Microsoft has released a PowerShell script to help Windows users and admins update bootable media so it uses the new “Windows UEFI CA 2023” certificate before the mitigations for the BlackLotus UEFI bootkit are enforced later this year.
BlackLotus is a UEFI bootkit that can bypass Secure Boot and gain control over the operating system’s boot process. Once in control, BlackLotus can disable Windows security features, such as BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender Antivirus, allowing it to deploy malware at the highest privilege level while remaining undetected.
In March 2023 and then July 2024, Microsoft released security updates for a Secure Boot bypass tracked as CVE-2023-24932 that revoke the vulnerable boot managers used by BlackLotus.
However, this fix is disabled by default, as incorrectly applying the update or conflicts on devices could cause the operating system to no longer load. Instead, rolling out the fix in stages allows Windows admins to test it before it is enforced sometime before 2026.
When enabled, the security update will add the “Windows UEFI CA 2023” certificate to the UEFI “Secure Boot Signature Database.” Admins can then install newer boot managers that are signed with this certificate.
This process also includes updating the Secure Boot Forbidden Signature Database (DBX) to add the “Windows Production CA 2011” certificate. This certificate is used to sign older, vulnerable boot managers, and once revoked, will cause those boot managers to become untrusted and not load.
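To see which stage a device is in, the two firmware variables described above can be read directly. The following is an added example, not part of Microsoft's script or the original article; the function names are hypothetical, it assumes an elevated PowerShell session on a UEFI system, and it matches the revoked certificate by its full subject name, "Microsoft Windows Production PCA 2011".

```powershell
# Added example: read-only check of the Secure Boot trust state.
# Nothing here writes to firmware. Function names are hypothetical.
function Test-SecureBootVariableContains {
    param(
        [Parameter(Mandatory)] [ValidateSet('db', 'dbx')] [string] $Variable,
        [Parameter(Mandatory)] [string] $SubjectText
    )
    try {
        # .Bytes holds the raw EFI signature lists stored in the variable.
        $raw = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        # An undefined variable (for example, an empty dbx) is treated as "not present".
        Write-Verbose "Could not read ${Variable}: $($_.Exception.Message)"
        return $false
    }
    if (-not $raw) { return $false }
    # Certificate subject names sit as readable text inside the DER blobs,
    # so a substring search over the decoded bytes is enough for a presence check.
    $text = [System.Text.Encoding]::ASCII.GetString($raw)
    return $text.Contains($SubjectText)
}

function Get-BootTrustState {
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        # Thrown on legacy BIOS systems or when the session is not elevated.
        Write-Warning "Cannot query Secure Boot: $($_.Exception.Message)"
        return
    }
    $has2023 = Test-SecureBootVariableContains -Variable db -SubjectText 'Windows UEFI CA 2023'
    $revoked2011 = Test-SecureBootVariableContains -Variable dbx -SubjectText 'Windows Production PCA 2011'
    [pscustomobject]@{
        SecureBootEnabled     = $enabled
        DbTrustsUefiCa2023    = $has2023       # new boot managers will be trusted
        DbxRevokes2011Ca      = $revoked2011   # older boot managers will be refused
        # Once the 2011 certificate is revoked, media carrying boot managers
        # signed with it no longer starts on this device.
        OldMediaWillNotBoot   = ($enabled -and $revoked2011)
    }
}

Get-BootTrustState | Format-List
```

A device reporting `DbxRevokes2011Ca` as true without `DbTrustsUefiCa2023` is in an inconsistent state and should be investigated before rebooting.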
However, if you apply the mitigations and run into an issue booting your devices, you must first update your bootable media to use the Windows UEFI CA 2023 certificate to troubleshoot the Windows installation.
“If you encounter an issue with the system after applying the mitigations and the system becomes unbootable, you could be unable to start or recover your system from existing media,” Microsoft explains in a support bulletin about the staged rollout of fixes for CVE-2023-24932.
“Recovery or installation media will have to be updated so that it will work with a device that has the mitigations applied.”
Yesterday, Microsoft released a PowerShell script that helps you update bootable media so it uses the Windows UEFI CA 2023 certificate.
“The PowerShell script described in this article can be used to update Windows bootable media so that the media can be used on systems that trust the Windows UEFI CA 2023 certificate,” explains a new support bulletin about the script.
The PowerShell script can be downloaded from Microsoft and can be used to update bootable media files for ISO CD/DVD image files, a USB flash drive, a local drive path, or a network drive path.
To use the utility, you must first download and install the Windows ADK, which is required for this script to work correctly.
When run, the script will update the media files to use the Windows UEFI CA 2023 certificate and install the boot managers signed by this certificate.
It is strongly advised that Windows admins test this process before the enforcement stage of the security updates is reached. Microsoft says this will happen by the end of 2026 and will give a six-month notice before it begins.