HP Recommended
HP Z8 G4 RCTO Base Model Workstation
Microsoft Windows 10 (64-bit)

Yesterday, Microsoft issued KB5012170: Security update for Secure Boot DBX, in Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware, for several versions of Windows.
URL: https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-202...

 

This security update addresses a vulnerability by adding the signatures of the known vulnerable UEFI modules to the Secure Boot Forbidden Signature Database (DBX).

 

Among Known issues with this update, Microsoft stated:

 

Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.
To resolve this issue, contact your firmware OEM.

 

So, does HP recommend installing this Security update in modern HP Z-workstations running UEFI firmware with Windows 8.1, 10, 11?

Please advise.

6 REPLIES
HP Recommended

please reread what you wrote

 

Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.
To resolve this issue, contact your firmware OEM.

 

Microsoft is "NOT" asking you to contact your OEM first,

they are saying to contact the OEM if you have an issue with installing this update

so if the update installs, then HP obviously is not doing anything that prevents it from installing...

 

HP Recommended

Microsoft seems to be aware of possible issues with this 'Secure Boot' update, that may conflict with some OEM firmware.

 

However, Microsoft provides no hints as to what type of OEM firmware settings might be responsible, and how they should possibly be modified to avoid such issues.

[Microsoft refers to other aspects of this update and provides some workaround for them; I checked those and they are OK; yet Microsoft leaves us in mystery as to the main issue with OEM firmware in general.]

 

That's why I am turning to knowledgeable sources associated with the OEM of my workstation, i.e. this HP Forum, looking for some advice, as a preventive action.

 

Otherwise, 'Secure Boot' might inadvertently turn into 'No Boot'.

HP Recommended
HP Recommended

To Noelpg21,

 

Thanks for bringing these reports to my attention.

 

It is worth noting that Microsoft now says you can fix this error by checking for updated UEFI firmware from your device manufacturer.

 

This may mean that existing UEFI firmware versions may still be vulnerable to ill-effects of the 'offending' Microsoft update KB5012170.

 

Now, look at the timeline:

 

Microsoft update KB5012170 was issued on August 9, 2022;

 

The latest UEFI firmware for my Z8 G4 workstation, HP Z6/Z8-G4 Workstation System BIOS version 02.82 Rev.A, was issued by HP on April 27, 2022.

 

I mean, the MS update was published when the latest UEFI firmware had already been available to customers of (OEM) device manufacturers.

 

So, does Microsoft expect (OEM) device manufacturers to hurry up and publish new updated firmware for their devices just to help avoid damage due to MS KB5012170 update?

 

HP Recommended

the bulletin for this specific KB plainly states that if your system is incompatible, this KB will fail to install

AND THEN CONTACT YOUR OEM to see if a UEFI/BIOS update is necessary

BitLocker issues with various MS updates have been around for years, nothing new here.

you should always disable BitLocker when doing any security update that modifies this feature
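
The checks discussed in this thread (Secure Boot state, firmware version, BitLocker status, whether KB5012170 is present) can be collected in one read-only pass; this is an added example, not part of any poster's reply and not HP or Microsoft code. It assumes an elevated Windows PowerShell session on a UEFI system with the BitLocker module available; the function name `Get-DbxSummary` is hypothetical.

```powershell
# Added example: read-only pre-install check for a Secure Boot DBX update (KB5012170).
# Assumes an elevated session on a UEFI system; nothing here modifies firmware or BitLocker.
#Requires -RunAsAdministrator

# Type GUID for SHA-256 hash entries in an EFI signature list (UEFI specification).
$Sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-DbxSummary {   # hypothetical helper name
    param([byte[]]$Bytes)
    # The dbx variable is a sequence of EFI_SIGNATURE_LIST structures:
    # 16-byte type GUID, then UInt32 list size, header size and signature size.
    $offset = 0; $lists = 0; $hashes = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed or truncated list instead of reading past the buffer.
        if ($listSize -lt 28 + $hdrSize -or $sigSize -le 0 -or
            $offset + $listSize -gt $Bytes.Length) { break }
        $lists++
        if ($type -eq $Sha256Guid) {
            $hashes += [math]::Floor(($listSize - 28 - $hdrSize) / $sigSize)
        }
        $offset += $listSize
    }
    [pscustomobject]@{ SignatureLists = $lists; Sha256Entries = $hashes; Bytes = $Bytes.Length }
}

$secureBoot = Confirm-SecureBootUEFI                 # throws on legacy (non-UEFI) boot
$bios       = Get-CimInstance -ClassName Win32_BIOS
$dbx        = Get-DbxSummary -Bytes (Get-SecureBootUEFI -Name dbx).Bytes
$bitlocker  = Get-BitLockerVolume -MountPoint $env:SystemDrive
# True only when the update is reported through Get-HotFix on this system.
$installed  = [bool](Get-HotFix -Id KB5012170 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    SecureBootEnabled = $secureBoot
    FirmwareVersion   = $bios.SMBIOSBIOSVersion
    FirmwareDate      = $bios.ReleaseDate
    DbxSignatureLists = $dbx.SignatureLists
    DbxSha256Entries  = $dbx.Sha256Entries
    DbxBytes          = $dbx.Bytes
    BitLockerStatus   = $bitlocker.ProtectionStatus  # On / Off
    KB5012170Present  = $installed
}
```

Running it before and after the update gives a comparison point: a larger `DbxSha256Entries` value afterwards shows the firmware accepted the new revocation entries.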

HP Recommended

OK, I was curious to find out the source of Neoqee232's detailed steps and comments on KB5012170, so I Googled for the following pair of strings:
"Next, I also performed these additional steps:"+"7. Reboot into UEFI BIOS"

 

As of this moment, that quoted text appears at a few sources on the Internet, the latest one is in this URL:
https://www.windowsphoneinfo.com/threads/kb5015878-kb5012170-not-installing.795242/

 

Interesting to note: That latest poster on the subject seems to have gone as far as creating Windows 10 installation media and installing Windows 10; Issue resolved.

It indicates to me that I should postpone installing KB5012170 for the foreseeable future, to avoid such complications.

 

I tend to accept the following view from URL:
https://www.windowsphoneinfo.com/threads/kb5012170-windows-update-error-0x800f0922-uefi-bios-update-...

 

"To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured"; "Most Windows devices are not in immediate danger judging from the description."

my testing