Microsoft has now confirmed an issue caused by a security update for Secure Boot. This update is supposed to protect against tampering during the PC boot process, but the update often fails and cannot be applied. The group has now confirmed this and made a new entry in the Windows Release Health documentation published.
The Windows team is now fixing installation issues with KB5012170. The Windows Release Health item we translated is attached at the bottom of this post. KB5012170 is a security update for DBX, a database of signatures that are not trusted (Secure Boot Forbidden Signature Database). The update was released on Patch Day August as a separate security update for all Windows versions from Windows 8.1 to Windows 11 and for Azure Stack.
We’ve already reported on the background of the update: Microsoft has excluded several third-party bootloaders from the safe boot. These boot loaders are initially signed by Microsoft and thus approved as trustworthy for the “Secure Boot” process (secure start). But now they are suspected of allowing vulnerabilities to take over other systems and bypassing Windows’ security measures.
Bypassing Secure Boot checks, threat actors can launch attacks, modify the operating system, disable security checks, and install more backdoors. Security experts criticize the handling of the vulnerability, but it is now clear that Microsoft has made another mistake. So Microsoft is now warning about Windows update errors and announcing that a UEFI update may be required to fix them.
Error code 0x800f0922
The Windows Health Dashboard documentation states that attempting to install the security update will cause Windows Update to generate error code 0x800f0922. Some patients report that the PC aborts the installation and restarts, resulting in a boot loop. Microsoft is investigating the issue and will provide a solution as soon as possible.
Known Issue OS Build 22000.850 / KB5012170
The update installation may fail and you may get the error 0x800f0922. If you try to install KB5012170, the installation may fail and you will get the error 0x800f0922. Note: This issue only affects the security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates released on August 9, 2022. Workaround: This issue can be resolved on some devices by updating the UEFI bios to the latest version before installing KB5012170. Next steps: We are currently investigating the issue and will provide an update in a future release.
- Customer: Windows 11, version 21H2; Windows 10 version 21H2; Windows 10 version 21H1; Windows 10 version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1
- Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012