Microsoft has been trying for some time to harden Secure Boot in Windows against CVE-2023-24932, the vulnerability exploited by the BlackLotus bootkit. Below is a short summary in FAQ form, including the certificate that has to be exchanged in boot media, plus a script a reader sent me for exchanging the certificates.
Windows UEFI CA 2023 certificate
For a long time, Microsoft has been trying to close the vulnerability CVE-2023-24932 in Windows Secure Boot, which is exploited by the BlackLotus UEFI bootkit (see KB5025885: Secure boot hardening against vulnerability CVE-2023-24932 (Black Lotus)).
But there is a second problem: in October 2026 the Microsoft UEFI certificate "Windows Production PCA 2011", which Secure Boot uses to verify the Windows boot manager, expires. This affects not only Windows users; Linux administrators should look into the issue as well. Here, too, Microsoft has been working on the certificate renewal for some time (see my German blog post Windows 10/11 KB5053484: Neues PS-Script für Zertifikate in Boot-Medien). Administrators need to get the new certificate into the UEFI of their machines by October 2026.
Questions and answers about the UEFI certificate
Bolko posted some questions and answers about the replacement of the Secure Boot UEFI certificate in this German comment (thanks for that). I have extracted the information as an FAQ.
Which update contains the new UEFI certificate?
Cumulative update KB5036210 from February 13, 2024 was the first to ship the Windows UEFI CA 2023 certificate together with the functions to add the new key to the UEFI Secure Boot Allowed Signature Database (db). This and all subsequent updates contain the new boot loader certificate, which Secure Boot will require once the 2011 certificate expires in October 2026.
How do I know if the new certificate is available?
According to the support page, you can tell whether Windows has integrated the new certificate by looking at the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
If the 32-bit DWORD value WindowsUEFICA2023Capable is set to a non-zero value such as 0x40, Windows should be prepared. With the DWORD value 0x0, the system is not ready for the new UEFI certificate. Note that this flag only records what Windows servicing has done; whether the certificate has actually landed in the firmware's db is a separate check (see the next item).
Are UEFI signatures integrated?
The interesting question is whether the OEM has already integrated the new certificates in the UEFI of a new computer; in that case you save yourself the patching. Bolko writes that you can check this in the UEFI yourself: open the firmware setup when starting the computer (via a function key) and look in the following options:
secure boot keys -> Authorized Signatures (db) -> search for "Windows UEFI CA 2023"
More detailed information on these UEFI signatures, including downloads for the new certificates, can be found in this document from Microsoft. Summary: depending on the motherboard manufacturer, you need a signed KEK (Key Exchange Key) before the new signatures can be integrated into the UEFI. The reason is the Secure Boot key hierarchy: the firmware only accepts updates to db and dbx that are signed by a key listed in KEK, and it only accepts new KEK entries that are signed with the OEM's Platform Key (PK).
Microsoft calls the new key exchange certificate "Microsoft Corporation KEK CA 2023". Every motherboard manufacturer has to download this certificate, sign it with its PK and upload the signed result back to Microsoft, so that Microsoft can distribute it and then write the new db and dbx entries to the UEFI through a Windows update from 2026 onwards. Without the signed new KEK, the firmware refuses updates to the permitted boot loader signature databases.
More information
As far as I know, Microsoft intends to declare the old Secure Boot certificate ("Windows Production PCA 2011") invalid with a future update, but the so-called enforcement phase will not begin before January 2026. I recommend that all readers read the Microsoft support article How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 from May 2023, because a lot of additional information (including the timelines for the enforcement phase) has been compiled there.
A script for certificate installation
A script for certificate installation was mentioned in this German comment thread. I offered to publish it, and the instructions are below. An administrator sent me the following code (thanks for that).
```batch
@ECHO OFF
@REM Author: RF
@REM Date:   31.01.2025
@REM KB5025885
REM TODO (step outline; Windows applies each AvailableUpdates bit across two reboots)
REM reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
REM 2x reboot
REM
REM powershell -command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'"
REM
REM reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
REM 2x reboot
REM
REM mountvol Q: /s && copy "Q:\EFI\Microsoft\Boot\bootmgfw.efi" "%TEMP%\bootmgfw.efi" && mountvol Q: /d
REM check the signature of %TEMP%\bootmgfw.efi
REM
REM reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f
REM 2x reboot
REM
REM powershell -command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011'"
REM
REM reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
REM 2x reboot
@ECHO.
@ECHO %~nx0 %*
REM ****************************************************************************
REM Check for administrator rights ("net session" fails without elevation)
"%windir%\System32\net.exe" session >nul 2>nul
IF ERRORLEVEL 1 (
    ECHO.
    ECHO Error: %~nx0
    ECHO Administrator rights required
    ECHO.
    PAUSE
    EXIT /b
)
REM ****************************************************************************
SETLOCAL
SET $CWD=%CD%
SET $CERT_OLD=Microsoft Windows Production PCA 2011
SET $CERT_NEW=Windows UEFI CA 2023
SET $OUT=%TEMP%\~%~n0.txt
CD /D "%~dp0"
REM CD /D "%~1"
REM ****************************************************************************
ECHO Check new certificate installed in UEFI db (%$CERT_NEW%)
ECHO.
REM PowerShell prints True/False; find.exe sets ERRORLEVEL 0 if "True" is in the output
> "%$OUT%" powershell.exe -command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match '%$CERT_NEW%'"
> NUL "%windir%\System32\find.exe" /I "True" "%$OUT%"
IF "0"=="%ERRORLEVEL%" GOTO :DB_OK
REM ****************************************************************************
ECHO.
ECHO ERROR: new certificate is not installed in UEFI db.
ECHO.
SET /P $ANSWER="Do you want to install the new certificate in UEFI db? [Y/N] "
IF /I NOT "Y"=="%$ANSWER%" GOTO :ENDE
REM ****************************************************************************
ECHO.
ECHO Add registry key
ECHO.
"%windir%\System32\REG.EXE" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot" /v AvailableUpdates /t REG_DWORD /d 0x40 /f
ECHO.
ECHO Please reboot twice and run this script again
ECHO.
GOTO :ENDE
REM ****************************************************************************
:DB_OK
ECHO New certificate is installed in UEFI db (%$CERT_NEW%).
ECHO.
REM ****************************************************************************
ECHO Check signature of boot loader (%$CERT_NEW%)
ECHO.
REM Mount the EFI system partition on Q:, copy the boot manager out, unmount again
"%windir%\System32\mountvol.exe" Q: /S > NUL
COPY /Y "Q:\EFI\Microsoft\Boot\bootmgfw.efi" "%TEMP%\bootmgfw.efi"
"%windir%\System32\mountvol.exe" Q: /D > NUL
REM The signer CN is stored as plain text inside the embedded Authenticode signature
> NUL "%windir%\System32\find.exe" /I "%$CERT_NEW%" "%TEMP%\bootmgfw.efi"
IF "0"=="%ERRORLEVEL%" GOTO :BOOT_OK
> NUL "%windir%\System32\find.exe" /I "%$CERT_OLD%" "%TEMP%\bootmgfw.efi"
IF "0"=="%ERRORLEVEL%" ECHO Boot loader is signed with old certificate "%$CERT_OLD%"
REM ****************************************************************************
ECHO.
ECHO ERROR: boot loader is not signed with the new certificate.
ECHO.
SET /P $ANSWER="Do you want to update the boot loader? [Y/N] "
IF /I NOT "Y"=="%$ANSWER%" GOTO :ENDE
REM ****************************************************************************
ECHO.
ECHO Add registry key
ECHO.
"%windir%\System32\REG.EXE" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot" /v AvailableUpdates /t REG_DWORD /d 0x100 /f
ECHO.
ECHO Please reboot twice and run this script again
ECHO.
GOTO :ENDE
REM ****************************************************************************
:BOOT_OK
ECHO Boot loader is signed with new certificate (%$CERT_NEW%).
ECHO.
REM ****************************************************************************
ECHO Check old certificate blocked in UEFI dbx (%$CERT_OLD%)
ECHO.
> "%$OUT%" powershell.exe -command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match '%$CERT_OLD%'"
> NUL "%windir%\System32\find.exe" /I "True" "%$OUT%"
IF "0"=="%ERRORLEVEL%" GOTO :DBX_OK
REM ****************************************************************************
ECHO.
ECHO ERROR: old certificate is not blocked in UEFI dbx.
ECHO.
SET /P $ANSWER="Do you want to block the old certificate in UEFI dbx? [Y/N] "
IF /I NOT "Y"=="%$ANSWER%" GOTO :ENDE
REM ****************************************************************************
ECHO.
ECHO Add registry key
ECHO.
"%windir%\System32\REG.EXE" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot" /v AvailableUpdates /t REG_DWORD /d 0x80 /f
ECHO.
ECHO Please reboot twice and run this script again
ECHO.
GOTO :ENDE
REM ****************************************************************************
:DBX_OK
ECHO Old certificate is blocked in UEFI dbx.
ECHO.
REM ****************************************************************************
REM TODO: final step (0x200), left unautomated by the author
REM "%windir%\System32\REG.EXE" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot" /v AvailableUpdates /t REG_DWORD /d 0x200 /f
REM ****************************************************************************
:ENDE
ECHO bye
PAUSE
CD /D "%$CWD%"
ENDLOCAL
GOTO :EOF
```
The administrator has informed me that he has converted around 50 computers with the script. Of course, the code is provided as-is and use is at your own risk.
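The checks that the FAQ and the reader's batch script perform (is Windows UEFI CA 2023 in db, is the boot manager signed with it, is Windows Production PCA 2011 in dbx, and has the OEM's KEK been updated) can be done more robustly by parsing the Secure Boot variables instead of searching their bytes for an ASCII string. The following PowerShell is an added example of mine; it is neither the reader's script nor Microsoft code. It assumes an elevated session on UEFI firmware with Secure Boot support (Get-SecureBootUEFI throws on legacy BIOS), an EFI system partition that mountvol can mount, a free drive letter S:, and the function names are my own. It only reads state and reports which AvailableUpdates bit would come next in the order the script above uses; it does not set the key.

```powershell
#Requires -RunAsAdministrator
# Added example (not the reader's batch script, not Microsoft code).
# Assumptions: elevated session, UEFI firmware with Secure Boot, free drive letter S:.

$CertNew = 'Windows UEFI CA 2023'
$CertOld = 'Microsoft Windows Production PCA 2011'
$KekNew  = 'Microsoft Corporation KEK CA 2023'

# Signature-list type GUIDs from the UEFI specification.
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'

# Walk the EFI_SIGNATURE_LIST chain stored in a Secure Boot variable and emit one
# object per EFI_SIGNATURE_DATA entry. X.509 entries are decoded so that the
# subject is matched, not a byte pattern somewhere in the variable.
function Get-EfiSignatureEntries {
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $end = $offset + $listSize
        if ($listSize -lt 28 -or $end -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $headerSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by SignatureData.
            $data = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Value = $cert.Subject; NotAfter = $cert.NotAfter }
            } elseif ($type -eq $EfiCertSha256) {
                [pscustomobject]@{ Kind = 'SHA256'; Value = ([BitConverter]::ToString($data) -replace '-'); NotAfter = $null }
            } else {
                [pscustomobject]@{ Kind = $type.ToString(); Value = "$($data.Length) bytes"; NotAfter = $null }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

# True if an X.509 entry with exactly this common name is in the list.
function Test-SubjectPresent {
    param($Entries, [string]$CommonName)
    [bool]($Entries | Where-Object { $_.Kind -eq 'X509' -and $_.Value -like "CN=$CommonName,*" })
}

# Copy the boot manager off the EFI system partition and read the Authenticode
# signer from the PE signature (the batch script greps the binary instead).
function Get-BootManagerSigner {
    param([string]$Drive = 'S:')
    $copy = Join-Path $env:TEMP 'bootmgfw.efi'
    mountvol $Drive /S | Out-Null
    try {
        Copy-Item -Path "$Drive\EFI\Microsoft\Boot\bootmgfw.efi" -Destination $copy -Force
    } finally {
        mountvol $Drive /D | Out-Null
    }
    $sig = Get-AuthenticodeSignature -FilePath $copy
    [pscustomobject]@{ Status = $sig.Status; Subject = $sig.SignerCertificate.Subject }
}

$vars = @{}
foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    $vars[$name] = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name $name).Bytes)
}
$boot = Get-BootManagerSigner
$cap  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
         -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable

$kekHasNew = Test-SubjectPresent $vars['KEK'] $KekNew
$dbHasNew  = Test-SubjectPresent $vars['db']  $CertNew
$dbxHasOld = Test-SubjectPresent $vars['dbx'] $CertOld
$bootIsNew = $boot.Subject -like "CN=$CertNew,*"   # Status is reported separately below

"PK (OEM platform key)      : $(($vars['PK'] | Where-Object Kind -eq 'X509').Value -join '; ')"
"KEK has $KekNew : $kekHasNew"
"db  has $CertNew              : $dbHasNew"
"dbx revokes $CertOld : $dbxHasOld (dbx also holds $(@($vars['dbx'] | Where-Object Kind -eq 'SHA256').Count) SHA-256 hashes)"
"bootmgfw.efi signer        : $($boot.Subject) [$($boot.Status)]"
"WindowsUEFICA2023Capable   : $cap"

# Same ordering as the batch script: db first, then boot manager, then dbx.
$next = if (-not $dbHasNew) { '0x40 (add Windows UEFI CA 2023 to db)' }
        elseif (-not $bootIsNew) { '0x100 (switch to the 2023-signed boot manager)' }
        elseif (-not $dbxHasOld) { '0x80 (revoke Windows Production PCA 2011 in dbx; refresh recovery media first)' }
        else { 'none of the three steps is outstanding' }
"Next AvailableUpdates bit  : $next"
```

The parser also surfaces the NotAfter date of every certificate in db and KEK, so the same run shows how close the 2011 certificates on a given machine are to their expiry. If the KEK line reports False, the firmware will not accept the db/dbx updates for the reasons described in the FAQ above, and the OEM's PK-signed KEK update has to arrive first.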
There is also a Remediation SCCM Task sequence by Garytown available for those who use SCCM to manage their clients. It checks a client for compliance and performs all the necessary remediation steps if required, by setting the REG keys and doing the restarts. We've successfully tested it on about 40 clients and plan to push into production soon.
https://garytown.com/configmgr-task-sequence-kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932
https://github.com/gwblok/garytown/tree/master/ConfigMgr/Baselines/CVE-2023-24932
Many thanks for reminding me about this pickle – escaped my mind totally.
Can confirm that script (via command line) has worked fine on my HP Omen PC (Gen 6 Intel CPU).
Can also confirm that all sorts of media once treated with Microsoft bodge (see https://support.microsoft.com/en-gb/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_update_boot_media for details) are up to date and bootable again, all is well and one is truly back in the game.
Worth emphasising the importance of having access to ANY sort of recovery media being up to date prior to all the above as once 2011 cert revoke takes place, there's no coming back and if something fails, there's no way to recover / reinstall / retrieve from backups. But then it's chicken and egg scenario: one cannot have updated recovery media or backup before one patches one's machine…