Windows KB5012170 Secure Boot DBX update might fail with error 0x800f0922
Microsoft is warning customers that attempts to install the KB5012170 Secure Boot security update on supported Windows client and Windows Server versions may fail with error 0x800f0922.
The cumulative updates, monthly rollups and security-only updates that Microsoft released on August 9, 2022 are not affected by the issue.
Error 0x800f0922 is specific to KB5012170, a security update for the Secure Boot DBX (Forbidden Signature Database), the firmware-resident store of revoked certificates and image hashes that Unified Extensible Firmware Interface (UEFI) firmware consults before running a bootloader.
A UEFI bootloader is the first code the firmware hands control to after the computer is powered on; with Secure Boot enabled, the firmware only executes boot components whose signature or hash it trusts, so that only trusted code runs before the Windows boot process starts.
Last week, researchers at Eclypsium disclosed vulnerabilities in three third-party bootloaders signed with Microsoft's UEFI CA that can be used to bypass Secure Boot and plant malware below the operating system, where it is hard to detect and remove.
The three affected bootloaders are:
CVE-2022-34301: Eurosoft (UK) Ltd. (Secure Boot bypass via UEFI shell execution)
CVE-2022-34302: New Horizon Datasys Inc. (Secure Boot bypass via a custom installer)
CVE-2022-34303: CryptoPro Secure Disk (Secure Boot bypass via UEFI shell execution)
Microsoft addressed the issue not by patching the bootloaders but by adding the hashes of their images to the Secure Boot DBX, so that firmware carrying the updated DBX refuses to load the vulnerable UEFI modules.
Because a trusted bootloader is required to start Windows with Secure Boot enabled, Microsoft says the KB5012170 update will fail with error 0x800f0922 on systems that boot through one of the three bootloaders now being revoked.
Microsoft lists the following platforms as affected:
Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1
Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Firmware update mitigates error 0x800f0922
According to Microsoft, the problem can be mitigated on some devices by updating the UEFI firmware to the latest version available from the device vendor before attempting to install KB5012170.
Eclypsium's researchers advise organizations to check whether any of their systems rely on the vulnerable bootloaders before pushing the DBX revocation list, since a machine that boots through a revoked bootloader will no longer start with Secure Boot enforced.
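To turn that advice into a concrete pre-flight check, here is an added PowerShell example; it is not code from Microsoft, Eclypsium or the KB article. It reads the dbx variable with Get-SecureBootUEFI, walks the EFI_SIGNATURE_LIST structures it contains, extracts the SHA-256 revocation entries, and reports whether a caller-supplied set of hashes is already present, alongside the Secure Boot state and whether KB5012170 is recorded as installed. It assumes an elevated prompt on a UEFI-booted Windows host. The -RevokedHashes parameter is a placeholder for hashes taken from the published DBX update list (these are Authenticode/PE-image hashes, not hashes of the raw file bytes); no real hashes are embedded because the article does not list them.

```powershell
<#
Added example (not code from Microsoft, Eclypsium or the KB article):
inspect the Secure Boot DBX on this host and check whether given revocation
hashes are already present. Assumptions: elevated PowerShell on a UEFI-booted
Windows machine; -RevokedHashes supplied by the caller as hex SHA-256 strings
taken from the published DBX update list (Authenticode/PE-image hashes).
#>
#Requires -RunAsAdministrator
param(
    [string[]]$RevokedHashes = @()   # placeholder: 64-char hex strings, any case
)

# SignatureType GUID for SHA-256 hash entries (EFI_CERT_SHA256_GUID, UEFI spec).
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-DbxSha256Entries {
    # The dbx variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType (16-byte GUID) | SignatureListSize (UInt32) |
    #   SignatureHeaderSize (UInt32) | SignatureSize (UInt32) |
    #   SignatureHeader[SignatureHeaderSize] | entries ...
    # Each entry is a 16-byte SignatureOwner GUID followed by SignatureData;
    # for SHA-256 lists SignatureSize is 48 (16-byte owner + 32-byte hash).
    [byte[]]$dbx = (Get-SecureBootUEFI -Name dbx).Bytes
    $hashes = @()
    $offset = 0
    while ($offset + 28 -le $dbx.Length) {
        $type       = [guid]::new([byte[]]$dbx[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($dbx, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($dbx, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($dbx, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $dbx.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        if ($type -eq $EFI_CERT_SHA256_GUID) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while (($pos + $sigSize) -le $end) {
                # Skip the 16-byte SignatureOwner GUID; the remainder is the hash.
                $hex = ($dbx[($pos + 16)..($pos + $sigSize - 1)] |
                        ForEach-Object { $_.ToString('x2') }) -join ''
                $hashes += $hex
                $pos += $sigSize
            }
        }
        $offset += $listSize   # SignatureListSize covers the header too
    }
    return $hashes
}

function Test-DbxContains {
    # Report, for each supplied hash, whether it is already revoked in DBX.
    param([string[]]$Hashes, [string[]]$DbxEntries)
    foreach ($h in $Hashes) {
        [pscustomobject]@{
            Hash  = $h.ToLower()
            InDbx = ($DbxEntries -contains $h.ToLower())
        }
    }
}

# Is Secure Boot actually enforced? Confirm-SecureBootUEFI throws on legacy BIOS.
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { }

# Is KB5012170 recorded as installed? (Only meaningful where the update is
# reported through the hotfix/QFE inventory.)
$kbInstalled = [bool](Get-HotFix -Id KB5012170 -ErrorAction SilentlyContinue)

$entries = @(Get-DbxSha256Entries)
"Secure Boot enabled   : $secureBoot"
"KB5012170 installed   : $kbInstalled"
"SHA-256 entries in DBX: $($entries.Count)"
if ($RevokedHashes.Count -gt 0) {
    Test-DbxContains -Hashes $RevokedHashes -DbxEntries $entries | Format-Table -AutoSize
}
```

Run it as `.\Check-Dbx.ps1 -RevokedHashes <hash1>,<hash2>` with hashes from the DBX update list. A host that reports Secure Boot disabled has no DBX enforcement at all, so a present entry there does not protect it; a host where the hashes are already present has effectively received the revocation and the question becomes whether its own boot chain still loads one of the three bootloaders.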