[CRITICAL] May 2023 SecureBoot fix will break all boot media

What about LTSC releases like Windows 10 2021? Will those be getting an updated ISO?
At the very top of the support article there's a small "more" in blue italics. If you click on that it shows the operating systems getting patched.

I'm assuming the reason Windows 10 didn't get a "v2" like Windows 11 did, was because the patch on that OS was minor and didn't require it, but the cynic in me says Microsoft is tired of Windows 10 continuing to dominate the market share, so I think they purposely delay things sometimes in order to encourage migration. It's all about money.

We already saw this in past years, like when things reach EOL and there's no final service pack, rollup, etcetera, and it becomes a pain to manually hunt it all down and integrate everything the proper way. I suspect they will do that with Windows 10 next year, intentionally not releasing an updated ISO that includes all the updates up to the time it went off the shelf.
 
Hrmm, well at least it is not too difficult to acquire updates and integrate them, but that is a barrier to entry.
 
The Enforcement Phase for KB5025885 which was scheduled for October 2024 seems to have been postponed to a later date.
The Enforcement Phase will be at least six months after the Deployment Phase (July 2024) so that means the final Enforcement Phase will be January 2025 at the earliest.

This update will be a nightmare in 2025, I'm glad it keeps getting pushed back for now.
There is always the possibility of disabling SecureBoot completely from the BIOS, especially for older motherboards with outdated BIOS versions, but that's far from being the ideal solution.

Also a warning for Windows Server 2012 and Windows Server 2012 R2 users (and also W8 / 8.1 with BypassESU):
Do not manually enable the mitigations from KB5025885 on systems with TPM2.0 if you have installed the 2024-04 Monthly Rollup KB5036960

These systems that run Windows Server 2012 and Windows Server 2012 R2 cannot deploy the mitigations released in the April 9, 2024 security update because of known compatibility issues with TPM measurements. The April 9, 2024 security updates will block mitigations #2 (boot manager) and #3 (DBX update) on affected systems.

Microsoft is aware of the issue and an update will be released in the future to unblock TPM 2.0-based systems.
 
The Enforcement Phase for KB5025885 has once again been postponed to a later date. How many years has it been now... :rolleyes:

The Enforcement Phase will not begin before January 2026, and we will give at least six months of advance warning in this article before this phase begins.

Users on NT6.2 and NT6.3 are still advised to AVOID manually applying the mitigations as the compatibility issue that originally started with the 2024-04 Monthly Rollup is still not fixed!

These systems that run Windows Server 2012 and Windows Server 2012 R2 cannot deploy the mitigations released in the July 9, 2024 security update because of known compatibility issues with TPM measurements. The July 9, 2024 security updates will block mitigations #2 (boot manager) and #3 (DBX update) on affected systems.

Microsoft is aware of the issue and an update will be released in the future to unblock TPM 2.0-based systems.
 
I'm testing a new PS script to check if your newly created ISO is capable of booting on a random PC.

1. Plug in the USB drive you've created, or manually mount the ISO file in File Explorer (so it has a drive letter) on a target PC.
2. Run the script with no arguments.

The script checks for several features:
- Is Secure Boot enabled? If we don't have Secure Boot running, then none of this matters.
- Which MS signing certificates have been added to UEFI DB (accepted certs)?
- Which MS signing certificates have been added to UEFI DBX (banned certs)?

Presuming Secure Boot is enabled, and the EFI boot file found on the USB or mounted ISO (the script searches for removable disk volumes) is both accepted on the UEFI DB list and not revoked by the UEFI DBX list – it's good!

Obviously it doesn't help unless you run it from the PC that's about to be re-imaged. The idea is you would copy it to the ISO's root folder, and run a quick sanity test before performing a clean install. I'd like to see if the script matches what's on different users' PCs.
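As an added example (not the poster's script, which is only attached, not quoted here), this PowerShell sketch performs the three checks described above: confirm Secure Boot is on, parse the UEFI db and dbx variables into their X.509 certificates, and test whether the signing chain of the media's bootx64.efi is accepted by DB and not revoked by DBX. It compares certificates only; the firmware additionally matches DBX SHA-256 image hashes and the boot manager SVN, so treat the verdict as a sanity check. It assumes a Windows host with the SecureBoot and Storage modules, an elevated prompt, and the default \EFI\Boot\bootx64.efi path on the media.

```powershell
#Requires -RunAsAdministrator
# Parse a Secure Boot variable (concatenated EFI_SIGNATURE_LISTs) and return its X.509 certs.
function Get-UefiCerts {
    param([ValidateSet('db','dbx')][string]$Name)
    $X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $certs = @(); $pos = 0
    while ($pos + 28 -le $bytes.Length) {                       # 28-byte list header
        $type     = [guid]::new([byte[]]($bytes[$pos..($pos+15)]))
        $listSize = [int][BitConverter]::ToUInt32($bytes, $pos+16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $pos+20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $pos+24)
        if ($listSize -lt 28) { break }                         # malformed list: stop
        if ($type -eq $X509Guid) {
            $p = $pos + 28 + $hdrSize
            while ($p + $sigSize -le $pos + $listSize) {
                # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID, then the DER certificate
                $der = [byte[]]($bytes[($p+16)..($p+$sigSize-1)])
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $p += $sigSize
            }
        }
        $pos += $listSize
    }
    return ,$certs
}
# Pass = a cert in the signing chain is in DB and none is in DBX (certs only; firmware also checks DBX hashes and SVN).
function Test-EfiBootFile {
    param([string]$Path, [object[]]$DbCerts, [object[]]$DbxCerts)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return 'UNSIGNED' }
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($c in ($DbCerts + $DbxCerts)) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }  # DB/DBX CAs as issuers
    [void]$chain.Build($sig.SignerCertificate)
    $thumbs  = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
    $banned  = @($DbxCerts | Where-Object { $thumbs -contains $_.Thumbprint })
    $allowed = @($DbCerts  | Where-Object { $thumbs -contains $_.Thumbprint })
    if ($banned.Count)  { return "BANNED by DBX [$($banned[0].GetNameInfo('SimpleName', $false))]" }
    if ($allowed.Count) { return "ALLOWED by DB [$($allowed[0].GetNameInfo('SimpleName', $false))]" }
    return 'NOT TRUSTED (no cert in its chain is in DB)'
}
if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is OFF; the firmware enforces none of this.' }
$db = @(Get-UefiCerts -Name db); $dbx = @(Get-UefiCerts -Name dbx)
# Check the default x64 boot file on removable and optical (mounted ISO) volumes.
Get-Volume | Where-Object { $_.DriveLetter -match '[A-Z]' -and $_.DriveType -in 'Removable','CD-ROM' } | ForEach-Object {
    $boot = "$($_.DriveLetter):\EFI\Boot\bootx64.efi"
    if (Test-Path $boot) { '{0}: {1}' -f $boot, (Test-EfiBootFile -Path $boot -DbCerts $db -DbxCerts $dbx) }
}
```

After the 2023 DBX update the "Microsoft Windows Production PCA 2011" certificate sits in both DB and DBX, so a PCA 2011-signed boot file reports BANNED, matching the "is BANNED" line in the output later in this thread.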
 

I have a much improved version of the script, renamed to Check_UEFI-CA2023.ps1 to avoid confusion with the older script.

The script supports four different command-line options:

-Audit: Report what UEFI CA 2023 steps have not been completed. Check the Windows Boot Manager as if Secure Boot is enabled (in case you're running with Secure Boot disabled).
-Verbose: Extended details including Windows build, BIOS versions, factory defaults for PK, KEK, DB and DBX variables, Windows BootMgr SVN, and count of EFI signature hashes for the DBX list.
-BootMedia: Check the boot file and Windows install image are allowed by the current UEFI setup.
-Log: Save output to a log named after the current date and PC model.

Example output (using all 4 flags):
Code:
PS C:\Users\GARLIN\Downloads> .\Check_UEFI-CA2023.ps1 -audit -verbose -bootmedia
Windows 11 25H2 (26200.7462)

Secure Boot: ON
Virtualization Based Security: ON

BitLocker on (C:) OFF
    SUSPENDED for 1 reboot.

BIOS Firmware
-------------
    VMware VMware7,1
    Version: VMW71.00V.16221537.B64.2005150253
    Date: 2020-05-14

Factory Default UEFI PK Cert
----------------------------
    VMware Default PK

UEFI PK Cert
------------
    Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    VMware Secure Boot Signing

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
    (NONE)
    EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 7.0
    EFI_CERT_SHA256_GUID Signatures: 437

EFI Files
---------
    Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
        bootmgfw.efi File version: 26100.30227

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

Bootable Media
--------------
    DVD Drive D: "CPRA_X64FRE_EN-US_DV9"
        Boot File [Production PCA 2011] is BANNED.
            bootx64.efi File version: 26100.30227

        boot.wim:2    Boot Manager [Windows UEFI CA 2023] is PRESENT.
        install.wim:1 Boot Manager [Windows UEFI CA 2023] is PRESENT.


AUDIT REPORT
============
1.  Secure Boot is DISABLED

STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.
 