Microsoft has launched a PowerShell script to assist Home windows customers and admins replace bootable media so it makes use of the brand new “Home windows UEFI CA 2023” certificates earlier than the mitigations of the BlackLotus UEFI bootkit are enforced later this yr.
BlackLotus is a UEFI bootkit that may bypass Safe Boot and acquire management over the working system’s boot course of. As soon as in management, BlackLotus can disable Home windows security measures, comparable to BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender Antivirus, permitting it to deploy malware on the highest privilege degree whereas remaining undetected.
In March 2023 after which July 2024, Microsoft launched safety updates for a Safe Boot bypass tracked as CVE-2023-24932 that revokes weak boot managers utilized by BlackLotus.
Nevertheless, this repair is disabled by default, as incorrectly making use of the replace or conflicts on gadgets might trigger the working system to now not load. As a substitute, rolling out the repair in phases permits Home windows admins to check it earlier than it’s enforced someday earlier than 2026.
When enabled, the safety replace will add the “Home windows UEFI CA 2023” certificates to the UEFI “Safe Boot Signature Database.” Admins can then set up newer boot managers which might be signed with this certificates.
This course of additionally consists of updating the Safe Boot Forbidden Signature Database (DBX) so as to add the “Home windows Manufacturing CA 2011” certificates. This certificates is used to signal older, weak boot managers, and as soon as revoked, will trigger these boot managers to turn out to be untrusted and never load.
Nevertheless, should you apply the mitigations and run into a difficulty booting your gadgets, you could first replace your bootable media to make use of the Home windows UEFI CA 2023 certificates to troubleshoot the Home windows set up.
“Should you encounter a difficulty with the gadget after making use of the mitigations and the gadget turns into unbootable, you may be unable to start out or get well your gadget from present media,” Microsoft explains in a assist bulletin in regards to the staged rollout of fixes for CVE-2023-24932.
“Restoration or set up media will must be up to date so that it’s going to work with a tool that has the mitigations utilized.”
Yesterday, Microsoft launched a PowerShell script that helps you replace bootable media so it makes use of the Home windows UEFI CA 2023 certificates.
Supply: BleepingComputer
“The PowerShell script described on this article can be utilized to replace Home windows bootable media in order that the media can be utilized on programs that belief the Home windows UEFI CA 2023 certificates,” explains Microsoft.
The PowerShell script could be downloaded from Microsoft and can be utilized to replace bootable media information for ISO CD/DVD picture information, a USB flash drive, a neighborhood drive path, or a community drive path.
To make the most of the utility, you could first obtain and set up the Home windows ADK, which is important for this script to work appropriately.
When run, the script will replace the media information to make use of the Home windows UEFI CA 2023 certificates and set up the boot managers signed by this certificates.
It’s strongly suggested that Home windows admins take a look at this course of earlier than the enforcement stage of the safety updates is reached. Microsoft says this may occur by the tip of 2026 and can give a six-month discover earlier than it begins.
