Windows Server 2019 VM update failed KB5012170 - Error 0x800f0922

hiew

Cadet
Joined
Oct 25, 2022
Messages
1
I'm trying to get Windows Server 2019 as a fresh Virtual Machine installation on TrueNAS-SCALE-22.02.4.

Everything is working as intended up until I do a full update; KB5012170 fails and gives Error 0x800f0922. Luckily, it seems as though this is something that can generally be ignored without having to worry about missing other security updates; however, I would like to ensure that it is indeed secure before committing to TrueNAS.

The patch KB5012170 is an update for secure boot DBX.

Now I'll be completely honest, I don't know much of what to do from here to resolve this issue. Some other users have manually updated the DBX keys as per the links below; however, I don't know where to go about changing them on TrueNAS.

Does anyone have a potential solution?


 

JohnnyD

Dabbler
Joined
Jan 6, 2022
Messages
43
Did you ever solve this issue?
 

ChaosBlades

Contributor
Joined
Jul 4, 2015
Messages
137
We are waiting on Microsoft to fix it.


Status: Confirmed
Originating update: OS Build 22000.850, KB5012170, 2022-08-09
History: Last updated: 2022-12-14, 16:12 PT; Opened: 2022-08-12, 17:08 PT
When attempting to install KB5012170, it might fail to install, and you might receive an error 0x800f0922.

Note: This issue only affects the Security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security only updates.

Workaround: This issue can be mitigated on some devices by updating the UEFI bios to the latest version before attempting to install KB5012170.

Next steps: We are presently investigating and will provide an update in an upcoming release.

Proxmox also had this issue but they can resolve it by setting the EFI Disk to have Pre-Enrolled Keys enabled. I don't see any kind of option for that in SCALE.


Looks like if you switch from UEFI to Legacy BIOS this will also resolve the issue.
 

JohnnyD

I don't think M$ are going to fix this now; it's an August 2022 patch. We need another solution.
 

ChaosBlades

This issue is still listed under the latest 22H2 known issues list. Microsoft just takes forever to fix some things. Besides, it is a Secure Boot security update. If you are not using Secure Boot, which isn't enabled by default on the SCALE virtual UEFI, then it does not matter; you just get an annoying error message in Windows Update. As the issue lists, this only affects Secure Boot; it does not affect any other security patch or update.


  • Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

    A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

    This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
 

JohnnyD

That's not quite right; it affects 3 of my Windows machines. As it tries to reinstall that patch on every update, the update fails, so it goes through the two reboot/uninstalling updates issue every time. On a server, that's not very good and takes a long time. It's not just an annoying message, it's downtime on a server.
 

JohnnyD

You can't hide the update on a server as far as I am aware?
 

ChaosBlades

On standard Windows 11 (not Server) it just gets to "Installing - 99%" then it just reverts to "Failed". I don't get any reboot or uninstalling message.

I am seeing how-to articles say it works on server, but I don't have anything to test. I downloaded the .diagcab from MajorGeeks and just successfully removed the update with it on my system. Your browser might say it can't be downloaded because it might be harmful. You just need to tell it to keep the file in the context menu.

 

JohnnyD

That does indeed allow me to hide that update on a server. I have done one so far and am now doing the second, but it's looking good. Thank you so much; I have googled over the last 3 months for a resolution, and I did not come across this one, or maybe was reluctant to install on a server not knowing its reputation. Thank you once again.
 

JohnnyD

And it worked OK on the second machine, TY
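
Added example (not part of any post above, and not the .diagcab tool mentioned in the thread): a PowerShell sketch that first checks whether the guest actually boots with Secure Boot, following the reasoning in the thread that the DBX update only matters when it does, and hides KB5012170 through the Windows Update Agent COM API only when Secure Boot is off. The function names are hypothetical; it assumes an elevated session inside the Windows VM.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run inside the Windows guest.
# Function names are hypothetical; the cmdlet and COM API are Windows built-ins.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # PlatformNotSupportedException when the guest boots in legacy BIOS mode.
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        'LegacyBIOS'
    }
}

function Hide-PendingUpdate {
    param([Parameter(Mandatory)][string]$KbNumber)  # digits only, no "KB" prefix
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $hidden = @()
    # Only look at updates that are still pending and not already hidden.
    foreach ($update in $searcher.Search('IsInstalled=0 and IsHidden=0').Updates) {
        if (@($update.KBArticleIDs) -contains $KbNumber) {
            $update.IsHidden = $true   # reversible: set back to $false to unhide
            $hidden += $update.Title
        }
    }
    return $hidden
}

$state = Get-SecureBootState
Write-Output "Secure Boot state: $state"

if ($state -eq 'Enabled') {
    # The DBX revocations are enforced on this machine, so do not suppress the update.
    Write-Warning 'Secure Boot is enabled; leaving KB5012170 visible so it keeps being offered.'
} else {
    $titles = Hide-PendingUpdate -KbNumber '5012170'
    if ($titles.Count -eq 0) {
        Write-Output 'KB5012170 is not currently offered (already installed, hidden, or not applicable).'
    } else {
        $titles | ForEach-Object { Write-Output "Hidden: $_" }
    }
}
```

If Secure Boot is later enabled on the VM, set `IsHidden` back to `$false` (search with `IsHidden=1`) so the DBX update is offered again.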
 