Reminder: Changes to Windows Boot Manager revocations for Secure Boot effective April 9, 2024



 Windows Message Center:

Windows updates released July 11, 2023 and later include security measures which protect against a Secure Boot bypass vulnerability disclosed in CVE-2023-24932. Secure Boot is a Windows security feature designed to protect devices from bootkit malware.

Administrators should observe mitigations and security enforcement requirements coming into effect with Windows updates released on and after April 9, 2024. These updates will provide new mitigations to block additional vulnerable boot managers. Windows updates released on and after October 8, 2024 will enforce the Code Integrity Boot policy and Secure Boot disallow list revocations related to this hardening. There will be no option to disable this enforcement after this update.

To enable protections manually, it's necessary to ensure all devices and bootable media are updated and ready for this security hardening change. Users should determine whether it's important to enable protections now, or wait for a future update from Microsoft. To better assess this, in addition to understanding the options available for configuring these security requirements, see KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.


 Source:

Windows message center

Windows message center
learn.microsoft.com

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com
 
Last edited:
Click to expand...
Hi,
What
So no secure boot = no booting into win-11 because the update make it mandatory on efi partition ?
Or just hide the silly update ?
 

My Computer

System One

  • OS
    Win-7-10-11Pro's
    Computer type
    PC/Desktop
    Manufacturer/Model
    Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x
    CPU
    10900k & 9940x & 5930k
    Motherboard
    z490-Apex & x299-Apex & x99-Sabertooth
    Memory
    Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb
    Graphics Card(s)
    Titan Xp & 1080ti FTW3 & evga 980ti gaming
    Sound Card
    Onboard Realtek x3
    Monitor(s) Displays
    1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
    Screen Resolution
    1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly
    Hard Drives
    2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.
    PSU
    1000p2 & 1200p2 & 850p2
    Case
    D450 x2 & 1 Test bench in cherry Entertainment center
    Cooling
    Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled
    Keyboard
    G710+x3
    Mouse
    Redragon x3
    Internet Speed
    xfinity gigabyte
    Browser
    Firefox
    Antivirus
    mbam pro
This smells terrible
So MS wants to own all our ssd's without purchasing them ?
CAUTION Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device. Even reformatting of the disk will not remove the revocations if they have already been applied. Please be aware of all the possible implications and test thoroughly before applying the revocations that are outlined in this article to your device.
Click to expand...
 

My Computer

System One

  • OS
    Win-7-10-11Pro's
    Computer type
    PC/Desktop
    Manufacturer/Model
    Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x
    CPU
    10900k & 9940x & 5930k
    Motherboard
    z490-Apex & x299-Apex & x99-Sabertooth
    Memory
    Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb
    Graphics Card(s)
    Titan Xp & 1080ti FTW3 & evga 980ti gaming
    Sound Card
    Onboard Realtek x3
    Monitor(s) Displays
    1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
    Screen Resolution
    1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly
    Hard Drives
    2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.
    PSU
    1000p2 & 1200p2 & 850p2
    Case
    D450 x2 & 1 Test bench in cherry Entertainment center
    Cooling
    Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled
    Keyboard
    G710+x3
    Mouse
    Redragon x3
    Internet Speed
    xfinity gigabyte
    Browser
    Firefox
    Antivirus
    mbam pro
What is an average PC user completely oblivious to this update supposed to do?
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self build
    CPU
    Core i7-13700K
    Motherboard
    Asus TUF Gaming Plus WiFi Z790
    Memory
    64 GB Kingston Fury Beast DDR5
    Graphics Card(s)
    Gigabyte GeForce RTX 2060 Super Gaming OC 8G
    Sound Card
    Realtek S1200A
    Monitor(s) Displays
    Viewsonic VP2770
    Screen Resolution
    2560 x 1440
    Hard Drives
    Kingston KC3000 2TB NVME SSD & SATA HDDs & SSD
    PSU
    EVGA SuperNova G2 850W
    Case
    Nanoxia Deep Silence 1
    Cooling
    Noctua NH-D14
    Keyboard
    Microsoft Digital Media Pro
    Mouse
    Logitech Wireless
    Internet Speed
    50 Mb / s
    Browser
    Chrome
    Antivirus
    Defender
ThrashZone said:
This smells terrible
So MS wants to own all our ssd's without purchasing them ?
Click to expand...
That's just how Secure Boot database updates work (and have to work) whenever a major manufacturer/OS vendor's secure boot key has been compromised. You actually get these Secure Boot DBX updates from time to time through either the Windows Update process they're using here or directly from your device manufacturer in a firmware/BIOS update, but the drama around the new BlackLotus threat they're blocking with this DBX update is that Microsoft's own bootloader for Windows is also affected. Microsoft has gradually patched the Windows bootloader over the last sixish months so that it won't be blocked by the Secure Boot update when it happens, but that's why they say you have to update any older usb install sticks or recovery partitions you have. As long as you receive Secure Boot updates from Windows Update or LVFS on Linux it'll be taken care of automatically.
 

My Computer

System One

  • OS
    Windows 11
Steve C said:
What is an average PC user completely oblivious to this update supposed to do?
Click to expand...
You don't have to do anything, these updates will eventually be applied automatically by Windows Update. The article is intended for IT admins in organizations that have a specific reason to manually apply them early.
 

My Computer

System One

  • OS
    Windows 11
As long as Secure Boot remains optional I don't care...
 

My Computer

System One

  • OS
    Windows 11 Pro 24H2 (RP channel)
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI
    CPU
    AMD Ryzen 7 9800X3D 8-core
    Motherboard
    MEG X870E Godlike
    Memory
    64GB Corsair Titanium 6000/CL30
    Graphics Card(s)
    MSI Suprim X 3080 Ti
    Sound Card
    Soundblaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming VG289Q
    Screen Resolution
    3840x2160
    Hard Drives
    Samsung 990 Pro 2TB
    Samsung 980 Pro 2TB
    Samsung 970 Evo Plus 1TB
    Samsung 870 Evo 4TB
    Samsung T7 Touch 1TB
    PSU
    Seasonic PX-2200
    Case
    Bequiet! Dark Base Pro 901
    Cooling
    Noctua NH-D15S
    Keyboard
    Logitech G915 X (wired)
    Mouse
    Logitech G903 with PowerPlay charger
    Internet Speed
    900Mb/sec
    Browser
    Microsoft Edge
    Antivirus
    Windows Defender
BrianInEngland said:
As long as Secure Boot remains optional I don't care...
Click to expand...
Hi,
Unfortunately it is not on many oem machines
My secure boot setting is locked along with tpm and all security settings so no option to disable in bios.
 

My Computer

System One

  • OS
    Win-7-10-11Pro's
    Computer type
    PC/Desktop
    Manufacturer/Model
    Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x
    CPU
    10900k & 9940x & 5930k
    Motherboard
    z490-Apex & x299-Apex & x99-Sabertooth
    Memory
    Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb
    Graphics Card(s)
    Titan Xp & 1080ti FTW3 & evga 980ti gaming
    Sound Card
    Onboard Realtek x3
    Monitor(s) Displays
    1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
    Screen Resolution
    1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly
    Hard Drives
    2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.
    PSU
    1000p2 & 1200p2 & 850p2
    Case
    D450 x2 & 1 Test bench in cherry Entertainment center
    Cooling
    Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled
    Keyboard
    G710+x3
    Mouse
    Redragon x3
    Internet Speed
    xfinity gigabyte
    Browser
    Firefox
    Antivirus
    mbam pro
ThrashZone said:
Hi,
Unfortunately it is not on many oem machines
My secure boot setting is locked along with tpm and all security settings so no option to disable in bios.
Click to expand...
Bummer. My PC is a self-built and I've never enabled Secure boot
 

My Computer

System One

  • OS
    Windows 11 Pro 24H2 (RP channel)
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI
    CPU
    AMD Ryzen 7 9800X3D 8-core
    Motherboard
    MEG X870E Godlike
    Memory
    64GB Corsair Titanium 6000/CL30
    Graphics Card(s)
    MSI Suprim X 3080 Ti
    Sound Card
    Soundblaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming VG289Q
    Screen Resolution
    3840x2160
    Hard Drives
    Samsung 990 Pro 2TB
    Samsung 980 Pro 2TB
    Samsung 970 Evo Plus 1TB
    Samsung 870 Evo 4TB
    Samsung T7 Touch 1TB
    PSU
    Seasonic PX-2200
    Case
    Bequiet! Dark Base Pro 901
    Cooling
    Noctua NH-D15S
    Keyboard
    Logitech G915 X (wired)
    Mouse
    Logitech G903 with PowerPlay charger
    Internet Speed
    900Mb/sec
    Browser
    Microsoft Edge
    Antivirus
    Windows Defender
ThrashZone said:
My secure boot setting is locked along with tpm and all security settings so no option to disable in bios.
Click to expand...
So you will never be able to start any program from an external system DVD or USB-Stick?
For the Clonezilla I use I always have to disable the security setting in the UEFI Bios.
Directly after using Clonezilla I enable that again, as I think it's a valuable protection of the system.
But that would mean you would not be able to run any kind of utility software like Hirens Boot CD (or the moderner version on USB Stick).
 

My Computer

System One

  • OS
    Windows 11 Pro 23H2 22631.4890
    Computer type
    PC/Desktop
    Manufacturer/Model
    Build by vendor to my specs
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    MSI PRO B550M-P Gen3
    Memory
    Kingston FURY Beast 2x16GB DIMM DDR4 2666 CL16
    Graphics Card(s)
    MSI GeForce GT 730 2GB LP V1
    Sound Card
    Creative Sound Blaster Audigy FX
    Monitor(s) Displays
    Samsung S24E450F 24"
    Screen Resolution
    1920 x 1080
    Hard Drives
    1. SSD Crucial P5 Plus 500GB PCIe M.2
    2. SSD-SATA Crucial MX500-2TB
    PSU
    Corsair CV650W
    Case
    Cooler Master Silencio S400
    Cooling
    Cooler Master Hyper H412R with Be Quiet Pure Wings 2 PWM BL038 fan
    Keyboard
    Cherry Stream (wired, scissor keys)
    Mouse
    Asus WT465 (wireless)
    Internet Speed
    70 Mbps down / 80 Mbps up
    Browser
    Firefox 130.0
    Antivirus
    F-secure via Internet provider
    Other Info
    Router: FRITZBox 7490
    Oracle VirtualBox 7 for testing software on Win 10 or 11
Kees said:
So you will never be able to start any program from an external system DVD or USB-Stick?
For the Clonezilla I use I always have to disable the security setting in the UEFI Bios.
Directly after using Clonezilla I enable that again, as I think it's a valuable protection of the system.
But that would mean you would not be able to run any kind of utility software like Hirens Boot CD (or the moderner version on USB Stick).
Click to expand...
Hi,
No I can still use any efi formatted usb with f12 boot menu or bios boot override, I prefer boot menu obviously faster.
I use M.Reflect winpe often with both activated and all seems fine.

Only wish list is to be able to disable tpm it's the one bitlocker crapware would use automatically if it ever became mandatory to use plus the silly ms account/ onedrive bs...

Got with acer about it they gave me a couple 4 digit pins that are usually used
I haven't been asked to enter one yet
In bios there is a add password there but haven't used it I'm not sure what good that is when settings are already locked but may look into that shortly.
 

My Computer

System One

  • OS
    Win-7-10-11Pro's
    Computer type
    PC/Desktop
    Manufacturer/Model
    Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x
    CPU
    10900k & 9940x & 5930k
    Motherboard
    z490-Apex & x299-Apex & x99-Sabertooth
    Memory
    Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb
    Graphics Card(s)
    Titan Xp & 1080ti FTW3 & evga 980ti gaming
    Sound Card
    Onboard Realtek x3
    Monitor(s) Displays
    1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
    Screen Resolution
    1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly
    Hard Drives
    2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.
    PSU
    1000p2 & 1200p2 & 850p2
    Case
    D450 x2 & 1 Test bench in cherry Entertainment center
    Cooling
    Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled
    Keyboard
    G710+x3
    Mouse
    Redragon x3
    Internet Speed
    xfinity gigabyte
    Browser
    Firefox
    Antivirus
    mbam pro
Well I added a bios password and all settings are live :thumbsup:
Acer didn't say that but tpm is dead as a door nail atm
Secure boot well we'll see what translations become of the April update between now and then before it's toast or not
Otherwise I've not had any issues with it.
 

My Computer

System One

  • OS
    Win-7-10-11Pro's
    Computer type
    PC/Desktop
    Manufacturer/Model
    Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x
    CPU
    10900k & 9940x & 5930k
    Motherboard
    z490-Apex & x299-Apex & x99-Sabertooth
    Memory
    Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb
    Graphics Card(s)
    Titan Xp & 1080ti FTW3 & evga 980ti gaming
    Sound Card
    Onboard Realtek x3
    Monitor(s) Displays
    1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
    Screen Resolution
    1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly
    Hard Drives
    2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.
    PSU
    1000p2 & 1200p2 & 850p2
    Case
    D450 x2 & 1 Test bench in cherry Entertainment center
    Cooling
    Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled
    Keyboard
    G710+x3
    Mouse
    Redragon x3
    Internet Speed
    xfinity gigabyte
    Browser
    Firefox
    Antivirus
    mbam pro
You must log in or register to reply here.

Similar threads

  • Article Article
Revoking vulnerable Windows boot managers
2
Replies
24
Views
6K
Warre1
Warre1
  • Article Article
Updating Windows bootable media to use the PCA2023 signed boot manager
Replies
2
Views
425
garlin
G
  • Article Article
Additional guidance for devices using Secure Boot to address CVE-2023-24932
6 7 8
Replies
157
Views
27K
Almighty1
Almighty1
Windows Boot Manager revocations for Secure Boot changes - CVE-2023-24932
Replies
3
Views
3K
Buddywh
B
  • Article Article
Win Update KB5012170: Security update for Secure Boot DBX: August 9, 2022
Replies
12
Views
5K
Bree
Bree

Latest Support Threads

Latest Tutorials

Back
Top Bottom