Microsoft has launched a PowerShell script to assist Home windows customers and admins replace bootable media so it makes use of the brand new “Home windows UEFI CA 2023” certificates earlier than the mitigations of the BlackLotus UEFI bootkit are enforced later this yr.
BlackLotus is a UEFI bootkit that may bypass Safe Boot and acquire management over the working system’s boot course of. As soon as in management, BlackLotus can disable Home windows safety features, akin to BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender Antivirus, permitting it to deploy malware on the highest privilege stage whereas remaining undetected.
In March 2023 after which July 2024, Microsoft launched safety updates for a Safe Boot bypass tracked as CVE-2023-24932 that revokes susceptible boot managers utilized by BlackLotus.
Nonetheless, this repair is disabled by default, as incorrectly making use of the replace or conflicts on units might trigger the working system to now not load. As an alternative, rolling out the repair in levels permits Home windows admins to check it earlier than it’s enforced someday earlier than 2026.
When enabled, the safety replace will add the “Home windows UEFI CA 2023” certificates to the UEFI “Safe Boot Signature Database.” Admins can then set up newer boot managers which can be signed with this certificates.
This course of additionally consists of updating the Safe Boot Forbidden Signature Database (DBX) so as to add the “Home windows Manufacturing CA 2011” certificates. This certificates is used to signal older, susceptible boot managers, and as soon as revoked, will trigger these boot managers to turn out to be untrusted and never load.
Nonetheless, in case you apply the mitigations and run into a problem booting your units, it’s essential to first replace your bootable media to make use of the Home windows UEFI CA 2023 certificates to troubleshoot the Home windows set up.
“In the event you encounter a problem with the gadget after making use of the mitigations and the gadget turns into unbootable, you may be unable to begin or get well your gadget from present media,” Microsoft explains in a assist bulletin in regards to the staged rollout of fixes for CVE-2023-24932.
“Restoration or set up media will must be up to date so that it’ll work with a tool that has the mitigations utilized.”
Yesterday, Microsoft launched a PowerShell script that helps you replace bootable media so it makes use of the Home windows UEFI CA 2023 certificates.
Supply: BleepingComputer
“The PowerShell script described on this article can be utilized to replace Home windows bootable media in order that the media can be utilized on methods that belief the Home windows UEFI CA 2023 certificates,” explains Microsoft.
The PowerShell script will be downloaded from Microsoft and can be utilized to replace bootable media information for ISO CD/DVD picture information, a USB flash drive, a neighborhood drive path, or a community drive path.
To make the most of the utility, it’s essential to first obtain and set up the Home windows ADK, which is important for this script to work appropriately.
When run, the script will replace the media information to make use of the Home windows UEFI CA 2023 certificates and set up the boot managers signed by this certificates.
It’s strongly suggested that Home windows admins check this course of earlier than the enforcement stage of the safety updates is reached. Microsoft says this can occur by the top of 2026 and can give a six-month discover earlier than it begins.