KB5028312, KB5028314: Microsoft releases Windows 11 Dynamic SafeOS update for Secure Boot

Yesterday, Microsoft released its Patch Tuesday updates for Windows 10 (KB5028166) and Windows 11 (KB5028185). In an accompanying announcement on its health dashboard website, the company explained that it has deployed the second phase of its hardening against the BlackLotus UEFI bootkit security flaw. Microsoft also published a guidance post to help users.

This hardening was delivered via its newest SafeOS Dynamic Update packages for WinRE (Windows Recovery Environment) and brings easier automated deployment of Secure Boot DBX revocation files.

The Secure Boot Forbidden Signature Database, or Secure Boot DBX, from Microsoft is essentially a block-list of UEFI executables that were found to be dangerous. (With the latest Patch Tuesday, Microsoft also revoked several WHQL-signed drivers that were actually malware.)
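
How a DBX lookup works, as an added example that is not from the article or from Microsoft: the UEFI specification stores the DBX as concatenated EFI_SIGNATURE_LIST structures, and this Python code parses them and tests a digest against the SHA-256 entries. The sample bytes, owner GUID and digests are constructed, and the input is assumed to be raw signature-list data with any variable-attribute or authentication wrapper already removed.

```python
import hashlib
import struct
import uuid

# Signature type GUID defined by the UEFI specification for SHA-256 hash entries.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a DBX payload."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, offset)
        body, end = offset + HEADER.size + hdr_size, offset + list_size
        # Reject sizes that would loop forever or read past the buffer.
        if list_size < HEADER.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % offset)
        if (end - body) % sig_size:
            raise ValueError("entries do not fill the list evenly")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield uuid.UUID(bytes_le=raw_type), owner, blob[pos + 16:pos + sig_size]
        offset = end


def revoked_sha256(blob):
    """Return the set of SHA-256 digests the DBX payload blocks."""
    return {data for kind, _, data in parse_signature_lists(blob)
            if kind == EFI_CERT_SHA256_GUID and len(data) == 32}


def build_sha256_list(owner, digests):
    """Construct a test EFI_SIGNATURE_LIST (sample data, not a real DBX)."""
    entries = b"".join(owner.bytes_le + d for d in digests)
    return HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                       HEADER.size + len(entries), 0, 16 + 32) + entries


# Constructed sample: made-up digests standing in for revoked boot images,
# split over two concatenated lists as a real DBX may be.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
BLOCKED = [hashlib.sha256(b"constructed-bad-bootloader-%d" % i).digest() for i in range(2)]
SAMPLE_DBX = (build_sha256_list(SAMPLE_OWNER, BLOCKED[:1])
              + build_sha256_list(SAMPLE_OWNER, BLOCKED[1:]))

if __name__ == "__main__":
    probe = hashlib.sha256(b"constructed-good-bootloader").digest()
    print("listed image blocked:", BLOCKED[0] in revoked_sha256(SAMPLE_DBX))
    print("unlisted image blocked:", probe in revoked_sha256(SAMPLE_DBX))
```

For a real boot image, the digest to look up is the Authenticode SHA-256 of the PE file, not a hash of the whole file on disk; the DBX can also hold certificate entries, which this example skips.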

The support articles for the new KB5028312 and KB5028314 updates say:

KB5028312: Setup Dynamic Update for Windows 11, version 21H2: July 11, 2023

Summary

This update makes improvements to Setup binaries or any files that Setup uses for feature updates in Windows 11, version 21H2.

KB5028314: Setup Dynamic Update for Windows 11, version 22H2: July 11, 2023

Summary

This update makes improvements to Setup binaries or any files that Setup uses for feature updates in Windows 11, version 22H2.

In a Techcommunity blog post about Windows 10 Dynamic Updates, Microsoft explained Dynamic Updates in more detail regarding its various components and uses. These packages include fixes to Setup.exe binaries, SafeOS updates for Windows Recovery Environment, and more:

As soon as a Windows 10 feature update initiates, whether from media or a Windows Update service-connected environment, Dynamic Update is one of the first steps invoked. Windows 10 Setup reaches out to an Internet-facing URL hosted by Microsoft to fetch Dynamic Update content, then applies those updates to your OS installation media.

Content acquired includes:

  • Setup Updates: Fixes to Setup binaries or any files that Setup uses for feature updates.
  • Safe OS Updates: Fixes for the "safe OS" that are used to update Windows recovery environment (WinRE).
  • Servicing Stack Updates: Fixes that are necessary to address the Windows 10 servicing stack issue and thus required to complete the feature update.
  • Latest Cumulative Update: Installs the latest cumulative quality update.
  • Driver Updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and specifically targeted for Dynamic Update.

In addition to these updates, Dynamic Update will preserve Language Pack (LP) and Features on Demand (FODs) content during the upgrade process. These are not updates to LPs and FODs, but reacquisition to ensure the user has these elements present when the update completes.

These Dynamic Updates were automatically downloaded with the Windows 11 July Patch Tuesday updates. You can also download them manually by visiting the Microsoft Update Catalog website (KB5028312 / KB5028314). Windows 10 also got its Dynamic Update, under KB5028311.
