Windows KB5012170 Secure Boot DBX update may fail with 0x800f0922 error


Microsoft is warning that users may see a 0x800f0922 error when trying to install the Windows KB5012170 Secure Boot security update on currently supported Windows versions, both the consumer releases and the enterprise-class Server releases.

The problem does not affect the cumulative security updates, monthly rollups, or security-only updates that Microsoft made available on August 9.

Bootloader issues

Error 0x800f0922 is related strictly to KB5012170, a security update for the Secure Boot DBX (Forbidden Signature Database), a repository that holds revoked signatures for Unified Extensible Firmware Interface (UEFI) bootloaders.

A UEFI bootloader runs immediately after the system is turned on and is responsible for launching the UEFI environment with the Secure Boot feature, which allows only trusted code to be executed when the Windows boot process starts.

Last week, security researchers from Eclypsium disclosed vulnerabilities in three signed third-party bootloaders that could be exploited to bypass the Secure Boot feature and infect the system with malicious code that is difficult to detect and remove.

The three packages are:

  • New Horizon Datasys Inc: CVE-2022-34302 (bypass Secure Boot via custom installer)
  • CryptoPro Secure Disk: CVE-2022-34303 (bypass Secure Boot via UEFI Shell execution)
  • Eurosoft (UK) Ltd: CVE-2022-34301 (bypass Secure Boot via UEFI Shell execution)

Microsoft has addressed the issue by adding the signatures of the bootloaders above to the Secure Boot DBX so that vulnerable UEFI modules can no longer load.

On systems that start with one of the three now revoked bootloaders, Microsoft says that the KB5012170 update will generate error 0x800f0922 since a bootloader is essential for Windows to launch with Secure Boot.

Microsoft lists the following affected platforms:

  • Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1
  • Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012

Bootloader update removes error 0x800f0922

Microsoft notes that mitigating the issue is possible by updating the UEFI version to the latest version from the vendor.

Researchers at Eclypsium recommend organizations check if the bootloaders on their systems are vulnerable before trying to update the DBX revocation list.

Bootloaders are typically stored in the EFI System Partition, which can be mounted on both Windows and Linux to inspect their version and learn if they are vulnerable or not.

The researchers warn that updating the DBX revocation list on systems with vulnerable bootloaders, where this is possible, will lead to device boot failure.

Updating DBX is recommended only after making sure that the device is running a non-vulnerable bootloader version from the vendor.
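The check recommended above can be scripted. The following is an added example, not code from Microsoft, Eclypsium or this article: it computes the Authenticode SHA-256 digest of a bootloader copied from the EFI System Partition and looks it up in DBX contents. The function names are hypothetical, and it assumes the DBX data is a raw run of EFI_SIGNATURE_LIST structures (any variable-attribute or authentication header already stripped), that only SHA-256 hash entries matter (certificate entries are skipped), and that the PE image has contiguous sections with the certificate table at the end of the file.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI specification), in its on-disk byte order
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le

def dbx_sha256_entries(blob):
    """Collect SHA-256 digests from concatenated EFI_SIGNATURE_LIST structures."""
    digests, pos = set(), 0
    while pos + 28 <= len(blob):
        sig_type = blob[pos:pos + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < 28 or sig_size < 16 or pos + list_size > len(blob):
            raise ValueError(f"malformed signature list at offset {pos}")
        entry, end = pos + 28 + hdr_size, pos + list_size
        while entry + sig_size <= end:
            # EFI_SIGNATURE_DATA: 16-byte owner GUID followed by the digest
            if sig_type == SHA256_GUID and sig_size == 48:
                digests.add(blob[entry + 16:entry + 48])
            entry += sig_size  # other types (e.g. X.509) are skipped
        pos = end
    return digests

def authenticode_sha256(pe):
    """Authenticode SHA-256 of a PE image (assumes the layout in the lead-in)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    opt = nt + 24  # optional header follows PE signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    cert_dir = opt + (128 if magic == 0x10B else 144)  # data directory 4
    if struct.unpack_from("<I", pe, cert_dir - 36)[0] < 5:
        raise ValueError("image has no certificate table directory")
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_dir)
    end = cert_off if cert_len else len(pe)
    h = hashlib.sha256()
    h.update(pe[:opt + 64])           # headers up to CheckSum
    h.update(pe[opt + 68:cert_dir])   # skip the 4-byte CheckSum
    h.update(pe[cert_dir + 8:end])    # skip directory entry and signatures
    return h.digest()

def is_revoked(pe, dbx_blob):
    """True if the image's digest is listed in the given DBX contents."""
    return authenticode_sha256(pe) in dbx_sha256_entries(dbx_blob)
```

A match against the updated DBX contents means the bootloader has to be replaced with a fixed version from the vendor before the revocation list is applied.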


  • wackoinWaco – 2 days ago

    I have Windows 10 21H1 and after I downloaded the update last week I noticed the boot time change to VERY long, even now. Does that mean that I need to download an updated UEFI from the vendor (Asus)? And then update the DBX revocation list?

  • BH0 – 1 day ago

    Can confirm that. What's worse, the update changed my RAID mode to AHCI, so I had to manually put that back on approx 10 devices, that ran into BSOD. All of them. Almost brand new Latitudes 5320 and all behaved the same. You can see, if the update changed your RAID mode too.
    I hate those idiotic updates. Burn in hell whoever came with the thought of “patch tuesday”

  • wackoinWaco – 4 hours ago

    Well as I see it, the best techs have left MS for greener pastures. Those FNG can’t do it right the first time. Job security.
    “Skilled labor isn’t cheap and cheap labor isn’t skilled”
