UEFI Bootloader and KB5012170
-
I'm attempting to determine if a problem I'm having with installing Windows 10 update KB5012170 is related to the UEFI bootloader used by the VM.
XCP-ng version is 8.2.1 and is nearly fully patched (have not installed 4.13.4-9.24.1.xcpng8.2 yet).
I started noticing 4 Windows 10 VMs (on separate hosts) rebooting every night for the past 5 days and found that KB5012170 was not installing because of error 0x800f0922. I've found that this is probably because of the UEFI bootloader now being in the Secure Boot DBX (Forbidden Signature Database). I'm basing this on this article: https://www.bleepingcomputer.com/news/security/windows-kb5012170-secure-boot-dbx-update-may-fail-with-0x800f0922-error/
Apparently if the UEFI bootloader is signed by keys from one of three vendors (New Horizon Datasys Inc, CryptoPro Secure Disk, Eurosoft (UK) Ltd) then KB5012170 will fail to install with error 0x800f0922 because these signatures have been blacklisted.
I know the VMs are using the TianoCore UEFI implementation. I've looked at the TianoCore bugtracker but didn't find anything related - although if the issue is in fact caused by Microsoft blacklisting the signature, I don't know that it would even be a bug, per se.
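The DBX mentioned above is stored as a chain of EFI_SIGNATURE_LIST structures, each holding either SHA-256 Authenticode hashes of revoked boot images or DER-encoded revoked certificates. The following parser is an added example written for this thread; it is not code from XCP-ng, TianoCore or Microsoft. The dbx bytes it parses are constructed inline (the SignatureOwner GUID and hashes are placeholders), so it runs offline. On a real system the same parser can be pointed at the bytes returned by `Get-SecureBootUEFI -Name dbx` inside a Windows guest, and the value to look up is the image's PE Authenticode SHA-256 digest (what signtool/pesign compute), not a plain file hash.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

SIG_LIST_HEADER_LEN = 28  # SignatureType GUID (16) + three UINT32 fields


def parse_signature_lists(blob: bytes):
    """Parse a concatenation of EFI_SIGNATURE_LIST structures (the layout of the
    db/dbx variable contents) into (signature_type, owner, data) tuples.
    A malformed blob raises ValueError instead of silently dropping entries."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI_GUID is mixed-endian
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HEADER_LEN + header_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size <= 16:
            raise ValueError("SignatureSize too small to hold a SignatureOwner GUID")
        body = blob[off + SIG_LIST_HEADER_LEN + header_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def is_hash_revoked(dbx_blob: bytes, authenticode_sha256: bytes) -> bool:
    """True if the given PE Authenticode SHA-256 digest is listed in dbx."""
    return any(sig_type == EFI_CERT_SHA256_GUID and data == authenticode_sha256
               for sig_type, _owner, data in parse_signature_lists(dbx_blob))


def summarize(blob: bytes) -> dict:
    """Count entries per signature type, keyed by a readable name."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    counts = {}
    for sig_type, _owner, _data in parse_signature_lists(blob):
        key = names.get(sig_type, str(sig_type))
        counts[key] = counts.get(key, 0) + 1
    return counts


# --- constructed sample data (placeholders, not a real dbx) -------------------
def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, items: list) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; every item in a list has the same size."""
    if any(len(item) != len(items[0]) for item in items):
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + len(items[0])
    body = b"".join(owner.bytes_le + item for item in items)
    header = sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # placeholder SignatureOwner
REVOKED_HASH = hashlib.sha256(b"constructed: revoked boot image").digest()
OTHER_HASH = hashlib.sha256(b"constructed: second revoked image").digest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [REVOKED_HASH, OTHER_HASH])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x03\x02\x01\x00"])  # stand-in DER blob
)

if __name__ == "__main__":
    print(summarize(SAMPLE_DBX))
    print(is_hash_revoked(SAMPLE_DBX, REVOKED_HASH))
```

The parser refuses truncated or inconsistent lists rather than skipping them, because a lookup that quietly returns "not revoked" on a damaged dbx is the failure mode you least want when deciding whether a boot image is blocked.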
-
I've not been able to find information on the signature used by the UEFI bootloader and if that is on the DBX update in KB5012170. Since my original post, Microsoft has updated the Known Issues documentation for KB5012170 and it seems that this problem is now 'known' and has a proposed resolution of, "We are presently investigating and will provide an update in an upcoming release."
So at this point, it appears Microsoft is investigating this as an issue Microsoft needs to resolve, not an issue with the bootloader itself.
Reference: https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15
(see the third issue listed in Known Issues, which didn't exist until after my initial post)
-
Is Secure Boot enabled on the Windows VMs? If not, would enabling it let the update install correctly?
See https://xcp-ng.org/docs/guides.html#guest-uefi-secure-boot about the requirements to enable secure boot.
-
Secure Boot was not enabled in the VM. I enabled Secure Boot in the VM and was able to install KB5012170 without any problem.
I tested further to see if there were any issues related to enabling then disabling Secure Boot in the VM. I did not experience any problems booting the VM after disabling Secure Boot. There were no problems booting the VM after moving it to a pool where the default UEFI Certificates had not been installed.
For anyone wanting to resolve the KB5012170 update error, here are the steps I took:
- On the pool/host for the VM, install the UEFI Certificates with
    secureboot-certs install
- Shut down the problem VM
- Enable Secure Boot on the VM. I do this via Xen Orchestra but it can also be done with
    xe vm-param-set uuid=[uuid of VM] platform:secureboot=true
- Boot the VM
- Apply the KB5012170 update
- Shut down the VM
- Disable Secure Boot on the VM via XO or
    xe vm-param-set uuid=[uuid of VM] platform:secureboot=false
- Boot the VM
https://xcp-ng.org/docs/guides.html#guest-uefi-secure-boot is a very thorough guide on Secure Boot in XCP-ng.
Thanks for the help @stormi
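The Secure Boot toggling in the steps above is done with two `xe vm-param-set` calls around a shutdown. As an added example (my code, not XCP-ng's or the poster's), here is a small wrapper around the same `xe` commands that adds the checks an operator would want when scripting this across several VMs: it validates the UUID, refuses to change the setting unless the VM reports `halted`, and reads `platform:secureboot` back after setting it. It assumes it runs on the XCP-ng host (or anywhere `xe` is configured) and uses `xe`'s `param-key` option to read one key of the `platform` map. The host-side `secureboot-certs install` step and applying KB5012170 inside the guest remain manual. The `run` parameter exists so the logic can be exercised with a fake runner instead of a real host.

```python
import re
import subprocess
import sys

# Lower-case hex UUID as xe prints it.
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def run_xe(args):
    """Default runner: call the xe CLI on the XCP-ng host and return trimmed stdout."""
    proc = subprocess.run(["xe", *args], check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def power_state(vm_uuid, run=run_xe):
    """'halted', 'running', 'suspended' or 'paused' as reported by xe."""
    return run(["vm-param-get", f"uuid={vm_uuid}", "param-name=power-state"])


def secureboot_value(vm_uuid, run=run_xe):
    """Read platform:secureboot back; param-key selects one key of the platform map."""
    return run(["vm-param-get", f"uuid={vm_uuid}", "param-name=platform", "param-key=secureboot"])


def set_secureboot(vm_uuid, enabled, run=run_xe):
    """Set platform:secureboot on a halted VM and verify the stored value.

    Refuses to touch a VM that is not halted, matching the shut-down-first
    ordering in the thread, so the change can only take effect on a clean boot."""
    if not UUID_RE.match(vm_uuid):
        raise ValueError(f"not a VM uuid: {vm_uuid!r}")
    state = power_state(vm_uuid, run)
    if state != "halted":
        raise RuntimeError(f"VM is {state}; shut it down before changing Secure Boot")
    wanted = "true" if enabled else "false"
    run(["vm-param-set", f"uuid={vm_uuid}", f"platform:secureboot={wanted}"])
    actual = secureboot_value(vm_uuid, run)
    if actual != wanted:
        raise RuntimeError(f"readback mismatch: platform:secureboot={actual}")
    return actual


if __name__ == "__main__":
    # usage: python secureboot_toggle.py <vm-uuid> true|false
    vm, flag = sys.argv[1], sys.argv[2]
    print(set_secureboot(vm, flag == "true"))
```

Run it once with `true` before booting the VM to install the update, and again with `false` after shutting the VM down, exactly as in the step list; the readback check is what tells you the setting actually landed before you start the VM.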
-
@christopher-petzel Thanks for those tips. This seemed to work well on two Windows Server 2019 VMs, but not on a Windows 10 VM which sat there saying "Preparing Automatic Repair" for ages, so I reverted back to non-secure boot.
john
-
@christopher-petzel Thanks for this information. I've been coming across this issue on a few 2019 servers and this worked perfectly!
-
@christopher-petzel
Many thanks, saved me from hours of searching for a fix.