Windows 10/11: Installation of KB5012170 fails with 0x800f0922 error – enjoypclife.net

On August 12th, Microsoft announced a problem in which KB5012170, delivered to Windows 10/11 and other versions via Windows Update on August 9th, 2022, fails to install and error 0x800f0922 is displayed.

KB5012170 is a security update for Secure Boot DBX, and this bug does not affect the latest Cumulative Security Updates, Monthly Rollups, and Security Only Updates released on August 9, 2022.

However, if KB5012170 fails to install and the 0x800f0922 error occurs, dealing with it is somewhat troublesome.

First, obtaining the latest UEFI BIOS from the device manufacturer, applying it, and then installing KB5012170 may help. BitLocker settings also appear to affect the installation.

If that is difficult, wait for Microsoft or the device manufacturer to address the problem. Also, even if KB5012170 has been applied successfully, UEFI BIOS settings may change afterwards. If in doubt, double check your BIOS settings.

KB5012170: Security Update Summary for Secure Boot DBX

This security update, KB5012170, hardens Secure Boot DBX on supported Windows versions. Here are the main changes:

Windows devices with Unified Extensible Firmware Interface (UEFI)-based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents the UEFI modules listed in it from loading. This update adds modules to the DBX.

A security feature bypass vulnerability exists in Secure Boot. An attacker who successfully exploited this vulnerability could bypass Secure Boot and load untrusted software.

The security update addresses the vulnerability by adding known vulnerable UEFI module signatures to DBX.

For more information about this security vulnerability, please refer to the following advisory:

For more information about this security vulnerability, please refer to the following resources:

Bug summary

When attempting to install KB5012170, the installation may fail with error 0x800f0922.

This issue only affects the Security Update for Secure Boot DBX (KB5012170) and does not affect the latest Cumulative Security Updates, Monthly Rollups, and Security Only Updates released on August 9, 2022.

Affected platforms

Affected platforms are:

  • Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1
  • Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012

Known Issues/Bug Workarounds

Known issues and workarounds for KB5012170 are listed below.

Known bug ①

Some original equipment manufacturer (OEM) firmware may not allow this update to be installed. Please contact your firmware OEM to resolve this issue.

On some devices, updating the UEFI BIOS to the latest version before attempting to install KB5012170 can mitigate this issue.

Known bug ②

If the BitLocker Group Policy setting "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected in the policy, the update may fail to install.

To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrator privileges.

To work around this issue, do one of the following before deploying this update:

■ On devices that do not have Credential Guard enabled, run the following command from an administrator command prompt to suspend BitLocker for a single reboot cycle.

Manage-bde -Protectors -Disable C: -RebootCount 1

Then deploy the update and restart the device to resume BitLocker protection.

■ On devices with Credential Guard enabled, run the following command from an administrator command prompt to suspend BitLocker for two restart cycles.

Manage-bde -Protectors -Disable C: -RebootCount 3

Then deploy the update and restart the device to resume BitLocker protection.
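
The workaround above can be scripted so that the reboot count is chosen from the device's actual Credential Guard state. The following is an added example, not code from the original article or from Microsoft; it assumes the OS volume is C:, that the BitLocker PowerShell module is available, and it uses the Suspend-BitLocker cmdlet in place of the manage-bde command. The parameter names `MountPoint` and `Apply` are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): report-only by default.
param(
    [string]$MountPoint = 'C:',   # OS volume, as in the article's commands
    [switch]$Apply                # pass -Apply to actually suspend BitLocker
)

# Secure Boot state; Confirm-SecureBootUEFI throws on non-UEFI systems.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
catch { $secureBoot = $false }

# Credential Guard is running when SecurityServicesRunning contains 1.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
$credentialGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

# Reboot counts from the article: 1 without Credential Guard, 3 with it.
$rebootCount = if ($credentialGuard) { 3 } else { 1 }

# Current BitLocker state and whether a TPM-based protector is in use.
$volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$usesTpm = [bool]($volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -like 'Tpm*' })

[pscustomobject]@{
    SecureBootEnabled  = $secureBoot
    CredentialGuard    = $credentialGuard
    BitLockerStatus    = $volume.ProtectionStatus
    TpmProtector       = $usesTpm
    PlannedRebootCount = $rebootCount
} | Format-List

if (-not $secureBoot) {
    Write-Warning 'Secure Boot is not enabled on this device.'
}
if ($volume.ProtectionStatus -ne 'On') {
    Write-Host 'BitLocker protection is not active; nothing to suspend.'
    return
}
if ($Apply) {
    # Same effect as: manage-bde -protectors -disable C: -RebootCount N
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $rebootCount | Out-Null
    Write-Host "BitLocker suspended with RebootCount $rebootCount. Install KB5012170, then restart."
} else {
    Write-Host "Dry run. Re-run with -Apply to suspend BitLocker (RebootCount $rebootCount)."
}
```

After the update is installed and the restarts have completed, `Get-BitLockerVolume -MountPoint C:` should again report a ProtectionStatus of On.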

Please see the following page for details.

Microsoft’s response status

Microsoft is currently investigating this bug and will provide an update in an upcoming release.
