• Security update for Secure Boot DBX can be skipped (KB4535680)

    #2334804

    Just a heads up – this will be in the Plus newsletter later on this weekend but due to
    [See the full post at: Security update for Secure Boot DBX can be skipped (KB4535680)]

    Susan Bradley Patch Lady/Prudent patcher

    3 users thanked author for this post.
    • #2334824

      Susan, does your VM host machine (that took KB4535680) have BitLocker enabled and used for any of the partitions where the VM images are stored?

      Did that machine use UEFI Secure Boot or legacy boot mode?

       

      ~ Group "Weekend" ~

      1 user thanked author for this post.
      • #2334829

        It does not have BitLocker enabled. Like most modern servers, it does support secure boot.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2335987

          Well, we rolled the dice and followed your recommendation to shut down the VMs, and set them to NOT restart automatically, installed the update, rebooted twice with about a 20 minute pause between the reboots to let the TrustedInstaller stop its background stuff.

          Reset the VMs back to autostart, and started them . . . and everything is good.

          Note that because we run our DCs in VMs, we made sure we had a local admin account with console login privileges for the host server. (In theory it should have been okay – but juuust in case.)

          Thanks for the heads up!

          ~ Group "Weekend" ~
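
The host-side sequence described in reply #2335987 (shut the VMs down, disable autostart, install the update and reboot, then restore autostart and start the VMs), as an added PowerShell example that is not part of the original post. The `-Phase` and `-StateFile` parameters and the state file location are assumptions made for this example; the Hyper-V cmdlets are the standard ones.

```powershell
# Added example, not from the thread. Run elevated on the Hyper-V host.
# -Phase and -StateFile are names chosen for this example; the state file
# location is an assumption and must survive the host reboots.
param(
    [ValidateSet('Prepare', 'Restore')]
    [string]$Phase = 'Prepare',
    [string]$StateFile = "$env:ProgramData\vm-autostart-state.xml"
)

if ($Phase -eq 'Prepare') {
    $vms = Get-VM

    # Record each VM's autostart action and run state before changing anything.
    $vms | Select-Object Name,
        @{ Name = 'StartAction'; Expression = { $_.AutomaticStartAction.ToString() } },
        @{ Name = 'WasRunning';  Expression = { $_.State -eq 'Running' } } |
        Export-Clixml -Path $StateFile

    foreach ($vm in $vms) {
        # Keep the VM down across the host reboots that follow the update.
        Set-VM -Name $vm.Name -AutomaticStartAction Nothing
        if ($vm.State -eq 'Running') {
            Stop-VM -Name $vm.Name    # requests a guest shutdown, not a power-off
        }
    }

    # Confirm nothing is still running before the update is installed.
    Get-VM | Format-Table Name, State, AutomaticStartAction
}
else {
    # After the update and both reboots: put the saved settings back.
    foreach ($saved in Import-Clixml -Path $StateFile) {
        Set-VM -Name $saved.Name -AutomaticStartAction $saved.StartAction
        if ($saved.WasRunning) {
            Start-VM -Name $saved.Name
        }
    }
}
```

Run it with `-Phase Prepare` before installing KB4535680 and with `-Phase Restore` once the host has settled after its reboots. When the domain controllers are among the VMs, the Restore phase has to be run from a local account on the host, as the reply notes.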

    • #2334828

      As we have no need for Hyper-V (disabled in services) no issues encountered in Win8.1 Pro x64 on three devices (mixture of legacy and UEFI / no BitLocker activated).
      kb4535680 was offered via WU post SMQR kb4598285 and weighed around 90kb.
      No nuclear ‘weopons’ or state secrets, yet 🙂

      If debian is good enough for NASA...
      1 user thanked author for this post.
    • #2334837

      I have hidden it on my main driver Win8.1 machine.
      Intend to do the same on all Win8.1 and various versions of Win10 when I update them.

      Who tests this stuff???

      2 users thanked author for this post.
      • #2334878

        Who tests this stuff???

        I think it was tested, and they know it breaks things, because the KB article tells you how to avoid the problems. Which is not a whole lot of use after the fact.

        It took me some time to figure out that I should not have a problem with it, because while it tells you which policy items to check, it is far from complete in describing where to look.

        At any rate, it has led me to do a full system image even before I read this on AskWoody, just in case. (I’m guilty of not doing this very often for the affected PC – it’s more or less a backup for my secondary system, and happens to be the only one with 8.1.)

        1 user thanked author for this post.
        • #2334887

          In my not so humble opinion I think the issue is that it’s tested all by itself and not via WU or WSUS and thus not with the interaction of the OTHER updates. It may have been fine all by itself, but with the other main update it’s barfing.

          Susan Bradley Patch Lady/Prudent patcher

          1 user thanked author for this post.
          • #2334990

            It may have been fine all by itself, but with the other main update it’s barfing.

            Very likely true. I’ve gone ahead and applied it, on its own, and encountered no problem, but there again, my system didn’t meet the criteria for breakage. (Not that I 100% trusted the KB notes to be correct.)

            Windows update is perfectly capable of applying fixes in the right order, one by one if necessary, but they just didn’t bother with this one.

            (FWIW I’m still holding off applying the rest of this month’s patches. Just wanted to get this one behind me while I have a fresh system image.)

            2 users thanked author for this post.
    • #2334889

      Did anyone notice that KB4535680 ( https://support.microsoft.com/en-us/help/4535680/security-update-for-secure-boot-dbx ) looks essentially the same as the 2020-02 secure boot update KB4524244 ( https://support.microsoft.com/en-us/help/4524244/security-update-for-windows-10-february-11-2020 ) that was pulled before? The timestamps and file sizes for Dbxupdate.bin, etc. for e.g. 1809 and 1903/9 match in those articles. The notable differences in the articles are: only for x64 (no 32-bit version) and no update for EOL (1703/1709) versions. The Server 2012/Windows 8.1 updates are also merged into the same article as Win10 (previously it was a separate KB).

      Unless the newer servicing stack fixes something or BIOS/UEFI updates were installed, it would seem that people that had issues with the February 2020 version would be likely to have the same issues again.

      2 users thanked author for this post.
      • #2335035

        It’s an update of the same patch; they are including additional bootloader fixes.

        Susan Bradley Patch Lady/Prudent patcher

    • #2336001

      KB4535680 is also being offered thru WU to old PCs using legacy BIOS (non-UEFI) chips, Susan.
      I did a recent WU check on an old non-uefi based desktop PC running Win10 x64 v1909 to confirm this.

      definitely hide/skip/block this update

      • This reply was modified 4 years, 2 months ago by EP.