Additional guidance for devices using Secure Boot to address CVE-2023-24932

neves · Jul 15, 2023

Scott said:
Media Creation Tool was updated shortly after the "revecations" came out. It's the only media I can boot to without turning off Secure Boot with revocations applied.

While checking the official page and seeing that it shows Download Windows 11 (Current release: Windows 11 2022 Update l Version 22H2) - i thought it's still the old/unchanged MCT. Downloaded it just now and indeed - was changed/modified on 5 Mai 2023:

That's good to know (just in case).

Steve C · Jul 16, 2023

HRPuffnstuff said:
Honestly the user side of implementation is pretty easy which is why I did it to my machines when it first became available. You can copy and paste the instructions into the command console and be done with it. Works the same with both Intel and AMD pc's.

The procedure is not pretty easier to most users who are clueless how computers work and won't even know this issue exists.

milkturnipsbage · Jul 24, 2023

I don’t get it.

I did the revocations on a completely new install.
Installed updates, rebooted.
Open CMD as administrator, paste:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f

Reboot.

Wait 5 minutes, reboot again.

I then go to event viewer to verify that the revocations have been applied successfully but I only see event id: 1035.
No Kernel message at all with event id: 276.
Anybody else?

According to Microsoft: ”Event ID 276 will be logged when the boot manager loads the SKUSIPolicy.p7b successfully.”

DBX gets applied correctly but why am I missing this entry?

sucicf1 · Jul 26, 2023

hello @Yeahoww. In the ms article it says that it is a kernel boot event. I think that you don't see it because as here Get started with Setup and Boot Event Collection it says it needs another collector pc to see that. Maybe I am wrong but if it is in one pc setup normally it isn't visible. By me the situation is the same in one pc setup it isn't visible.

milkturnipsbage · Jul 27, 2023

sucicf1 said:
hello @Yeahoww. In the ms article it says that it is a kernel boot event. I think that you don't see it because as here Get started with Setup and Boot Event Collection it says it needs another collector pc to see that. Maybe I am wrong but if it is in one pc setup normally it isn't visible. By me the situation is the same in one pc setup it isn't visible.

I see, thank you @sucicf1! This gives me something more to research.

It's weird that the Microsoft instructions fail to mention that under the section of actually verifying that the fix has been applied correctly.
And even more weird is that I can see alot of other Kernel-Boot Events in the Event Viewer.
I will give your link a read and try it myself.

Also, thank you for verifying that Event ID 276 is missing for you aswell!

milkturnipsbage · Jul 27, 2023

sucicf1 said:
hello @Yeahoww. In the ms article it says that it is a kernel boot event. I think that you don't see it because as here Get started with Setup and Boot Event Collection it says it needs another collector pc to see that. Maybe I am wrong but if it is in one pc setup normally it isn't visible. By me the situation is the same in one pc setup it isn't visible.

I found it!
The 276 Event ID does not appear under System. (I assumed it would since 1035 Dbx and other Kernel-Boot events shows up there).

You have to go to Microsoft - Windows - Kernel-Boot\Operational to find the 276 Event ID.
Hope this helps!

sucicf1 · Jul 27, 2023

@Yeahoww you are right, i found it too. Thank you. For others in event viewer go to: Application and services > Microsoft > Windows > Kernel-boot > Operational

hsehestedt · Jul 27, 2023

The patching of Windows itself is easy. I think that the hard part for the average user is having to patch any media based upon Windows PE. For example, after applying the revocations, you may find that your Macrium Reflect recovery media based upon Windows PE no longer boots if you have secure boot enabled.

BobD · Jul 27, 2023

hsehestedt said:
The patching of Windows itself is easy. I think that the hard part for the average user is having to patch any media based upon Windows PE. For example, after applying the revocations, you may find that your Macrium Reflect recovery media based upon Windows PE no longer boots if you have secure boot enabled.

I'm just looking into the media now. I have done the revocations on my two laptops back in May. As you say, if I need to deal with them I can turn off Secure Boot for the small period when installing or restoring. I haven't done my desktop yet. I'm waiting until I have got updated media. I just downloaded some ISOs (W10 and W11) and also built a couple of USB keys a couple of days back. I'm trying to work out if they have been updated yet.

hsehestedt · Jul 28, 2023

BobD said:
I'm just looking into the media now. I have done the revocations on my two laptops back in May. As you say, if I need to deal with them I can turn off Secure Boot for the small period when installing or restoring. I haven't done my desktop yet. I'm waiting until I have got updated media. I just downloaded some ISOs (W10 and W11) and also built a couple of USB keys a couple of days back. I'm trying to work out if they have been updated yet.

@BobD, if it helps at all, I posted batch files that you can use to update your Windows PE based boot disks. You can find those batch files here:

Latest on the BlackLotus Bootkit Mitigations - Includes Instructions and Batch Files

EDIT: Updated May 2, 2024. Along with the April 9, 2024 Windows updates, Microsoft has completely revised the procedures for the BlackLotus UEFI Bootkit mitigations. The new procedures no longer work on my primary desktop. You will find the new procedures in the article for KB5025885 linked to...

www.elevenforum.com

If you prefer to do this manually so that you have full control over the process, here is a manual procedure. Please note that I tested these steps using the US English version of Windows 11.

Revised July 27, 2023

Please see Microsoft KB5025885

This document contains 3 procedures:

OPTION 1: How to Update the Windows PE Add-on to Address the BlackLotus UEFI Bootkit Mitigation
OPTION 2: Apply Updates to Existing WinPE Media
OPTION 3: Apply revocations to the local machine

NOTE: Microsoft suggests updating your Windows PE based media first before you apply the revocations on your machine to ensure that your media is ready to go before you update your PC. For this reason I have listed the procedure for updating the local machine last as option #3.

OPTION 1: How to Update the Windows PE Add-on to Address the BlackLotus UEFI Bootkit Mitigation
==================================================================

Just to clarify, this option is for updating a local Windows PE installation on your PC. In other words, if you have installed the Windows ADK and the Windows PE add-on for the ADK, this option will update that Windows PE installation. If you want to update bootable media that uses Windows PE, for example, a Macrium Reflect boot disk using Windows PE and NOT Windows RE, then follow the steps for Option 2 instead.

IMPORTANT: Before you perform this procedure, you should make sure that you first have the July 11, 2023 Patch Tuesday updates (or newer) applied to Windows.

Since the goal of this procedure is to update the Windows PE add-on, it is assumed that you already have Win PE installed. If not, please install the Windows ADK and the WinPE add-on. When installing the ADK, you will have the option to install a number of components. The only item needed is the "Deployment tools" option.

After installing the ADK, install the Win PE add-on.

On your Windows drive (assumed to be C:), create folders for this project using these commands:

md c:\Project
md c:\Project\Mount
md c:\Project\LCU
md c:\Project\SSU
md c:\Project\temp

IMPORTANT: The DISM command will often fail when dismounting an image if antivirus software interferes with it. I strongly suggest doing one of the following:

1) Disable real time antivirus scanning until you have finished this procedure.

2) Create an antivirus exception for c:\Project and all files and folders contained therein until you have finished this procedure.

From the Microsoft Update Catalog, download the Latest Cumulative Update. Here is a sample search term to find the LCU for Windows 11 22H2 as of July 2023. Include the quotes as shown:

"Windows 11" version 22H2 2023-07

Make sure to download the x64 version of the update and not the arm64-based update. In addition, you should download the version of the update that is NOT described as a dynamic update. It's possible that the dynamic update may work, but I did not test with it.

After downloading, right-click the update file, select properties, check the "Unblock" box and then click on OK.

Place that file in the c:\Project\LCU folder.

Start the "Deployment and Imaging Tools Environment" as an administrator. You can find this by going to Start > All apps > Windows Kits.

Run all of the following commands from that command prompt.

You will get a command prompt with a very long path shown. Run the command below (include the quotes):

cd "..\Windows Preinstallation Environment\amd64"

Mount Windows PE with this command:

DISM /Mount-Image /ImageFile:"en-us\winpe.wim" /index:1 /MountDir:"C:\Project\Mount"

The Latest Cumulative Update (LCU) may possibly also contain an SSU (Servicing Stack Update). Run the following to extract the SSU if one is present. If an SSU is not present, no worries, this won't harm anything:

expand "C:\Project\LCU\*.MSU" /f:"SSU*.cab" "C:\Project\SSU"

Check the SSU folder to see if a file is present. If a file is present, run the following command. If no file is present, skip that command and move on to the next item. This command will apply the SSU:

DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\SSU"

Apply The LCU with this command:

DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\LCU"

Lock the updates:

DISM /Cleanup-Image /Image:"C:\Project\Mount" /StartComponentCleanup /Resetbase /ScratchDir:C:\Project\temp

Copy boot files back to the Win PE add-on installation with these two commands:

Xcopy "C:\Project\Mount\Windows\Boot\EFI\bootmgr.efi" "Media\bootmgr.efi" /Y /-I
Xcopy "C:\Project\Mount\Windows\Boot\EFI\bootmgfw.efi" "Media\EFI\Boot\bootx64.efi" /Y /-I

Unmount the Win PE image and commit the changes:

DISM /Unmount-Image /MountDir:"C:\Project\Mount" /Commit

Export the image from the winpe.wim file. Exporting will shrink the file because the old versions of files within that WIM that were updated will not be exported. To export, run this command:

DISM /Export-Image /Bootable /SourceImageFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /SourceIndex:1 /DestinationImageFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim.new"

DEL "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim"

REN "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" winpe.wim

This concludes the process. Any images or media that you now create that uses the Windows PE add-on will now have updated Windows PE files.

Option 2: Apply Updates to Existing WinPE Media
================================

IMPORTANT: Before you perform this procedure, you should make sure that you first have the July 11, 2023 Path Tuesday updates (or newer) applied to Windows.

IMPORTANT: The copy of Windows PE that you are updating should be of the same version as the updates being applied. My suggestion is that you regenerate the Windows PE based media using your current version of Windows before you proceed.

This procedure requires tools from the Windows ADK. If you do not already have the ADK installed, please install it now. When installing the ADK, you will have the option to install a number of components. The only item needed is the "Deployment tools" option.

On your Windows drive (assumed to be C:), create folders for this project using these commands:

md c:\Project
md c:\Project\Mount
md c:\Project\LCU
md c:\Project\SSU
md c:\Project\temp
md c:\Project\WinPE
md c:\Project\WinPE_NEW

Start by copying boot.wim from your media to C:\Project\WinPE. This file should be in a \Sources folder.

IMPORTANT: The DISM command will often fail when dismounting an image if antivirus software interferes with it. I strongly suggest doing one of the following:

1) Disable real time antivirus scanning until you have finished this procedure.
2) Create an antivirus exception for c:\Project and all files and folders contained therein until you have finished this procedure.

From the Microsoft Update Catalog, download the Latest Cumulative Update. Here is a sample search term to find the LCU for Windows 11 22H2 as of May 2023. Include the quotes as shown:

"Windows 11" version 22H2 2023-05

Make sure to download the x64 version of the update and not the arm64-based update.

After downloading, right-click the update file, select properties, check the "Unblock" box and then click on OK.

Place that file in the c:\Project\LCU folder.

Start the "Deployment and Imaging Tools Environment" as an administrator. You can find this by going to Start > All apps > Windows Kits. Run all of the following commands from that command prompt.

You will get a command prompt with a very long path shown. Run the command below. This will shorten that annoyingly long path and make it easier to see what you are doing:

CD\

Mount Windows PE:
DISM /Mount-Image /ImageFile:"c:\Project\WinPE\boot.wim" /index:1 /MountDir:"C:\Project\Mount"

The Latest Cumulative Update (LCU) may possibly also contain an SSU (Servicing Stack Update). Run the following to extract the SSU if one is present. If an SSU is not present, no worries, this won't harm anything:

expand "C:\Project\LCU\*.MSU" /f:"SSU*.cab" "C:\Project\SSU"

Check the SSU folder to see if a file is present. If a file is present, run the following command to apply the SSU, if not, skip that command:

DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\SSU"

Apply The LCU:

DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\LCU"

DISM /Cleanup-Image /Image:"C:\Project\Mount" /StartComponentCleanup

DISM /Unmount-Image /MountDir:"C:\Project\Mount" /Commit

DISM /Export-Image /Bootable /SourceImageFile:"C:\Project\WinPE\boot.wim" /SourceIndex:1 /DestinationImageFile:"C:\Project\WinPE_New\boot.wim"

Copy the boot.wim from c:\Project\WinPE_New to your media, replacing the boot.wim in the \Sources folder. If you like, you can first make a backup of the original boot.wim file by copying it to another location just in case there is a problem with the newly updated file.

This concludes the process of updating the boot.wim (Windows PE) on existing media.

OPTION 3: Apply Revocation to the Local Machine
=================================

Note that this option only needs to be performed one single time. Once this is applied to the computer, it will be permanent. We list this option last for the following reasons:

A) Options 1 and 2 may need to be run multiple times, for example, when new Windows PE based media is created or if Windows PE is reinstalled before Microsoft releases a new version with fixes built in.

B) You really want to update your Windows PE based bootable media FIRST since performing this step will render Windows PE media that is not patched unbootable if you run secure boot and this step has already been performed.

This procedure is very simple:

1) Make sure that the July 2023 or later Windows updates have been installed and the system has been rebooted.

2) Run this command from an elevated command prompt:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f

After applying the above registry change, reboot the system. After the first reboot, wait a minimum of five minutes and then reboot a second time.

After the second reboot, check your System Event Log. You should find an event 1035 with the text "Secure Boot DBX update applied successfully".

MiguelAngel11 · Jul 28, 2023

Yeahoww said:
I found it!
The 276 Event ID does not appear under System. (I assumed it would since 1035 Dbx and other Kernel-Boot events shows up there).

You have to go to Microsoft - Windows - Kernel-Boot\Operational to find the 276 Event ID.
Hope this helps!

Reading your post also found the event 276. So thanks a lot to all you who posted here

BobD · Jul 28, 2023

hsehestedt said:
your Windows PE based boot disks

I understand this will include Macrium recovery. Does it include a Windows 11 (or 10 ) ISO or bootable Win 11 USB key?

BobD said:
I just downloaded some ISOs (W10 and W11) and also built a couple of USB keys a couple of days back. I'm trying to work out if they have been updated yet.

@hsehestedt
I'm trying to digest what you offered / suggested and it may not happen because I would be way out of my comfort zone.
Thanks for posting it but at the moment I need more info.

I had to have a google session to find out what Windows RE and PE are. It also turns out that I might not have Windows RE as I don't have a "funny" partition following my C: partition. Not sure if it was ever there or . . . That drive has been cloned in the past and that partition may have been omitted. It seems that if I don't have Windows RE then the easiest way might be to re-install Win 11.

The immediate question is will I be able to boot from my USB key which was recently created by the Media Creation Tool 11. How can I determine this? Will these changes to Windows 11 in May and July prevent this?

hsehestedt · Jul 28, 2023

BobD said:
I understand this will include Macrium recovery. Does it include a Windows 11 (or 10 ) ISO or bootable Win 11 USB key?

Yes, this issue would affect older Windows ISO images of bootable keys. By "older" I mean anything pre May 9, 2023. My suggestion would be to simply download a new Windows ISO image or create new media from the Microsoft Media Creation web site. The latest versions that they have posted are updated so that they are not affected by this issue.

As for other bootable media (and this would even include older Windows boot media), bear in mind that you can still boot from these if you disable Secure Boot in your BIOS. I have noticed that some systems make it very easy to disable secure boot, while on other systems it's not so simple so this might be something that you simply want to figure out sometime when you have a chance to do so. I figure it's better to do that in advance, so you don't have to struggle with it in an emergency such as if you need to boot a recovery disk to restore a backup to your computer.

Bear in mind that you can always simply test it - just try to boot from that media to see if it works. For example, with a Windows installation key, you could just boot and see if it gets to the first static screen (the first screen where setup pauses to ask you for information). If you get there, you are good and you can simply reboot at that point.

There is no need to panic or go too far down this rabbit hole. For the average user, I would simply suggest trying any bootable media. If it won't boot, try disabling secure boot, then try again. Presumably, when Microsoft goes to the final stage of this process, they will have something in place to make this easier for everyone.

xrms3 · Jul 31, 2023

@hsehestedt
I couldn't let this pass by without saying thanks for your efforts in providing exemplary instructions here and elsewhere, and also the 2 batch files for updating the ADK and custom media. Having too much spare time yesterday I did both updates using the batch files and the revocation and everything went like clockwork.
I had to change my Reflect rescue media from WinRE to WinPE. When I did that, I noticed that Reflect also has an option to nominate a custom WinPE image instead of downloading one - so having also updated the ADK itself I tried the updated wim from there and that worked as well - at least to the extent that it booted up and launched Reflect.
Thanks again; a terrific effort.
Bob

hsehestedt · Jul 31, 2023

xrms3 said:
@hsehestedt
I couldn't let this pass by without saying thanks for your efforts in providing exemplary instructions here and elsewhere, and also the 2 batch files for updating the ADK and custom media. Having too much spare time yesterday I did both updates using the batch files and the revocation and everything went like clockwork.
I had to change my Reflect rescue media from WinRE to WinPE. When I did that, I noticed that Reflect also has an option to nominate a custom WinPE image instead of downloading one - so having also updated the ADK itself I tried the updated wim from there and that worked as well - at least to the extent that it booted up and launched Reflect.
Thanks again; a terrific effort.
Bob

Wow, I really appreciate the comments. You've made day. Thank you so much for taking the time to post your comments. I put a good deal of work into this but I fully realize that this is something that not a lot of people are currently dealing with this. I figured that I was mainly doing this for an audience of one (me), but it makes me feel good to know that it helped someone else.

Thanks again - I really am grateful for the comments!

xrms3 · Jul 31, 2023

To be honest I wasn't intending to futz about with this stuff at all. I'm sure MS, Macrium etc will get it sorted out eventually. MS are already trying things out with WinRE and I presume the ADK will get updated too. But your instructions were so clear in helping to pull everything together that I dived in. After all one can always disable Secure Boot if all else fails. Thanks again.
Bob

Bree · Jul 31, 2023

hsehestedt said:
I fully realize that this is something that not a lot of people are currently dealing with this. I figured that I was mainly doing this for an audience of one (me)....

No, you have me in the audience too. I have not yet applied the deprecations to any of my machines, but have been an avid follower of your efforts in order to be prepared for what may come. I have even bookmaked your posts....

Ghot · Jul 31, 2023

hsehestedt said:
I figured that I was mainly doing this for an audience of one (me)

I too have been following your "work".
At night I dream of a one-click solution.

hsehestedt · Jul 31, 2023

I hope to get to that eventually. I have a whole bunch of little projects on my plate but at the moment I'm obsessed with trying to figure out one specific problem. Just got a new laptop that has a Dolby Vision certified display but for the life of me I cannot get Dolby Vision working. I'm wasting hours and hours trying to figure out why

Bree · Jul 31, 2023

hsehestedt said:
I fully realize that this is something that not a lot of people are currently dealing with this.....

You have prompted me to look deeper. I have applied the revocations to one of my lesser used machines. a Dell E7440. This is a Win10 machine, but the revocation updates apply equally to 10 and 11, so makes no difference. The Event Log shows event ID 1035, Secure Boot Dbx update applied successfully.

Sure enough, with secure boot enabled I can now no longer boot from older Windows install USB's, only the latest ones for Windows 10 or Windows 11.

The interesting thing was trying to boot my Macrium recovery USBs. I have two functionally identical WinRE-based ones, each made by Reflect Home on two different Win11 PCs. For one its boot.wim was built on 27th April, so pre-dates any of the revocation updates.

The other was built on a PC updated to Win11 22621.1992, but I have not applied the revocations to this one.

However,KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support says that for the Second Deployment Phase:

Updates for Windows released on or after July 11, 2023 which adds the following:

Allow easier, automated deployment of the revocation files (Code Integrity Boot policy and Secure Boot disallow list (DBX)).
New Event Log events will be available to report whether revocation deployment was successful or not.
SafeOS dynamic update package for Window Recovery Environment (WinRE).

I was counting on that last one, the update for WinRE, to let me build WinRE Macrium rescue media that would boot with Secure Boot enabled on a machine with the revocations applied.

As expected I cannot boot from the older one, with Secure Boot enabled it doesn't even appear as an option in the F12 one-time boot menu. It can only boot if I turn off Secure Boot.

As hoped for, the newly built Reflect Recovery USB boots perfectly normally with Secure Boot enabled.

So Macrium rescue media is a non-issue after all. All you have to do is rebuild it with Windows RE as its base wim on a system that has been updated to the 11 July CU or later. Note that it is not necessary to apply the revocations, it is sufficient that the PC has had the 11 July update (or later).

The only catch is that if you have already built the Boot Menu, then you'll have to force a wim rebuild so that it will use the now updated Win RE. To do that, open the Rescue Media Builder and hold down the Ctrl key, the Build button will become a drop-down menu.