Microsoft has launched a PowerShell script to assist Home windows customers and admins replace bootable media so it makes use of the brand new “Home windows UEFI CA 2023” certificates earlier than the mitigations of the BlackLotus UEFI bootkit are enforced later this yr.
BlackLotus is a UEFI bootkit that may bypass Safe Boot and achieve management over the working system’s boot course of. As soon as in management, BlackLotus can disable Home windows safety features, reminiscent of BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender Antivirus, permitting it to deploy malware on the highest privilege stage whereas remaining undetected.
In March 2023 after which July 2024, Microsoft launched safety updates for a Safe Boot bypass tracked as CVE-2023-24932 that revokes susceptible boot managers utilized by BlackLotus.
Nevertheless, this repair is disabled by default, as incorrectly making use of the replace or conflicts on gadgets might trigger the working system to not load. As a substitute, rolling out the repair in phases permits Home windows admins to check it earlier than it’s enforced someday earlier than 2026.
When enabled, the safety replace will add the “Home windows UEFI CA 2023” certificates to the UEFI “Safe Boot Signature Database.” Admins can then set up newer boot managers which can be signed with this certificates.
This course of additionally contains updating the Safe Boot Forbidden Signature Database (DBX) so as to add the “Home windows Manufacturing CA 2011” certificates. This certificates is used to signal older, susceptible boot managers, and as soon as revoked, will trigger these boot managers to turn out to be untrusted and never load.
Nevertheless, when you apply the mitigations and run into a difficulty booting your gadgets, you need to first replace your bootable media to make use of the Home windows UEFI CA 2023 certificates to troubleshoot the Home windows set up.
“Should you encounter a difficulty with the machine after making use of the mitigations and the machine turns into unbootable, you may be unable to start out or recuperate your machine from current media,” Microsoft explains in a assist bulletin in regards to the staged rollout of fixes for CVE-2023-24932.
“Restoration or set up media will have to be up to date so that it’ll work with a tool that has the mitigations utilized.”
Yesterday, Microsoft launched a PowerShell script that helps you replace bootable media so it makes use of the Home windows UEFI CA 2023 certificates.
Supply: BleepingComputer
“The PowerShell script described on this article can be utilized to replace Home windows bootable media in order that the media can be utilized on programs that belief the Home windows UEFI CA 2023 certificates,” explains a brand new assist bulletin in regards to the script.
The PowerShell script will be downloaded from Microsoft and can be utilized to replace bootable media recordsdata for ISO CD/DVD picture recordsdata, a USB flash drive, a neighborhood drive path, or a community drive path.
To make the most of the utility, you need to first obtain and set up the Home windows ADK, which is important for this script to work appropriately.
When run, the script will replace the media recordsdata to make use of the Home windows UEFI CA 2023 certificates and set up the boot managers signed by this certificates.
It’s strongly suggested that Home windows admins check this course of earlier than the enforcement stage of the safety updates is reached. Microsoft says it will occur by the tip of 2026 and can give a six-month discover earlier than it begins.