Microsoft is warning that users may see a 0x800f0922 error when trying to install Windows KB5012170 Secure Boot security update on currently supported operating systems for consumers and the enterprise-class Server version.
The problem does not affect the cumulative security updates, monthly rollups, or security-only updates that Microsoft made available on August 9.
Bootloader issues
Error 0x800f0922 is related strictly to KB5012170, a security update for the Secure Boot DBX (Forbidden Signature Database), a repository that holds revoked signatures for Unified Extensible Firmware Interface (UEFI) bootloaders.
A UEFI bootloader runs immediately after turning on the system and is responsible for launching the UEFI environment with the Secure Boot feature that allows only trusted code to be executed when starting the Windows booting process.
Last week, security researchers from Eclypsium disclosed vulnerabilities in three signed third-party bootloaders that could be exploited to bypass the Secure Boot feature and infect the system with malicious code that is difficult to detect and remove.
The three packages are:
- New Horizon Datasys Inc: CVE-2022-34302 (bypass Secure Boot via custom installer)
- CryptoPro Secure Disk: CVE-2022-34303 (bypass Secure Boot via UEFI Shell execution)
- Eurosoft (UK) Ltd: CVE-2022-34301 (bypass Secure Boot via UEFI Shell execution)
Microsoft has addressed the issue by adding the signatures of the bootloaders above to the Secure Boot DBX so that vulnerable UEFI modules can no longer load.
On systems that start with one of the three now revoked bootloaders, Microsoft says that the KB5012170 update will generate error 0x800f0922 since a bootloader is essential for Windows to launch with Secure Boot.
Microsoft lists the following affected platforms:
- Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1
- Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Bootloader update removes error 0x800f0922
Microsoft notes that mitigating the issue is possible by updating the UEFI version to the latest version from the vendor.
Researchers at Eclypsium recommend organizations check if the bootloaders on their systems are vulnerable before trying to update the DBX revocation list.
Bootloaders are typically stored in the EFI System Partition, which can be mounted on both Windows and Linux to inspect their version and learn if they are vulnerable or not.
The researchers warn that updating the DBX revocation list on systems with vulnerable bootloaders, where this is possible, will lead to device boot failure.
Updating DBX is recommended only after making sure that the device is running a non-vulnerable bootloader version from the vendor.