Microsoft recently released the Windows update KB5012170, ‘Security update for Secure Boot DBX’, to address vulnerabilities found in several UEFI (Unified Extensible Firmware Interface) bootloaders.
Secure Boot is a firmware feature that verifies the signature of each component loaded during the boot process. Bootloaders that carry vulnerabilities, however, can be exploited by threat actors to bypass Secure Boot and execute malicious code during boot, before the operating system loads.
To fix these vulnerabilities, Microsoft added the signatures of the known vulnerable UEFI modules to the UEFI Revocation List, also known as the Secure Boot Forbidden Signature Database (DBX), so that firmware with Secure Boot enabled refuses to load them.
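The DBX is an ordinary UEFI variable that Windows can read, so an administrator can check what a machine actually revokes. The script below is an added example, not code from the article or from Microsoft: it reads the Secure Boot state and the DBX variable with the built-in SecureBoot module and parses the EFI_SIGNATURE_LIST structures to count revoked image hashes and certificates. Run it from an elevated PowerShell prompt on a UEFI system; the function name and output format are this example's own.

```powershell
# Added example (not from the article or from Microsoft). Reads the Secure Boot
# state and the DBX variable and parses the EFI_SIGNATURE_LIST structures in it.
# Requires an elevated prompt on a UEFI system (SecureBoot module, Windows 8+).

# Signature type GUIDs from the UEFI specification (Secure Boot section).
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SignatureDatabaseEntries {
    # Walks a concatenation of EFI_SIGNATURE_LIST structures:
    #   SignatureType       GUID   (16 bytes)
    #   SignatureListSize   UINT32 ( 4 bytes)  total size of this list
    #   SignatureHeaderSize UINT32 ( 4 bytes)
    #   SignatureSize       UINT32 ( 4 bytes)  size of each EFI_SIGNATURE_DATA
    #   SignatureHeader     [SignatureHeaderSize]
    #   Signatures[]        EFI_SIGNATURE_DATA = SignatureOwner GUID (16) + SignatureData
    param([byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list instead of reading past the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) { break }

        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            [pscustomobject]@{
                Type  = $type
                Owner = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
                Data  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            }
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

try {
    $enabled = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Secure Boot is not supported on this platform (legacy BIOS boot?): $_"
    return
}
"Secure Boot enabled: $enabled"

$dbx = Get-SecureBootUEFI -Name dbx
"DBX variable size: $($dbx.Bytes.Length) bytes"

$entries = Get-SignatureDatabaseEntries -Bytes $dbx.Bytes
$hashes  = @($entries | Where-Object Type -eq $EFI_CERT_SHA256_GUID)
$certs   = @($entries | Where-Object Type -eq $EFI_CERT_X509_GUID)
"Revoked SHA-256 image hashes : $($hashes.Count)"
"Revoked X.509 certificates   : $($certs.Count)"

# Show a few revoked hashes. These are Authenticode hashes of PE images, so they
# can be compared against the DBX update lists Microsoft publishes via the UEFI Forum.
$hashes | Select-Object -First 5 | ForEach-Object {
    ($_.Data | ForEach-Object { $_.ToString('x2') }) -join ''
}
```

Run it before and after installing KB5012170: the hash count rising is the sign that the revocations were actually written to firmware. If Secure Boot is reported as disabled, the DBX is still present but nothing enforces it.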
Microsoft has already acknowledged in the update's known issues that some original equipment manufacturer (OEM) firmware might not allow the update to be installed, that it might fail to install under certain BitLocker Group Policy configurations, and that it can fail with error 0x800f0922 if the device does not have a valid bootloader.
Microsoft says the 0x800f0922 error can be fixed by installing the latest version of the UEFI firmware, if one is available.
Beyond the 0x800f0922 error, several users have reported that KB5012170 is causing BitLocker recovery screens, slow boot times, and other problems after installation.
As first reported by The Register, some Windows users found that after installing KB5012170 the BitLocker recovery screen appears when the computer starts. BitLocker is the Windows full-volume encryption feature; the recovery screen appears when the TPM will not release the volume key at boot, which happens when something in the measured boot path has changed.
Further reports on Microsoft Forums, Reddit, and Twitter describe the same problem.
To unlock the drive, affected systems ask for the 48-digit recovery key on the BitLocker recovery screen. The stored data itself is not affected: individual users can retrieve the key from their Microsoft account, and enterprises that back up keys to Active Directory can retrieve it from Active Directory Users and Computers.
In addition to the BitLocker recovery prompts, some users (via Bleeping Computer) have run into other problems, such as slow boot times or the SATA controller mode in the UEFI settings changing from RAID to AHCI.
“I have Windows 10 21H1, and after I downloaded the update last week I noticed the boot time changed to VERY long,” wrote one user of Bleeping Computer.
“Can confirm that. What's worse, the update changed my RAID mode to AHCI, so I had to manually put that back on approx. 10 devices that ran into BSOD. All of them. Almost brand new Latitude 5320s, and all behaved the same. You can see if the update changed your RAID mode too,” wrote another user.
As of now there is no fix, and the only remedy is to install the latest UEFI firmware, if available. If no firmware update is available, the only workaround is to uninstall KB5012170 until Microsoft releases a fix.
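For the two operational points above, retrieving the BitLocker recovery key and removing KB5012170, the following PowerShell script is an added example, not code from the article or from Microsoft. Run elevated before installing the update or a firmware update, it prints every BitLocker recovery password (and escrows it to Active Directory on a domain member), optionally suspends BitLocker for one reboot so that the changed Secure Boot measurement does not land the machine on the recovery screen, and reports or uninstalls the KB5012170 package. The -Suspend and -Uninstall switches are this script's own parameters, not Microsoft options.

```powershell
# Added example (not from the article or from Microsoft). Run from an elevated
# PowerShell prompt on a machine with the BitLocker module (Pro/Enterprise).
param(
    [switch]$Suspend,    # suspend BitLocker for the next reboot only
    [switch]$Uninstall   # uninstall KB5012170 via wusa.exe
)

$kb = 'KB5012170'
$isDomainMember = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# 1. Make sure the recovery key is retrievable before anything touches the boot path.
$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
foreach ($vol in $volumes) {
    $protectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $protectors) {
        Write-Warning "$($vol.MountPoint) has no recovery password protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector before continuing."
        continue
    }
    foreach ($p in $protectors) {
        # Print the 48-digit key so it can be stored somewhere other than this disk.
        "{0} key ID {1}: {2}" -f $vol.MountPoint, $p.KeyProtectorId, $p.RecoveryPassword
        if ($isDomainMember) {
            # Stores the password on the computer object in AD DS (needs the BitLocker backup GPO),
            # which is where Active Directory Users and Computers shows it.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }
    if ($Suspend) {
        # The DBX contents are measured into PCR7, which the TPM protector can be bound to.
        # Suspending for one reboot lets BitLocker reseal to the new measurements
        # instead of prompting for the recovery key; protection resumes automatically.
        Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount 1 | Out-Null
        "$($vol.MountPoint): BitLocker suspended for one reboot"
    }
}

# 2. Report whether the DBX update package is present, and uninstall it if asked.
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    "$kb is not installed"
} else {
    "$kb installed on $($hotfix.InstalledOn)"
    if ($Uninstall) {
        # wusa.exe takes the bare KB number; /norestart leaves the reboot to the operator.
        $wusaArgs = "/uninstall /kb:{0} /quiet /norestart" -f $kb.Substring(2)
        $proc = Start-Process -FilePath wusa.exe -ArgumentList $wusaArgs -Wait -PassThru
        "wusa.exe exit code: $($proc.ExitCode) (0 = removed, 3010 = reboot required)"
    }
}
```

Note that uninstalling the package does not roll back revocations already written to the firmware's DBX variable, which lives in NVRAM; it only removes the Windows package. Keep the printed recovery keys off the encrypted volume they protect.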