Additional guidance for devices using Secure Boot to address CVE-2023-24932



 Microsoft Support:

UPDATE 7/11:
Second Deployment: This phase starts with updates released on July 11, 2023, which add additional support for mitigating the issue.

Security updates released May 9, 2023 and later contain security hardening changes to protect against vulnerabilities tracked by CVE-2023-24932 that can bypass the Secure Boot security feature using the BlackLotus UEFI bootkit. These hardening changes are available but not enabled by default in these updates. The security hardening for CVE-2023-24932 will be done in phases, as steps must be taken to prevent issues on your device when the revocations are applied/enabled, which is required to address CVE-2023-24932.

For information on how to apply the revocations and what is required before you apply the revocations, see KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932. We recommend that all Windows users review this documentation carefully, including both IT administrators and consumers.



I installed this update on two of my machines today. On one of the machines I went all the way and applied the fixes as suggested in the link KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support. I assumed that doing this would prevent booting from a Win 11 boot USB built in 2022. I plugged the USB in and restarted the PC and it booted from the USB. My assumption is that I have stuffed up the implementation but I copied and pasted the commands rather than keying them. I fail to see how I could have stuffed it as I followed all of the instructions (timed reboots etc.). Any thoughts?

The above might now be an academic question as I have followed Microsoft's advice and cleaned all of my USB devices of the Win 11 installer prior to today. I still do have some ISOs of Win 11 on my hard drives somewhere as well as my Macrium backups which eventually will become unusable.

The other question I have is that I am running a Hyper-V VM booting Win 10 32 bit. I have only done the update, not the Revocations on this machine. Will this VM be affected when the Revocations are done as in the link or when Microsoft eventually forces the Revocations as it indicates?

Edit
Just to add a bit of confusion, I created another Win 11 boot USB just now and the files in it are all dated 2022/09/25 and I can't boot from it.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 22H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Bob the Builder
    CPU
    Intel i7-13700KF @ 5.4GHz
    Motherboard
    MSI MPG Z790 Edge WiFi DDR4
    Memory
    G-Skill F4-3200C16-16GVK x 2 (32GB total)
    Graphics Card(s)
    GeForce RTX 3060 Ti Ventus 2X 8G OCV1 LHR
    Sound Card
    Realtek® ALC4080 (mobo chipset)
    Monitor(s) Displays
    Philips 28 inch Display 288E2UAE
    Screen Resolution
    3840 x 2160 (16 x 9)
    Hard Drives
    Samsung 980 Pro NVMe M2 500GB, Samsung 980 NVMe M2 500GB, Samsung 2.5" SSD 1TB, Seagate 2.5" ST5000 5TB, Seagate Barracuda NVMe M2 1TB, Samsung MZVL2512HCJQ OEM NVMe M2 1TB
    PSU
    MSI MPG R850GF PSU (850W)
    Case
    Fractal Design Define 7 Compact ATX
    Cooling
    CoolerMaster MA610P
    Keyboard
    HAVIT mechanical keyboard HV-KB390L TKL
    Mouse
    Logitech M350 Pebble Mouse BT + wireless
    Internet Speed
    50 x 20 megabits / second fibre
    Browser
    Microsoft Edge
    Antivirus
    Microsoft
    Other Info
    Intel Ethernet 1226-V 2.5GHz @ 1GHz
    Intel Wi-Fi 6E AX210
    ASUS router RT-AX86U with Wi-Fi 6
    Logitech BRIO webcam
    Macrium Reflect 8.1 paid for backups etc.
  • Operating System
    Win 11 Pro 22H2
    Computer type
    Laptop
    Manufacturer/Model
    MSI SUMMIT E16 FLIP EVO A11MT-013AU
    CPU
    Intel i7-1195G7
    Memory
    16 GB
    Graphics card(s)
    Iris Xe graphics
    Sound Card
    Realtek High Definition Audio
    Monitor(s) Displays
    16" 120Hz Pen Touch panel
    Screen Resolution
    2560 x 1600 (16 x 10)
    Hard Drives
    Samsung NVMe 980 Pro 1TB
    PSU
    Delta Electronics ADP-65SD B, HP 1HE08AA
    Mouse
    Logitech M350 Pebble Mouse BT + wireless
    Keyboard
    Full Keyboard
    Internet Speed
    50 x 20 megabits / second fibre
    Browser
    Firefox
    Antivirus
    Microsoft
    Other Info
    Killer Wi-Fi 6E 1675x (210NGW)
    MSI Pen
    Web Cam with Windows Hello Face
    Fingerprint Reader
    ASUS router RT-AX86U with Wi-Fi 6
    Macrium Reflect 8 paid for backups etc.
I installed this update on two of my machines today. On one of the machines I went all the way and applied the fixes as suggested in the link KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support. I assumed that doing this would prevent booting from a Win 11 boot USB built in 2022. I plugged the USB in and restarted the PC and it booted from the USB. My assumption is that I have stuffed up the implementation but I copied and pasted the commands rather than keying them. I fail to see how I could have stuffed it as I followed all of the instructions (timed reboots etc.). Any thoughts?

The above might now be an academic question as I have followed Microsoft's advice and cleaned all of my USB devices of the Win 11 installer prior to today. I still do have some ISOs of Win 11 on my hard drives somewhere as well as my Macrium backups which eventually will become unusable.

The other question I have is that I am running a Hyper-V VM booting Win 10 32 bit. I have only done the update, not the Revocations on this machine. Will this VM be affected when the Revocations are done as in the link or when Microsoft eventually forces the Revocations as it indicates?

Edit
Just to add a bit of confusion, I created another Win 11 boot USB just now and the files in it are all dated 2022/09/25 and I can't boot from it.
I'm taking a slow, methodical approach to this :-).

First, I applied the May 9 updates to all my systems already.

Second, I noticed that the Windows media downloadable from Microsoft has not been updated yet. It's way back on build 525. But that's okay. I applied the updates to my media, so in theory, all my installation media should include all the May 9 updates now. It at least shows the correct build numbers.

Tomorrow, I'm going to interrupt my normal incremental backup schedules on all my systems and perform a full backup since previous backups will no longer work once the mitigations are in place.

Then, I'm going to take a test machine and do a clean install of Windows with the May 9 updates in place and go through the remaining steps. I'll test to see if I can successfully boot with media prior to May 9 and with May 9 updated media. That will also prove that my updated media is good.

Looks like tomorrow (actually, later today) will be a long day :-)

I wonder how this will affect WinRE / WinPE boot media for products like Macrium Reflect.

Bottom line is that it looks like this is something not to trifle with, but to proceed very carefully.
 

My Computers

System One System Two

  • OS
    Win11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-11700K
    Motherboard
    ASUS Prime Z590-A
    Memory
    128GB Crucial Ballistix 3200MHz DRAM
    Graphics Card(s)
    No GPU - CPU graphics only (for now)
    Sound Card
    Realtek (on motherboard)
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 1TB NVMe Gen 4 x 4 SSD
    1 x 2TB NVMe Gen 3 x 4 SSD
    2 x 512GB 2.5" SSDs
    2 x 8TB HD
    PSU
    Corsair HX850i
    Case
    Corsair iCue 5000X RGB
    Cooling
    Noctua NH-D15 chromax.black cooler + 10 case fans
    Keyboard
    CODE backlit mechanical keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    Additional options installed:
    WiFi 6E PCIe adapter
    ASUS ThunderboltEX 4 PCIe adapter
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
I read the link KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support a bit further and it indicates that if the update is successful there will be an event-id of 1035 posted to the SYSTEM log. I eventually found it so the implementation was successful. I might not have done the sequence of rebooting correctly which could have been the reason that booting a 2022 Win 11 build still worked but it certainly doesn't now.

With the new win 11 boot usb that I created this afternoon, I used the Media Creation Tool and it might not have been updated yet.
 

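The check described in the post above (event 1035 in the SYSTEM log after the revocations are applied) can be scripted. This is an added example, not code from the KB or from any poster; the function name `Get-RevocationEvidence` is hypothetical, and it assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example: collect the evidence the thread relies on to decide whether
# the Secure Boot revocations took effect. Run from an elevated prompt.

function Get-RevocationEvidence {
    [CmdletBinding()]
    param(
        # Event ID the thread reports for a successful revocation update.
        [int]$EventId = 1035
    )

    # Secure Boot state: $true / $false, or $null when the firmware is not UEFI
    # or the session is not elevated (the cmdlet throws in both cases).
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    # Running OS build (for example 22621.1702) from CurrentBuild plus the
    # update revision (UBR), to confirm the cumulative update is installed.
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $osBuild = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

    # Every System-log record with this ID. Event IDs are only unique per
    # provider, so provider name and message are kept for manual confirmation.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $EventId } `
                             -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        OsBuild           = $osBuild
        EventCount        = $events.Count
        Events            = $events | Select-Object TimeCreated, ProviderName, Message
    }
}

$evidence = Get-RevocationEvidence
$evidence | Format-List SecureBootEnabled, OsBuild, EventCount
$evidence.Events | Format-List

if ($evidence.EventCount -eq 0) {
    # Matches the first report in the thread: commands were run, but old media
    # still booted. Recheck after completing the restarts the KB calls for.
    Write-Output 'No event 1035 found: the revocation is not recorded as applied.'
}
elseif ($evidence.SecureBootEnabled -eq $false) {
    # With Secure Boot off the firmware does not enforce the revocation list,
    # which is why disabling it lets otherwise blocked media boot.
    Write-Output 'Event 1035 found, but Secure Boot is disabled, so nothing is enforced.'
}
elseif ($null -eq $evidence.SecureBootEnabled) {
    Write-Output 'Event 1035 found; Secure Boot state unknown (not UEFI or not elevated).'
}
else {
    Write-Output 'Event 1035 found and Secure Boot is on: keep updated boot media at hand.'
}
```

The System log is size-limited, so an old event 1035 can age out; a missing event on a long-running machine is not proof that the revocations were never applied.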
I'm a novice. Reading this scares the hell out of me. I honestly don't understand what it is asking everyone to do.

I use Macrium Reflect 8.1 with the Windows boot manager with Macrium on a spare internal SSD drive and the backups on another. I also have the rescue media on a USB drive.

Are they saying Macrium boot media will not work unless I do something? What have I got to do? Panic.... :boom:
 

My Computer

System One

  • OS
    Windows 11 Pro Version 23H2 OS Build 22631.3374
    Computer type
    PC/Desktop
    Manufacturer/Model
    Local shop built (KC Computers Ltd)
    CPU
    Intel Core i9 13900F
    Motherboard
    Gigabyte Z690 Gaming X (rev. 1.0/1.1) - (BIOS: F29 Dec 22, 2023)
    Memory
    2 x Kingston Fury 32gb DDR5 5600 Beast
    Graphics Card(s)
    Gigabyte Eagle (Nvidia) RTX 3060
    Sound Card
    Chord Async USB 44.1kHz - 384kHz 2Qute DAC
    Monitor(s) Displays
    piXL PX27UDH4K 27 Inch Frameless IPS Monitor
    Screen Resolution
    4K (3840 x 2160) 60fps
    Hard Drives
    1 x KINGSTON NVMe M.2 SSDSKC3000D2048G 2TB
    1 x Samsung SSD 870 EVO 250GB
    2 x Crucial CT4000MX500SSD1 4TB
    2 x Crucial CT2000MX500SSD1 2TB
    1 x Crucial CT250MX500SSD1 250.0 GB
    PSU
    Gigabyte 750w
    Case
    Fractal Torrent
    Cooling
    Stock Intel CPU, 2 x Fractal 180mm PWM (front), 3 x Fractal 140mm PWM (bottom)
    Keyboard
    Logitech MX Mechanical Wireless Illuminated Performance Keyboard
    Mouse
    Logitech MX Master 3S Wireless Performance Mouse
    Internet Speed
    960 Mbps/330 Mbps Trooli FTTP
    Browser
    Firefox
    Antivirus
    Eset Nod32
I'm a novice. Reading this scares the hell out of me. I honestly don't understand what it is asking everyone to do.

I use Macrium Reflect 8.1 with the Windows boot manager with Macrium on a spare internal SSD drive and the backups on another. I also have the rescue media on a USB drive.

Are they saying Macrium boot media will not work unless I do something? What have I got to do? Panic.... :boom:
Yeah - I would hold back for a little while on this. I would wait for some of us crazy people who insist on trying this early to work through this before you try to do this. Those of us playing with this will be sure to post updates on how we are doing and any lessons learned along the way :-)

I did some testing since my first post and here's where I am now:

1) I applied the May 9 updates to a test laptop.

2) I applied the revocations as instructed in the Microsoft KB.

3) I checked the event log to make sure that it was applied successfully.

4) At this point I got myself into a bit of a pickle. The system boots Windows just fine. But I cannot get anything else to boot. New Windows boot media (in this case a thumb drive) with the May 9 updates applied will not boot. Macrium Reflect boot media created after the May 9 updates were installed will not boot. Creating a Win PE boot using the latest available Win PE for the ADK will not boot.

Fortunately, this was easy to work around by simply disabling Secure Boot in the BIOS.

But here are a few notes:

First, the article notes that a new Safe OS update will become available. I suspect that is needed in order to make boot media work even if the May 9 updates are applied to it. I suspect that this is because the safe OS update is not available yet.

The KB contains the following statement:

"If you use a bootable disk image (ISO), a CD-ROM, or DVD media, update the media by following the instructions here."

Note that the "here" is in bold in KB but it is not a clickable link. Again, my guess is that the instructions will likely require that the Safe OS update be applied to the boot media, but it is not available yet.

In the same KB Microsoft notes that updated Windows media will be available through all the normal channels. However, when I go to the media creation tool it is still offering the old build 22621.525 of Windows 11 so that has clearly not been updated yet.

But, this is typical. Microsoft has done this a number of times in the past. We'll just have to wait for all the bits to get updated.

In the meantime, I have a laptop that has the revocations applied, I just have to keep Secure Boot disabled until I can create functional media.

To summarize, here is what we need:

1) We need a Safe OS update from Microsoft. Since the Safe OS applies to Windows RE it is my guess that once we get this we will be able to create boot media such as a Macrium boot disk based upon Win RE. This should also allow Windows boot media to work.

2) We also need an updated Windows ADK and Win PE add-on for the ADK. That will allow the creation of boot media based upon Win PE such as Macrium Reflect boot media. NOTE: There are 2 options for Reflect - media based on Win RE or Win PE can be built.

If anyone wants to correct me here, feel free to reach out and smack me :-). Some of what I'm saying here is speculation, but it's good, educated, speculation :-).
 

Some helpful links and tips regarding this:

Some helpful links:

1) The ADK can be found here. Monitor this page for an updated version of the ADK and the Win PE add-on.


2) To determine when a new build of Win 11 is available on the media creation tool, do this:

Visit this page:


Select "Download Now" under the "Create Windows 11 Installation Media" section.

Choose to open the media creation tool.

On the first screen, accept the license agreement by clicking "Accept".

When you get to the second screen, open File Explorer and open the file C:\$Windows.~WS\Sources\products.xml in Notepad. Note: This location may not be visible unless you choose to show hidden folders and files.

Here is a small portion of that file:

<MCT>
<Catalogs>
<Catalog version="2.0">
<PublishedMedia id="" release="">
<Files>
<File id="">
<FileName>22621.525.220925-0207.ni_release_svc_refresh_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName>
<LanguageCode>zh-cn</LanguageCode>
<Language>Chinese (Simplified, China)</Language>

Ignore the language. That section repeats with a different language listed in each section. Note that the build is 22621.525. You are looking for that build to become 22621.1702 or higher. If it is still 22621.525, you can close the file and exit out of the media creation tool. No need to download it until it gets updated. Feel free to delete C:\$Windows.~WS if you wish.
 

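The manual products.xml check described in the post above can be automated. This is an added example, not part of the original post; the function name `Get-MctCatalogBuild` is hypothetical, and the embedded sample is constructed from the two file names quoted in this thread so the script also runs when the media creation tool's working folder is absent.

```powershell
# Added example: read the media creation tool catalog and report whether the
# offered Windows 11 build has reached the one named in the post.

$required = [version]'22621.1702'
# Single quotes keep the '$' in the folder name literal.
$path     = 'C:\$Windows.~WS\Sources\products.xml'

# Constructed sample in the shape of the excerpt quoted in the post.
$sample = @'
<MCT><Catalogs><Catalog version="2.0"><PublishedMedia id="" release=""><Files>
<File id=""><FileName>22621.525.220925-0207.ni_release_svc_refresh_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName></File>
<File id=""><FileName>22621.1702.230505-1222.ni_release_svc_refresh_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName></File>
</Files></PublishedMedia></Catalog></Catalogs></MCT>
'@

function Get-MctCatalogBuild {
    # Returns the distinct build numbers (as [version]) found at the start of
    # every <FileName> value, sorted ascending.
    param([Parameter(Mandatory)][xml]$Catalog)

    $Catalog.SelectNodes('//FileName') |
        ForEach-Object {
            # File names begin with "<build>.<revision>.", e.g. "22621.525."
            if ($_.InnerText -match '^(\d+\.\d+)\.') { [version]$Matches[1] }
        } |
        Sort-Object -Unique
}

# Use the real catalog when the tool has been opened, otherwise the sample.
$xmlText = if (Test-Path -LiteralPath $path) {
    Get-Content -LiteralPath $path -Raw
} else {
    $sample
}

$builds = @(Get-MctCatalogBuild -Catalog $xmlText)

if ($builds.Count -eq 0) {
    Write-Output 'No build numbers found in any <FileName> element.'
}
else {
    # The list is sorted, so the first entry is the oldest build on offer.
    $lowest = $builds[0]
    Write-Output ("Builds listed : {0}" -f ($builds -join ', '))
    Write-Output ("Oldest build  : {0} (looking for {1} or higher)" -f $lowest, $required)

    if ($lowest -ge $required) {
        Write-Output 'Catalog is updated: media built now carries the newer build.'
    }
    else {
        Write-Output 'Catalog still offers the older build: no need to download yet.'
    }
}
```

The comparison uses the oldest build in the catalog, so a partly refreshed catalog is still reported as not updated. With the constructed sample the result is "still offers the older build" because one entry is 22621.525.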
My goodness, I need some reassurance. If I do nothing (like the masses) then I have the infamous vulnerability, but my Macrium backups and restores still work until Paramount issues an update and we'll see then, is that correct?
 

My Computer

System One

  • OS
    Windows 10 Pro
Hi, I'm new to Macrium Reflect and have done backups and created USB Rescue Media. Reading the MS guidance for this issue/plan, which is very technical, I'm not clear what the implications are.
Will Macrium backups still work as well as Rescue Media and if not, from what timescale? Would a program update from Macrium be needed to image the disc and create rescue media or once the MS fix is in place would Macrium still work as before? I would be grateful for opinions.
Thanks,
Mitch.
 

My Computer

System One

  • OS
    Windows 11 Home
<FileName>22621.525.220925-0207.ni_release_svc_refresh_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName>
<LanguageCode>zh-cn</LanguageCode>
<Language>Chinese (Simplified, China)</Language>

You are looking for that build to become 22621.1702 or higher.
I got 22621.1702 this morning (0630 Eastern Australia) and built a Win 11 installer USB. I tried it in my laptop and it booted into the installer. I'll try it out on my older laptop later and fully install Win 11.
 

My goodness, I need some reassurance. If I do nothing (like the masses) then I have the infamous vulnerability, but my Macrium backups and restores still work until Paramount issues an update and we'll see then, is that correct?
Read the link KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support. Doing nothing will eventually get all of this fix fully installed. This will take a few months. I'm sure that Macrium and others affected will adjust their products so that they continue to work and the majority of us will not know what has happened. However, old Macrium backups for your bootable drive (C:) will not work eventually. Macrium backups for non bootable drives should not need changing. Again, read the link and ask questions if you need.
 

Note that the build is 22621.525. You are looking for that build to become 22621.1702 or higher. If it is still 22621.525, you can close the file and exit out of the media creation tool. No need to download it until it gets updated.
It has been updated. The MCT's products.xml now shows build 22621.1702.

<Catalog version="2.0">
<PublishedMedia id="" release="">
<Files>
<File id="">
<FileName>22621.1702.230505-1222.ni_release_svc_refresh_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName>
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Internet Speed
    50 Mbps
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022. It got the 23H2 Feature Update on 4th November 2023 through Windows Update.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, supported device running Windows 11 Pro (and all my Hyper-V VMs).

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 8GB RAM, 256GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro RTM and Insider Beta as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro, plus the Insider Beta, Dev, and Canary builds as a native boot .vhdx.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Lattitude E4310
    CPU
    Intel® Core™ i5-520M
    Motherboard
    0T6M8G
    Memory
    8GB
    Graphics card(s)
    (integrated graphics) Intel HD Graphics
    Screen Resolution
    1366x768
    Hard Drives
    500GB Crucial MX500 SSD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround. In-place upgrade to 22H2 using ISO and a workaround. Feature Update to 23H2 by manually installing the Enablement Package. Also running Insider Beta, Dev, and Canary builds as a native boot .vhdx.

As I said earlier (post #10) I have now made an updated Win 11 installer usb at 22621.1702 and installed Windows with it. I then applied the Revocations. The SYSTEM event 1035 indicated a successful application of the Revocations. The PC could boot into the installer usb made today and would not boot the installer made yesterday.
 

It has been updated. The MCT's products.xml now shows build 22621.1702.

<Catalog version="2.0">
<PublishedMedia id="" release="">
<Files>
<File id="">
<FileName>22621.1702.230505-1222.ni_release_svc_refresh_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName>
Nice! Thanks for the heads up!
 

Nice! Thanks for the heads up!
The secure boot changes for CVE-2023-24932 are also present in Windows 10. The MCT for W10 has also been updated to its May 9th build.
 

Interesting. I get the new build offered EXCEPT when I choose the option to download an ISO. Then it is still the old build.
 

Interesting. I get the new build offered EXCEPT when I choose the option to download an ISO. Then it is still the old build.
Downloading the ISO directly may still get an older ISO, but building one with the MCT gets the latest build for both W11 and W10.
 

Now I just need an update for the Win PE add-on for the ADK. I have my own program that I wrote that does some of the same things that programs like Rufus and Ventoy do, but I build on Win PE so I need the new bits :-)
 

If anyone wants to correct me here, feel free to reach out and smack me
I wouldn't dare as all this is as clear as mud to me. I'm no novice and the entire MS article is a lot of gobbledygook to me.

Is this saying that if secure boot is on, one has to manually apply the revocations for the extra protections of the CVE to go into effect to protect the user from the BlackLotus bootkit? Is it saying if the revocations ARE NOT manually applied, no harm, no foul? Booting from any external media will continue to work if one turns off secure boot?

Is this saying that if I manually apply the revocations to a secure boot system that there is no going back? Seems to me this will create a nightmare situation for repair shops who won't know if the revocations have been applied or not.

Is this saying that if secure boot is turned off, the CVE has no effect on the system?

Seems to me the CVE can cause as much trouble as BlackLotus.

I'm totally lost here and feel like a complete newbie. Until someone can explain all this in simpleton terms, my secure boot is off and will stay off. I'll take my chances that BlackLotus won't pick me as a victim.
 

Yeah, I must admit that the Microsoft article is not very clear.

So, there are multiple parts to unwrap here.

There will apparently be 3 phases of mitigations. For now, Microsoft has supplied phase 1. This involves updating your system(s) with the May 9 security updates first.

Then, make sure you have updated media, because anything before 1702 will no longer be bootable after the next step. Also, any image backups should have a new full backup performed before applying the revocations.

The next step is to run the commands that place a revocation list on the UEFI partition and make a registry change in Windows.

Next, the system is rebooted, a verification that the revocations were properly applied is performed, and after waiting at least 5 minutes, a second reboot is performed.

At this point, boot media based on anything earlier than 1702 will no longer boot.

Microsoft will later (I think they said in July) roll out further updates, and finally these updates will be enforced in the first quarter of 2024 (or possibly even sooner).

In my testing, I used one laptop to try this on. Sure enough, after the revocations are applied, nothing before build 1702 would boot from a thumb drive. However, all I had to do was disable secure boot.

To my understanding, the whole issue is that this malware makes use of other security flaws to get admin access to the system, then modifies critical boot files to rootkit your computer, giving it access at a very low level before the OS is even loaded. The whole idea is that you want secure boot enabled to prevent anything from being able to modify the critical boot files and UEFI itself. This fix makes sure that only trusted, signed software can alter those critical items when secure boot is enabled.

However, in order for this malware to get installed on your system, someone still needs either physical access to your system or admin access over the network. So, I wouldn't panic too much about this. Take your time until everything becomes clear.

Thursdays seem to be a day where Microsoft often releases new files. So my hope is that maybe we get lucky and get some more crumbs thrown to us later today. In the meantime, I'm in a holding pattern pending further testing and more info.
 

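The media check the posts above rely on (the build shown in the MCT's products.xml, and nothing earlier than 1702 booting once the revocations are applied), as an added example that is not from any poster or from Microsoft: it reads the FileName entries of a products.xml-style catalog and flags Windows 11 22H2 media below 22621.1702. The sample catalog is constructed, the function names are hypothetical, and treating other build branches (such as Windows 10) as not comparable to this threshold is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Threshold taken from the thread: Windows 11 22H2 media earlier than
# 22621.1702 no longer boots under Secure Boot after the revocations.
MIN_PATCHED = (22621, 1702)

# Constructed sample shaped like the products.xml excerpt quoted in the thread.
# The first FileName is the one from the page; the second is a made-up older entry.
SAMPLE_CATALOG = """<Catalog version="2.0">
  <PublishedMedia id="" release="">
    <Files>
      <File id="">
        <FileName>22621.1702.230505-1222.ni_release_svc_refresh_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName>
      </File>
      <File id="">
        <FileName>22621.525.220101-0000.ni_release_EXAMPLE_x64FRE_en-us.esd</FileName>
      </File>
    </Files>
  </PublishedMedia>
</Catalog>"""

# ESD names start with "<build>.<revision>."
BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.")


def parse_build(file_name):
    """Return (build, revision) from an ESD file name, or None if absent."""
    match = BUILD_RE.match(file_name.strip())
    return (int(match.group(1)), int(match.group(2))) if match else None


def classify(build, minimum=MIN_PATCHED):
    """Label a build relative to the revocation-safe threshold."""
    if build is None:
        return "unknown"
    if build[0] != minimum[0]:
        # Assumption: a different branch (e.g. Windows 10) has its own
        # threshold, which this thread does not give.
        return "other-branch"
    return "ok" if build >= minimum else "pre-revocation"


def file_names(xml_text):
    """Collect FileName values; fall back to a regex for truncated XML."""
    try:
        root = ET.fromstring(xml_text)
        return [element.text or "" for element in root.iter("FileName")]
    except ET.ParseError:
        # A pasted excerpt (like the one in the thread) may lack closing tags.
        return re.findall(r"<FileName>([^<]+)</FileName>", xml_text)


def audit_catalog(xml_text):
    """Return (file_name, build, status) for every catalog entry."""
    results = []
    for name in file_names(xml_text):
        build = parse_build(name)
        results.append((name.strip(), build, classify(build)))
    return results


if __name__ == "__main__":
    for name, build, status in audit_catalog(SAMPLE_CATALOG):
        print(f"{status:15} {build} {name}")
```

Entries labelled `pre-revocation` are the ones to rebuild before applying the revocations on a machine that will keep Secure Boot enabled.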
