KB5053484: Microsoft shares new PowerShell script for updated Windows 11/10 boot media

In February 2024, Microsoft took a significant step in bolstering the security of its operating systems by announcing the rollout of new 2023 Secure Boot Certificate Authority (CA) keys. These keys are set to replace the aging certificates from 2011, which were introduced alongside Windows 8 when the Secure Boot feature was first implemented.

The initiative commenced with the Patch Tuesday updates, specifically KB5034765 for Windows 11 and KB5034763 for Windows 10, marking a crucial update as the 2011 certificates approach their expiration date in 2026, after 15 years of service.

PowerShell Script for Enhanced Security

In a recent development, Microsoft has released a PowerShell script designed to update Windows bootable media so that it boots on systems that trust the new Windows UEFI CA 2023 certificate. This update is particularly relevant in light of the BlackLotus Secure Boot bootkit vulnerability, identified as CVE-2023-24932, which is what prompted the move away from the 2011 signing chain.

For those unfamiliar with the concept, a Certificate Authority (CA) issues the certificates against which the digital signatures on essential components such as bootloaders, drivers, firmware, and various applications are verified; under Secure Boot, firmware will only run components whose signatures chain to a CA it trusts.

Regarding the new PowerShell script, Microsoft elaborated:

The PowerShell script described in this article can be used to update Windows bootable media so that the media can be used on systems that trust the “Windows UEFI CA 2023” certificate.

The Make2023BootableMedia.ps1 PowerShell script updates boot manager support on Windows media to the boot manager signed by the new “Windows UEFI CA 2023” certificate. The input and output can be bootable media of the following type:

  • ISO CD/DVD image file,
  • USB flash drive,
  • a local drive path, or
  • a network drive path.

Microsoft has also highlighted several important considerations for users executing the update:

The latest Windows Assessment and Deployment Kit (Windows ADK) can be found on the Download and install the Windows ADK page and is necessary for this script to work properly.

Notes

  • The Make2023BootableMedia.ps1 script should be run from an elevated PowerShell prompt.
  • You must provide the script with a media source (-MediaPath) which has the latest servicing updates applied.

For comprehensive details, users can refer to the KB5053484 support article available on Microsoft’s official website.
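Two checks a practitioner will want around the script, as an added example that is not part of the article or of Microsoft's Make2023BootableMedia.ps1: before running it, confirm the target firmware actually trusts the 2023 CA (otherwise 2023-signed media will not boot there), and afterwards confirm the boot manager on the output media carries a 2023-chain signature. The boot manager path and the subject/issuer string matching are assumptions; run from an elevated prompt on a Secure Boot system.

```powershell
# Added example, not the KB script. Assumes Windows 10/11 with Secure Boot enabled,
# an elevated PowerShell prompt, and that the output media is mounted as a drive letter.

# 1. Does this firmware's Secure Boot signature database (db) trust the 2023 CA?
function Test-2023CaTrusted {
    try {
        $db = (Get-SecureBootUEFI -Name db).Bytes
    } catch {
        Write-Warning "Secure Boot UEFI variables not readable: $_"
        return $false
    }
    # Certificate subject names are stored as printable text inside the db blob,
    # so a plain string match on the CA name is enough for a yes/no answer.
    return ([System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023')
}

# 2. Is the boot manager on the updated media signed under the 2023 CA chain?
function Test-BootManagerSignature {
    param(
        # Assumed location; e.g. 'E:\efi\boot\bootx64.efi' on mounted output media
        [Parameter(Mandatory)][string]$BootManagerPath
    )
    $sig = Get-AuthenticodeSignature -FilePath $BootManagerPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $BootManagerPath is $($sig.Status)"
        return $false
    }
    $cert = $sig.SignerCertificate
    # Assumption: the 2023 chain names the CA in the signer's subject or issuer.
    return (($cert.Subject + ' ' + $cert.Issuer) -match 'Windows UEFI CA 2023')
}

# Usage: pre-flight on the machine that will boot the media, then post-flight on the media.
if (Test-2023CaTrusted) {
    'Firmware db trusts Windows UEFI CA 2023; 2023-signed media can boot here.'
} else {
    'Firmware db does NOT trust the 2023 CA; apply the servicing updates first.'
}
if (Test-BootManagerSignature -BootManagerPath 'E:\efi\boot\bootx64.efi') {
    'Boot manager on media is signed under the 2023 CA chain.'
}
```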
