Earlier this year, Microsoft rolled out an update to Secure Boot in Windows systems. It's at best a mixed blessing that can do more harm than good for many users.

KB5012170 is many things to many Windows users. First, it's a patch that either installs with no problems or leads to a blue screen of death (BSOD). It can also be an indicator that we have a problem getting updated drivers onto our systems. It demonstrates how users don't keep up with BIOS updates. And it shows that some OEMs enable BitLocker on the systems they sell (not necessarily in a good way). In short, it's a problematic patch that just keeps rearing its head.

Also known as "Security Update for Secure Boot DBX," KB5012170 was released earlier this year and makes improvements to the Secure Boot Forbidden Signature Database (DBX). Windows devices with Unified Extensible Firmware Interface (UEFI) firmware can run with Secure Boot enabled. Secure Boot ensures that only trusted software is loaded and executed during the boot process, using cryptographic signatures to verify the integrity of each component before it runs. Typically implemented in the device firmware, it is often used with other security measures, such as trusted platform modules (TPMs) and bootloaders that support key management. Configured properly, it allows only software signed with a trusted key to load; untrusted software is prevented from running. It's supposed to protect against malware and other types of unauthorized software that could compromise the system before the operating system has even started.

That said, a security feature bypass exists in Secure Boot: some UEFI modules that carry a valid signature have known vulnerabilities that can be used to get around the check. The vulnerability is called "Hole in the boot." KB5012170 addresses it by adding the signatures of those known vulnerable UEFI modules to the DBX, so the firmware refuses to load them even though they are signed. (Note: for any attack to occur, the attacker would need admin privileges or physical access.) This is where KB5012170 comes into the picture.
On business computers, government computers, or systems at risk of a targeted attack, this is the sort of patch you'd want installed. But on home computers or systems that are not managed or updated regularly with driver and firmware updates, it can do more harm than good. Documented side effects include BSODs and error 0x800f0922, and unless you block the update it will attempt to install again. One user in a Reddit post noted he "needed to restart my computer and an update was pending restart to complete installation. I restarted and my computer failed to start. I got a BSOD with the error 0xc000021a." It appears this is occurring on older computers with settings changed to disable driver enforcement. At this point, for home users, the best thing to do is to use one of the tools highlighted at Blockapatch.com to block KB5012170 proactively. The benefits do not outweigh the risks.

There is a second side effect arising from this update. Workstations with BitLocker enabled may trigger a request for a BitLocker recovery key. This can be a problem for consumer and home users with systems that have BitLocker automatically enabled. If you do not know where your BitLocker recovery key is stored, you might have to reinstall Windows from scratch. (To determine whether you have BitLocker enabled, open File Explorer and right-click your C: drive. If you see the option to turn OFF BitLocker, make sure you know where your BitLocker recovery key is stored. If you set up your computer with a Microsoft account, it will be stored there. If you're unsure where your BitLocker recovery key is located, either save a new recovery key or turn BitLocker off.)

For business patchers, the side effects should be weighed against the risks of not installing KB5012170. I've not seen many business BSOD reports, though I have seen reports of systems demanding a BitLocker recovery key when deploying this update. Thus, before deploying it, review your systems to ensure that their firmware is up to date, that BitLocker's recovery password is escrowed somewhere you can reach it, and that you are prepared for the recovery prompt.
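The pre-deployment review described above can be scripted. The following is an added example written for this column; it is not Microsoft's code and not the author's. It assumes an elevated PowerShell 5.1 session on Windows 10/11 with the in-box SecureBoot and BitLocker modules; the function name Test-DbxUpdateReadiness, the report fields and the -SuspendBitLocker switch are this example's own inventions. It reports whether Secure Boot is actually on (the update is irrelevant on legacy BIOS/CSM boot), the current DBX size, the firmware version and date to compare against the OEM's download page, whether KB5012170 is already present, and whether BitLocker on the OS volume has a recovery-password protector that can be escrowed before the reboot.

```powershell
# Pre-deployment readiness check for the Secure Boot DBX update (KB5012170).
# Added example, not code from Microsoft or from the column's author.
# Assumes an elevated session on Windows 10/11 with the in-box SecureBoot and
# BitLocker modules. Function name, report fields and -SuspendBitLocker are
# this example's own.

function Test-DbxUpdateReadiness {
    [CmdletBinding()]
    param(
        [string]$OsDrive = $env:SystemDrive,
        # Suspend BitLocker for exactly one reboot so the changed DBX measurement
        # (part of PCR 7) does not land the machine on the recovery-key screen.
        [switch]$SuspendBitLocker
    )

    $report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS/CSM boot,
    #    where there is no DBX for the update to change.
    try   { $report.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $report.SecureBootEnabled = $false }

    # 2. Size of the current DBX variable. Record it before and after deployment:
    #    it grows when the new forbidden signatures are written.
    $report.DbxBytes = $null
    if ($report.SecureBootEnabled) {
        $report.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length
    }

    # 3. Firmware version and release date, to compare with the OEM's current release.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $report.FirmwareVersion = $bios.SMBIOSBIOSVersion
    $report.FirmwareDate    = $bios.ReleaseDate

    # 4. Is the update already installed on this machine?
    $report.KB5012170Installed = [bool](Get-HotFix -Id KB5012170 -ErrorAction SilentlyContinue)

    # 5. BitLocker on the OS volume: is protection on, is a TPM protector in use
    #    (the one that validates the Secure Boot measurements), and is there a
    #    recovery-password protector whose ID you can escrow before rebooting?
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
    $report.BitLockerProtection = if ($vol) { "$($vol.ProtectionStatus)" } else { 'NotAvailable' }
    $tpm = @(); $recovery = @()
    if ($vol) {
        $tpm      = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    $report.TpmProtector        = $tpm.Count -gt 0
    $report.RecoveryPasswordIds = $recovery.KeyProtectorId

    # 6. Decision: safe to push when Secure Boot is on and BitLocker is either off
    #    or has a recovery password you can retrieve if the prompt appears.
    $bitLockerSafe = ($report.BitLockerProtection -ne 'On') -or ($recovery.Count -gt 0)
    $report.ReadyToDeploy = $report.SecureBootEnabled -and $bitLockerSafe

    if ($SuspendBitLocker -and $vol -and $vol.ProtectionStatus -eq 'On') {
        # One reboot only; BitLocker re-arms itself afterwards against the new PCR 7 value.
        Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null
        $report.BitLockerProtection = 'Suspended'
    }

    [pscustomobject]$report
}

# Usage: run on a candidate machine before approving the update for it.
Test-DbxUpdateReadiness | Format-List
```

The reason the recovery prompt appears at all is that the DBX contents are part of the Secure Boot policy the firmware measures into PCR 7, and the default TPM protector on a Secure Boot machine validates against that measurement; writing new entries to the DBX changes the value, so BitLocker refuses to unseal the key automatically. Escrowing the recovery password (to Active Directory, Azure AD, or the user's Microsoft account) before the reboot, or suspending BitLocker for that one reboot with the switch above, turns a potential reinstall into a non-event.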
Historically in business settings, you install firmware updates upon deployment and never review them again. But with Windows 10 and Windows 11, you can no longer be safe doing that. Ensure that you have a process in place to inventory and evaluate firmware and update accordingly. Firmware should be reviewed at least once a year. Now that Microsoft has moved feature releases to an annual release cadence, use that schedule to include review and updating of firmware, video drivers, audio drivers and other key hardware drivers that interact with the system.

Since KB5012170 (or something like it) will probably pop up again, ensure your systems are prepared for it by either proactively blocking it or keeping your firmware and drivers up to date. That's the best way to avoid problems down the road.