The trials and tribulations of Microsoft's KB5012170 patch

KB5012170 means a lot to many Windows users. First, it's a patch that either installs with no issues or leads to a blue screen of death (BSOD). It can also be an indicator that we are having trouble getting updated drivers onto our systems, and it shows how users are not keeping up with BIOS updates. Finally, it shows that some OEMs are enabling BitLocker on the systems they sell (not necessarily in a good way).

In short, it's a problematic patch that keeps showing up.

Also known as the "Security Update for Secure Boot DBX", KB5012170 was released earlier this year and brings improvements to the Secure Boot prohibited signature database (DBX). Windows devices with Unified Extensible Firmware Interface (UEFI)-based firmware have Secure Boot enabled. Secure Boot ensures that only trusted software can be loaded and run during the boot process, using cryptographic signatures to verify the integrity of the process and of the software being loaded.

Secure Boot is often used with other security measures, such as Trusted Platform Modules (TPMs) and boot loaders that support key management. It is supposed to protect against malware and other types of unauthorized software that could compromise security.

Typically implemented in the device firmware, Secure Boot can be configured to allow loading only trusted software signed with a trusted key; unapproved software cannot run.

That being said, there is a security feature bypass in Secure Boot, and this update addresses it by adding the signatures of known vulnerable UEFI modules to the DBX. The vulnerability is called "BootHole" and could be used to bypass Secure Boot. (Note: For an attack to occur, the attacker would need administrative privileges or physical access.)

This is where KB5012170 comes into play.

On business computers, government computers, or systems at risk of targeted attacks, this is the type of patch you'd want to install. But on personal computers or systems that aren't regularly maintained or updated with driver and firmware updates, it can do more harm than good. Documented side effects include BSODs and error 0x800f0922, and unless you block the update it will try to install again. One user in a Reddit post noted: "I needed to restart my computer and an update was waiting for a reboot to complete the install. I rebooted and my computer failed to start. I had a BSOD with error 0xc000021a; seems to happen on older computers with setups modified to disable driver enforcement."

At this point, for home users, the best thing to do is use one of the featured tools on Blockapatch.com to proactively block KB5012170. The benefits do not outweigh the risks.

There is a second side effect resulting from this update. BitLocker-enabled workstations can trigger a BitLocker recovery key prompt. This can be a problem for home users and for anyone whose system had BitLocker enabled automatically. If you don't know where your BitLocker recovery key is stored, you may need to reinstall Windows from scratch. (To determine if BitLocker is enabled, open File Explorer and right-click your C drive. If you see an option to disable BitLocker, make sure you know where your BitLocker recovery key is stored; if you configured your computer with a Microsoft account, it will be stored there. If you don't know where your BitLocker recovery key is, reset or disable it.)

For those patching business systems, the side effects must be weighed against the risks of not installing KB5012170. I haven't seen many reports of corporate BSODs, although I have seen reports of systems requiring a BitLocker recovery key when deploying this update. So before you deploy, check your systems to make sure your firmware is up to date.
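A pre-deployment check covering the items the article says to verify first (firmware age, Secure Boot state, whether the update is already present, and whether a BitLocker recovery-password protector exists), written here as an added PowerShell example rather than anything from the article or from Microsoft. It assumes an elevated session on Windows 10/11 with the SecureBoot and BitLocker modules available; the one-year firmware threshold follows the article's advice, and only protector IDs are reported, never the recovery password itself.

```powershell
# Added example, not from the article: gather the facts to check before pushing KB5012170.
function Test-Kb5012170Readiness {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')   # OS volume to inspect for BitLocker

    $result = [ordered]@{}

    # Firmware identity: compare version/date against the OEM's current release.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $result.Manufacturer           = $bios.Manufacturer
    $result.FirmwareVersion        = $bios.SMBIOSBIOSVersion
    $result.FirmwareDate           = $bios.ReleaseDate
    $result.FirmwareOlderThan1Year = ($bios.ReleaseDate -lt (Get-Date).AddYears(-1))

    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems,
    # where a DBX update is not applicable at all.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = 'Not UEFI' }

    # Current DBX size. The variable grows when new forbidden signatures are written,
    # so comparing this before and after patching is a rough sign the DBX changed.
    try   { $result.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length }
    catch { $result.DbxBytes = $null }

    # Is the update already in the installed-hotfix list?
    $result.KB5012170Installed = [bool](Get-HotFix -Id 'KB5012170' -ErrorAction SilentlyContinue)

    # A DBX change can alter the TPM boot measurements and force a recovery prompt,
    # so confirm protection status and that a recovery-password protector exists.
    $bl = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if ($bl) {
        $result.BitLockerProtection = $bl.ProtectionStatus
        $rp = $bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        $result.RecoveryProtectorIds     = @($rp | ForEach-Object { $_.KeyProtectorId })
        $result.RecoveryProtectorPresent = (@($rp).Count -gt 0)
    } else {
        $result.BitLockerProtection      = 'Not available'
        $result.RecoveryProtectorPresent = $false
    }

    # Verdict per the article: deploy only with current firmware and the recovery key in hand.
    $result.SafeToDeploy = ($result.SecureBootEnabled -eq $true) -and
                           (-not $result.FirmwareOlderThan1Year) -and
                           ($result.BitLockerProtection -ne 'On' -or $result.RecoveryProtectorPresent)
    [pscustomobject]$result
}

Test-Kb5012170Readiness | Format-List
```

Record the reported protector IDs against your key escrow (Active Directory, Azure AD or the Microsoft account) before deploying, since a missing escrow entry is the failure mode the article describes.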

Historically, in commercial environments, you installed firmware updates at deployment and never checked back. With Windows 10 and Windows 11, that is no longer safe. Make sure you have a process in place to inventory and test firmware and update accordingly. Firmware should be checked at least once a year. Now that Microsoft has moved feature releases to an annual release cadence, use this schedule to include reviewing and updating firmware, video drivers, audio drivers, and other key hardware drivers that interact with the system.

Since KB5012170 (or something similar) is likely to appear again, make sure your system is prepared for it by proactively blocking it or keeping your firmware and drivers up to date. This is the best way to avoid problems in the future.

Copyright © 2022 IDG Communications, Inc.