolution and estimate a solution will be available for Windows 10, version 1909, Windows 10, version 2004 and Windows 10, version 20H2 in late March. The remaining supported versions of Windows are estimated to have a solution available in mid-April. For additional guidance before the release of the resolution, contact your device manufacturer (OEM).
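The checks and commands from the table above, collected into one pre-deployment script (added example written for this page, not Microsoft's code): it reads the PCR7 binding state the way the article suggests (Msinfo32, here via its /report output), detects Credential Guard through the Win32_DeviceGuard CIM class, checks the boot manager's Authenticode signature for the TRUST_E_NOSIGNATURE case, and suspends BitLocker for one or three restarts with Suspend-BitLocker, the PowerShell equivalent of the manage-bde -Protectors -Disable commands shown. The Add-BitLockerKeyProtector calls mirror the post-update manage-bde -protectors -add commands. The OS volume C:, the S: letter used to mount the EFI System Partition, the report path and the function names are assumptions.

```powershell
# Added example for this page; not code from the Microsoft article. Run from an elevated
# PowerShell prompt on the device. Assumes the OS volume is C: and that S: is free for
# mounting the EFI System Partition (both assumptions, not stated by the article).

function Get-Pcr7BindingStatus {
    # msinfo32 /report writes the same "PCR7 Configuration" line the GUI shows
    # (Bound, Binding Possible, or Binding Not Possible). Report path is an assumption.
    $report = Join-Path $env:TEMP 'msinfo32-report.txt'
    Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
    $line = Get-Content -Path $report | Where-Object { $_ -match 'PCR7 Configuration' } | Select-Object -First 1
    Remove-Item -Path $report -ErrorAction SilentlyContinue
    if ($line -and $line -match 'PCR7 Configuration\s+(.+)$') { return $Matches[1].Trim() }
    return 'Unknown'
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and (@($dg.SecurityServicesRunning) -contains 1))
}

function Test-BootManagerSigned {
    # The update fails with TRUST_E_NOSIGNATURE on an unsigned non-Microsoft bootx64.efi,
    # so inspect the boot manager's Authenticode signature before deploying.
    param([string]$EspLetter = 'S:')
    & mountvol.exe $EspLetter /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$EspLetter\EFI\Boot\bootx64.efi"
        [pscustomobject]@{ Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    } finally {
        & mountvol.exe $EspLetter /D | Out-Null
    }
}

function Suspend-BitLockerForDbxUpdate {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker protection on $MountPoint is $($vol.ProtectionStatus); nothing to suspend."
        return
    }
    $pcr7 = Get-Pcr7BindingStatus
    Write-Host "PCR7 configuration: $pcr7"
    if ($pcr7 -like 'Binding Not Possible*') {
        Write-Warning "PCR7 binding is not possible on this device; keep the recovery key for $MountPoint at hand."
    }
    # Per the article: one restart without Credential Guard, three with it (the update
    # restarts twice, then one more restart resumes protection). Calling Resume-BitLocker
    # before that final restart forces recovery, so the suspension is left to expire.
    $reboots = if (Test-CredentialGuardRunning) { 3 } else { 1 }
    Write-Host "Suspending BitLocker on $MountPoint for $reboots restart(s)"
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $reboots | Out-Null
}

function Add-PolicyRequiredProtector {
    # Post-update step from the table: re-add the protector that the "Require additional
    # authentication" policy demands before protection resumes.
    param(
        [Parameter(Mandatory)][ValidateSet('TpmAndPin', 'TpmAndStartupKey', 'TpmAndPinAndStartupKey')][string]$Mode,
        [string]$MountPoint = 'C:',
        [string]$StartupKeyPath      # root of the removable drive that receives the startup key
    )
    switch ($Mode) {
        'TpmAndPin' {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'New PIN')
        }
        'TpmAndStartupKey' {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndStartupKeyProtector -StartupKeyPath $StartupKeyPath
        }
        'TpmAndPinAndStartupKey' {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinAndStartupKeyProtector -StartupKeyPath $StartupKeyPath -Pin (Read-Host -AsSecureString 'New PIN')
        }
    }
}

Test-BootManagerSigned
Suspend-BitLockerForDbxUpdate
```

A Status of NotSigned from Test-BootManagerSigned means the device falls under the last known issue and the update will not apply until the OEM provides a signed boot manager; deploying it anyway only produces the repeated offer-and-fail cycle the article describes.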

How to get this update

Method 1: Windows Update

This update is available through Windows Update. It will be downloaded and installed automatically.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Windows Server Update Services

This update is also available through Windows Server Update Services (WSUS).

Prerequisites

Make sure you have the latest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see ADV990001 | Latest Servicing Stack Updates.

Restart information

Your device does not have to restart when you apply this update. If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device will restart two times.

Update replacement information

This update does not replace any previously released update.

File information

Windows 10, version 1909

File hash information

File name                        SHA1 hash                                  SHA256 hash
Windows10.0-KB4535680-x64.msu    66C7276B01FC94651BF0D63C969D42A8D229233D   F842005F83043E8C322E1CA5A01C5AAC7DC8EB0C316B3918750CEEC5A611DC9F

For all supported x64-based versions

The English (United States) version of this software update installs files that have the attributes that are listed in the following table.

File name        File size   Date          Time
Dbupdate.bin     46          23-Sep-2019   23:13
Dbxupdate.bin    1,368       23-Sep-2019   23:13
Dbupdate.bin     46          23-Sep-2019   23:13
Dbxupdate.bin    2,840       23-Sep-2019   23:13
Tpmtasks.dll     3,339       23-Sep-2019   23:13
Tpmtasks.dll     2,892       23-Sep-2019   23:13

Windows 10, version 1809 and Windows Server 2019

File hash information

File name                        SHA1 hash                                  SHA256 hash
Windows10.0-KB4535680-x64.msu    4A6F51365ED7F4C9AD34986AA2F61005AF267E24   E0E06F57EAFAF0A565B7F03B71FC9D9001F35A1D74950ACA33F5FA5417088372

For all supported x64-based versions

The English (United States) version of this software update installs files that have the attributes that are listed in the following table.

File name        File size   Date          Time
Dbupdate.bin     46          25-Sep-2019   01:14
Dbxupdate.bin    1,368       25-Sep-2019   01:14
Dbupdate.bin     46          25-Sep-2019   01:14
Dbxupdate.bin    2,840       25-Sep-2019   01:14
Tpmtasks.dll     1,998       25-Sep-2019   01:14
Tpmtasks.dll     1,568       25-Sep-2019   01:14

Windows 10, version 1803

File hash information

File name                        SHA1 hash                                  SHA256 hash
Windows10.0-KB4535680-x64.msu    24C59946A58755DD26DA81F248895D224066D5F7   0411EEE0DB7441921F2182F2FFE68BD23E2DC42AE18A1EF9A26700EBA77FA551

For all supported x64-based versions

The English (United States) version of this software update installs files that have the attributes that are listed in the following table.

File name        File version       File size   Date          Time
Dbupdate.bin     Not applicable     3           30-Oct-2017   01:01
Dbxupdate.bin    Not applicable     7,361       10-Sep-2019   01:21
Tpmtasks.dll     10.0.17134.1060    51,712      10-Sep-2019   03:55

Windows 10, version 1607 and Windows Server 2016

File hash information

File name                        SHA1 hash                                  SHA256 hash
Windows10.0-KB4535680-x64.msu    980ED67D1AAEEB5BB8A6B79E68438BD402865443   93CE5768F2A232C0458098AFCC229A52C819F29DEAA1C769A7D2F85F5BF059B4

For all supported x64-based versions

The English (United States) version of this software update installs files that have the attributes that are listed in the following table.

File name        File version       File size   Date          Time
Dbupdate.bin     Not applicable     2           03-Sep-2019   22:05
Dbxupdate.bin    Not applicable     7,361       12-Sep-2019   01:01
Tpmtasks.dll     10.0.14393.3001    44,032      16-Sep-2019   05:04

Windows 8.1 and Windows Server 2012 R2

File hash information

File name                        SHA1 hash                                  SHA256 hash
Windows8.1-KB4535680-x64.msu     1CD22F094D7465F7C88B958F0DFA9C7CB3304A44   EF6C57183BDE7B63C63527F1CE80F5AFE9C1C511CF90C75A78749113838B9990

For all supported x64-based versions

The English (United States) version of this software update installs files that have the attributes that are listed in the following table.

File name        File version       File size   Date          Time
Dbupdate.bin     Not applicable     2           25-Sep-2019   04:21
Dbxupdate.bin    Not applicable     7,361       25-Sep-2019   04:21
Tpmtasks.dll     6.3.9600.19501     176,128     25-Sep-2019   06:30

Windows Server 2012

File hash information

File name                        SHA1 hash                                  SHA256 hash
Windows8-RT-KB4535680-x64.msu    B33D60C3A01588048F7EFEA16C275F282C811F56   78AECFDC033EE4C16C49EE9A0B60D56991AFD621610453284D4E8BAC917C9111

For all supported x64-based versions

The English (United States) version of this software update installs files that have the attributes that are listed in the following table.

File name        File version       File size   Date          Time
Dbupdate.bin     Not applicable     2           20-Jun-2019   00:06
Dbxupdate.bin    Not applicable     7,361       10-Sep-2019   00:07
Tpmtasks.dll     6.2.9200.22884     95,232      25-Sep-2019   04:30

References

Learn about the terminology that Microsoft uses to describe software updates.
