The security patch released on January 12th is hard to assess. More precisely, the Secure Boot Forbidden Signature Database (DBX) update causes problems on Hyper-V servers and on some end-user workstations.
KB4535680 (Security Update for Secure Boot DBX: January 12, 2021) updates the Secure Boot DBX on several versions of Windows. The applicable operating systems are Windows Server 2012/R2/2016/2019 64-bit, Windows 8.1 64-bit, and Windows 10 1607/1803/1809/1909 64-bit. The key point is that it applies to "Windows devices using UEFI-based firmware that can run with Secure Boot enabled." Secure Boot DBX is the block list that prevents known-bad UEFI modules from being loaded; this update adds the modules that could be used to exploit the vulnerability to that list, so that an attacker can no longer bypass Secure Boot to run untrusted software.
According to the patch description, "If you enable Windows Defender Credential Guard, the device will restart twice." However, I found that this patch also affects the virtual machines on servers running Hyper-V. In my case, after the host server restarted twice, the virtual machine was left in the saved state.
When a Hyper-V host server is patched, the virtual machines beneath it normally carry on from where they left off. When the Hyper-V host restarts, the virtual machine returns to its previous operating state: the system temporarily stops the Hyper-V management service, restarts the host machine, and then resumes the virtual machine from there. I usually leave the virtual machines running when I restart the host server. This time, however, when the Hyper-V host restarted, the virtual machine did not return to its previous operating state. I had to restart the Hyper-V host three times, and then shut it down completely and power it back on.
If you intend to install this update on your Hyper-V server, you will first need to shut down the virtual machines manually. Only then will the virtual machines remain in a stable state across the patch installation.
In fact, the DBX update has also caused problems on HP systems that did not have the latest BIOS update installed, even the February 2020 release.
So what should a server administrator do? First of all, companies that use tools like WSUS should evaluate KB4535680 carefully before deploying it to Hyper-V servers. If you feel you need to install it because of your security practices, shut down the virtual machines manually before installing it.
If you are a regular Windows 10 user, updating the BIOS is very important. A few years ago I would have installed such a patch on systems whose BIOS had never been updated since purchase, but now, be sure to download the latest BIOS update from the PC manufacturer's website before installing the Windows 10 feature update. If you are still using Windows 10 1909, hide the update with the Wushowhide tool. Windows 2004 and later versions include this tool by default.
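The pre-patch steps above (check whether the DBX update is already present, confirm the firmware version before relying on a Secure Boot change, and shut down running VMs on a Hyper-V host before the double reboot) can be collected into one readiness check. The script below is an added example, not the author's own tool; the KB number comes from the article, the script name and the `-StopVms` switch are my own choices, and the cmdlets used are the standard Windows (`Get-HotFix`, `Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`, `Get-CimInstance`) and Hyper-V (`Get-VM`, `Stop-VM`) ones. It must run in an elevated session on the host itself.

```powershell
#Requires -RunAsAdministrator
# Check-DbxPatchReadiness.ps1 (hypothetical name): pre-flight check before
# installing KB4535680, the Secure Boot DBX update discussed in the article.
param(
    [string]$Kb = 'KB4535680',   # KB id taken from the article
    [switch]$StopVms              # only shut VMs down when explicitly requested
)

# 1. Is the DBX update already installed on this host?
$installed = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($installed) {
    Write-Host "$Kb is already installed (installed on $($installed.InstalledOn))."
} else {
    Write-Host "$Kb is not installed."
}

# 2. Secure Boot state and the current DBX size, recorded so the value can be
#    compared before and after the update (the DBX should grow once applied).
try {
    $secureBoot = Confirm-SecureBootUEFI
    Write-Host "Secure Boot enabled: $secureBoot"
    $dbx = Get-SecureBootUEFI -Name dbx
    Write-Host "Current DBX size: $($dbx.Bytes.Length) bytes"
} catch {
    Write-Warning "Secure Boot UEFI variables are not readable (legacy BIOS boot?): $_"
}

# 3. Firmware version, to compare against the vendor's latest release
#    before applying a Secure Boot change on this platform.
$bios = Get-CimInstance -ClassName Win32_BIOS
Write-Host "Firmware: $($bios.Manufacturer) $($bios.SMBIOSBIOSVersion) (released $($bios.ReleaseDate))"

# 4. On a Hyper-V host, list running VMs and, on request, shut them down
#    cleanly so none is left in the saved state across the host's reboots.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    $running = Get-VM | Where-Object State -eq 'Running'
    if (-not $running) {
        Write-Host "No running VMs on this host."
    } elseif ($StopVms) {
        foreach ($vm in $running) {
            Write-Host "Shutting down $($vm.Name) ..."
            # Stop-VM asks the guest OS to shut down through the integration services;
            # -Confirm:$false suppresses the interactive prompt for unattended use.
            Stop-VM -Name $vm.Name -Confirm:$false
        }
        Get-VM | Select-Object Name, State | Format-Table -AutoSize
    } else {
        Write-Host "Running VMs (re-run with -StopVms to shut them down first):"
        $running | Select-Object Name, State, Uptime | Format-Table -AutoSize
    }
} else {
    Write-Host "Hyper-V module not present; skipping VM check."
}
```

Run it once without `-StopVms` to review the report, then with `-StopVms` immediately before installing the update; rerunning it after the reboots lets you confirm that `Get-HotFix` now reports the KB and that the DBX size has changed.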
In conclusion, if you don't have a definite need for this update, I recommend skipping it. In my opinion, the risk to the virtual machine is greater than the risk of an attack. If you need to install it, please do it very carefully.