Microsoft has released a PowerShell script to help Windows users and admins update bootable media so it uses the new “Windows UEFI CA 2023” certificate before the mitigations of the BlackLotus UEFI bootkit are enforced later this year.
BlackLotus is a UEFI bootkit that can bypass Secure Boot and gain control over the operating system’s boot process. Once in control, BlackLotus can disable Windows security features, such as BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender Antivirus, allowing it to deploy malware at the highest privilege level while remaining undetected.
In March 2023 and then July 2024, Microsoft released security updates for a Secure Boot bypass tracked as CVE-2023-24932 that revoke vulnerable boot managers used by BlackLotus.
However, this fix is disabled by default, as incorrectly applying the update or conflicts on devices could cause the operating system to not load. Instead, rolling out the fix in stages allows Windows admins to test it before it is enforced sometime before 2026.
When enabled, the security update will add the “Windows UEFI CA 2023” certificate to the UEFI “Secure Boot Signature Database.” Admins can then install newer boot managers that are signed with this certificate.
This process also includes updating the Secure Boot Forbidden Signature Database (DBX) to add the “Windows Production CA 2011” certificate. This certificate is used to sign older, vulnerable boot managers, and once revoked, will cause these boot managers to become untrusted and not load.
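
The two database changes described above can be checked read-only from an elevated PowerShell prompt. This is an added example, not Microsoft's script or code from the article; it relies on the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets, and the function and property names are hypothetical. It assumes the DBX entry carries the certificate's full subject name, "Microsoft Windows Production PCA 2011".

```powershell
#Requires -RunAsAdministrator
# Added example: reports which CVE-2023-24932 mitigation steps are visible in
# the firmware's Secure Boot variables. Read-only; it changes nothing.

function Test-SecureBootVariableContains {
    # Hypothetical helper name, not part of any Microsoft tooling.
    param(
        [Parameter(Mandatory)] [ValidateSet('db', 'dbx')] [string] $Name,
        [Parameter(Mandatory)] [string] $SubjectText
    )
    try {
        # The variable holds raw EFI signature lists; a certificate's subject
        # name is stored as ASCII text inside its DER encoding.
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    } catch {
        Write-Warning "Could not read '$Name': $($_.Exception.Message)"
        return $false
    }
    $text = [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    return $text.Contains($SubjectText)   # literal match, not a regex
}

try {
    $secureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    # Thrown on legacy BIOS systems or when the session is not elevated.
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    return
}

# Step 1 of the mitigation: the new CA is trusted in the signature database.
$newCaTrusted = Test-SecureBootVariableContains -Name db `
    -SubjectText 'Windows UEFI CA 2023'

# Step 2: the old CA is revoked in DBX (assumed full subject name, see lead-in).
$oldCaRevoked = Test-SecureBootVariableContains -Name dbx `
    -SubjectText 'Microsoft Windows Production PCA 2011'

[pscustomobject]@{
    SecureBootEnabled      = $secureBootOn
    UefiCa2023InDb         = $newCaTrusted
    ProductionPca2011InDbx = $oldCaRevoked
    # Once the 2011 CA is revoked, media with older boot managers will not load.
    NeedsUpdatedBootMedia  = $oldCaRevoked
}
```

The text search is a heuristic over the raw variable contents, so treat a `False` result as "not found" rather than proof that the entry is absent.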
However, if you apply the mitigations and run into an issue booting your devices, you must first update your bootable media to use the Windows UEFI CA 2023 certificate to troubleshoot the Windows installation.
“If you encounter an issue with the device after applying the mitigations and the device becomes unbootable, you might be unable to start or recover your device from existing media,” Microsoft explains in a support bulletin about the staged rollout of fixes for CVE-2023-24932.
“Recovery or installation media will need to be updated so that it will work with a device that has the mitigations applied.”
Yesterday, Microsoft released a PowerShell script that helps you update bootable media so it uses the Windows UEFI CA 2023 certificate.
![Script to apply CVE-2023-24932 mitigations to bootable Windows media](https://www.bleepstatic.com/images/news/Microsoft/b/blacklotus-mitigations/microsoft-powershell-script.jpg)
Source: BleepingComputer
“The PowerShell script described in this article can be used to update Windows bootable media so that the media can be used on systems that trust the Windows UEFI CA 2023 certificate,” explains a new support bulletin about the script.
The PowerShell script can be downloaded from Microsoft and can be used to update bootable media files for ISO CD/DVD image files, a USB flash drive, a local drive path, or a network drive path.
To use the utility, you must first download and install the Windows ADK, which is necessary for this script to work correctly.
When run, the script will update the media files to use the Windows UEFI CA 2023 certificate and install the boot managers signed by this certificate.
It is strongly advised that Windows admins test this process before the enforcement stage of the security updates is reached. Microsoft says this will happen by the end of 2026 and will give a six-month notice before it begins.