TPM 2.0 Devices and remediation of CVE-2023-24932 (Black Lotus) UEFI / Secure Boot Vulnerability. - Help for those with "Known Issues"


N

NetMan304

New member
Local time
3:39 PM
Posts
4
Location
Washington State, USA
OS
Windows -10 22H2, 11 23H2, Server 2025. Linux - Fedora LTR, Red Hat Enterprise. VM Ware. Hiren's PE
Hello,
I have not been able to find assistance on this but if someone has found something please kindly link me a discussion that may already by started.

I won't beat this Black Lotus horse any more than it already has been... I find myself frustrated at the guidance in microsoft's official documentation on how to apply the mitigations ahead of the forced rollout:
How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

Under the known issues section, I have a Dell Computer with a TPM 2.0.
Code: 
TPM 2.0-based systems:  These systems that run Windows Server 2012 and Windows Server 2012 R2 
cannot deploy the mitigations released in the July 9, 2024 security update because of known compatibility issues with TPM measurements. 
The July 9, 2024 security updates will block mitigations #2 (boot manager) and #3 (DBX update) on affected systems.

Microsoft is aware of the issue and an update will be released in the future to unblock TPM 2.0-based systems.

To check your TPM version, right-click Start, click Run, and then type tpm.msc. 
On the bottom-right of the center pane under TPM Manufacturer Information, 
you should see a value for Specification Version.

I would like to get some guidance or a guide on how to rekey my machine and have the bad boot loaders revoked and not wait on a fix. is there any guidance on how to do so?

PS: I understand this is vague without any specifics. I will post them if this is the venue but for now I was more or less looking for a discussion on if this is possible, clarification on what the timing issues are with the TPM 2.0 systems and clarification on if this would be an appropriate venue for tackling this sort of task.

I have never been able to find this sort of guidance anywhere and as I am not a IT pro myself, or a complete security novice. I have a desire to tackle this sort of thing with a guide or how to.

Thanks! I look forward to any suggestions etc.
 
Windows Build/Version
22H2 OS Build 19045.5608

My Computer

System One

  • OS
    Windows -10 22H2, 11 23H2, Server 2025. Linux - Fedora LTR, Red Hat Enterprise. VM Ware. Hiren's PE
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell, HP + Various

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 26100.3194
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 nvme+256gb SKHynix m.2 nvme /External drives 512gb Samsung m.2 sata+1tb Kingston m2.nvme+ 4gb Solidigm nvme
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    #1 Edge #2 Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
Welcome.

I’m a little lost because I am also not really an IT person. So you’re trying to install Windows or update without luck due to TPM2 issues and Secure Boot? Wanting to beat whatever is coming.

22H2 is really old.

If so, have you tried creating the install media and installing with Rufus?
Using as a fresh install media or for an in-place upgrade

IMG_5343.webp


Rufus - Create bootable USB drives the easy way

Rufus: Create bootable USB drives the easy way
rufus.ie

As much as RUFUS can bypass TPM2.0 secure boot to upgrade to Windows 11 24H2, it will not work if the CPU lacks SSE4.2. Nothing will.

Again, I’m most likely out of my league and have mistaken your issue. Don’t try explaining, better I butt out.

P.S.

Here is a page that contains a security update posted in relation to CVE-2023-24932, created 6 days after July 9th (July 15th 2024)

TPM 2.0 device can't be recognized in Windows Server 2012 R2 - Microsoft Support

Fixes an issue in which TPM drivers can't recognize TPM 2.0 devices in Windows Server 2012 R2.
support.microsoft.com support.microsoft.com
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 Build 22631.5039
    Computer type
    PC/Desktop
    Manufacturer/Model
    Sin-built
    CPU
    Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz (4th Gen?)
    Motherboard
    ASUS ROG Maximus VI Formula
    Memory
    32.0 GB of I forget and the box is in storage.
    Graphics Card(s)
    Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    Sound Card
    Onboard
    Monitor(s) Displays
    4 x LG 23MP75 - 2 x 24MK430H-B - 1 x Wacom Pro 22" Tablet
    Screen Resolution
    All over the place
    Hard Drives
    Too many to list.
    OS on Samsung 1TB 870 QVO SATA
    PSU
    Silverstone 1500
    Case
    NZXT Phantom 820 Full-Tower Case
    Cooling
    Noctua NH-D15 Elite Class Dual Tower CPU Cooler / 6 x EziDIY 120mm / 2 x Corsair 140mm somethings / 1 x 140mm Thermaltake something / 2 x 200mm Corsair.
    Keyboard
    Corsair K95 / Logitech diNovo Edge Wireless
    Mouse
    Logitech G402 / G502 / Mx Masters / MX Air Cordless
    Internet Speed
    100/40Mbps
    Browser
    All sorts
    Antivirus
    Kaspersky Premium
    Other Info
    I’m on a horse.
  • Operating System
    Windows 11 Pro 23H2 Build: 22631.4249
    Computer type
    Laptop
    Manufacturer/Model
    LENOVO Yoga 7i EVO OLED 14" Touchscreen i5 12 Core 16GB/512GB
    CPU
    Intel Core 12th Gen i5-1240P Processor (1.7 - 4.4GHz)
    Memory
    16GB LPDDR5 RAM
    Graphics card(s)
    Intel Iris Xe Graphics Processor
    Sound Card
    Optimized with Dolby Atmos®
    Screen Resolution
    QHD 2880 x 1800 OLED
    Hard Drives
    M.2 512GB
    Antivirus
    Defender / Malwarebytes
    Other Info
    …still on a horse.
NetMan304 said:
Under the known issues section, I have a Dell Computer with a TPM 2.0.
Code: 
TPM 2.0-based systems:  These systems that run Windows Server 2012 and Windows Server 2012 R2
cannot deploy the mitigations released in the July 9, 2024 security update because of known compatibility issues with TPM measurements.
The July 9, 2024 security updates will block mitigations #2 (boot manager) and #3 (DBX update) on affected systems.

Microsoft is aware of the issue and an update will be released in the future to unblock TPM 2.0-based systems.
Click to expand...
Unless you're running Server 2012 on your PC's, this warning is irrelevant to you.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
Unless you're running Server 2012 on your PC's, this warning is irrelevant to you.
Click to expand...


That’s what I was wondering when reading all that documentation. It referenced Server 2012 and Windows 8/8.1. That goes also for the download patches I linked to. Hence my confusion.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 Build 22631.5039
    Computer type
    PC/Desktop
    Manufacturer/Model
    Sin-built
    CPU
    Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz (4th Gen?)
    Motherboard
    ASUS ROG Maximus VI Formula
    Memory
    32.0 GB of I forget and the box is in storage.
    Graphics Card(s)
    Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    Sound Card
    Onboard
    Monitor(s) Displays
    4 x LG 23MP75 - 2 x 24MK430H-B - 1 x Wacom Pro 22" Tablet
    Screen Resolution
    All over the place
    Hard Drives
    Too many to list.
    OS on Samsung 1TB 870 QVO SATA
    PSU
    Silverstone 1500
    Case
    NZXT Phantom 820 Full-Tower Case
    Cooling
    Noctua NH-D15 Elite Class Dual Tower CPU Cooler / 6 x EziDIY 120mm / 2 x Corsair 140mm somethings / 1 x 140mm Thermaltake something / 2 x 200mm Corsair.
    Keyboard
    Corsair K95 / Logitech diNovo Edge Wireless
    Mouse
    Logitech G402 / G502 / Mx Masters / MX Air Cordless
    Internet Speed
    100/40Mbps
    Browser
    All sorts
    Antivirus
    Kaspersky Premium
    Other Info
    I’m on a horse.
  • Operating System
    Windows 11 Pro 23H2 Build: 22631.4249
    Computer type
    Laptop
    Manufacturer/Model
    LENOVO Yoga 7i EVO OLED 14" Touchscreen i5 12 Core 16GB/512GB
    CPU
    Intel Core 12th Gen i5-1240P Processor (1.7 - 4.4GHz)
    Memory
    16GB LPDDR5 RAM
    Graphics card(s)
    Intel Iris Xe Graphics Processor
    Sound Card
    Optimized with Dolby Atmos®
    Screen Resolution
    QHD 2880 x 1800 OLED
    Hard Drives
    M.2 512GB
    Antivirus
    Defender / Malwarebytes
    Other Info
    …still on a horse.
antspants said:
So you’re trying to install Windows or update without luck due to TPM2 issues and Secure Boot?
22H2 is really old.
Click to expand...
Let me clarify. I'm trying to do a clean install of Windows 10 that includes The mitigations for Black lotus all at once. Reload Bios / uefi from clean install using updated bootloader's and resetting Tpm with new keys, that aren't compromised.

I'm choosing Windows 10 due to personal preference. My computer is also compatible with Windows 11, per the manufacturer (Dell)

I can install Windows 10 just fine but since I have a TPM 2.0 the black lotus mitigation step #2 and #3 are automatically blocked on my system. This is in line with the documentation for Microsoft that states this will happen on those affected (tpm 2.0) systems + others.

I'm looking for a way to have a system with the mitigations applied for black lotus and not just a system that relies on revoked or vulnerable bootloaders.

Essentially I would like to apply the mitigations proactively and not wait for forced roll out.

garlin said:
Unless you're running Server 2012 on your PC's, this warning is irrelevant to you.
Click to expand...
I've always been under the impression that since these articles are geared towards IT professionals they only list "IT professional" builds as affected. It does appear that steps #2 and #3 are being blocked on my system.

Yes an update SHOULD be issued by Microsoft and / or OEM in due time but I am not wanting to wait..... If possible
 

My Computer

System One

  • OS
    Windows -10 22H2, 11 23H2, Server 2025. Linux - Fedora LTR, Red Hat Enterprise. VM Ware. Hiren's PE
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell, HP + Various
NetMan304 said:
Yes an update SHOULD be issued by Microsoft and / or OEM in due time but I am not wanting to wait
Click to expand...


I can’t help but keep coming back to the fact Microsoft has dealt with this in 2023 & July 2024 . Also, again, Build 22H2 is extremely old and in itself, probably a security issue.

www.bleepingcomputer.com

New Microsoft script updates Windows media with bootkit malware fixes

Microsoft has released a PowerShell script to help Windows users and admins update bootable media so it utilizes the new "Windows UEFI CA 2023" certificate before the mitigations of the BlackLotus UEFI bootkit are enforced later this year.
www.bleepingcomputer.com www.bleepingcomputer.com

And again, again. I should probably stay out of it. Garlin always buries me with his knowledge.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 Build 22631.5039
    Computer type
    PC/Desktop
    Manufacturer/Model
    Sin-built
    CPU
    Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz (4th Gen?)
    Motherboard
    ASUS ROG Maximus VI Formula
    Memory
    32.0 GB of I forget and the box is in storage.
    Graphics Card(s)
    Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    Sound Card
    Onboard
    Monitor(s) Displays
    4 x LG 23MP75 - 2 x 24MK430H-B - 1 x Wacom Pro 22" Tablet
    Screen Resolution
    All over the place
    Hard Drives
    Too many to list.
    OS on Samsung 1TB 870 QVO SATA
    PSU
    Silverstone 1500
    Case
    NZXT Phantom 820 Full-Tower Case
    Cooling
    Noctua NH-D15 Elite Class Dual Tower CPU Cooler / 6 x EziDIY 120mm / 2 x Corsair 140mm somethings / 1 x 140mm Thermaltake something / 2 x 200mm Corsair.
    Keyboard
    Corsair K95 / Logitech diNovo Edge Wireless
    Mouse
    Logitech G402 / G502 / Mx Masters / MX Air Cordless
    Internet Speed
    100/40Mbps
    Browser
    All sorts
    Antivirus
    Kaspersky Premium
    Other Info
    I’m on a horse.
  • Operating System
    Windows 11 Pro 23H2 Build: 22631.4249
    Computer type
    Laptop
    Manufacturer/Model
    LENOVO Yoga 7i EVO OLED 14" Touchscreen i5 12 Core 16GB/512GB
    CPU
    Intel Core 12th Gen i5-1240P Processor (1.7 - 4.4GHz)
    Memory
    16GB LPDDR5 RAM
    Graphics card(s)
    Intel Iris Xe Graphics Processor
    Sound Card
    Optimized with Dolby Atmos®
    Screen Resolution
    QHD 2880 x 1800 OLED
    Hard Drives
    M.2 512GB
    Antivirus
    Defender / Malwarebytes
    Other Info
    …still on a horse.
You must log in or register to reply here.

Similar threads

Solved New revocations for CVE-2023-24932 (Black Lotus) not working correctly?
Replies
8
Views
5K
milkturnipsbage
M
  • Article Article
Additional guidance for devices using Secure Boot to address CVE-2023-24932
6 7 8
Replies
157
Views
27K
Almighty1
Almighty1
Windows Boot Manager revocations for Secure Boot changes - CVE-2023-24932
Replies
3
Views
3K
Buddywh
B

Latest Support Threads

Latest Tutorials

Back
Top Bottom