Monday, 25 January 2021

Latest Windows update KB4535680 blocks agFM Secure Boot!

You can Secure UEFI64-boot to agFM on the E2B USB drive because it uses the Kaspersky bootx64.efi signed grub2 shim file. This boot file originated from Kaspersky and was signed by Microsoft as being 'Secure'. However, it contained a loophole which allowed us (via some clever programming) to load unsigned modules and hence an unsigned version of grub2 (e.g. grubfm or agFM or Ventoy, etc.).

A year or so ago, Microsoft released a KB Update which added a 'blacklist' entry into the UEFI BIOS non-volatile RAM of the Windows system UEFI firmware. This is called the DBx (or dbx) list and it can usually be found in your UEFI BIOS settings.

The DBx list was specifically intended for this purpose - to blacklist boot files which Microsoft had signed as 'Secure' but later turn out to be not as 'secure' as they thought!

The update provided by Microsoft immediately caused a lot of issues on certain Secure Boot OEM systems which also used this same EFI boot file (Lenovo?, HP?) and thus the update prevented them from booting after it was installed! Microsoft quickly withdrew the Windows Update and left their victims to try to rescue their secure but unbootable systems.

Now it seems Microsoft have tried again (KB4535680 2021-01-12) but the new Windows update is only applied to certain systems (and probably only those that boot via UEFI and have GPT partitions on the boot disk):

  • Windows Server 2012 x64-bit
  • Windows Server 2012 R2 x64-bit
  • Windows 8.1 x64-bit
  • Windows Server 2016 x64-bit
  • Windows Server 2019 x64-bit
  • Windows 10, version 1607 x64-bit
  • Windows 10, version 1803 x64-bit
  • Windows 10, version 1809 x64-bit
  • Windows 10, version 1909 x64-bit

On a Dell system, you may now see this message when you UEFI boot to agFM from your E2B USB drive:

Other BIOSes may produce other messages (e.g. Invalid signature, etc.)


This means that you may now find that some systems will no longer boot to agFM unless you disable Secure Boot on those systems or you clear the DBx list using the UEFI BIOS setup menu.

Simply removing KB4535680 may not remove the Kasperksy hash from the DBx list - you may need to go into your BIOS to clear the DBx list.

We can still convert signed EFI payloads such as Windows ISOs, Red Hat, some Ubuntu and Fedora ISOs, to .imgPTN23 files and switch in the images.

Well, it seems the lid of Pandora's box has been closed and the honeymoon is over...

P.S. Linux Mint ISOs contain the mokutil  utility.  The command  mokutil -D -X  may delete the DBx list? (untested).


  1. So, its not possible to resolve this issue? Can u update bootx64 efi?

    1. No, efi file must be signed by Microsoft and they will never do this because it can boot or load unsigned code.

    2. There is a way.. i saw itps tool pack technology.

      i learn how they did.
      They make bootx64.efi to boot windows boot manager and adds their menu via bcd.

      im still working on it.

      i want to load bootx64.efi then ventoyx64.efi via windows boot manager.
      can u tell me how to do that via bcd?

      here is example

      i dont want to add code in bootx64.efi because its blocked on latest laptop.

      so booting offcial bootx64.efi then windows boot manager then other efi is possible.
      also we can skip windows bootmanger metro menu via bcd with timeout 0.

      i just want to know how to boot ventoyefix64 file via windowsbootmanger with bcd.
      WITHOUT Patching BOOTX64.efi

      here is example

    3. I tested ITPS on latest laptops.. Yes IT WORKS.........!!!!!!!!!!!!!


    4. Which unsigned EFI files have you been able to Secure Boot to?

    5. Steve. Listen carefully bro,

      Check ITPS TOOLS PACK.

      their project run @ secure boot too. On latest machines without block error.

      I learned that how they did it.

      They didn't patched BOOTX64.efi file

      They boot it as official efi but now they created custom wim loader menus on metro boot loader.
      They just changed bcd.
      However it works as pure efi machines/laptops.

      So here is a way.

      I want to know to how to run windows boot manager entry first and then edit bcd to load custom efi file or grub.cfg via metro boot loader.
      Setting timeout 0.
      Please reply.

    6. The problem is that we need run an unsigned version of grub2 from a Secure Boot. It is easy to run various wim files from a secure boot via Boot Manager. When you Secure Boot to Boot manager, it will not allow you to run an unsigned payload.