August 08/2022 Patch KB5012170 Update for Secure Boot DBX problem 0x800f0922

Problem: You can't install August 2022 Update KB5012170 on some systems under certain condition where Secure Boot is enbled and not latest BIOS/UEFI Firmware . You will receive an Error 0x800f0922

Error: Package KB5015730 failed to be changed to the Installed state. Status: 0x800f0922.

The patch does a revert

System which is not affected

The updates fixes some secure boot problems as example:

CVE-2022-34301 | Eurosoft Boot Loader Bypass

CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass

CVE-2022-34303 | Crypto Pro Boot Loader Bypass

Microsoft main link:

KB5012170: Security update for Secure Boot DBX: August 9, 2022 (microsoft.com)

https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15

What does the KB describe:

Describes the problem that certain firmware/Bios and GPO Settings should not patch KB5012170. The KB is very hard to dunerstand. We try to help a little. Please keep in mind that you can't update firmware without checking compatiblity on Laptops for docking station and maybe other things. In enterprise you can't can't just update laptop firmware over night and hope all is fine like microsoft thinks they can do with their M365/Azure solution and Autopolit clients. ;-)

So what does that mean if you don't have a post doc in IT?

Check if yout are affected with and have PCR7 active

You can find out the status of your UEFI / PCR7 / Bitlocker Setup with MSINFO32.exe (Elevated) or/and by running a DOS or PS command.

Some sample dumps and how to find out:

Affected product which has PCR7 mode shown:

Dell computer Precision 5530, Windows 10 21H2

msinfo32.exe commandline

shows:

Sicherer Startzustand    Ein    

PCR7-Konfiguration    Gebunden

DOS: manage-bde -protectors -get c:

Shows:

Automate checking client for PCR7:

You may use a) Your software Deployment b) PSEXEC from systernals c) Do not use GPO to deploy software if you are not 100% fireproof with scripting

With psexec:

PsExec - Windows Sysinternals | Microsoft Docs

Auotmate the msinfo32.exe with psexec

psexec -s \\computer001 C:\windows\system32\msinfo32.exe /nfo c:\edv\00_report\computer.txt /report c:\edv\00_report\computer_re.txt

Description of Microsoft System Information (Msinfo32.exe) Tool

Other samples not affected:

An HP Elitedesk 800 G3 (Older) with a NON UEFI BIOS

Binding not possible becauee older machine and NOT UEFI BIOS (Legacy used) because of better Deployment OS reasons.

DOS: manage-bde -protectors -get c:

PS:

Msinfo32.exe

Some newer Home system from HP Elitedesk with UEFI no Bitlocker GO or Bitlocker active (Out of the box enduser system)

BINDING POSSIBLE

manage-bde -protectors -get c:

Below you see under PCR7 that you did NOT run msinfo32 under "Administrative/Elevated" it says "Elevation required to view".

Here is msinfo32.exe with run as admin, PCR7 would be possible but is not activated

You can see in this specfic machine where PCR7 "Binding Possible" is shown there is not Bitlocker. That's why withou the Fimrware Update which was offered by HP this was the patch has installed.

Solution

1. Check that you have the latest Bios/Firmware
2. Check if you have PCR7 enabled like mentioned above

If not possible > as example because your docking station is not comaptible with latest firmware

Some further links and infos regarding the path:

ADV200011 - Security Update Guide - Microsoft - Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Troubleshoot the TPM (Windows) - Windows security | Microsoft Docs

R730xd, BitLocker, Secure Boot, PCR7 issue - Dell Community

If you don't connect MDT on Server 2016 to an SQL Database it will use SQL Server Compact to store information

You see in MONITOR. You ONLY access the Info from the Compact Edition with SQL Management Studio 2008R2

And NOT the newer Version I have read somewhere. With the SQL Management Studio 2008R2 we

Can open the SDF database from C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf

You can also access through API Web:

http://localhost:9801/MDTMonitorData

http://localhost:9801/MDTMonitorData/Computers

http://localhost:9801/MDTMonitorData/ComputerIdentities

It's written that they keep the information in there for 3 days. So this is only a temporary solution until the client runs.

C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf

To see or view data itself you could use:

https://www.linqpad.net/

To date there are two Social MSDN Threads where people and very und-happy and Microsoft DOES not think it's important

to mention the Problem on their KB Article under Problems. This has just come into our timeline range where

we rollout and MDT/WDS Server for medium sized customer who has no Enterprise Agreement and thus no SCCM.

Manage over 15 WSUS servers for SBS to Enterprise but has no info in that direction. (Not mentioned on MS/TechNet or Ask Woody which we mostly consult for good info)

Problem during PXE Boot:

Windows failed to start a recent hardware or software change might be the cause.

"Status 0xc0000001"

support.microsoft.com/de-ch/help/4489881/windows-8-1-update-kb4489881

Here is how to fix it:

Uncheck under TFTP the option Enable Variable Window Extension

Reboot the WDS/MDT Server or restart the WDS Service.

Fortigate Application Filter Certificate wrong/missing Entry sample for an important laptop driver (W10 Deployment fails because of signed Driver Revocation Lookup)

OR HOW a missing small ENTRY I a FORTIGATE FIREWALL IPS/APP filter can ruin your Windows 10 OS-Deployment work.

Reason: Missing entry in Fortigate Application Filter "ROOT.CERTIFICATE.URL" and "OCSP" source of failing deployment

Windows 10 Deployment with commercial Deployment Products (This includes HP client hardware, Microsoft SCCM, Landesk or Ivanti Frontrange).

During the Unattend phase the driver for MASS storage or NIC does a Certificate Revocation Lookup. However the as sample mentioned

URL pki.infineon.com (Hardware Driver URL, CRL FQDN) is missing in Fortiguard definitions. Thus the Fortigate does block the access to WAN. Since this is an early setup phase of W10, group Policy or special GPO do not pull at that moment.

Fortigate has already missed several PKI URL the last few months confirmed by ticket resulting in large trouble and delay on client and Server OS of customers who route their Client or Server traffic through Web proxy and because of security do not want to route computer account proxy traffic standard to the proxy.

Why this is so important. Why this is generating a lot of work and trouble for OS-Deployment teams.

The normal way in larger companies is that all outgoing traffic from client VLAN goes to Firewall which it blocks. All Web/Application/Socks traffic that should go outside goes to a Proxy, Web filter.

Because in early phase of Deployment those options are not set already and normally not needed. However if the driver is older than the Expiration of the Code Signing Certificate W7/W10 will check

The Certificate Revocation list from WAN/Internet. If that fails it may refuse to integrate the driver in Windows PE or early Windows Setup phase. If example this is a driver which

handels NIC (network) or mass Storage driver (Disk) they deployment can't run through this early process.

Workaround:

URL we need open in our sample: pki.infineon.com which prevents a complete Enterprise Deployment system to fail

Sample from Fortigate for other Certs they missed:

F-SBID( --name "Root.Certificate.URL_Custom"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(crl\.microsoft\.com|\.omniroot\.com|\.verisign\.com|\.symcb\.com|\.symcd\.com|\.verisign\.ne t|\.geotrust\.com|\.entrust\.net|\.public- trust\.com|\.globalsign\.|\.digicert\.com|crl\.startcom\.|crl\.cnnic\.cn|crl\.identrust\.com|crl\.thaw te\.com|crlsl\.wosign\.com|www\.d\-trust\.net)/"; --context host; --weight 15; )

In our case:

F-SBID( --name "Root.Certificate.pki.infineon.com"; --protocol tcp; --app_cat 17; --service HTTP; -- flow from_client; --pcre "/(pki\.infineon\.com)/"; --context host; --weight 15; )

Please also see:

Butsch.ch | The certificate is invalid for exchange server usage Exchange 2010 SAN/UC

https://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC

So you understand that this is a problem which persists over all firewall producers:

https://support.symantec.com/en_US/article.HOWTO9584.html

Symantec: About the Install Readiness Check for Certificate Revocation List access

https://success.trendmicro.com/solution/1058226

TEND MICRO: After upgrading OfficeScan, users complained that the server started to rename all files in the OfficeClient Directory to "_invalid".
Below is a sample list of files in the D:\app\Trend Micro\OfficeScan\PCCSRV\Admin directory:

Checkpoint:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

If there is no Internet connection, then CRL fetch and intermediate CA fetch will fail (this will be logged). The inspection will take place; however, URL-based or Category-based bypassing will not work.

Note: The CRL verifications are performed in the background asynchronously while matching the security policy (this mimics the behavior of the major web browsers).

Untrusted certificates and lack of CRLs can be configured as reasons to drop the connection

Mcafee:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25504/en_US/epo_530_pg_0-00_en-us.pdf

Internet Explorer, Group Policy, Gruppenrichtlinien, IE11 GPO Settings, PROXY Explained F5-F8

1. IE11 has to be installed so you see the IE10 Option
2. There is not IE11 Option > That's ok > Choose IE10 it will work fir IE11
3. You are on a SRV 2012 R2 or W8 to see this option or W7 with installed updated
4. You did try it always fails or you get too MUCH Gpo settings from the GUI Mode.

    

This is what we talk about and seems to make confusions. People set if with it and at the end did with HKCU keys.

You can configure the options with F5, F6, F7 and F8 keys from the GUI. Only choose the options you want to change.

ALL RED > Will not be touched (Like GPO Settings DEFAULT)

ALL GREEN > Will be touched or changed (Like GPO setting ENABLE/DISABLE) depending on the GUI if you have a checkbox selected or not.

GREEN = Stuff you want to change

RED = LEAVE IT at it is

Some sample settings

If you go back one step on the GPO Console and do an F5 / Refresh

You should only see the option which you marked GREEN with F7 or F8

Lets make a sample (That i don't want touched)

See forgot two things and not clear how to select under security

Back in GPO Console one step, Update F5, Refresh

The above mentioned is RED THUS Gone / Not touched

We recommend to enable a check if you DO Registry KEYS or such Settings with GPO and not deployment.

Make sure you have a WMI Filter to also capture IE11

Check out I11 LINKS:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

http://www.butsch.ch/post/IE11-Umsetzen-Unternehmensmodus-Enterprise-Mode.aspx

Intel(R) Ethernet Connection I217-LM Deployment problems

HP Zbook, Probook 650G1 (See below for full range info)

OS Deployment problems with Intel NIC i217-V (I217V) under Windows 7 64BIT and different Deployment Software Like Frontrange-Enteo, SCCM, Symantec and also with Windows Deployment.

Main problem is that the Windows PE 3.X that most Deployment solutions use accepts a less DEVICEID (A shorter). Also the NIC somehow seems to have timing problems and just behaves different than others during unattended setup.

Your Windows PE will work with any driver DeviceID:

PCI\VEN_8086&DEV_153B

But the Windows 7 Setup that your Deployment does need is more specific driver and checks behind that base DeviceID:

PCI\VEN_8086&DEV_153B&SUBSYS_00008086 (Sample)

06.09.2013, 12.8.33.9427 < GEHT NICHT
06.06.2014, 12.11.77.2 < GEHT NICHT
31.07.2014, 12.12.50.7205 (REV: A PASS: 4) < GEHT von HP Carepaq, sp68420

Check! VERSION: 12.12.50.7205 REV: A PASS: 4

ftp://ftp.hp.com/pub/softpaq/sp68001-68500/sp68420.html

Screenshot shows Driver 12.8.33 from original HP factory setup W7 64BIT which DOES not work for Deployment.

The HP Factory NIC Setup shows following Device-ID (W7 64BIT) which does not work for deployment

Errors your will see in c:\windows\panther with wrong driver (No NIC in OS phase / Not Windows PE)

You need the INF file with the three DeviceID:

%E153BNC.DeviceDesc% = E153B.6.1.1, PCI\VEN_8086&DEV_153B

%E153BNC.DeviceDesc% = E153B.6.1.1, PCI\VEN_8086&DEV_153B&SUBSYS_00008086

%E153BNC.DeviceDesc% = E153B.6.1.1, PCI\VEN_8086&DEV_153B&SUBSYS_00011179

Links:

http://www.symantec.com/connect/forums/ghost-loop

https://downloadcenter.intel.com/search?keyword=Intel%28R%29+Ethernet+Connection+I217-V

http://serverfault.com/questions/649507/mdt-deployment-issue-driver-not-loading-i217-lm-on-mdt

https://communities.intel.com/thread/43218

http://forum.enteo.com/showthread.php?t=15396&page=2

ftp://ftp.hp.com/pub/softpaq/sp68001-68500/sp68420.html

Here is the correct syntax and a working example under Windows PE 3.X 32BIT boot media:

Biosconfigutlity.exe /cspwd:"youroldbiospassword" /cspws:"yournewbiospassword"

And an example to renew the existing BIOS password and write new BIOS Setting in one command:

BiosConfigUtility.exe /cspwd:"youroldbiospassword" /nspwd:"yournewbiospassword" /set:"%cd:~0,3%bios\6300\settings\6300.txt"

• %cd:~0,3% = Current Drive letter your batch is on
• bios\6300\settings\6300.txt (The config file with the new bios settings in some file Directory structure bios\modelltype\settings\modelltypeconfigfile.txt (Just an example)
• Yes, you have to mention the "-chars (Quotation marks)
•  "IF" you provider a existing password (cspwd), AND it does not match, it will be overseen and the NEW password written (cspws)
• The exact syntax and ORDER of the options have to be followed

Make sure you don't mess UP with this tool. On certain newer laptops if you mess UP the BIOS password you "Can't" reset it with a jumper. There are two way (Send device to HP or buy a unlock key from russia for USD50). A cutomer from us has tried and did not understand the tool correct.

 If you don't want plain text passwords in your scripts you may have to use "HPQPswd.exe" which makes a password.BIN file from your entrys with the password encrypted.

OS-Deployment Time:

HP 6560 all Major super OS-Deployment fail!

With our Deployment system Storage and nic driver intergation is very easy! ;-)

A short look in google show you that all those new fancy OS-Deployments did work a few months. But

now with new hardware and new Nic and mass stroage drivers they (as allways) fail and people have problems.

All the regualr non-deployemtn people who took OS Deployment for easy and thought they can do it theirself have problems.

The HP 5660 seems to fail with. Fails mean you will have to integrate a NIC and Mass Driver into the PE and maybe the WIndows 

XP SP3 silent setup if you still run Windows XP.

Even Windows 7 seems to have problems with the RIS. Back to the roots and hiring expensive Deployment people ;-)

·         WDS Windows Deployment

·         SCCM/SMS

·         Acronis 

·         Symantec Ghost und Deployment Suites wie Altiris