Microsoft warns Secure Boot update might fail to install
Microsoft has warned users trying to install the Windows KB5012170 Secure Boot security update that they might receive a 0x800f0922 error.
“When attempting to install KB5012170, it might fail to install, and you might receive an error 0x800f0922,” Microsoft said.
“This issue can be mitigated on some devices by updating the UEFI bios to the latest version before attempting to install KB5012170.”
Microsoft noted that this error only affects the security update for the Secure Boot Forbidden Signature Database (DBX) and excludes the latest cumulative security updates, monthly rollups, or security-only updates released on 9 August.
The error message is directly related to a disclosure from Eclypsium security researchers on 12 August, warning users against three Microsoft-approved Unified Extensible Firmware Interface (UEFI) bootloaders with critical security flaws.
The bootloader vulnerabilities could let attackers execute malicious code before a computer’s operating system loads.
The three bootloaders and associated security vulnerabilities were disclosed as follows:
- Eurosoft (UK) Ltd — CVE-2022-34301
- New Horizon Datasys Inc — CVE-2022-34302
- CryptoPro Secure Disk for BitLocker — CVE-2022-34303
Eclypsium researchers said that mitigating the vulnerabilities requires that original equipment manufacturers or operating system vendors update the Secure Boot DBX.
Microsoft implemented these steps by updating the Secure Boot DBX with the KB5012170 patch.
However, just as Eclypsium explained, updating the DBX on systems with the affected bootloaders before users could install a non-vulnerable bootloader version has led to some devices failing to start up.
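The boot failures described above come from a loader's hash landing in the DBX while that loader is still installed, so a pre-update check compares the two. The following is an added example, not code from Microsoft or Eclypsium: it parses the EFI_SIGNATURE_LIST structures that make up a dbx variable and reports whether a given SHA-256 image digest is among the revoked entries. It assumes the raw variable contents are already in hand (on Linux efivarfs, the file minus its 4-byte attribute prefix) and that the digest is the loader's Authenticode SHA-256 computed by another tool; the function names and the sample data are constructed for illustration.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # SignatureType GUID + three UINT32 size fields

def parse_dbx_sha256(blob):
    """Return the set of SHA-256 digests in a raw dbx variable (no attribute prefix)."""
    digests, offset = set(), 0
    while offset < len(blob):
        if len(blob) - offset < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < HEADER_LEN + header_size or offset + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % offset)
        body = blob[offset + HEADER_LEN + header_size:offset + list_size]
        if sig_type == EFI_CERT_SHA256_GUID:
            # Each entry is a 16-byte SignatureOwner GUID followed by a 32-byte digest.
            if sig_size != 48 or len(body) % sig_size:
                raise ValueError("malformed SHA-256 signature list")
            digests.update(body[i + 16:i + 48] for i in range(0, len(body), sig_size))
        offset += list_size  # lists of other types (e.g. X.509) are skipped
    return digests

def is_revoked(image_digest_hex, dbx_blob):
    """True if the image digest (hex) appears in the dbx SHA-256 entries."""
    return bytes.fromhex(image_digest_hex) in parse_dbx_sha256(dbx_blob)

def sample_dbx(digests):
    """Constructed input: an opaque list of another type, then one SHA-256 list."""
    other = uuid.UUID(int=1).bytes_le + struct.pack("<III", HEADER_LEN + 20, 0, 20) + bytes(20)
    entries = b"".join(bytes(16) + d for d in digests)
    sha = EFI_CERT_SHA256_GUID.bytes_le
    sha += struct.pack("<III", HEADER_LEN + len(entries), 0, 48) + entries
    return other + sha

# Constructed digest standing in for a revoked loader's Authenticode hash.
SAMPLE_REVOKED = hashlib.sha256(b"constructed-revoked-loader").digest()

if __name__ == "__main__":
    dbx = sample_dbx([SAMPLE_REVOKED])
    installed = hashlib.sha256(b"constructed-current-loader").hexdigest()
    print("revoked sample in dbx:", is_revoked(SAMPLE_REVOKED.hex(), dbx))
    print("installed loader in dbx:", is_revoked(installed, dbx))
```

Run against the DBX contents that an update would install, a positive result for the currently installed loader means the loader should be replaced before the update is applied.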