2/17/2020 update: KB4524244 has been removed from the Windows Update catalog and will not be re-offered (more info in the release notes). For customers who already installed KB4524244 or any other OEM or Windows update that changes your Secure Boot configuration, the guidance below still applies.
Users of the Host Guardian Service (HGS) for shielded VMs or SQL Server Always Encrypted with Secure Enclaves should be aware that the February 2020 Security Update (KB4524244) for Windows 10 and Windows Server may cause your guarded hosts or SQL Servers to fail attestation. You won't want to get caught by this in production, so read on to learn more about the update, how to prepare for the change, and best practice guidance for handling updates in production environments.
The February 2020 security update "addresses an issue in which a third-party Unified Extensible Firmware Interface (UEFI) boot manager might expose UEFI-enabled computers to a security vulnerability." It does this by updating your Secure Boot configuration to block the vulnerable boot manager. While updates to the Secure Boot configuration are rare, they are important to protect the integrity of the pre-OS boot process.
You normally wouldn't even notice that the Secure Boot configuration has been updated, but it's one of many measurements HGS analyzes when a machine attests in TPM mode. HGS compares the machine's current Secure Boot configuration (measured by the TPM) with the list of trusted baselines registered on HGS. Baselines captured before the February 2020 security update is installed will have the old Secure Boot configuration in them, so when an updated machine tries to attest, HGS will notice the discrepancy and flag the machine as unhealthy. This is the intended behavior, since a change to the Secure Boot configuration could indicate someone is trying to allow other, potentially compromised, boot managers to run on your computer. In the case of KB4524244, however, the updated Secure Boot configuration helps improve your security, so you'll want to capture a new baseline that includes the new configuration and register it as a trusted baseline with HGS.
The changes included in KB4524244 will only affect attestation if all the following apply to your environment:
The best indication that your attestation failure is a result of the Secure Boot configuration update is if your AttestationSubstatus = SecureBootSettings. You can get this information by running Get-HgsClientConfiguration on the machine attesting with HGS. If this cmdlet returns other substatus values, check out our troubleshooting guide for more information.
PS C:\> Get-HgsClientConfiguration
IsHostGuarded : False
Mode : HostGuardianService
KeyProtectionServerUrl : https://hgs.contoso.com/KeyProtection
AttestationServerUrl : https://hgs.contoso.com/Attestation
AttestationOperationMode : Tpm
AttestationStatus : InsecureHostConfiguration
AttestationSubstatus : SecureBootSettings
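The check above, followed by the baseline refresh the post describes (capture a new TPM baseline on the patched host, register it on HGS), as an added PowerShell example that is not code from the original post or from Microsoft; the file paths, host name and policy name are assumptions. Both the old and the new baseline stay registered so hosts that have not yet installed the update keep attesting.

```powershell
# Added example (not from the original post). Two halves:
# (1) on a guarded host or SQL Server after KB4524244 is installed,
# (2) on an HGS server. File paths, host name and policy name are assumptions.

# --- (1) On the attesting host: confirm the failure is the Secure Boot baseline ---
$cfg = Get-HgsClientConfiguration
if ($cfg.AttestationStatus -eq 'InsecureHostConfiguration' -and
    $cfg.AttestationSubstatus -eq 'SecureBootSettings') {

    # Capture the host's current TPM baseline; it now includes the updated
    # Secure Boot configuration. This file is what HGS will be told to trust.
    $baseline = "C:\HGS\$($env:COMPUTERNAME)-SecureBoot-Feb2020.tcglog"   # path is an assumption
    Get-HgsAttestationBaselinePolicy -Path $baseline
    Write-Output "Captured new baseline: $baseline (copy it to the HGS server)"
}
elseif ($cfg.AttestationStatus -ne 'Passed') {
    # A different substatus means a different problem; see the troubleshooting guide.
    Write-Output "Attestation failed for another reason: $($cfg.AttestationSubstatus)"
}

# --- (2) On the HGS server: register the new baseline alongside the old one ---
# Keeping the pre-update baseline registered lets unpatched hosts keep attesting;
# remove it only after every host has installed the update.
$policyName   = 'SecureBoot-Feb2020-KB4524244'                  # name is an assumption
$baselineFile = 'C:\HGS\HOST01-SecureBoot-Feb2020.tcglog'       # file copied from step (1)

if (-not (Get-HgsAttestationTpmPolicy -Name $policyName -ErrorAction SilentlyContinue)) {
    Add-HgsAttestationTpmPolicy -Name $policyName -Path $baselineFile
}

# Confirm the new baseline is registered and enabled.
Get-HgsAttestationTpmPolicy -Name $policyName
```

Once the new policy is in place, re-run Get-HgsClientConfiguration on the patched host; IsHostGuarded should now be True and AttestationStatus should be Passed.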
Microsoft recommends installing the February 2020 security update on all of your machines. To ensure a smooth rollout and avoid downtime for your shielded VMs or SQL Servers, it's recommended to apply the update and configure HGS in the following order:
TPM attestation with HGS provides strong assurances about the security of your servers. It's recommended that you always test any software or hardware updates in an isolated, pre-production environment before rolling the changes out to all machines. This will help you catch any changes that cause attestation to fail and give you time to prepare new baseline or code integrity policies to trust those changes.