Did you manually update your Secure Boot Keys ?

cheaterslick · May 26, 2025

Marcus Vinicus said:
Bitlocker is mentioned in the post from MS below. See under the Plan the deployment section and go to # 5.

Revoking vulnerable Windows boot managers | Windows IT Pro blog

Learn about the measures Microsoft is taking to help keep you safe from the If you're worried about the BlackLotus UEFI bootkit vulnerability (CVE-2023-24932).

techcommunity.microsoft.com

I fear bitlocker kicking in more (without my permission) than I do any BlackLotus threat.

~

PS: I did run those commands, rebooted and they ended up "true", but I expect the vast majority of people out there won't do this...

garlin · May 26, 2025

For most users, the process will work fine. It's the small percentage of cases where something goes wrong, and your UEFI stops working correctly. MS doesn't have a pre-check script to predict those cases yet.

cheaterslick · May 26, 2025

garlin said:
For most users, the process will work fine.

Oh I'm sure it does. The problem is will they be aware of or remember to run these commands.

Unless it's an issue people in general don't have to worry about. Those that have secure boot enabled.

garlin said:
It's the small percentage of cases where something goes wrong, and your UEFI stops working correctly. MS doesn't have a pre-check script to predict those cases yet.

I have secure boot enabled. I have bitlocker turned off. And I do periodically check it to make sure it hasn't been slipped back on.

garlin · May 26, 2025

The original plan was for Windows Update to completely automate this process. It would check the UEFI state, and do a series of multiple reboots to push out the changes. The problem is the risk of bricking your PC is very high if not rigorously tested.

"Bricking" for the most part isn't permanent, because you can disable Secure Boot. But MS is looking at millions of PC's that may belong to inexperienced home users, and would appear as the End of the World to them. The number of support calls would be disastrous if not tested in a slow rollout.

XxXxX · May 26, 2025

i have just done the update via PowerShell and the result came back as 'true'
the system only rebooted as normal not twice.

best of luck, Steve ..

suatcini54 · May 27, 2025

Hi.

I just checked if my Hyper-V VM has the updated Secure Boot Key Certificate release 2023, it didn't. The verification command returned a FALSE value.

I ran the commands and rebooted twice. After that the verification command returned a TRUE value.

So MS Hyper-V VM doesn't have the updated certificate. Hyper-V VM has Windows 11 Pro build 26100.4061.

timofort · May 27, 2025

Strange ... mine is already true, without modification, same VM, same W11 build on host and guest.

suatcini54 · May 27, 2025

timofort said:
Strange ... mine is already true, without modification, same VM, same W11 build on host and guest.

My host machine has build 26200.5600. But my PC comprises of incompatible and partly compatible hardware/software. CPU: incompatible, TPM1.2: partly compatible and Secure Boot: compatible. Could this be the reason ??

suatcini54 · May 27, 2025

garlin said:
The original plan was for Windows Update to completely automate this process. It would check the UEFI state, and do a series of multiple reboots to push out the changes. The problem is the risk of bricking your PC is very high if not rigorously tested.

"Bricking" for the most part isn't permanent, because you can disable Secure Boot. But MS is looking at millions of PC's that may belong to inexperienced home users, and would appear as the End of the World to them. The number of support calls would be disastrous if not tested in a slow rollout.

Thanks for the warning. I applied the certificate changes in my machine before I posted the procedure here and the result was positive. My machine is 10 years old with an incompatible CPU and partly compatible TPM spec.1.2. But your warning is very important. So people should think more than twice before proceeding further. But there are more to this as @cheaterslick pointed out in his post #21 above. Changes must also be seen in EFI system partition as well.

suatcini54 · May 27, 2025

Hi again.

Please see this article for how to check the certificate changes in EFI system partition: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

Dark Knight · May 27, 2025

Ok , I ran both commands separately as admin and rebooted twice as stated in the first post , after rebooting twice this is what I got in response , anyone care to explain what this may mean? ......

garlin · May 27, 2025

Dark Knight said:
Ok , I ran both commands separately as admin and rebooted twice as stated in the first post , after rebooting twice this is what I got in response , anyone care to explain what this may mean? ......

View attachment 135152

Secure Boot is enabled?

Dark Knight · May 27, 2025

garlin said:
Secure Boot is enabled?

I was just getting ready to answer my own question ... lol
After further investigation , yes , secure boot is not enabled. That would be the reason for the response given from Powershell

garlin · May 27, 2025

suatcini54 said:
Hi.

I just checked if my Hyper-V VM has the updated Secure Boot Key Certificate release 2023, it didn't. The verification command returned a FALSE value.

View attachment 135144

I ran the commands and rebooted twice. After that the verification command returned a TRUE value.

View attachment 135145

So MS Hyper-V VM doesn't have the updated certificate. Hyper-V VM has Windows 11 Pro build 26100.4061.

DB/DBX certificates are stored in UEFI (and not inside Windows). Hyper-V is reading from the underlying HW.

suatcini54 · May 27, 2025

garlin said:
DB/DBX certificates are stored in UEFI (and not inside Windows). Hyper-V is reading from the underlying HW.

O.K. Before running the powershell commands, I checked and got a FALSE value returned as the screenshot shows. After running the powershell commands, rebooting twice and verifying the CA certificate update, I got a TRUE value returned. How did this occur ? Host machine was already updated one day ago. Moreover, host machine has add-on TPM spec.1.2. Hyper-V has software TPM spec.2.0.

Besides, I updated the secure boot certificate in EFI sistem partition (part of Windows installation). I did not yet update UEFI firmware certificate. I will attempt to update the UEFI firmware certificate later because I have another Windows 11 installation on the same computer (dual-boot) and, if the other Windows does not have the updated secure boot certificate, I render it unbootable, which means if UEFI firmware certificate is newer than Windows certificate, it is said that Windows cannot boot.

Please refer to: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

cheaterslick · May 27, 2025

garlin said:
But MS is looking at millions of PC's that may belong to inexperienced home users, and would appear as the End of the World to them. The number of support calls would be disastrous if not tested in a slow rollout.

Oh I can see the lawsuits, galore. A primo field day for the lawyers. Worldwide panic.

starchase · May 27, 2025

Here is a "Stupid Question", does this involve both Windows 11 and Windows 10? I know W10 is losing support in Oct. but people will still be using it. Or does it involve any system capable of Secure Boot? I thought my ASUS system (My Computers, system 2) had Secure Boot enabled but I just scoured the UEFI BIOS and see nothing on ANY page that mentions it nor any associated entity. Is there a way to check for Secure Boot not involving the BIOS?

garlin · May 27, 2025

suatcini54 said:
O.K. Before running the powershell commands, I checked and got a FALSE value returned as the screenshot shows. After running the powershell commands, rebooting twice and verifying the CA certificate update, I got a TRUE value returned. How did this occur ? Host machine was already updated one day ago. Moreover, host machine has add-on TPM spec.1.2. Hyper-V has software TPM spec.2.0.

Besides, I updated the secure boot certificate in EFI sistem partition (part of Windows installation). I did not yet update UEFI firmware certificate. I will attempt to update the UEFI firmware certificate later because I have another Windows 11 installation on the same computer (dual-boot) and, if the other Windows does not have the updated secure boot certificate, I render it unbootable, which means if UEFI firmware certificate is newer than Windows certificate, it is said that Windows cannot boot.

Please refer to: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

Run this PowerShell script as Admin:

Code:

powershell -nop -ep bypass -f Check_EFIBootFile.ps1

The script will report which CA certificates have been added to the DB & DBX lists, and which boot file you currently have installed for the system drive.

UPDATE 2025-09-14:
1. Fixed a few bugs related to the pathname of EFI files
2. Added reporting for KEK certs
3. Replaced the registry check of AvailableUpdates with WindowsUEFICA2023Capable (which is more informative)
4. Added scanning of boot file and boot manager files on mounted DVD or USB drives with Windows install media

garlin · May 27, 2025

starchase said:
Here is a "Stupid Question", does this involve both Windows 11 and Windows 10? I know W10 is losing support in Oct. but people will still be using it. Or does it involve any system capable of Secure Boot? I thought my ASUS system (My Computers, system 2) had Secure Boot enabled but I just scoured the UEFI BIOS and see nothing on ANY page that mentions it nor any associated entity. Is there a way to check for Secure Boot not involving the BIOS?

The steps to protect W10 systems are identical to W11, the newer boot files are already available from the current Monthly Updates.

Because W10 22H2 will enter End-of-Life for consumer Windows on Oct. 2025, it's not clear whether MS will force an update before then, or expect users to perform the mitigation as a voluntary procedure.

The script posted above will report what certificates are present in the DB (allowed) and DBX (banned) lists.

Ideally, you will have both CA 2011 & CA 2023 as added (both boot files allowed), and DBX may or may not have CA 2011 banned. Not banning CA 2011 doesn't impact Windows, as long as you have both certificates for DB. It just means your system is still vulnerable to an UEFI attack.

starchase · May 27, 2025

garlin said:
powershell -nop -ep bypass -f Check_EFIBootFile.ps1

running the script results in:
The argument 'Check_EFIBootFile.ps1' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter.

And running Check EFIBootFile.ps1 results in a display that disappears too fast to hit Ctrl-A then CTLR-C

Did you manually update your Secure Boot Keys ?

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

Attachments

My Computer

Well-known member

My Computer

Well-known member

My Computers

Similar threads