Advertisement

Beware: Using UUPDump for Windows 20H2 might lock down Secure Boot

It has come to our knowledge that using a third-party service that generates ISO images might brick your device. For some computers with Secure Boot enabled, using the ISO images generated by third-party service, UUPDump.nl for upgrading from an older Windows version will damage and lock the UEFI firmware. Recovering it will require advanced skills from the user.

The issue was found and further investigated by @imbushuo. He managed to figure out that after using UUPDump.nl ISOs the device may start reporting an unsigned secure boot policy error.

Advertisеment

Affected devices are known to be Desktops. While the upgrade is broken, the clean install appears to be safe.

Due to a bug in ISOs compiled with the UUPDump service, the platform in it is set to Surface Hub.

Variable NV+BS '77FA9ABD-0359-4D32-BD60-28F4E78F784B:SecureBootPlatformID' DataSize = 0x16
00000000: 57 00 69 00 6E 00 64 00-6F 00 77 00 73 00 20 00 *W.i.n.d.o.w.s. .*
00000010: 48 00 75 00 62 00 *H.u.b.*

If you tried to upgrade the device with such an ISO image, and now having the issues, here's a quick fix provided by the author.

dmpstore -d SkuSiPolicyVersion -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d SkuSiPolicyUpdateSigners -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d SecureBootAntiRollbackVersion -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d CurrentPolicy -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d Kernel_DriverSiStatus -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d Kernel_ATPSiStatus -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d Kernel_WinSiStatus -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d Kernel_SkuSiStatus -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d Kernel_SiStatus -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d VsmLocalKey2 -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d RevocationList -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d BootDebugPolicyApplied -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d CurrentActivePolicy -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d BootingDeviceTypeInfo -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d WindowsBootChainSvn -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d SecureBootPlatformID -guid 77FA9ABD-0359-4D32-BD60-28F4E78F784B
dmpstore -d UnlockID -guid EAEC226F-C9A3-477A-A826-DDC716CDC0E3
dmpstore -d UnlockIDCopy -guid EAEC226F-C9A3-477A-A826-DDC716CDC0E3

Then reset TPM, replace WinSiPolicy.p7b with the desktop 19041 one

Note: Run the above commands from the UEFI shell. dmpstore -d is its built-in command that removes NVRAM variables.

The author says that while UUPDump does not follow CompDB, it might be an issue with the files that Microsoft ships via its channels, too, so both the service and the company could be guilty in this very case.

Well, you can avoid such issues by using official ISO images. Luckily, those are already available for download.

Download Windows 10 Version 20H2 ISO Images

Thanks to Roman for tipping me.

 

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!

Advertisеment

Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

Leave a Reply

Your email address will not be published.

css.php
Using Telegram? Subscribe to the blog channel!
Hello. Add your message here.