KB5012170: Security Update for Secure Boot DBX - What Sysadmins Need to Know
KB5012170 adds vulnerable UEFI module signatures to the Secure Boot DBX, blocking known boot loader bypass vulnerabilities on Windows 10, 11, and Server.

Summary
KB5012170 is a security update for the Secure Boot Forbidden Signature Database (DBX), covering Windows 8.1, Windows 10 (all supported versions), Windows 11, Windows Server 2012 through 2022, Azure Stack HCI, and Azure Stack Data Box. It addresses boot loader bypass vulnerabilities by adding known-vulnerable UEFI module signatures to the DBX. See Microsoft Support for the official page.
Improvements and fixes
- On UEFI-based devices running with Secure Boot enabled, the Secure Boot Forbidden Signature Database (DBX) prevents specific UEFI modules from loading. This update adds additional modules to the DBX to block known-vulnerable code.
- A security feature bypass vulnerability in Secure Boot allowed an attacker who successfully exploited it to bypass Secure Boot and load untrusted software. This update addresses that vulnerability by adding the signatures of known-vulnerable UEFI modules to the DBX.
- The update covers boot loader bypass vulnerabilities tracked as CVE-2022-34301 (Eurosoft Boot Loader Bypass), CVE-2022-34302 (New Horizon Data Systems Inc Boot Loader Bypass), and CVE-2022-34303 (Crypto Pro Boot Loader Bypass), as well as the earlier guidance under ADV200011 addressing security feature bypass in GRUB.
- Improved diagnostics have been added to detect and report issue details through the Windows event log. Microsoft's KB5016061 covers the new events and the actions to take when errors occur.
- This update replaces the previously released update KB4535680.
Known issues
BitLocker PCR7 policy may cause update installation failure
Symptom: If the BitLocker Group Policy setting "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy, the update may fail to install. You can check PCR7 binding status by running the Microsoft System Information tool (Msinfo32.exe) with administrative permissions.
Workaround: Before deploying this update, do one of the following. On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle: Manage-bde -Protectors -Disable C: -RebootCount 1. Then deploy the update and restart to resume BitLocker protection. On a device that has Credential Guard enabled, run the following command to suspend BitLocker for 2 restart cycles: Manage-bde -Protectors -Disable C: -RebootCount 3. Then deploy the update and restart to resume BitLocker protection.
Update fails with Error 0x800f0922
Symptom: When attempting to install this update, it may fail and return Error 0x800f0922. Microsoft notes this issue affects only KB5012170 and does not affect the latest cumulative security updates, monthly rollups, or security-only updates.
Workaround: Install the Servicing Stack Update (SSU) released March 14, 2023, or a later SSU, for your operating system version. Applicable SSUs are: Windows 11 version 22H2 (SSU from KB5023706), Windows 11 version 21H2 (SSU from KB5023698), Windows Server 2022 (SSU from KB5023705), Windows 10 versions 20H2/21H2/22H2 (SSU from KB5023696), Windows 10 version 1809 and Windows Server 2019 (SSU from KB5023702), Windows Server 2016 (KB5023788), Windows 10 (KB5023787), Windows Server 2012 R2 (KB5023790), and Windows Server 2012 (KB5023791). For information about the new error events added by these SSUs, see KB5016061.
BitLocker Recovery triggered on first or second restart
Symptom: Some devices may enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11.
Workaround: This issue is addressed in the servicing stack updates (SSU) and the latest cumulative updates (LCU) dated July 12, 2022 and later.
How to get this update
The update is available through the following channels:
- Windows Update and Microsoft Update - The update downloads and installs automatically. No additional action is required.
- Windows Update for Business - Downloads and installs automatically in accordance with configured policies. No additional action is required.
- Microsoft Update Catalog - Download the standalone package directly from the Microsoft Update Catalog website.
- Windows Server Update Services (WSUS) - The update synchronizes automatically when Products and Classifications are configured as follows - Product: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10 version 1903 and later, Windows 11, Azure Stack HCI, Azure Data Box; Classification: Security Updates.
Prerequisites: Ensure the latest servicing stack update (SSU) is installed before applying this update. For the current SSU for each operating system, see ADV990001.
Restart behavior: A device restart is not required when applying this update. However, if Windows Defender Credential Guard (Virtual Secure Mode) is enabled, the device may request a restart.
Frequently asked questions
What does updating the Secure Boot DBX actually do on a device?
The Secure Boot Forbidden Signature Database (DBX) is a blocklist stored in UEFI firmware. When this update is applied, the signatures of known-vulnerable UEFI boot loader modules are added to that blocklist. After the update, firmware will refuse to load any of those flagged modules during the boot process, preventing an attacker from using them to bypass Secure Boot.
Which CVEs does KB5012170 address?
The update addresses three boot loader bypass CVEs: CVE-2022-34301 affecting the Eurosoft boot loader, CVE-2022-34302 affecting the New Horizon Data Systems Inc boot loader, and CVE-2022-34303 affecting the Crypto Pro boot loader. It also relates to the earlier advisory ADV200011, which covered security feature bypass in GRUB.
Why might a device enter BitLocker Recovery after installing this update?
Because the DBX update modifies measured boot components, the TPM platform configuration registers (PCRs) can change. If BitLocker is configured to use PCR7 for validation, the change in measured values may trigger BitLocker Recovery. Suspending BitLocker before the update, or installing the relevant SSU released March 14, 2023 or later, addresses this behavior.
Does this update affect systems without Secure Boot enabled?
The update applies specifically to devices that have UEFI-based firmware capable of running with Secure Boot enabled. The DBX changes are written into the UEFI firmware's signature database. On devices without UEFI Secure Boot, the DBX is not present, so the practical effect of the update is limited to UEFI Secure Boot environments.




![Find Exchange Server Version with PowerShell [2025]](/_next/image?url=https%3A%2F%2Fwww.navanem.com%2Fapi%2Fmedia%2Ffile%2Fexchange-build-number-cover.jpg&w=3840&q=75)




