{"id":37248,"date":"2025-03-03T00:02:05","date_gmt":"2025-03-02T23:02:05","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=37248"},"modified":"2025-03-03T18:26:01","modified_gmt":"2025-03-03T17:26:01","slug":"faq-and-script-for-secure-boot-protection-against-cve-2023-24932-black-lotus","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/03\/03\/faq-and-script-for-secure-boot-protection-against-cve-2023-24932-black-lotus\/","title":{"rendered":"FAQ and script for secure boot protection against CVE-2023-24932 (Black Lotus)"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/02\/25\/script-zur-secure-boot-absicherung-gegen-cve-2023-24932-black-lotus\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] Microsoft has been trying for some time to harden Secure Boot in Windows against the BlackLotus bootkit vulnerability CVE-2023-24932. Below is a short summary or FAQ, including the certificate to be exchanged in the boot media. 
And a reader has sent me his script for exchanging certificates.<\/p>\n<p><!--more--><\/p>\n<h2>Windows UEFI CA 2023 certificate<\/h2>\n<p>For a long time, Microsoft has been trying to close the vulnerability CVE-2023-24932 in the Secure Boot of Windows 11, which is exploited by the BlackLotus UEFI bootkit (see <a href=\"https:\/\/borncity.com\/win\/2023\/05\/13\/kb5025885-secure-boot-hardening-against-vulnerability-cve-2023-24932-black-lotus\/\" rel=\"bookmark\">KB5025885: Secure boot hardening against vulnerability CVE-2023-24932 (Black Lotus)<\/a>).<\/p>\n<p>But there is another problem: In October 2026, a UEFI certificate (\"Windows Production PCA 2011\") from Microsoft that is used for Secure Boot will expire. This affects not only Windows users; Linux administrators should also look into the issue. Here, too, Microsoft has been trying to renew the certificate for some time (see my German blog post <a href=\"https:\/\/www.borncity.com\/blog\/2025\/02\/05\/windows-10-11-kb5053484-neues-ps-script-fuer-zertifikate-in-boot-medien\/\" rel=\"bookmark\">Windows 10\/11 KB5053484: Neues PS-Script f\u00fcr Zertifikate in Boot-Medien<\/a>). Administrators need to install the new certificate in the UEFI of the machines by October 2026.<\/p>\n<h2>Questions and answers about the UEFI certificate<\/h2>\n<p>Bolko had posted some questions and answers about the replacement of the UEFI certificate for the Secure Boot in <a href=\"https:\/\/www.borncity.com\/blog\/2025\/02\/05\/windows-10-11-kb5053484-neues-ps-script-fuer-zertifikate-in-boot-medien\/#comment-207424\" target=\"_blank\" rel=\"noopener\">this German comment<\/a> (thanks for that). 
I'll extract the information as an FAQ.<\/p>\n<h3>Which update contains the new UEFI certificate?<\/h3>\n<p>Cumulative update <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5036210-deploying-windows-uefi-ca-2023-certificate-to-secure-boot-allowed-signature-database-db-a68a3eae-292b-4224-9490-299e303b450b\" target=\"_blank\" rel=\"noopener\">KB5036210<\/a> from February 13, 2024 brought the Windows UEFI CA 2023 certificate and the functions to update the UEFI Secure Boot Allowed Signature Database (DB) with the new key for the first time. This and all subsequent updates should contain the new boot loader certificate, which will be required for Secure Boot after October 2026.<\/p>\n<h3>How do I know if the new certificate is available?<\/h3>\n<p>You should be able to find out whether Windows has integrated the new certificate by looking at the following registry key (according to <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5036210-deploying-windows-uefi-ca-2023-certificate-to-secure-boot-allowed-signature-database-db-a68a3eae-292b-4224-9490-299e303b450b\" target=\"_blank\" rel=\"noopener\">the support page<\/a>):<\/p>\n<p>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\Servicing<\/p>\n<p>If the 32-bit DWORD value <em>WindowsUEFICA2023Capable<\/em> is set to 0x40, Windows should be prepared. With the DWORD value 0x0, the system is not ready for the new UEFI certificate.<\/p>\n<h3>Are UEFI signatures integrated?<\/h3>\n<p>The interesting question is whether an OEM manufacturer has already integrated the new certificates in the UEFI of a new computer. Then you save yourself the trouble of patching. Bolko writes that you can check the UEFI yourself. 
To do this, open the UEFI when starting the computer (via a function key) and look in the following options:<\/p>\n<p>secure boot keys -&gt; Authorized Signatures (db) -&gt; search for \"Windows UEFI CA 2023\"<\/p>\n<p>More detailed information on these UEFI signatures, including downloads for the new certificate, can be found in <a href=\"https:\/\/learn.microsoft.com\/de-de\/windows-hardware\/manufacture\/desktop\/windows-secure-boot-key-creation-and-management-guidance?view=windows-11\" target=\"_blank\" rel=\"noopener\">this document<\/a> from Microsoft. Summary: Depending on the motherboard manufacturer, you need a signed KEK key to be able to integrate these new signatures into the UEFI.<\/p>\n<p>Microsoft refers to the new key exchange certificate as the \"Microsoft Corporation KEK CA 2023 certificate\". All motherboard manufacturers must download this Microsoft certificate, sign it and upload it back to Microsoft so that Microsoft can then write new DB and DBX signatures to the UEFI via an update from Windows from 2026. Without this new signed KEK, the UEFIs would refuse to update the permitted bootloader signature databases.<\/p>\n<h3>More information<\/h3>\n<p>As far as I know, Microsoft wants to declare the old UEFI secure boot certificate (\"Windows Production PCA 2011\") invalid with a future update. However, the so-called enforcement phase will not begin before January 2026. 
I recommend that all readers read the Microsoft support article <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d\" target=\"_blank\" rel=\"noopener\">How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932<\/a> from May 2023, as a lot of additional information (including the timelines for the enforcement phase) has been compiled there.<\/p>\n<h2>A script for certificate installation<\/h2>\n<p>There was a reference to a script for certificate installation in <a href=\"https:\/\/www.borncity.com\/blog\/2025\/02\/05\/windows-10-11-kb5053484-neues-ps-script-fuer-zertifikate-in-boot-medien\/#comment-207428\" target=\"_blank\" rel=\"noopener\">this German comment thread<\/a>. I offered to publish the script &#8211; here are the instructions. An administrator sent me the following code (thanks for that).<\/p>\n<pre>@ECHO OFF\r\n@REM\tAuthor:RF\r\n@REM\tDate:31.01.2025\r\n@REM\tKB5025885\r\n\r\nREM TODO: the manual sequence this script automates (registry flag, two reboots, check, next flag)\r\nREM reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Secureboot \/v AvailableUpdates \/t REG_DWORD \/d 0x40 \/f\r\nREM 2x Reboot\r\nREM\r\nREM powershell -command \"[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'\"\r\nREM\r\nREM reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Secureboot \/v AvailableUpdates \/t REG_DWORD \/d 0x100 \/f\r\nREM 2x Reboot\r\nREM\r\nREM mountvol Q: \/s &amp;&amp; copy \"Q:\\EFI\\Microsoft\\Boot\\bootmgfw.efi\" \"%TEMP%\\bootmgfw.efi\" &amp;&amp; mountvol Q: \/d\r\nREM Check the signature of %TEMP%\\bootmgfw.efi\r\nREM\r\nREM reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Secureboot \/v AvailableUpdates \/t REG_DWORD \/d 0x80 \/f\r\nREM 2x Reboot\r\nREM\r\nREM powershell -command \"[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI 
dbx).bytes) -match 'Microsoft Windows Production PCA 2011'\"\r\nREM\r\nREM reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Secureboot \/v AvailableUpdates \/t REG_DWORD \/d 0x200 \/f\r\nREM 2x Reboot\r\n\r\n@ECHO.\r\n@ECHO %~nx0 %*\r\n\r\nREM ****************************************************************************\r\nREM Test for administrator privileges (net session fails without elevation)\r\n\"%windir%\\System32\\net.exe\" session &gt;nul 2&gt;nul\r\nREM ECHO ErrorLevel: %errorlevel%\r\n\r\nIF ERRORLEVEL 1 (\r\n  ECHO.\r\n  ECHO Error: %~nx0\r\n  ECHO Administrator Berechtigung erforderlich\r\n  ECHO.\r\n  Pause\r\n  Exit \/b\r\n)\r\n\r\nREM ****************************************************************************\r\nSETLOCAL\r\nSET $CWD=%CD%\r\nSET $CERT_OLD=Microsoft Windows Production PCA 2011\r\nSET $CERT_NEW=Windows UEFI CA 2023\r\nSET $OUT=%TEMP%\\~%~n0.txt\r\n\r\nCD \/D \"%~dp0\"\r\nREM CD \/D \"%~1\"\r\n\r\nREM ****************************************************************************\r\nREM Step 1: is the new CA already present in the UEFI db?\r\nECHO Check new Certificate installed in UEFI db (%$CERT_NEW%)\r\nECHO.\r\n\r\n&gt; \"%$OUT%\" powershell.exe -command \"[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match '%$CERT_NEW%'\"\r\n&gt; NUL \"%windir%\\System32\\find.exe\" \/I \"True\" \"%$OUT%\"\r\nREM ECHO %ERRORLEVEL%\r\nIF \"0\"==\"%ERRORLEVEL%\"\tGOTO :DB_OK\r\n\r\nREM ****************************************************************************\r\nECHO.\r\nECHO ERROR: new Certificate is not installed in UEFI db.\r\nECHO.\r\nSET \/P $ANSWER=\"Do you want to install new Certificate in UEFI db? 
[Y\/N] \"\r\nIF \/I NOT \"Y\"==\"%$ANSWER%\"\tGOTO :ENDE\r\n\r\nREM ****************************************************************************\r\nECHO.\r\nECHO Add Reg Key\r\nECHO.\r\n\"%windir%\\System32\\REG.EXE\" ADD \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Secureboot\" \/v AvailableUpdates \/t REG_DWORD \/d 0x40 \/f\r\n\r\nECHO.\r\nECHO Please reboot twice and run this script again\r\nECHO.\r\nGOTO :ENDE\r\n\r\nREM ****************************************************************************\r\n:DB_OK\r\nECHO new Certificate is installed in UEFI db (%$CERT_NEW%).\r\nECHO.\r\n\r\nREM ****************************************************************************\r\nECHO Check Signature of BootLoader (%$CERT_NEW%)\r\nECHO.\r\n\"%windir%\\System32\\mountvol.exe\" Q: \/S\r\n&gt; NUL COPY \/Y \"Q:\\EFI\\Microsoft\\Boot\\bootmgfw.efi\" \"%TEMP%\\bootmgfw.efi\"\r\n\"%windir%\\System32\\mountvol.exe\" Q: \/D\r\n\r\n&gt; NUL \"%windir%\\System32\\find.exe\" \/I \"%$CERT_NEW%\" \"%TEMP%\\bootmgfw.efi\"\r\nREM ECHO %ERRORLEVEL%\r\nIF \"0\"==\"%ERRORLEVEL%\"\tGOTO :BOOT_OK\r\n\r\n&gt; NUL \"%windir%\\System32\\find.exe\" \/I \"%$CERT_OLD%\" \"%TEMP%\\bootmgfw.efi\"\r\nIF \"0\"==\"%ERRORLEVEL%\"\tECHO BootLoader is signed with old Certificate \"%$CERT_OLD%\"\r\n\r\nREM ****************************************************************************\r\nECHO.\r\nECHO ERROR: BootLoader is not signed with new Certificate.\r\nECHO.\r\nSET \/P $ANSWER=\"Do you want to update the BootLoader? 
[Y\/N] \"\r\nIF \/I NOT \"Y\"==\"%$ANSWER%\"\tGOTO :ENDE\r\n\r\nREM ****************************************************************************\r\nECHO.\r\nECHO Add Reg Key\r\nECHO.\r\n\"%windir%\\System32\\REG.EXE\" ADD \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Secureboot\" \/v AvailableUpdates \/t REG_DWORD \/d 0x100 \/f\r\n\r\nECHO.\r\nECHO Please reboot twice and run this script again\r\nECHO.\r\nGOTO :ENDE\r\n\r\nREM ****************************************************************************\r\n:BOOT_OK\r\nECHO BootLoader is signed with new Certificate (%$CERT_NEW%).\r\nECHO.\r\n\r\nREM ****************************************************************************\r\nREM Step 3: is the old CA revoked in the UEFI dbx?\r\nECHO Check old Certificate blocked in UEFI dbx (%$CERT_OLD%)\r\nECHO.\r\n\r\n&gt; \"%$OUT%\" powershell.exe -command \"[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match '%$CERT_OLD%'\"\r\n&gt; NUL \"%windir%\\System32\\find.exe\" \/I \"True\" \"%$OUT%\"\r\nREM ECHO %ERRORLEVEL%\r\nIF \"0\"==\"%ERRORLEVEL%\"\tGOTO :DBX_OK\r\n\r\nREM ****************************************************************************\r\nECHO.\r\nECHO ERROR: old Certificate is not blocked in UEFI dbx.\r\nECHO.\r\nSET \/P $ANSWER=\"Do you want to block the old Certificate in UEFI dbx? 
[Y\/N] \"\r\nIF \/I NOT \"Y\"==\"%$ANSWER%\"\tGOTO :ENDE\r\n\r\nREM ****************************************************************************\r\nECHO.\r\nECHO Add Reg Key\r\nECHO.\r\n\"%windir%\\System32\\REG.EXE\" ADD \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Secureboot\" \/v AvailableUpdates \/t REG_DWORD \/d 0x80 \/f\r\n\r\nECHO.\r\nECHO Please reboot twice and run this script again\r\nECHO.\r\nGOTO :ENDE\r\n\r\nREM ****************************************************************************\r\n:DBX_OK\r\nECHO old Certificate is blocked in UEFI dbx.\r\nECHO.\r\n\r\nREM ****************************************************************************\r\nREM TODO\r\nREM \"%windir%\\System32\\REG.EXE\" ADD \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Secureboot\" \/v AvailableUpdates \/t REG_DWORD \/d 0x200 \/f\r\n\r\nREM ****************************************************************************\r\n:ENDE\r\nECHO bye\r\nPAUSE\r\nCD \/D \"%$CWD%\"\r\nENDLOCAL\r\nGOTO :EOF<\/pre>\n<p>The administrator has informed me that he has converted around 50 computers with the script. Of course, the code is provided on an as-is basis and use is at your own risk.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft has been trying for some time to secure the Secure Boot in Windows against the Black Lotus Boot Kit vulnerability CVE-2023-24932. Below is a short summary or FAQ, including the certificate to be exchanged in the boot media. 
And &hellip; <a href=\"https:\/\/borncity.com\/win\/2025\/03\/03\/faq-and-script-for-secure-boot-protection-against-cve-2023-24932-black-lotus\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-37248","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=37248"}],"version-history":[{"count":4,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37248\/revisions"}],"predecessor-version":[{"id":37252,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37248\/revisions\/37252"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=37248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=37248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=37248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}