Windows Boot Manager revocations for Secure Boot Changes | CVE-2023-24932

[HotCakeX]

The Harden Windows Security Module was employed to implement supplementary measures related to Windows Boot Manager revocations for Secure Boot Modifications from May 9, 2023, until April 9, 2024. Presently, the procedures have changed in such a manner that their automation is currently unfeasible. This article tries to inform you regarding the manual steps required for the application of the Secure Boot Modifications, should you decide to proceed.

As explained in the Microsoft's article and pull request notes, they will be applied automatically in the near future through Windows Update.

Please refer to the following links for more info

• https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932

• Harden Windows Security Module v.0.3.7 #229

[agpt8]

Have you tried the steps given the support article?

I know the pull request mentions that nothing has to be done if the now removed May 9 fix was implemented using the hardening module.
But I went ahead and tried the steps anyway. I was able to get till step 2b. But when I check for the updated certificate chain as given in the screenshot in the article, I still see the old Windows Production CA 2011. I tried restarting several times but it won't install the boot manager with the new certificate.

If you have tried this, were you able to complete all the steps successfully?

[HotCakeX]

Hi, no I haven't tried that yet. It probably will make the UEFI deny installation medias like ISO files that are available right now and if I ever decide to do a clean install between now and July 9 (when they release updated installation medias), I wouldn't be able to do that so that's why I'm holding off for now, at least on my physical machine. (I kinda wanna do a clean install when 24H2 is released to the beta channel to test its new OOBE experience and more)

I'll try it on a VM later, will let you know how it goes ^^

[agpt8]

I think this can be tried on the hardware as the first 2 steps are just installing the new certificate and attempting to install the boot manager with the new certificate. And as mentioned in the article, only before revoking the previous certificate it recommends that recovery image to be updated in case the system needs to be reverted back (for which it also provides the steps).

This is ofcourse what I have understood from the article:

1. Back up bitlocker keys
2. Install the new certificate
3. Verify it is added in the trusted DB
4. Try and install the boot manager with the new certificate
5. Verify after restarts that the boot manager is now using the new certificate
6. Update recovery image
7. Revoke the previous certificate
8. Verify that the previous certificate is no longer in the good DB and now present in the block list db (DBX).

[HotCakeX]

That's true but I'd still try it on a VM first just to be safe. There is another thing that i'll add to the script in few days

https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1

That needs everyone to be on the latest stable build of the OS. The new category will be here from approx Apri 13 2024 to Oct 15 2024, the extra days should provide time for everyone to update.