On Patch Tuesday, Microsoft is rolling out an update to fix the Secure Boot vulnerability CVE-2020-0689. KB4535680 is the security patch that adds the signatures of the known vulnerable UEFI modules to the DBX (the Secure Boot Forbidden Signature Database) to address the vulnerability.

You can receive the patch as usual through automatic updates, or from the Microsoft Update Catalog. Devices will not need to be restarted to complete the installation.

KB4535680 for Windows 10 will Fix UEFI Secure Boot Vulnerability

The update supports the following versions:

  • Windows 10 v1909 (x64)
  • Windows 10 v1809 (x64)
  • Windows 10 v1803 (x64)
  • Windows 10 v1607 (x64)
  • Windows Server 2019 (x64)
  • Windows Server 2016 (x64)
  • Windows 8.1 (x64)
  • Windows Server 2012 R2 (x64)
  • Windows Server 2012 (x64)

The security patch updates the Secure Boot DBX on the supported Windows versions.

Key changes

Windows devices with UEFI-based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules whose signatures it lists from loading. This update adds entries for further modules to the DBX.

A security feature bypass vulnerability exists in Secure Boot. An attacker who successfully exploited it could bypass Secure Boot and load untrusted software.

This security patch addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.

Known issues

Issue: Some original equipment manufacturer (OEM) firmware might not allow the installation of this update.

Workaround: Contact your firmware OEM.

Issue: If the BitLocker Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy, the BitLocker recovery key may be required on some devices where PCR7 binding is not possible.

To view the PCR7 binding status, run the Microsoft System Information tool (Msinfo32.exe) with administrative permissions.

Important: Changing from the default platform validation profile affects the security and manageability of your device. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on the inclusion or exclusion (respectively) of the PCRs. Specifically, setting this policy with PCR7 omitted overrides the "Allow Secure Boot for integrity validation" Group Policy. This prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. Setting this policy may result in BitLocker recovery when the firmware is updated. If you set this policy to include PCR0, you must suspend BitLocker before you apply firmware updates.

We recommend not configuring this policy, but letting Windows select the PCR profile for the best combination of security and usability based on the hardware available on each device.

Workaround: Before you deploy this update, do one of the following, depending on the Credential Guard configuration:

  • On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for one reboot cycle:

manage-bde -protectors -disable C: -RebootCount 1

Then restart the device to resume BitLocker protection.

Note: Do not enable BitLocker protection without also restarting the device, as that would result in BitLocker recovery.

  • On a device that has Credential Guard enabled, there may be multiple restarts during the update that require BitLocker to be suspended. Run the following command from an Administrator command prompt to suspend BitLocker for three restart cycles:

manage-bde -protectors -disable C: -RebootCount 3

This update is expected to restart the system two times. Restart the device once more to resume BitLocker protection.

Note: Do not enable BitLocker protection without also restarting, as that would result in BitLocker recovery.

How to download KB4535680 and install it on the supported Windows versions

1] Through Windows Update

  • Click the Search icon, type update, and press Enter.
  • Select Check for updates.

2] From the Microsoft Update Catalog

  • Go to the KB4535680 direct download link – https://www.catalog.update.microsoft.com/Search.aspx?q=KB4535680
  • Download the file that matches your Windows version and install it by double-clicking it.
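The pre-deployment workaround from the known-issues section, as an added PowerShell example that is not from the article or from Microsoft: it chooses the BitLocker suspend count from the Credential Guard state (one restart without it, three with it) and records the size and hash of the current DBX so an administrator can confirm after installing KB4535680 that entries were actually added. It assumes the OS volume is C:, an elevated PowerShell session, and that the BitLocker and SecureBoot modules are available; Suspend-BitLocker is used as the cmdlet equivalent of the manage-bde command in the text.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft's KB): pre-deployment
# check for KB4535680. Assumes the OS volume is C:.

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
    # The namespace does not exist on Windows 8.1 / Server 2012, so a missing class means "not running".
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg -and $dg.SecurityServicesRunning -contains 1)
}

function Get-DbxSummary {
    # Size and SHA-256 of the Forbidden Signature Database. Record it before and
    # after the update; a changed hash and larger size show the DBX was extended.
    $dbx  = Get-SecureBootUEFI -Name dbx
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($dbx.Bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    [PSCustomObject]@{ Bytes = $dbx.Bytes.Length; Sha256 = $hash }
}

# The DBX update only matters when the machine actually boots with Secure Boot on.
try {
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this device.' }
} catch {
    throw "Secure Boot check failed (legacy BIOS or unsupported platform): $_"
}

$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.ProtectionStatus -ne 'On') {
    Write-Host 'BitLocker protection is not on for C:; nothing to suspend.'
} else {
    # Credential Guard adds restarts during the update, hence the higher reboot count.
    $count = if (Test-CredentialGuardRunning) { 3 } else { 1 }
    Write-Host "Credential Guard running: $(Test-CredentialGuardRunning); suspending BitLocker for $count restart(s)."
    Suspend-BitLocker -MountPoint 'C:' -RebootCount $count | Out-Null
}

# Baseline to compare against after the update has been installed.
Get-DbxSummary | Format-List
```

Run the script again after the update has been applied and compare the two DBX summaries; BitLocker protection resumes automatically once the chosen number of restarts has elapsed.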