Changes to Windows Boot Manager revocations for Secure Boot, effective July 9, 2024
Follow the new guidelines to deploy changes across enterprises and understand how the new Windows Boot Manager self-revocation works. These new guidelines are part of a plan with five phases to deploy protections against the publicly disclosed Secure Boot security feature bypass (CVE-2023-24932).
The Deployment Phase is now in effect and documented in the updated KB5025885. This new phase starts with changes introduced by the July 2024 Windows security update. Learn more about these changes at KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.
When will this happen
The new Boot Manager is included in the Windows updates released on or after July 9, 2024.
How does this affect your organization
This update for Secure Boot has five phases:
- Initial Deployment phase: This phase started with updates released on May 9, 2023, and provided basic mitigations with manual steps to enable those mitigations.
- Second Deployment phase: This phase started with updates released on July 11, 2023, which added simplified steps to enable the mitigations for the issue.
- Evaluation phase: This phase started on April 9, 2024, and added additional Boot Manager mitigations.
- Deployment phase: Starting with the July 9, 2024 update, we encourage all customers to begin deploying the mitigations and updating media.
- Enforcement phase: The date for this phase will be announced in the future. The Enforcement phase will make the mitigations permanent.
We are now in the Deployment phase. In this phase, we add support for Secure Version Number (SVN) to block older Boot Managers. This update installs a new Boot Manager that has an SVN, and it allows you to set the same SVN in the firmware.
What you need to do to prepare
Install the Windows monthly servicing update released on or after July 9, 2024, on supported Windows devices. Take the following steps to apply the revocations, install the new Boot Manager, and apply the new SVN update:
- Update the certificate definitions.
- Update the Boot Manager.
- Enable the revocations.
- Apply the SVN update to the firmware.
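The four steps above change the contents of the firmware's Secure Boot allowed (DB) and forbidden (DBX) databases. The following read-only PowerShell script is an added example, not part of this message or of KB5025885; it reports whether the outcomes of step 1 (certificate definitions) and step 3 (revocations) are visible in those databases on the device it runs on, using the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets. The certificate names it searches for ('Windows UEFI CA 2023' for the new allowed CA and 'Windows Production PCA 2011' for the revoked one) are assumptions taken from the KB5025885 guidance, not from this message, so confirm them against the KB before relying on the result. It does not check the Boot Manager binary or the SVN (steps 2 and 4); use the KB5025885 verification steps for those.

```powershell
# Added example (not Microsoft's code): inspect Secure Boot DB/DBX for the
# effects of the KB5025885 steps. Run in an elevated PowerShell session on the
# device being checked. Read-only: it applies nothing.

function Test-SecureBootDbContains {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'dbx')][string]$Name,
        [Parameter(Mandatory)][string]$Pattern
    )
    # Get-SecureBootUEFI returns the raw UEFI variable; X.509 subject strings
    # inside the EFI_SIGNATURE_LIST entries are readable as ASCII, so a plain
    # substring search is enough to tell whether a given CA entry is present.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return ($text -match [regex]::Escape($Pattern))
}

function Get-SecureBootMitigationState {
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this device; the DB/DBX revocations cannot take effect.'
    }

    # Assumed certificate names (from KB5025885, not from this message).
    $newCa = 'Windows UEFI CA 2023'          # added to DB by step 1
    $oldCa = 'Windows Production PCA 2011'   # added to DBX by step 3

    [pscustomobject]@{
        SecureBootEnabled = $true
        NewCaInDb         = Test-SecureBootDbContains -Name db  -Pattern $newCa
        OldCaInDbx        = Test-SecureBootDbContains -Name dbx -Pattern $oldCa
    }
}

$state = Get-SecureBootMitigationState
$state | Format-List

# Interpretation: NewCaInDb=$false means step 1 has not landed yet; revoking the
# old CA before the new one is trusted would leave the device unable to boot.
# OldCaInDbx=$true means the revocation (step 3) is in place on this firmware.
if (-not $state.NewCaInDb -and $state.OldCaInDbx) {
    Write-Warning 'DBX contains the old CA but DB lacks the new one; check boot media before rebooting.'
}
```

Run it before and after each servicing step on a pilot device; the ordering check at the end mirrors the reason the steps are listed in that order (trust the new certificate before revoking the old one).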
For more detailed steps, see KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.
Additional information
- Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
- Secure Boot
- Enable Secure Boot on enrolled Windows devices
- For events that are generated when applying DBX updates, see KB5016061: Addressing vulnerable and revoked Boot Managers.
Message ID: MC873559