Can Windows Updates Add DBX Keys to Secure Boot Key Management?

JamesBacon 0 Reputation points
2023-11-16T04:57:56.5133333+00:00

Hi, I have Secure Boot enabled on both my Windows 10 Asus PC and my Windows 11 MSI laptop. Within 'Key Management', I always see the following numbers of keys next to each key type, along with their setting, all of which are factory settings:

PK- 1 key (Default)

KEK- 3 keys (Default) on Asus | 1 key (Default) on MSI

DB- 10 keys (Default)

DBX- 77 keys (Default)

Now, I don't know much about the other key types, but I do know that DBX is supposed to be a blacklist that filters out (?), or blocks, malicious code that attempts to execute.

I updated both of my devices to the latest Cumulative Update as well as the newest version of the Windows Malicious Software Removal Tool today. I don't remember seeing anything different when I went into my Asus BIOS after the update, but I also wasn't very focused on the keys at the time.

I've gone into both my Asus PC's and MSI laptop's BIOS just now, and on both of them the DBX key settings have changed.

Instead of having 77 keys and being set to Default, DBX had 270 keys and was set to "Mixed" instead. I reset the keys on both devices and they both returned to their normal values of 77 (Default), but I'm really confused.

Can 'larger' Windows Updates add more DBX keys when Secure Boot is enabled, after the update is fully installed? I only recently enabled Secure Boot on my PC, and I had never gone into the BIOS on my laptop until now, so I have nothing to compare to.

Edit: I updated my laptop to 23H2 and this did not change the DBX keys in the BIOS; they are still set to 77. So could the Malicious Software Removal Tool update have caused this??


2 answers

Sort by: Most helpful

  2. Wesley Li 11,720 Reputation points
    2024-01-10T08:49:36.22+00:00

    Hello

    Microsoft published a Security Update Guide entry that describes a new vulnerability related to Secure Boot. Devices that trust the Microsoft third-party Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA) in their Secure Boot configuration may be susceptible to an attacker who has administrative privileges or physical access to the device. Yes, the update will make changes to the Secure Boot DBX.

    In brief, Secure Boot works by placing the root of trust in firmware. While other implementations are possible, in practice the chain of trust is achieved via x509 certificates. A root CA is embedded in firmware such that it can then validate the signed bootloader, the signed bootloader can then validate the signed kernel or signed 2nd stage boot loader, and so on. Various key databases are used to provide flexibility and maintain strong security:

    • DBX ('forbidden signature database' or 'signature database blacklist'): contains a set of explicitly untrusted keys and binary hashes. Any application or driver signed by these keys or matching these hashes will be blocked from execution.


    Best Regards,

    Wesley Li


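One way to check what the firmware's DBX actually holds after such an update, added here as an example that is not part of the original thread or any Microsoft-supplied script: it reads the dbx variable with the SecureBoot module's Get-SecureBootUEFI cmdlet and walks the EFI_SIGNATURE_LIST records inside it, counting the hash and certificate entries, which is the number the BIOS "Key Management" page reports. It assumes an elevated PowerShell session on a UEFI machine with Secure Boot available; the helper names are my own.

```powershell
# Added example: count the entries in the live DBX by parsing its EFI_SIGNATURE_LIST records.
# Requires an elevated PowerShell session on a UEFI system (Get-SecureBootUEFI needs admin).
Import-Module SecureBoot

# Signature-type GUIDs defined by the UEFI specification.
$SigTypeNames = @{
    'c1c41626-504c-4092-aca9-41f936934328' = 'EFI_CERT_SHA256 (binary hash)'
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'EFI_CERT_X509 (certificate)'
}

function Get-DbxEntryCount {
    # Walks the concatenated EFI_SIGNATURE_LIST structures in $Bytes and
    # returns one object per list plus a grand total, as the BIOS would count them.
    param([byte[]]$Bytes = (Get-SecureBootUEFI -Name dbx).Bytes)

    $offset = 0
    $total  = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: GUID SignatureType (16), UINT32 SignatureListSize,
        # UINT32 SignatureHeaderSize, UINT32 SignatureSize (28 bytes total).
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        # Each EFI_SIGNATURE_DATA entry is SignatureOwner GUID (16) + the hash or DER certificate.
        $count = [int](($listSize - 28 - $headerSize) / $sigSize)
        $name  = $SigTypeNames[$type.ToString()]
        if (-not $name) { $name = "unknown type $type" }
        [pscustomobject]@{ SignatureType = $name; Entries = $count; EntrySize = $sigSize }
        $total  += $count
        $offset += $listSize
    }
    [pscustomobject]@{ SignatureType = 'TOTAL'; Entries = $total; EntrySize = $null }
}

Get-DbxEntryCount | Format-Table -AutoSize
```

Run it before and after installing an update and compare the TOTAL row with the count the BIOS shows; a jump such as 77 to 270 made up of EFI_CERT_SHA256 entries is the revocation list growing, not a sign of tampering.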
