Revoking vulnerable Windows Boot Managers
Windows is making updates to address a known security vulnerability exploited by BlackLotus to bypass Windows Secure Boot. Windows updates released April 9, 2024, and later, include new controls which provide the manual ability to deploy the “Windows UEFI CA 2023” certificate to the Secure Boot Allowed Signature Database (DB), as well as revoke trust for the “Microsoft Windows Production PCA 2011” signing certificate.
Enabling and testing these controls ahead of time will prepare your environment for the enforcement of security requirements which will become mandatory in the future. Get the details in our latest article, Revoking vulnerable Windows Boot Managers.
When will this happen:
You can opt in to revoke trust of the Microsoft Windows Production PCA 2011 as of the April 9, 2024 security update. You will need to follow steps listed in the article, including the installation of Windows updates released April 2024, or later.
What you need to do to prepare:
Prepare for these changes now by installing Windows updates released April 9, 2024, or later. Before enabling security hardening changes, understand the changing boot manager requirements, and verify devices can be safely updated.
Additionally, you can update the Secure Boot Forbidden Signature Database (DBX) on your system. To prepare your device to receive the Secure Boot DBX update package, ensure that you have correctly applied the DB update package first. See the additional information links below for more details.
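Because the DB package must be in place before the DBX package, it helps to confirm where a device stands before proceeding. The following is an added example script, not part of this Message Center post or of the linked KB; it uses the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets from an elevated PowerShell session, and it assumes that matching the certificate subject strings inside the raw variable bytes is a good-enough heuristic rather than a full EFI_SIGNATURE_LIST parse.

```powershell
function Get-SecureBootRevocationState {
    [CmdletBinding()]
    param()

    try {
        $secureBootOn = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS or no UEFI runtime services: the DB/DBX steps do not apply.
        return [pscustomobject]@{
            SecureBootEnabled = $false; DbHas2023CA = $false
            DbxRevokesPCA2011 = $false; ReadyForDbxUpdate = $false
        }
    }

    # Read the raw Secure Boot variables. Certificate subjects are stored as ASCII
    # inside the DER-encoded entries, so a substring match is a quick (heuristic) check.
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    try {
        $dbxText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    } catch {
        $dbxText = ''   # some firmware ships without a dbx variable at all
    }

    $has2023 = $dbText  -match 'Windows UEFI CA 2023'
    $revoked = $dbxText -match 'Microsoft Windows Production PCA 2011'

    [pscustomobject]@{
        SecureBootEnabled = $secureBootOn
        DbHas2023CA       = $has2023
        DbxRevokesPCA2011 = $revoked
        # Only move on to the DBX package once the new CA is trusted and the old one
        # has not already been revoked on this device.
        ReadyForDbxUpdate = ($secureBootOn -and $has2023 -and -not $revoked)
    }
}

$state = Get-SecureBootRevocationState
$state | Format-List
if ($state.SecureBootEnabled -and -not $state.DbHas2023CA) {
    Write-Warning 'Windows UEFI CA 2023 is not in DB yet; apply the DB update before the DBX update.'
}
```

Run it before and after each step of the KB5025885 procedure to confirm the DB change landed before revoking the 2011 certificate; a device that reports DbxRevokesPCA2011 = True without DbHas2023CA = True would be at risk of failing to boot media signed only by the older certificate.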
Additional information:
- Revoking vulnerable Windows Boot Managers
- Updating Microsoft Secure Boot keys
- KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
- Deploying Windows UEFI CA 2023 certificate to Secure Boot Allowed Signature Database (DB)
- Security Update Guide – Microsoft – Microsoft Secure Boot Security Feature Bypass Vulnerability
Message ID: MC785007