KB5012170: Windows update error 0x800f0922, UEFI Bios update may resolve it
Microsoft released cumulative updates for all supported versions of Windows on the August 2022 Patch Day. The company did release a second security update for Windows at the day to address issues in Secure Boot DBX.
Installation of the second update may throw the error 0x800f0922 and the update fails to install as a consequence.
Microsoft describes the issue on the known issues and notifications support page for supported operating systems, e.g., for Windows 11 and Windows 10.
When attempting to install KB5012170, it might fail to install, and you might receive an error 0x800f0922.
The issue is unrelated to the installation of the cumulative updates for Windows, which Microsoft released on the same day.
Microsoft suggests that administrators may be able to resolve the issue by updating the UEFI bios of the system to the latest version before installing KB5012170. Whether that is possible depends on the installed version of the UEFI bios, and whether an update is available.
The company is investigating the issue currently and plans to "provide an update in an upcoming release".
Secure Boot DBX update
A support page for the Secure Boot DBX update has additional information. The update has been released for several supported client and server versions of the Windows operating system, including Windows 8.1, Windows 10 and Windows 11.
The update improves Secure Boot DBX in Windows:
This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section.
Windows devices with UEFI based firmware support Secure Boot. Secure Boot is a security feature that protects the boot process of the system. The Secure Boot Forbidden Signature Database (DBX) database "prevents UEFI modules from loading". Microsoft confirms that the KB5012170 update adds modules to DBX.
The update addresses a security feature bypass vulnerability in secure boot by updating the DBX with information about the signatures of the known vulnerable UEFI modules. An attacker could exploit the issue to bypass secure boot and load untrusted software.
An advisory page on Microsoft's website provides additional information on the issue. According to Microsoft, the security issue was found in the GRUB bootloader, which is commonly used by Linux.
To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA).
The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device.
Most Windows devices are not in immediate danger judging from the description.
KB5012170 is provided via Windows Update, other update management systems, and as a direct download on the Microsoft Update Catalog website.
Now You: did you install the KB5012170 update on your devices?
KB5012170: Windows update error 0x800f0922
Going on 5 months, still won’t update.
I tried to get help online from Microsoft. A waste of time, The agents are in a different country & their instructions are too completed for my 85 year old brain? If i didn’t respond quickly enough they disconnected me from chat. No bedside manor!!!!!
I did not install the update, could I just ignore the update for now or not to install it at all in our environment?
With Windows 10 Build 19044.1889 or 19044.1947 KB5012170 installed fine on one MSI GT70-0NC Laptop on 8/14/2022.
But when W.U. tried the same update on a DELL XPS 8700 (with UEFI and Secure Boot) it froze the computer at 96% installing and there was no way out other than powering off the machine.
When it tried again after rebooting it failed solid with error 0x800f0900 at every retry.
I could reproduce the same hang/freeze also using the kb5012170 .msu downloaded from the MS catalog.
Also, after the failed update, sfc /scannow finds some corrupted files that cannot be corrected.
Same issue with DISM restore health.
Note that the same scans did not find any issues or corrupted files before that specific update.
There is definitely something screwed up with KB5012170 and/or it is not compatible with the Dell XPS 8700 which already has the latest BIOS and Firmware.
MS needs to fix the problem and they should pull the update until the problem is fixed properly, or at least make that update optional so that it can be held back until it is fixed.
In this Dell XPS 8700 this problem is quite a disaster because, after kb5012170 fails, it screws up all the other updates that need to be installed and makes the machine unusable.
more problems found with the KB5012170 update, Martin:
https://www.bleepingcomputer.com/news/microsoft/windows-kb5012170-update-causing-bitlocker-recovery-screens-boot-issues/
causes some systems to boot into BitLocker recovery mode
This update broke my dual boot installation, with following message error:
“Secure Boot Violation – Invalid signature detected. Check Secure Boot Policy in Setup”
And, when I try boot my Ubuntu Mate 20.04 installation with GRUB, fails with message below:
error: /boot/vmlinuz-5.15.0–46-generic has invalid signature.
error: you need to load the kernel first.
Press any key to continue…
Yes, installed. No problems other than ongoing network issues I’m experiencing still (documented in your article “Rufus: Microsoft is blocking Windows ISO downloads”).
I wouldn’t be able to obtain a UEFI update in any event because Acer tells me my machine doesn’t exist (!) even though I gave them all the info they asked me for at the time. I think I was sold a pup because msinfo32 reports the GPU to only have 1GB RAM while is states on the label that it should be 2GB. About 6 weeks after I bought it in 2014 they went out of business. They were called Dixons.
I had no problem installing KB 5012170 just before 15:00 EDT on 2022-08-09. I currently run just Windows 10 Home (x64) Version 21H2 (build 19044.1889), without Linux.
I get this error but i have an old BIOS (not UEFI). So i guess the update is useless for me anyway.