Windows Boot Manager revocations for Secure Boot changes - CVE-2023-24932


Buddywh

I'm on Win 11 Ver 22H2 build 22621.1702

I was reading about this and became a bit concerned by how involved it seems to be. But I am also left unsure whether I should do anything or just wait for the changes to roll out, and if I should do something, exactly what and when.

The whole topic is covered here, in this link.

As a home user I don't think I'm significantly threatened by the security threat it's fixing, since it requires physical access to the computer or a level of remote access I think I would have to grant someone. But the fix, as related, sounds like it can go pretty badly if done incorrectly. So, a few questions:

Am I correct in assuming I'm not significantly threatened as a home user with my desktop computer physically secure in my basement?

Will the three updates MS will roll out (I presume in regular updates) to fix this, the last coming sometime in 2024, do the complete fix for me without my involvement?

If there's a 'yes' for both the above questions I think I should then simply ignore this and pretend I never read about it.

Is it wise, or under what conditions would it be wise, for me to go through the steps aimed at fixing the problem which are laid out in the above linked article sooner?

Honestly, it looks like something meant for IT professionals in support of a managed environment they tend to but it does say in the article that this is appropriate for home users too.

And as a BTW: I do not maintain bootable media in the form of recovery disks or system images. I prefer user file backups with File History and, should the Windows installation crash completely, simply do a clean install of Windows using freshly created media made by the Windows Installation Media Creation tool on another computer and then recover user files from File History. I'm not sure if that simplifies things or not, at least in terms of the mechanics of making the 'fix'.

First, my apologies that no one responded to you in ten days. I just happened to come across your post now.

I know that Microsoft makes it a point in their KB to say that both consumers and enterprise customers should take action to address this issue. However, in my personal opinion, this whole issue can be a bit daunting because there are so many issues to be taken into consideration.

But, in your case, I think that we can really greatly simplify this. Most of the complexity in this whole thing revolves around what to do with boot media that is based upon Windows PE or local installations of Windows PE after the mitigations are applied. Because you are not creating full disk images that would require updating of the boot media, applying this update is actually extremely simple. In fact, the hardest part of this whole issue for you would be to simply verify that the update was successfully applied, and that's a piece of cake :-)

Read through the steps below and see if you want to do this. I think that you will find this to be very simple in your case.

1) You have already completed step one. This step is to simply install the latest Windows updates so that you are on build 1702 or later. I see that you are already on build 1702 so this step is done.

2) Open an elevated command prompt. In other words, open it as Administrator. Then run these four commands exactly as shown below:

NOTE: The command that starts with "reg add" is the last command. It's a little bit long so it may wrap onto a second line below, but from "reg add" to the end is all one command.

mountvol q: /S
xcopy %systemroot%\System32\SecureBootUpdates\SKUSiPolicy.p7b q:\EFI\Microsoft\Boot
mountvol q: /D
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x10 /f

3) Reboot your computer. After rebooting, wait at least five minutes and then reboot a second time.

4) That's it! At this point you are technically done. However, we'll simply verify that the update took place like this:

Right-click on Start and then select Event Viewer. In Event Viewer, expand Windows Logs > System.

On the far right, select Filter Current Log...


Where it says <All Event IDs>, type in 1035 and then click on OK.


You should see one event. Click on it and it should say Secure Boot DBX update applied successfully.


Done!

I hope that this helps.
 

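A way to run the same verification as step 4 (and to confirm that steps 1 and 2 took effect) without clicking through Event Viewer. This is an added example, not code from the original post or from Microsoft's KB; it assumes the same Q: mount letter, file path and registry value as the commands above, and must be run from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: reports whether the CVE-2023-24932 mitigation steps above
# have been applied on this machine. Assumes Q: is free, as in step 2.

function Test-BootManagerMitigation {
    $result = [ordered]@{
        SecureBootEnabled = $false
        PolicyFileOnEsp   = $false
        AvailableUpdates  = $null
        DbxAppliedEvent   = $null
    }

    # Secure Boot has to be on for the boot manager revocation to mean anything.
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI } catch { }

    # Step 2 copied SKUSiPolicy.p7b to the EFI system partition; mount it
    # briefly on Q: (same letter as the post) and look for the file.
    mountvol Q: /S | Out-Null
    try {
        $result.PolicyFileOnEsp = Test-Path 'Q:\EFI\Microsoft\Boot\SKUSiPolicy.p7b'
    } finally {
        mountvol Q: /D | Out-Null
    }

    # Read back the AvailableUpdates value that step 2 set to 0x10.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $result.AvailableUpdates = (Get-ItemProperty -Path $key -Name AvailableUpdates `
        -ErrorAction SilentlyContinue).AvailableUpdates

    # Same check as step 4: Event ID 1035 in the System log with the
    # "Secure Boot DBX update applied successfully" message.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1035 } `
        -ErrorAction SilentlyContinue
    $result.DbxAppliedEvent = $events |
        Where-Object { $_.Message -like '*Secure Boot DBX update applied successfully*' } |
        Sort-Object TimeCreated -Descending | Select-Object -First 1

    [pscustomobject]$result
}

$status = Test-BootManagerMitigation
$status | Format-List
if ($status.DbxAppliedEvent) {
    "DBX update applied at $($status.DbxAppliedEvent.TimeCreated)"
} else {
    "No 'DBX update applied' event yet; do the two reboots from step 3 and re-run."
}
```

If `AvailableUpdates` reads back as 0x10 but no 1035 event exists, the second reboot in step 3 has not happened yet.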
Shouldn't this also be included in a Windows Update package?
 

...

But, in your case, I think that we can really greatly simplify this. Most of the complexity in this whole thing revolves around what to do with boot media that is based upon Windows PE or local installations of Windows PE after the mitigations are applied. Because you are not creating full disk images that would require updating of the boot media, applying this update is actually extremely simple. In fact, the hardest part of this whole issue for you would be to simply verify that the update was successfully applied, and that's a piece of cake :-)
...
I think that's the "money line" :) It sounds like even if things go wrong I'm not really going to lose more than a couple hours to reinstall Windows and recover my user files from a file history.

But now the second part of my question... Should I really worry about the threat this is fixing? I AM a home user with my system locked up in a basement. So isn't it a lot easier to just let Microsoft do its thing as they roll out future updates?
 
