Microsoft has taken a significant step in enhancing the security of Windows systems by releasing a PowerShell script designed to assist users and administrators in updating bootable media. This update is particularly crucial as it integrates the new “Windows UEFI CA 2023” certificate, a proactive measure ahead of the impending enforcement of mitigations against the BlackLotus UEFI bootkit later this year.
Understanding BlackLotus and Its Threats
BlackLotus is a sophisticated UEFI bootkit capable of circumventing Secure Boot protocols, thereby seizing control of the operating system’s boot process. Once it infiltrates a system, BlackLotus can disable essential Windows security features, including BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender Antivirus. This level of access enables the deployment of malware with elevated privileges, all while evading detection.
In response to this threat, Microsoft previously issued security updates in March 2023 and is set to release additional measures in July 2024. These updates address a Secure Boot bypass vulnerability, identified as CVE-2023-24932; the fix works by revoking the vulnerable boot managers that BlackLotus exploits. It is important to note, however, that this fix is disabled by default to prevent conflicts that could render the operating system unbootable.
Phased Rollout and Security Enhancements
To mitigate risks, Microsoft is implementing a phased rollout of the fix, allowing Windows administrators to test the updates before full enforcement, which is anticipated to occur before 2026. When activated, the security update will incorporate the “Windows UEFI CA 2023” certificate into the UEFI Secure Boot Signature Database. This will enable the installation of newer boot managers that are signed with this certificate.
Additionally, the process updates the Secure Boot Forbidden Signature Database (DBX) to include the “Windows Production CA 2011” certificate. This is the certificate that signed the older, vulnerable boot managers; revoking it renders those boot managers untrusted, so the firmware will refuse to load them.
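The two database changes described above can be observed from inside Windows. The following PowerShell is an added example for this article (not Microsoft's script and not code from the original page): it reads the Secure Boot DB and DBX variables through the built-in Get-SecureBootUEFI cmdlet and reports whether the new trust anchor is present and the old signing CA is revoked. The match strings are the certificate subject names as stored in the database entries; the full subject of the CA the article calls “Windows Production CA 2011” is “Microsoft Windows Production PCA 2011”. It must be run from an elevated prompt on a UEFI system.

```powershell
# Added example: report the BlackLotus mitigation state of this device from
# the Secure Boot signature databases. Not Microsoft's code.
# Requires an elevated PowerShell session on a UEFI system.

function Get-SecureBootDbText {
    param([ValidateSet('db', 'dbx')][string]$Name)
    # Get-SecureBootUEFI returns the raw variable contents (Name, Bytes, Attributes).
    # Certificate subjects are stored as printable ASCII inside the DER blobs,
    # so a text search is sufficient to detect a given CA entry.
    $variable = Get-SecureBootUEFI -Name $Name
    return [System.Text.Encoding]::ASCII.GetString($variable.Bytes)
}

function Test-BlackLotusMitigationState {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled: DB/DBX contents are not being enforced.'
    }
    $db  = Get-SecureBootDbText -Name 'db'
    $dbx = Get-SecureBootDbText -Name 'dbx'

    [pscustomobject]@{
        # New boot managers are signed under this CA; it must be in DB to boot them.
        UefiCa2023Trusted  = [bool]($db -match 'Windows UEFI CA 2023')
        # Old boot managers were signed under this CA; its presence in DBX revokes them.
        ProductionPca2011Revoked = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    }
}

$state = Test-BlackLotusMitigationState
$state | Format-List

# The combination the article warns about: once the 2011 CA is revoked, only
# media carrying a boot manager signed under the 2023 CA will start.
if ($state.ProductionPca2011Revoked -and -not $state.UefiCa2023Trusted) {
    Write-Warning 'Old CA revoked but new CA not trusted: verify that recovery media was updated before relying on it.'
}
```

A device that shows UefiCa2023Trusted = True and ProductionPca2011Revoked = False is in the staged, not yet enforced, state; both True means the revocation has been applied and existing media must have been updated before it is needed for recovery.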
For administrators who apply these mitigations and encounter booting issues, it is essential to update bootable media to utilize the Windows UEFI CA 2023 certificate for troubleshooting. Microsoft cautions that failure to do so may result in an inability to start or recover devices from existing media.
Utilizing the PowerShell Script
In a bid to facilitate this transition, Microsoft has released a PowerShell script that simplifies the process of updating bootable media to comply with the new certificate requirements. This script can be downloaded directly from Microsoft and is compatible with various media formats, including ISO CD/DVD images, USB flash drives, local drive paths, and network drive paths.
Before running the script, users must download and install the Windows ADK, which the script requires in order to function. Once executed, the script updates the media files to incorporate the Windows UEFI CA 2023 certificate and installs the corresponding boot managers.
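After the media has been updated, an administrator will want to confirm that the boot manager it carries is actually signed under the new CA before depending on it for recovery. The following PowerShell is an added example for this article (not Microsoft's script and not from the original page): it locates the EFI loaders on a mounted ISO or USB drive, reads their Authenticode signatures, and walks the signing chain looking for the “Windows UEFI CA 2023” certificate. The media root path is an assumption for illustration; substitute the drive letter of the mounted media.

```powershell
# Added example: verify which CA chain signed the boot manager on a piece of
# bootable media. Not Microsoft's code. $MediaRoot is an assumed path.

function Get-SigningChainSubjects {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)
    # Build the chain locally. The 2023 root may not be in this machine's
    # trust store yet, so allow an unknown authority and skip revocation checks;
    # the goal is to see which CA names appear in the chain, not to trust it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($Leaf)
    return $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
}

function Get-BootMediaSigner {
    param([Parameter(Mandatory)][string]$MediaRoot)
    # Loaders commonly present on Windows installation/recovery media.
    $candidates = @(
        (Join-Path $MediaRoot 'efi\boot\bootx64.efi'),
        (Join-Path $MediaRoot 'efi\microsoft\boot\bootmgfw.efi'),
        (Join-Path $MediaRoot 'bootmgr.efi')
    )
    foreach ($path in $candidates | Where-Object { Test-Path $_ }) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $subjects = @()
        if ($sig.SignerCertificate) {
            $subjects = Get-SigningChainSubjects -Leaf $sig.SignerCertificate
        }
        [pscustomobject]@{
            File        = $path
            Status      = $sig.Status
            SignedBy2023 = [bool]($subjects -match 'Windows UEFI CA 2023')
            SignedBy2011 = [bool]($subjects -match 'Microsoft Windows Production PCA 2011')
        }
    }
}

$results = Get-BootMediaSigner -MediaRoot 'D:\'   # assumed: drive letter of the mounted media
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.SignedBy2011 -and -not $_.SignedBy2023 }) {
    Write-Warning 'Media still carries a boot manager signed under the 2011 CA; it will not boot once the revocation is enforced.'
}
```

A Status of NotSigned or HashMismatch on any loader is worth investigating on its own; a chain containing only the 2011 CA means the update script has not been applied to that media.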
Microsoft strongly recommends that Windows administrators conduct thorough testing of this process in advance of the enforcement phase of the security updates, which is expected to commence by the end of 2026, with a six-month notice provided prior to implementation.