
KB5028311: Microsoft released critical Windows 10 Dynamic SafeOS update for Secure Boot


Yesterday, Microsoft released its Patch Tuesday updates for Windows 10 (KB5028166) and Windows 11 (KB5028185). In an accompanying announcement on its health dashboard website, the company explained that it has deployed the second phase of its hardening against the BlackLotus UEFI bootkit security flaw. Microsoft also published a guidance post to help users.

This hardening was delivered via Microsoft's newest SafeOS Dynamic Update packages for WinRE (Windows Recovery Environment) and brings easier automated deployment of Secure Boot DBX revocation files. The Secure Boot Forbidden Signature Database, or Secure Boot DBX, from Microsoft is essentially a block list of UEFI executables that were found to be dangerous. (Microsoft also revoked several WHQL-signed drivers that were actually malware with the latest Patch Tuesday.)

The support article for the new KB5028311 update says:

KB5028311: Setup Dynamic Update for Windows 10, version 20H2, 21H2, and 22H2: July 11, 2023

Summary

This update makes improvements to Setup binaries or any files that Setup uses for feature updates in Windows 10, version 20H2, 21H2, and 22H2.

In a Techcommunity blog post about Windows 10 Dynamic Updates, Microsoft explained Dynamic Updates in more detail regarding its various components and uses. These packages include fixes to Setup.exe binaries, SafeOS updates for Windows Recovery Environment, and more:

As soon as a Windows 10 feature update initiates, whether from media or a Windows Update service-connected environment, Dynamic Update is one of the first steps invoked. Windows 10 Setup reaches out to an Internet-facing URL hosted by Microsoft to fetch Dynamic Update content, then applies those updates to your OS installation media.

Content acquired includes:

  • Setup Updates: Fixes to Setup binaries or any files that Setup uses for feature updates.
  • Safe OS Updates: Fixes for the "safe OS" that are used to update Windows recovery environment (WinRE).
  • Servicing Stack Updates: Fixes that are necessary to address the Windows 10 servicing stack issue and thus required to complete the feature update.
  • Latest Cumulative Update: Installs the latest cumulative quality update.
  • Driver Updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and specifically targeted for Dynamic Update.

In addition to these updates, Dynamic Update will preserve Language Pack (LP) and Features on Demand (FODs) content during the upgrade process. These are not updates to LPs and FODs, but reacquisition to ensure the user has these elements present when the update completes.

This Dynamic Update was automatically downloaded with the Windows 10 July Patch Tuesday updates. You can also download it manually by visiting the Microsoft Update Catalog website. Windows 11 versions 22H2 and 21H2 also got their Dynamic Updates under KB5028312 and KB5028314, which you can find here.
