KB5012170 means many things to many Windows users. First, it is a patch that either installs without issue or ends in a blue screen of death (BSOD). It can be an indicator that we have a problem getting updated drivers onto our systems. It can show how users don't keep up with BIOS updates. And it reveals that some OEMs enable BitLocker on the systems they sell (not necessarily in a good way).
In short, it's a problematic patch that just keeps rearing its head.
Also called "Security Update for Secure Boot DBX," KB5012170 was released earlier this year and makes improvements to the Secure Boot Forbidden Signature Database (DBX). Windows devices that have Unified Extensible Firmware Interface (UEFI)-based firmware have Secure Boot enabled. It ensures that only trusted software can be loaded and executed during the boot process, using cryptographic signatures to verify the integrity of the process and of the software being loaded.
Secure Boot is often used with other security measures, such as trusted platform modules (TPMs) and bootloaders that support key management. It is intended to protect against malware and other kinds of unauthorized software that could compromise security.
Usually implemented in device firmware, Secure Boot can be configured to allow the loading of only trusted software signed with a trusted key; untrusted software is prevented from running.
That said, there is a security feature bypass in Secure Boot; the update specifically adds the signatures of known vulnerable UEFI modules to the DBX. The vulnerability is called "Hole in the boot" and could be used to bypass Secure Boot. (Note: for any attack to occur, the attacker would need admin privileges or physical access.)
This is where KB5012170 comes into the picture.
On enterprise computers, government computers, or systems at risk of a targeted attack, this is the kind of patch you'd want installed. But on home computers or systems that aren't managed or updated regularly with driver and firmware updates, it can do more harm than good. Documented side effects include BSODs and Error 0x800f0922, and unless you block the update it will try to install again. One user in a Reddit post noted he "needed to restart my computer and an update was pending restart to complete installation. I restarted and my computer failed to start. I got a BSOD with the error 0xc000021a." It appears this is occurring on older computers with settings changed to disable driver enforcement.
At this point, for home users, the best thing to do is to use one of the tools highlighted at Blockapatch.com to block KB5012170 proactively. The benefits don't outweigh the risks.
There is a second side effect arising from this update. Workstations with BitLocker enabled may trigger a request for a BitLocker recovery key. This can be a problem for consumer and home users whose systems have BitLocker automatically enabled. If you do not know where your BitLocker recovery key is stored, you may need to reinstall Windows from scratch. (To determine whether you have BitLocker enabled, open File Explorer and right-click your C: drive. If you see the option to turn OFF BitLocker, make sure you know where your BitLocker recovery key is stored. If you set up your computer with a Microsoft account, it will be saved there. If you're unsure where your BitLocker recovery key is located, either reset or disable it.)
For enterprise patchers, the side effects should be weighed against the risks of not installing KB5012170. I have not seen many enterprise BSOD reports, though I have seen reports of systems demanding a BitLocker recovery key when deploying this update. Thus, before deploying it, review your systems to ensure that their firmware is up to date.
Traditionally in enterprise settings, you installed firmware updates upon deployment and never reviewed them again. But with Windows 10 and Windows 11, you can no longer be safe doing that. Make sure you have a process in place to inventory and evaluate firmware and update accordingly. Firmware should be reviewed at least once a year. Now that Microsoft has moved feature releases to an annual release cadence, use that schedule to include review and updating of firmware, video drivers, audio drivers and other key hardware drivers that interact with the system.
Since KB5012170 (or something like it) will probably pop up again, make sure your system is ready for it by either proactively blocking it or keeping your firmware and drivers up to date. That's the best way to avoid problems down the road.
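As an added example (not part of this column), here is a PowerShell readiness check an administrator can run on each workstation before deploying KB5012170; it covers the BitLocker recovery-key and firmware points above. The backup share path is a placeholder assumption.

```powershell
# Pre-deployment readiness check for KB5012170 (added example, not from the column).
# Run in an elevated PowerShell session on the Windows 10/11 machine being reviewed.
#Requires -RunAsAdministrator
# Assumption: an off-device location (network share or removable drive) for key escrow.
$KeyBackupPath = '\\FILESERVER\bitlocker-keys'   # placeholder; replace with a real path

$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# 1. UEFI with Secure Boot on? The DBX update only changes anything on such systems.
try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI }
catch { $report.SecureBootEnabled = 'n/a (legacy BIOS or unsupported platform)' }

# 2. Size of the current DBX variable; record it before and after to confirm the update applied.
try   { $report.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length }
catch { $report.DbxBytes = 'n/a' }

# 3. Firmware vendor/version/date: out-of-date firmware is the risk factor discussed above.
$bios = Get-CimInstance -ClassName Win32_BIOS
$report.FirmwareVendor  = $bios.Manufacturer
$report.FirmwareVersion = $bios.SMBIOSBIOSVersion
$report.FirmwareDate    = $bios.ReleaseDate

# 4. Driver signature enforcement switched off in the boot configuration (the failing cases)?
$bcd = bcdedit /enum '{current}' 2>$null
$report.IntegrityChecksDisabled = [bool]($bcd -match '^\s*(nointegritychecks|testsigning)\s+Yes')

# 5. Already installed, as recorded by Get-HotFix?
$report.KB5012170Installed = [bool](Get-HotFix -Id KB5012170 -ErrorAction SilentlyContinue)

# 6. BitLocker on the OS volume, and is there a recovery password to fall back on?
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($vol) {
    $report.BitLockerProtection = $vol.ProtectionStatus      # On / Off
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $report.HasRecoveryPassword = [bool]$rp
    if ($rp) {
        # Escrow the 48-digit recovery password off the device *before* the update runs,
        # so a post-update recovery prompt does not mean a reinstall.
        $rp | Select-Object KeyProtectorId, RecoveryPassword |
            Export-Csv -Path (Join-Path $KeyBackupPath "$env:COMPUTERNAME.csv") -NoTypeInformation
    }
} else {
    $report.BitLockerProtection = 'not available'
}

[pscustomobject]$report | Format-List
```

A machine reporting IntegrityChecksDisabled as True, an old FirmwareDate, or BitLocker on without a recovery password is one to fix or exclude before the update is approved.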