[German]A brief note/question for administrators in the business environment who run Windows 10 clients with Bitlocker enabled. Do you experience increased Bitlocker recovery after installing secure boot security update KB4535680 from Jan. 2021? Microsoft's recommendation is not to install the security update for the time being until a fix is available.
What is security update KB4535680 for?
I had mentioned security update KB4535680 (Security update for Secure Boot DBX: January 12, 2021) in the blog post Windows Security Update KB4535680 for Secure Boot (DBX). It is a security update for Secure Boot (DBX), which can be used by Windows on UEFI machines. Security update KB4535680 is available for the following Windows versions when installed on UEFI hardware.
- Windows Server 2012 x64-bit
- Windows Server 2012 R2 x64-bit
- Windows 8.1 x64-bit
- Windows Server 2016 x64-bit
- Windows Server 2019 x64-bit
- Windows 10, version 1607 x64-bit
- Windows 10, version 1803 x64-bit
- Windows 10, version 1809 x64-bit
- Windows 10, version 1909 x64-bit
Windows 7 or 32-bit Windows versions are not supported. The background to update KB4535680: Windows devices with UEFI (Unified Extensible Firmware Interface)-based firmware can operate with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents the loading of UEFI modules.
The reason for this update: A vulnerability has been found that allows security features in Secure Boot to be bypassed. An attacker who successfully exploited this vulnerability could bypass Secure Boot and load untrusted software. Details about this vulnerability can be found in CVE-2020-0689 | Microsoft Secure Boot Security Feature Bypass Vulnerability.
Within the blog post Windows Secure Boot (DBX) Update KB4535680 offered on BIOS Systems I had addressed the question why this update is also offered on BIOS systems, but was satisfied with the explanation that the update is installed there, but not loaded.
Update KB4535680 may trigger a Bitlocker Recovery
Dieter Haimann raises the question on Twitter whether other users also increasingly notice a Bitlocker recovery after installing the update KB4535680? He has run into the issues with various machines and asks for viable solutions if thousands of devices are affected.
Other users respond to this question in a tweet. What about you guys, are there any issues detected? Thanks to Karl for the tip.
HP devices affected
Microsoft has listed a specific scenario in the "Known issues" where this recovery key request occurs at boot. There they wrote:
If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the BitLocker recovery key being required on some devices where PCR7 binding is not possible.
To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions. Microsoft describes a workaround (suspend BitLocker für 1 reboot cycle using the administrators console on affected systems. But in the thread with the above tweet is the note that someone is facing the issue on 400 older devices with HP BIOS/UEFI chips. Further feedback paints the picture that the problem is more prevalent on older HP devices. Currently, Microsoft's recommendation (so I gather from the tweets) is to block the update to SCCM etc. for distribution until a solution is found.
PCR7 is a systematic HPE ProLiant issue, support case rejected as "by design" (extra HPE certificate required by HPE…)