Windows Boot Manager revocations for Secure Boot changes - CVE-2023-24932


Buddywh

Member
Local time
9:43 PM
Posts
24
OS
Windows 11 Pro
I'm on Win 11 Ver 22H2 build 22621.1702

I was reading about this and became a bit concerned by how involved it seems to be. But I am also left unsure whether I should do anything or just wait for the changes to roll out, and, if I should do something, exactly what and when.

The whole topic is covered here, in this link.

As a home user I don't think I'm significantly threatened by the security threat it's fixing, since it requires physical access to the computer or a level of remote access I think I would have to grant someone. But the fix, as related, sounds like it can go pretty badly if done incorrectly. So, a few questions:

Am I correct in assuming I'm not significantly threatened as a home user with my desktop computer physically secure in my basement?

Will the three updates MS will roll out (I presume in regular updates) to fix this, the last coming sometime in 2024, do the complete fix for me without my involvement?

If there's a 'yes' for both the above questions I think I should then simply ignore this and pretend I never read about it.

Is it wise, or under what conditions would it be wise, for me to go through the steps aimed at fixing the problem which are laid out in the above linked article sooner?

Honestly, it looks like something meant for IT professionals in support of a managed environment they tend to, but it does say in the article that this is appropriate for home users too.

And as a BTW: I do not maintain bootable media in the form of recovery disks or system images. I prefer user file backups with File History and, should the Windows installation crash completely, simply do a clean install of Windows using freshly created media made by the Windows Installation Media Creation tool on another computer and then recover user files from File History. I'm not sure if that simplifies things or not, at least in terms of the mechanics of making the 'fix'.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Asus TUF B550M Gaming-Plus
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    Samsung 144hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
First, my apologies that no one responded to you in ten days. I just happened to come across your post now.

I know that Microsoft makes it a point in their KB to say that both consumers and enterprise customers should take action to address this issue. However, in my personal opinion, this whole issue can be a bit daunting because there are so many issues to be taken into consideration.

But, in your case, I think that we can really greatly simplify this. Most of the complexity in this whole thing revolves around what to do with boot media that is based upon Windows PE or local installations of Windows PE after the mitigations are applied. Because you are not creating full disk images that would require updating of the boot media, applying this update is actually extremely simple. In fact, the hardest part of this whole issue for you would be to simply verify that the update was successfully applied, and that's a piece of cake :-)

Read through the steps below and see if you want to do this. I think that you will find this to be very simple in your case.

1) You have already completed step one. This step is to simply install the latest Windows updates so that you are on build 1702 or later. I see that you are already on build 1702 so this step is done.

2) Open an elevated command prompt. In other words, open it as Administrator. Then run these four commands exactly as shown below:

NOTE: The command that starts with "reg add" is the last command. It's a little bit long so it may wrap onto a second line below, but from "reg add" to the end is all one command.

    mountvol q: /S
    xcopy %systemroot%\System32\SecureBootUpdates\SKUSiPolicy.p7b q:\EFI\Microsoft\Boot
    mountvol q: /D
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x10 /f

3) Reboot your computer. After rebooting, wait at least five minutes and then reboot a second time.

4) That's it! At this point you are technically done. However, we'll simply verify that the update took place like this:

Right-click on Start and then select Event Viewer. In Event Viewer, expand Windows Logs > System.

On the far right, select Filter Current Log...


Where it says <All Event IDs>, type in 1035 and then click on OK.


You should see one event. Click on it and it should say Secure Boot DBX update applied successfully.


Done!

I hope that this helps.
 

My Computers

System One

  • OS
    Win11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-11700K
    Motherboard
    ASUS Prime Z590-A
    Memory
    128GB Crucial Ballistix 3200MHz DRAM
    Graphics Card(s)
    No GPU - CPU graphics only (for now)
    Sound Card
    Realtek (on motherboard)
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 1TB NVMe Gen 4 x 4 SSD
    1 x 2TB NVMe Gen 3 x 4 SSD
    2 x 512GB 2.5" SSDs
    2 x 8TB HD
    PSU
    Corsair HX850i
    Case
    Corsair iCue 5000X RGB
    Cooling
    Noctua NH-D15 chromax.black cooler + 10 case fans
    Keyboard
    CODE backlit mechanical keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    Additional options installed:
    WiFi 6E PCIe adapter
    ASUS ThunderboltEX 4 PCIe adapter
System Two

  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
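The procedure in the reply above (install the update, run the four commands, reboot twice, look for Event ID 1035), as an added example that is not part of the original post, the KB, or anything Microsoft ships: a PowerShell script that runs the same four commands with a pre-flight check before and a log check after. Assumptions made here: Q: is a free drive letter (as in the post), the minimum build is the OP's 22621.1702 (Windows 10 carries the fix under a different build number, so adjust the threshold there), /Y is added to xcopy so a re-run does not stall on the overwrite prompt, and the BitLocker warning is a general caveat (the DBX contents feed the PCR 7 measurement a TPM-bound BitLocker protector relies on) rather than something the post states.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the original post or from Microsoft's KB.
  Wraps the post's four commands (CVE-2023-24932 first-phase mitigation) in
  Preflight / Apply / Verify steps. From an elevated PowerShell:
    .\Apply-SecureBootMitigation.ps1 -Mode Preflight
    .\Apply-SecureBootMitigation.ps1 -Mode Apply    # then reboot, wait 5 min, reboot again
    .\Apply-SecureBootMitigation.ps1 -Mode Verify
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Preflight', 'Apply', 'Verify')]
    [string]$Mode
)

$ErrorActionPreference = 'Stop'
$PolicyFile = Join-Path $env:SystemRoot 'System32\SecureBootUpdates\SKUSiPolicy.p7b'
$EspLetter  = 'Q:'                        # assumption: Q: is unused, same letter as the post
$RegKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$MinVersion = [version]'10.0.22621.1702'  # the OP's build; later 22H2/23H2 builds compare higher

function Test-Preflight {
    $ok = $true
    # A DBX update only means something if firmware is actually enforcing Secure Boot.
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled in firmware'; $ok = $false
    }
    # Step 1 of the post: the cumulative update that ships the policy file must be installed.
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ver = [version]"10.0.$($cv.CurrentBuildNumber).$($cv.UBR)"
    if ($ver -lt $MinVersion) {
        Write-Warning "OS is $ver, older than $MinVersion; install the latest cumulative update"; $ok = $false
    }
    if (-not (Test-Path $PolicyFile)) {
        Write-Warning "$PolicyFile not found"; $ok = $false
    }
    # General caveat (not from the post): changing DBX changes PCR 7, which a TPM-bound
    # BitLocker protector measures, so make sure the recovery key is saved first.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
        if ($bl.ProtectionStatus -eq 'On') {
            Write-Warning 'BitLocker is on for the OS volume: back up the recovery key before applying'
        }
    }
    return $ok
}

function Invoke-Apply {
    if (-not (Test-Preflight)) { throw 'Pre-flight checks failed; nothing was changed.' }
    # Same four commands as the post. mountvol /S exposes the EFI System Partition as Q:.
    & mountvol.exe $EspLetter /S
    if ($LASTEXITCODE -ne 0) { throw "mountvol $EspLetter /S failed (exit $LASTEXITCODE)" }
    try {
        $dest = "$EspLetter\EFI\Microsoft\Boot"
        # /Y added so a re-run does not hang on xcopy's overwrite prompt.
        & xcopy.exe $PolicyFile $dest /Y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "xcopy failed (exit $LASTEXITCODE)" }
        if (-not (Test-Path "$dest\SKUSiPolicy.p7b")) { throw 'SKUSiPolicy.p7b missing on the ESP after copy' }
    }
    finally {
        & mountvol.exe $EspLetter /D    # always unmount, even if the copy failed
    }
    # 0x10 queues the DBX update for the Secure Boot servicing task on the next boots.
    New-ItemProperty -Path $RegKey -Name 'AvailableUpdates' -PropertyType DWord -Value 0x10 -Force | Out-Null
    Write-Host 'Mitigation staged. Reboot, wait at least five minutes, reboot again, then run -Mode Verify.'
}

function Test-Applied {
    # Event ID 1035 in the System log is the confirmation the post tells you to look for.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1035 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) {
        Write-Warning 'No Event ID 1035 yet; complete both reboots (five minutes apart) and re-run'
        return $false
    }
    Write-Host ("{0}  {1}" -f $ev.TimeCreated, $ev.Message)
    return [bool]($ev.Message -match 'DBX update applied successfully')
}

switch ($Mode) {
    'Preflight' { if (Test-Preflight) { 'Pre-flight OK' } else { exit 1 } }
    'Apply'     { Invoke-Apply }
    'Verify'    { if (Test-Applied) { 'Secure Boot DBX update confirmed' } else { exit 1 } }
}
```

The Apply step keeps the post's order (mount, copy, unmount, set the registry flag) and only sets the flag once the policy file is confirmed on the ESP, so a failed copy never leaves the servicing task pointed at a file that is not there. Verify matches on the event text rather than the ID alone, because Event IDs are only unique per provider.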
Shouldn't this also be included in a Windows Update package?
 

My Computers

System One

  • OS
    Windows 11 Pro 23H2 (Build 22631.3296)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom built
    CPU
    Intel i9-9900K
    Motherboard
    Gigabyte Aorus Z390 Xtreme
    Memory
    32G (4x8) DDR4 Corsair RGB Dominator Platinum (3600Mhz)
    Graphics Card(s)
    Radeon VII
    Sound Card
    Onboard (ESS Sabre HiFi using Realtek drivers)
    Monitor(s) Displays
    NEC PA242w (24 inch)
    Screen Resolution
    1920 x 1200
    Hard Drives
    5 Samsung SSD drives: 2X 970 NVME (512 & 1TB), 3X EVO SATA (2X 2TB, 1X 1TB)
    PSU
    EVGA Super Nova I000 G2 (1000 watt)
    Case
    Cooler Master H500M
    Cooling
    Corsair H115i RGB Platinum
    Keyboard
    Logitech Craft
    Mouse
    Logitech MX Master 3
    Internet Speed
    500mb Download. 11mb Upload
    Browser
    Microsoft Edge Chromium
    Antivirus
    Windows Security
    Other Info
    System used for gaming, photography, music, school.
System Two

  • Operating System
    Win 10 Pro 22H2 (build 19045.2130)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    Intel i7-7700K
    Motherboard
    Gigabyte GA-Z270X-GAMING 8
    Memory
    32G (4x8) DDR4 Corsair Dominator Platinum (3333Mhz)
    Graphics card(s)
    AMD Radeon R9 Fury
    Sound Card
    Onboard (Creative Sound Blaster certified ZxRi)
    Monitor(s) Displays
    Dell U2415 (24 inch)
    Screen Resolution
    1920 x 1200
    Hard Drives
    3 Samsung SSD drives: 1x 512gig 950 NVMe drive (OS drive), 1 x 512gig 850 Pro, 1x 256gig 840 Pro.
    PSU
    EVGA Super Nova 1000 P2 (1000 watt)
    Case
    Phantek Enthoo Luxe
    Cooling
    Corsair H100i
    Mouse
    Logitech MX Master
    Keyboard
    Logitech MK 710
    Internet Speed
    100MB
    Browser
    Edge Chromium
    Antivirus
    Windows Security
    Other Info
    This is my backup system.
...

But, in your case, I think that we can really greatly simplify this. Most of the complexity in this whole thing revolves around what to do with boot media that is based upon Windows PE or local installations of Windows PE after the mitigations are applied. Because you are not creating full disk images that would require updating of the boot media, applying this update is actually extremely simple. In fact, the hardest part of this whole issue for you would be to simply verify that the update was successfully applied, and that's a piece of cake :-)
...
I think that's the "money line" :) It sounds like even if things go wrong I'm not really going to lose more than a couple hours to reinstall Windows and recover my user files from a file history.

But now the second part of my question... Should I really worry about the threat this is fixing? I AM a home user with my system locked up in a basement. So isn't it a lot easier to just let Microsoft do its thing as they roll out future updates?
 
