Microsoft has released a PowerShell script to help Windows users and admins update bootable media so it utilizes the new “Windows UEFI CA 2023” certificate before the mitigations of the BlackLotus UEFI bootkit are enforced later this year.
BlackLotus is a UEFI bootkit that can bypass Secure Boot and gain control over the operating system’s boot process. Once in control, BlackLotus can disable Windows security features, such as BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender Antivirus, allowing it to deploy malware at the highest privilege level while remaining undetected.
In March 2023 and then July 2024, Microsoft released security updates for a Secure Boot bypass tracked as CVE-2023-24932 that revokes vulnerable boot managers used by BlackLotus.
However, this fix is disabled by default, as incorrectly applying the update or conflicts on devices could cause the operating system to no longer load. Instead, rolling out the fix in stages allows Windows admins to test it before it is enforced sometime before 2026.
When enabled, the security update will add the “Windows UEFI CA 2023” certificate to the UEFI “Secure Boot Signature Database.” Admins can then install newer boot managers that are signed with this certificate.
This process also includes updating the Secure Boot Forbidden Signature Database (DBX) to add the “Windows Production CA 2011” certificate. This certificate is used to sign older, vulnerable boot managers, and once revoked, will cause those boot managers to become untrusted and not load.
However, if you apply the mitigations and run into an issue booting your devices, you must first update your bootable media to use the Windows UEFI CA 2023 certificate to troubleshoot the Windows install.
“If you encounter an issue with the device after applying the mitigations and the device becomes unbootable, you might be unable to start or recover your device from existing media,” Microsoft explains in a support bulletin about the staged rollout of fixes for CVE-2023-24932.
“Recovery or install media will need to be updated so that it will work with a device that has the mitigations applied.”
Yesterday, Microsoft released a PowerShell script that helps you update bootable media so it uses the Windows UEFI CA 2023 certificate.
Source: BleepingComputer
“The PowerShell script described in this article can be used to update Windows bootable media so that the media can be used on systems that trust the Windows UEFI CA 2023 certificate,” explains a new support bulletin about the script.
The PowerShell script can be downloaded from Microsoft and can be used to update bootable media files for ISO CD/DVD image files, a USB flash drive, a local drive path, or a network drive path.
To utilize the utility, you must first download and install the Windows ADK, which is necessary for this script to work correctly.
When run, the script will update the media files to use the Windows UEFI CA 2023 certificate and install the boot managers signed by this certificate.
It is strongly advised that Windows admins test this process before the enforcement stage of the security updates is reached. Microsoft says this will happen by the end of 2026 and will give a six-month notice before it begins.
