KB4535680 (Security Update for Secure Boot DBX: January 12, 2021) improves Secure Boot DBX on several Windows versions. Applicable operating systems are Windows Server 2012/R2/2016/2019 64-bit, Windows 8.1 64-bit, and Windows 10 1067/1803/1809/1909 64-bit. The key change is that “Windows devices using UEFI-based firmware can run with Secure Boot enabled.” Secure Boot DBX is a feature that prevents malicious UEFI modules from being loaded, and this update adds a module to successfully exploit the vulnerability and blocks malicious attackers who run untrusted software by bypassing Secure Boot.
According to the patch description, “If you enable Windows Defender Credential Guard, the device will restart twice.” However, I found that this patch affects the integrity of virtual machines on servers using Hyper-V. In my case, when I restarted the host server twice, the virtual machine was in the save state.
When a Hyper-V host server is patched, it is common for virtual machines underneath it to keep its original work. When the Hyper-V host restarts, the virtual machine returns to its original operating state. The system temporarily shuts down the Hyper-V management server, restarts the host machine, and restarts the virtual machine from there. I usually keep the virtual machine running when I restart the host server. But this time, when the Hyper-V host was restarted, the virtual machine did not return to its original operating conditions. I had to restart the Hyper-V host three times, and then turn it off completely and then turn it back on again.
If you’ve installed this update on your Hyper-V server, you’ll need to manually turn off the virtual machine first. Only in this way will the virtual machine remain in a stable condition before installing the patch.
In fact, the DBX update also caused problems on HP systems that did not have the latest BIOS update installed, even with the February 2020 update.
If so, what should a server administrator do? First of all, companies that use tools like WSUS should carefully evaluate KB4535680 before installing it on Hyper-V servers. If you feel you need to install it because of security practices, first turn off the virtual machine manually before installing it.
If you are a regular user of Windows 10, updating the BIOS is very important. If it was a few years ago, I would install the patch on systems that have never updated the BIOS after purchase, but now, be sure to download the latest BIOS update from the PC manufacturer’s website before installing the Windows 10 feature update. If you are still using Windows 10 1909, please hide the update with the Wushowhide tool. Windows 2004 and later versions include this tool by default.
In conclusion, if you don’t have a definite need for this update, we recommend that you skip it. In my opinion, the risk to the virtual machine is greater than the risk of an attack. If you need to install it, please do it very carefully. [email protected]
Source: ITWorld Korea by www.itworld.co.kr.
*The article has been translated based on the content of ITWorld Korea by www.itworld.co.kr. If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!
*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.
*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!