Additional guidance for devices using Secure Boot to address CVE-2023-24932



 Microsoft Support:

UPDATE 7/11:
Second Deployment: This phase starts with updates released on July 11, 2023, which add additional support for mitigating the issue.

Security updates released May 9, 2023 and later contain security hardening changes to protect against vulnerabilities tracked by CVE-2023-24932 that can bypass the Secure Boot security feature using the BlackLotus UEFI bootkit. These hardening changes are available but not enabled by default in these updates. The security hardening for CVE-2023-24932 will be done in phases, as steps must be taken to prevent issues on your device when the revocations are applied/enabled, which is required to address CVE-2023-24932.

For information on how to apply the revocations and what is required before you apply the revocations, see KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932. We recommend that all Windows users review this documentation carefully, including both IT administrators and consumers.



That's the most important part: it means they can boot on a PC that has the revocations applied in order to do a clean install. The '2nd stage' stuff would get applied as soon as Windows checks for updates, so it's not so important to have it in the ISO.
Which makes sense, but there will soon be ISOs containing 23H2 builds that DO have the July stuff included. In fact you can get them from UUP Dump already (22621.2070 is available, which includes the July 2nd stage stuff).
 

Here's what worked for me... Revocations and fixing the Macrium bootable Rescue Media...

 

@Ghot, you had expressed a desire to have a single program that can perform all the mitigation processes for this issue. Well, here it is. Nothing flashy or fancy, and I plan further enhancements, but so far it is working in my tests.

Some notes:

This is not a signed program. As a result, there is always a possibility that some antivirus scanner has a hissy fit. To be on the safe side, you may want to put it in a folder by itself and create an AV exclusion.

Speaking of AV exclusions, this program runs the Microsoft DISM utility which itself sometimes has difficulties with AV software. If you are using Microsoft Defender, this program will automatically create an AV exception for its working folder, and then clear it when done. Let me know if you have any difficulties with other AV scanners. I don't expect so, but I thought it worth mentioning since I could not test that scenario.

The program will use C:\PE_Update_Project for its working directory, but I'll change that later to allow the user to select a location.

If you have the Windows ADK by itself or both the ADK and Win PE add-on, this program currently expects them to be in the default locations. I plan to allow for other locations in the future.

In addition, this current version is designed to only be used with the US English version of Windows because I hard code a reference to that version in the code. I believe that this would only affect the option to update a locally installed copy of the Windows PE add-on and that other options should work, but I have not tested this.

Did you know that you can apply the revocations and perform these mitigations on a Windows 11 Hyper-V installation? Yeah, neither did I, but it worked like a charm :-). So, if you simply want to experiment, that might be a good place for it.

Don't trust this program? Source is included so you can see what it is doing. I'm using a very simple BASIC based language (QB64PE). The source file with the extension .bas is a plain text file. You can simply view it in Notepad.

Any feedback is welcome, in fact, encouraged!

Again, look for some further refinements in the future.
 

Attachment: BlackLotus Mitigations 1.0.0.1.zip

Quoting "The program will use C:\PE_Update_Project for its working directory":


This is the spot where I said to myself: "This is for a younger, more energetic person." :-)

On a side note... I completely trust your stuff.


Lastly... I already did the revocations and rebuilt the Macrium bootable Rescue Media...


...and then I made a backup. :D



But don't give up on this project. Come the 1st quarter of 2024... when MS forces this stuff... you're gonna be a hero. ^^
You need to end with this...

One file, that says: Revocations Fix-all.exe (or similar)
Then people double click on it... and poof, they're all done. :-)


The secret sauce, is the "no thinking involved" for the end user. ^^



P.S. I scanned your .exe with Bitdefender... and, no skull and crossbones appeared.
Even Virustotal ...gave it 100% clean. :-)





Yep.... you earned it...

Understood. I was just playing and thought I'd give this a whirl. Boredom can make a person do strange things :-) although I was only bored because I didn't feel like starting any larger project yet.
 

Quoting "Boredom can make a person do strange things":

Got that right. There was almost an 1/8" of dust in my case...
So I fired up the compressor, and did my once every 2 year dusting of my computer, the other day. :D

I bought this case in 2009. Cooler Master ATCS 840.
The reason I still use it... it's 100% aluminum, and the entire motherboard tray comes out the back. :-)
Review with pics...

Thanks Bree...
 

I was wrong.

Back when KB5022303 first came out, I'm pretty sure that there was no reference to WinRE. Now, it's like, "oh, by the way, there is a Safe OS Dynamic Update available to update WinRE" (obviously not a direct quote, me being punchy and annoyed with myself for not keeping up).

Another part of the problem was that WinRE just worked for me because I am already in the habit of updating WinRE with every new update as soon as it is released.

You see, I wrote myself a program that updates EVERYTHING including the install.wim, winRE, WinPE, and even the parts of a Windows distribution not contained in any image. So, for me, WinRE just worked.

So, thanks to all of you for this discussion making me revisit the topic and re-read everything. @Bree - your info was a big part of getting me to realize I had something wrong in my thick skull.

I'm going to write up some very detailed notes mainly to help me keep all of this straight in my own head. If it's not down in writing I will get confused as I have already demonstrated. I'll be happy to share if anyone is interested when I am done.

Just a brief summary with no details:

Issue 1: KB5022303 and CVE-2022-41099 are related to the WinRE issue on deployed devices.

Issue 2: KB5025885 and CVE-2023-24932 are related to the Black Lotus issue. We now know that not only is WinPE affected by this, but so is WinRE.

How on earth does your average home PC user who sees the PC as an appliance deal with this stuff?
Good @hsehestedt

In the quoted text you mention you update WinRE as soon as it is available. Could you share how, or provide a link?

I know this is an 11 forum, but as this topic impacts both, can I ask a 10 question? Earlier in this thread it was mentioned that you need Win 11 22621.1702 at a minimum, as this is the point where the media has the revocation changes applied. Would anyone know what level you need for Windows 10?

One last question: how does one check the level number of their recovery partition, which is where I assume Macrium gets its code for the USB rescue media when we tell it to build with the Win XX RE option?

Excellent thread. Thanks to all, with special mention to hsehestedt!!
 

I'm not in front of my primary system at the moment, so I'll need to respond back again later when I am.

As for Windows 10 builds, I assume that we are talking about the 22H2 release. The May 9th release was one of these:

19042.2965
19044.2965
or
19045.2965

The important thing is that the last 4 digits be 2965 or higher.
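As an added example (not from the thread and not part of hsehestedt's tool), the PowerShell below turns the two build-level questions above into read-only checks: whether the installed build meets the minimums quoted in the thread (Windows 10 19042/19044/19045 with the last four digits 2965 or higher, Windows 11 22621 with 1702 or higher), whether Secure Boot is currently on, and what build the WinRE image on the recovery partition is, which is the image that "Windows RE"-based rescue media is built from. It assumes an elevated prompt, English-language reagentc and DISM output, and that the WinRE location reagentc reports can be handed to DISM as-is (an assumption, not something the thread states).

```powershell
# Added example, not code from the thread or from any poster's program.
# Read-only: it changes nothing on the system, it only reports build levels
# and Secure Boot state so you can compare against the thread's minimums.

function Get-InstalledBuild {
    # CurrentBuildNumber is the major build (19045, 22621, ...); UBR is the
    # "last four digits" the thread talks about (2965, 1702, ...).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$cv.CurrentBuildNumber
        UBR   = [int]$cv.UBR
    }
}

function Test-MinimumBuild {
    # Minimums quoted in the thread. Returns $true/$false, or $null when the
    # build is not one the thread gives a number for.
    param([int]$Build, [int]$UBR)
    if ($Build -in 19042, 19044, 19045) { return $UBR -ge 2965 }
    if ($Build -eq 22621)               { return $UBR -ge 1702 }
    return $null
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; report that case
    # instead of failing the whole script.
    try { if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' } }
    catch { 'N/A (not a UEFI system)' }
}

function Get-WinReImageVersion {
    # reagentc /info prints a line such as
    #   Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    # When WinRE is disabled the value is empty and the pattern does not match.
    $m = reagentc /info 2>&1 |
         Select-String 'Windows RE location:\s*(\S.*)$' |
         Select-Object -First 1
    if (-not $m) { return $null }
    $wim = $m.Matches[0].Groups[1].Value.Trim().TrimEnd('\') + '\winre.wim'

    # Assumption: DISM accepts the GLOBALROOT path directly. For one index it
    # prints "Version : 10.0.22621" and "ServicePack Build : 1702". DISM's own
    # banner also contains a "Version:" line, so take the last match.
    $out = dism /Get-WimInfo "/WimFile:$wim" /Index:1 2>&1
    $ver = $out | Select-String '^Version\s*:\s*(\S+)'           | Select-Object -Last 1
    $spb = $out | Select-String '^ServicePack Build\s*:\s*(\d+)' | Select-Object -Last 1
    if (-not ($ver -and $spb)) { return $null }
    [pscustomobject]@{
        Path  = $wim
        Build = [int]($ver.Matches[0].Groups[1].Value.Split('.')[-1])
        UBR   = [int]$spb.Matches[0].Groups[1].Value
    }
}

function Format-Verdict {
    param($Result)
    if ($null -eq $Result) { 'no minimum given in the thread for this build' }
    elseif ($Result)       { 'meets the thread minimum' }
    else                   { 'BELOW the thread minimum' }
}

# Report
$os = Get-InstalledBuild
"Installed OS build : $($os.Build).$($os.UBR)  ($(Format-Verdict (Test-MinimumBuild $os.Build $os.UBR)))"
"Secure Boot        : $(Get-SecureBootState)"
$re = Get-WinReImageVersion
if ($re) {
    "WinRE image        : $($re.Build).$($re.UBR)  ($(Format-Verdict (Test-MinimumBuild $re.Build $re.UBR)))"
    "WinRE path         : $($re.Path)"
} else {
    "WinRE image        : could not be read (run elevated, and check that WinRE is enabled)"
}
```

A WinRE image that reads below the minimum explains why rescue media built from it fails to boot once the revocations are applied, even when the installed OS itself is current.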
 

@hsehestedt It's been a while (and it's creeping closer to MS's first phase of automatically applying revocations), so I want to revisit this. You seem to know and understand it better than anyone here.
Another dumb question. If one wants to use secure boot but DOES NOT want the revocations, is there any way in the world to prevent MS from automatically applying them, except to turn off secure boot?
Since these revocations are stored in a part of the UEFI bios, call me paranoid and old school, but I do not want anyone, including MS, messing with my bios except me. If I have to keep secure boot off to prevent that, so be it, but I had rather keep it on if possible.
 

1. You "want" the revocations.
2. The registry patch just turns them on. They already came with the July 2023 update.


Scroll down to "Deployment Guidelines", here...


To rebuild the Macrium bootable media, scroll down to: "Create New Macrium Reflect Rescue Media", here...



This is about as simple as it gets.
The only hard part is that once you turn the revocations ON, you then have to rebuild any bootable media you may have. :-)
 
I think that ghot is spot on here. That said, I am far from any sort of authority on the topic, in part because I simply don't know what the next step that Microsoft will take to enforce this will be. I'm merely another user who maybe got a little too interested in this topic for his own good :-). It is for that same reason that I simply do not know whether we will be able to prevent those updates later. The fact that Microsoft calls it "enforcement" makes me think that you will get this update whether you like it or not :-).

Bear in mind that your UEFI firmware already has a revocation list - it's simply that some additional revocations need to be added so this not anything that fundamentally changes the operation of your BIOS.

So, the good news for now is that even if you do apply the revocations, the impact should be minimal because the new version of Windows PE (released in September) has the mitigations already built in. So, hopefully, software that relies upon Windows PE will be updated to be able to make use of the updated version.

The irony is that I am just having to deal with this today. I have a support case open with a company that makes a product similar to Macrium Reflect. I needed to create a rescue disk to do some testing for them, but their software is not yet capable of using the new version of Windows PE so I have to update their media by patching Windows PE after I create it.

We will get there! For now, there may still be times where it's a little bit of a pain in the neck to deal with but at least for now, this is all still voluntary.
 

@Ghot yeah I got that. I've created new Macrium boot media with new WinPE and the recovery media boots with secure boot on. However, I have not applied the revocations manually so I do not know if this new recovery media will boot once MS applies them. I am assuming it will.
Bear in mind that your UEFI firmware already has a revocation list
Yeah, got that, too. I was under the impression, because of the way Black Lotus works, that these NEW revocations (when applied) would be written to a separate area within the UEFI BIOS, separate and apart from those that are already there. Aside from being a BIOS mother hen, I guess I wrongly thought that, to prevent any loss of function for a number of bootable USBs I use occasionally... a couple of Linux distros, a KYHI boot disk, Hiren's, Minitool, etc... also a couple of old VMware VMs I moved to this machine just yesterday... I would be better off leaving secure boot off.

So what you are saying is MS will apply the revocations whether I have secure boot on or not. It's only if I have secure boot on that would prevent any of my other bootable media from working. Yes? No? Maybe?
Sorry I am so hard headed (or maybe it's empty-headed) about this. It just won't sink in. When I get like this, I feel like it might be time to cash in and take to my rocking chair.
 

So what you are saying is MS will apply the revocations whether I have secure boot on or not. It's only if I have secure boot on that would prevent any of my other bootable media from working. Yes? No? Maybe?

That's a bit hard to answer. The MS directions say to disable Secure Boot, and then use the reg patch to enable the revocations. Then... re-enable Secure Boot.
In my case that didn't work. I had to leave Secure Boot enabled to get the reg patch to enable the revocations.

The only way to tell if the revocations are enabled is that you'll see two specific Event IDs.

When I finally got the revocations enabled... it broke my Macrium bootable media.
I remade the Macrium bootable media (the Win PE type), and everything worked again.

These are the two Event IDs, and more info...
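Added example (not from Ghot's post, and not a Microsoft script): a PowerShell check of the Secure Boot state and of the UEFI DB/DBX variables that the revocation changes, as a second way of confirming the mitigation is in place besides looking for the Event IDs. The two certificate names it searches for are assumed from Microsoft's published guidance for this CVE and are not mentioned anywhere in the thread.

```powershell
# Added example (not from the thread): check Secure Boot state and whether the
# CVE-2023-24932 mitigations are present in the UEFI DB / DBX variables.
# Run from an elevated PowerShell prompt on the machine being checked.
# Assumed certificate names (from Microsoft's guidance, not from this thread):
#   'Windows UEFI CA 2023'                 - new signing CA that must be in DB
#   'Microsoft Windows Production PCA 2011' - CA that the revocation adds to DBX

function Test-SecureBootVariableContains {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'dbx')][string]$Name,
        [Parameter(Mandatory)][string]$Pattern
    )
    # Get-SecureBootUEFI returns the raw variable bytes. The CN of each DER-encoded
    # certificate is stored as plain ASCII, so a substring search is enough to tell
    # whether a given CA is listed. Firmware without the variable throws; treat
    # that as "not present".
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    } catch {
        return $false
    }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return ($text -match [regex]::Escape($Pattern))
}

function Get-Cve202324932Status {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; report that as "off".
    $secureBootOn = $false
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $false }

    $newCaInDb  = Test-SecureBootVariableContains -Name 'db'  -Pattern 'Windows UEFI CA 2023'
    $oldCaInDbx = Test-SecureBootVariableContains -Name 'dbx' -Pattern 'Microsoft Windows Production PCA 2011'

    [pscustomobject]@{
        SecureBootEnabled     = $secureBootOn
        NewCa2023TrustedInDb  = $newCaInDb
        Pca2011RevokedInDbx   = $oldCaInDbx
        # Old WinPE / boot media signed only by the 2011 CA is refused only when
        # Secure Boot is on AND the 2011 CA is in DBX; that is the breakage the
        # thread describes, and why turning Secure Boot off makes old media boot.
        OldMediaWillBeRefused = ($secureBootOn -and $oldCaInDbx)
    }
}

Get-Cve202324932Status | Format-List
```

If `OldMediaWillBeRefused` is `True`, any rescue media (Macrium, WinPE-based tools) has to be rebuilt with a boot manager signed by the new CA, which is what remaking the media with the current Windows PE does.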

 

It's only if I have secure boot on that would prevent any of my other bootable media from working.
Precisely. Put another way, if you apply the revocations and then have difficulty with some Windows PE-based media, you will find that it works if you disable secure boot.

The only reason that I say this with such assuredness is that I tried it to be sure :-)
 
