|
Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems. |
ISSUE 20.21.1 • 2023-05-23 By Susan Bradley Deploy May updates — and nothing but the updates. I’m lowering the MS-DEFCON level to 4 to encourage you t
[See the full post at: MS-DEFCON 4: Skip those Secure Boot scripts]
Susan Bradley Patch Lady/Prudent patcher
… my msinfo32 doesn’t match what you say is safe. Does this my computer doesn’t support a secure boot? If not, is there anyway to make my PC safe without buying a new one?
Hi blueboy714:
According to your post # 2561265 when you open a Run dialog box (Windows key + R) and enter msinfo32 you see that “BIOS Mode” is UEFI and “Secure Boot State” is OFF.
When “BIOS Mode” is UEFI and “Secure Boot State” is OFF that means Secure Boot is either disabled or not available. My Dell Inspiron 5584 uses the UEFI platform and Secure Boot was disabled by default when it shipped from the factory (see image below), but secure boot can be enabled / disabled on my Dell laptop from the Secure Boot section of my BIOS settings (i.e., if I re-boot and tap the F2 key as soon as my Dell logo appears to enter my BIOS settings). You have an ASUS TUF Z390 motherboard so I believe that restarting your computer and tapping the F2 key during the POST test (i.e., before Windows is loaded) should also open the BIOS settings on your computer, but if you have problems see the ASUS support article [Notebook/Desktop/AIO] How to Enter the BIOS Configuration for an alternate method.
The KB5012170 Security Update for Secure Boot DBX mentioned by CynicalSnail in post # 2561260 was installed on my Win 10 Pro v22H2 OS by Windows Update during my August 2022 Patch Tuesday updates and did not cause any issues. However, note that BitLocker Disk Encryption (which is not available on your Win 10 Home v22H2 OS) is disabled on my Win 10 Pro machine, which means that I didn’t have to worry that installation of KB5012170 would disrupt my boot process and ask me to enter a BitLocker recovery key to proceed with the boot-up like it did for many Win 10 and Win 11 Pro users – see the 16-Aug-2022 BleepingComputer article Windows KB5012170 Update Causing BitLocker Recovery Screens, Boot Issues for more information. As far as I know, KB5012170 would not change whether Secure Boot was enabled / disabled on your computer – the release notes <here> only state that “This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX” (where DXB is the Secure Boot Forbidden Signature Database). The three bootloader bypass vulnerabilities patched for Secure Boot by KB5012170 are listed at the bottom of those release notes.
————-
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.2965 * Firefox v113.0.1 * Microsoft Defender v4.18.2304.8-1.1.20300.3 * Malwarebytes Premium v4.5.29.268-1.0.2022-1.0.69620 * Macrium Reflect Free v8.0.7279 * Dell Inspiron 5583/5584 BIOS v1.22.1
Did read the article. Did not feel it particularly clear.
I updated this morning as per Susan. Along with whatever else I got, this popped up in the event viewer as a Warning. I don’t know which update contained it. There were two packages: Security Update for Microsoft Windows (KB 5026361) and Servicing Stack 10.0.19041.2905.
Forgot the question. Anyone know what this is and if it matters?
HP Pavilion Desktop TP01-0050 – 64 bit
Windows 10 Home Version 22H2
OS build 19045.5608
Windows Defender and Windows Firewall
Microsoft Office Home and Business 2019
-Version 2502(Build 18526.20168 C2R)
For that matter, I am not even sure when or how the scripts to be avoided are offered up???
The scripts will install as part of patch Tuesday sometime in the future.
For now the scripts are to be run manually, if a user wants to run them.
Microsoft has quietly posted “V2” Windows 11 22H2 ISO downloads with build 22621.1702 (KB5023672 update integrated) on the Windows 11 download page today May 23:
https://www.microsoft.com/software-download/windows11
instead of downloading something like “Win11_22H2_English_x64.iso” or “Win11_22H2_English_x64v1.iso”, it will recently download Win11_22H2_English_x64v2.iso.
gonna wait and see if patch lady Susan will recommend Win11 users whether to upgrade to the 22H2 version or not. MS will be releasing a 23H2 version (for Win11) sometime in the 2nd half of 2023
Compared to the posts and replies already in this thread, I have a very minor and not very important observation, and “gripe” I suppose.
With Patch Lady Defcon 4 blessing to go ahead and install May updates,
after installing the May 2023-05 KB5026361 Cumulative Update for Win10 64 bit version 22H2 – I found the Taskbar Search icon has grown to an unattractive size that I do not like. An internet search found a Microsoft answers topic with others complaining about the larger search icon, but no instructions or advice on how to restore the original smaller size icon. Do other AskWoody participants like the new larger size? And does anyone know how to restore the older smaller size without having to remove this current May 2023 update? I know about hiding the Windows Search completely by right clicking the Taskbar, and using other Search programs like voidtools Everything or NirSoft SearchMyFiles, but I like the smaller icon unobtrusively sitting down by the Start Menu, and I do not have a problem with Microsoft Windows Search, it works ok for me.
– Just wondering… constantly it seems… after Windows Updates… Sigh…
Windows 10 Search Icon suddenly increased in size on new install
I’ve already installed them to no ill effects. Note the red in my signature line.
YMMV
While we may simplify life for the time being by not running those manual scripts relating to Secure Boot, Microsoft will eventually force-feed them to us via Windows Updates. (Forced-fed, at any rate, to those who don’t use tools to control the monthly patches.)
Assuming I understand the situation correctly, this change will render unbootable any live CD or live USB drive that we may have been using for troubleshooting or experimental purposes. It will also render unbootable the rescue CDs from backup programs such as Macrium Reflect that we use when the boot drive fails and we need to restore an image from a backup to a replacement drive.
When the Secure Boot patch gets forced through, will we need to create new rescue media–and will that alone be sufficient, or will we need to get an up-to-date version of the backup software in order to create new rescue media?
Additions and clarifications are welcome!
Assuming I understand the situation correctly, this change will render unbootable any live CD or live USB drive that we may have been using for troubleshooting or experimental purposes. It will also render unbootable the rescue CDs from backup programs such as Macrium Reflect that we use when the boot drive fails and we need to restore an image from a backup to a replacement drive.
I’ve already installed them to no ill effects. Note the red in my signature line.
In my experience, you don’t understand the situation correctly.
As for booting other devices, I went into UEFI Settings and turned off Secure Boot (in my case, disabling the TPM) and booted TeraByte’s BootIt UEFI partitioning tool via USB without issue. I then rebooted, went back into UEFI Settings, re-enabled the TPM, and booted back into Windows.
When the Secure Boot patch gets forced through, will we need to create new rescue media–and will that alone be sufficient, or will we need to get an up-to-date version of the backup software in order to create new rescue media?
In my case, no, that is unnecessary. My boot USB’s work by disabling Secure Boot. Recreating boot media after running the scripts still requires disabling Secure Boot before they will boot. Susan advises that the scripts not be run. Microsoft advises that the scripts will be run by Windows Update in the coming months.
In either case, my red signature line still applys.
Assuming I understand the situation correctly, this change will render unbootable any live CD or live USB drive that we may have been using for troubleshooting or experimental purposes. It will also render unbootable the rescue CDs from backup programs such as Macrium Reflect that we use when the boot drive fails and we need to restore an image from a backup to a replacement drive.
To my knowledge your fears are not necessary. I myself have used from the beginning activated SecuredBoot and the Uefi startpartition(s). All the boot_dvd’s and usb_thumbdrives work just fine with Macrium Reflect and Acronis and O&O AOmei EaseUS diskimagingsoftware. Booting is done by using the keycombinastion to call for the PC’s BootMenu. So restoring Windows and Linux-Mint works just fine. Mind you to check it all before to rely on it.
To my knowledge, work and relations in computer security the SecuredBoot and UefiBoot are essential for security. That’s why this hardly traceable malware installed/implemented by using these stolen ∅Day’s is *such a big deal*
My boot USB’s work by disabling Secure Boot. Recreating boot media after running the scripts still requires disabling Secure Boot before they will boot.
So the bottom line is that the old boot media will still work, but if we use such media (whether old or new), we will have to add the steps of first turning off Secure Boot, then turning it back on. Is that right?
New question: After Microsoft force-feeds these scripts onto customers’ PCs, will it be possible for us to simply do without Secure Boot? That would be one way to simplify matters.
So the bottom line is that the old boot media will still work, but if we use such media (whether old or new), we will have to add the steps of first turning off Secure Boot, then turning it back on. Is that right?
In my experience, yes it is.
New question: After Microsoft force-feeds these scripts onto customers’ PCs, will it be possible for us to simply do without Secure Boot? That would be one way to simplify matters.
Susan advises that Secure Boot isn’t particularly necessary for consumers, however, I prefer to use it. I use TeraByte’s Image For Windows, and I am unfamiliar with any other drive imaging software. Image For Windows has a utility for incorporating it into the Windows Recovery Environment. Then just go to Settings > Windows Update > Advanced options > Recovery > Advanced startup > Restart now, and the Recovery Environment, including Image For Windows, boots without issue, no finagling with settings in UEFI. That’s my preferred method.
I have the USB recovery media (also created with IFW’s utility) in the event of Windows getting pooched and not allowing Advanced startup, or of drive failure, which could include one’s Windows Recovery Environment if it’s located in the standard Windows position, a small partition after the Windows partition. I have mine on a separate SSD in its own 1GB partition, but I’m also a belt and suspenders kind of guy.
I didn’t have any issues updating Win 10 22H2 per Susan, but it took a really long time, over half an hour after the download before my computer rebooted. Lots of nail-biting until then. Thank you Susan, for all your helpful tips.
I have Windows 10 22H2 and secure boot is on with UEFI bios mode. I have so far blocked the update KB 4012170 and the May updates. My question is, when MS decides to trigger the forced script installs that messes with the bios. If I have the setting in my bios refering to UEFI capsule updates disabled will that stop the updated scripts from running? And would that impact my original install media created in 2017? If I created new install media will it not install if I do not have these forced updates in my bios?
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Notifications
