I’m not ready to give an all-clear to the security patches released Jan. 12, and I want to warn you about one specific update that is affecting Hyper-V servers and some consumer-level workstations.

KB4535680, also known as Security update for Secure Boot DBX: January 12, 2021, makes improvements to Secure Boot DBX for a number of supported Windows versions. These include Windows Server 2012 x64; Windows Server 2012 R2 x64; Windows 8.1 x64; Windows Server 2016 x64; Windows Server 2019 x64; Windows 10, version 1607 x64; Windows 10, version 1803 x64; Windows 10, version 1809 x64; and Windows 10, version 1909 x64. Key changes affect “Windows devices that [have] Unified Extensible Firmware Interface (UEFI) based firmware that can run with Secure Boot enabled.” The Secure Boot Forbidden Signature Database (DBX) is the firmware’s revocation list: a UEFI module whose signature or hash appears in it is refused at boot. This update adds entries for additional modules to that list, so that an attacker who could otherwise exploit the vulnerability in those modules to bypass Secure Boot and load untrusted software is blocked.

The patch description notes that, “If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device will restart two times.” While that doesn’t sound like much of a known issue, I found that having a server with Hyper-V enabled affected the integrity of my virtual machines. In my case, rebooting the host server twice triggered the virtual machines to go into a saved state.

Typically, when you patch a Hyper-V host server, it’s normal to let the underlying hosted virtual machines “do their thing.” When the Hyper-V host reboots, the virtual machine can be set by default to come back online; the system will temporarily pause the Hyper-V Management server, reboot the host machine, and upon reboot restart the virtual machines. It’s normal for me to leave my virtual machines running while I reboot the host server. In this case, when the Hyper-V host rebooted, the virtual machines did not go back into operational condition. I had to reboot the Hyper-V host a third time, fully shutting it down and then manually turning it back on, to get my virtual machines back up and running.

If you install this update on Hyper-V servers, plan on manually shutting down the virtual machines first. This ensures that the virtual machines will be in a stable condition – and stopped – before the patch is installed.
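The pre-patch routine the two paragraphs above describe, written out as an added PowerShell example (it is not from the article and not Microsoft’s code): it checks that the host is actually a Secure Boot/UEFI machine, counts the revocation entries currently in the DBX variable (the list this update extends), checks whether KB4535680 is already present, checks whether Credential Guard is running (the double-restart case), and then records and cleanly shuts down every running VM so nothing is left in a saved state across the restarts. The `$Kb` parameter and the `$StateFile` path are assumptions for illustration; the cmdlets (`Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`, `Get-HotFix`, `Get-CimInstance`, `Get-VM`, `Stop-VM`, `Start-VM`) are the standard ones from the SecureBoot and Hyper-V modules. Run it from an elevated prompt on the host before installing the update.

```powershell
# Hypothetical pre-patch checklist for the DBX update on a Hyper-V host.
# Added example for this article; not code from the article or from Microsoft.
param(
    [string]$Kb = 'KB4535680',                                   # the DBX update discussed in the article
    [string]$StateFile = "$env:ProgramData\dbx-prepatch-vms.txt"  # hypothetical path; records VMs to restart later
)

# 1. Is this host in scope? The update only matters on UEFI firmware with
#    Secure Boot enabled; on legacy BIOS the cmdlet throws, which we treat as "no".
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }
Write-Host "Secure Boot enabled   : $secureBoot"

# 2. Count the entries currently in the DBX (forbidden signature) variable.
#    The variable is a chain of EFI_SIGNATURE_LIST structures: a 28-byte header
#    (16-byte type GUID, then SignatureListSize, SignatureHeaderSize, SignatureSize
#    as little-endian UINT32), an optional header, then fixed-size signature entries
#    (16-byte owner GUID + data; 48 bytes in total for a SHA-256 hash entry).
function Get-DbxEntryCount {
    $bytes  = (Get-SecureBootUEFI -Name dbx).Bytes
    $offset = 0
    $count  = 0
    while ($offset + 28 -le $bytes.Length) {
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0) { break }   # malformed list: stop instead of looping forever
        $count  += [math]::Floor(($listSize - 28 - $headerSize) / $sigSize)
        $offset += [int]$listSize
    }
    return $count
}
if ($secureBoot) {
    Write-Host "DBX revocation entries: $(Get-DbxEntryCount)  (expect this to grow after $Kb)"
}

# 3. Is the update already installed?
$installed = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
Write-Host "$Kb installed   : $([bool]$installed)"

# 4. Credential Guard running? The patch notes say the device then restarts twice.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))   # 1 = Credential Guard
Write-Host "Credential Guard on   : $credGuard  (if True, plan for two host restarts)"

# 5. Record every running VM, then shut it down cleanly (guest shutdown through the
#    integration services) so nothing is left to be saved/restored across the reboots.
$running = @(Get-VM | Where-Object State -eq 'Running')
if ($running.Count -gt 0) {
    $running.Name | Set-Content -Path $StateFile
    Write-Host "Shutting down $($running.Count) VM(s); names saved to $StateFile"
    $running | Stop-VM -ErrorAction Stop
} else {
    Write-Host "No running VMs to stop."
}

# After the host has finished rebooting (twice, when Credential Guard is on),
# bring the same VMs back:
#   Get-Content $StateFile | ForEach-Object { Start-VM -Name $_ }
```

`Stop-VM` without `-TurnOff` or `-Save` asks the guest to shut down through the Shutdown integration service, which is the "stable and stopped" state the article recommends; a VM without integration services will need to be shut down from inside the guest first. The entry count in step 2 is only a sanity check that the DBX variable is readable and parseable, not a verification of which hashes the update adds.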

Historically speaking, these DBX updates have not been well behaved — even on consumer-based machines. Past updates triggered issues in HP systems that did not have the latest BIOS updates installed. In a document posted in February 2020, HP detailed the problem. (Both HP and Microsoft note that “if the latest supported BIOS is not installed on the system, then Windows 2004 installation, Windows 2004 Update, or the KB4524244 or KB4535680 update may be blocked for installation or download.”)

Copyright © 2021 IDG Communications, Inc.
