[CRITICAL] May 2023 SecureBoot fix will break all boot media

garlin

Moderator
Staff member
May 2023's SecureBoot fix in Win 10 & 11, to block the BlackLotus UEFI bypass, will invalidate digital signatures for all existing boot media.

This means if you have SecureBoot enabled, existing ISO images won't boot after you install May 2023. Boot images (like ISOs or recovery tools) need to be patched with new boot files to continue working. If you've already installed May 2023, check if your media fails to boot now -- BEFORE you need it in an emergency!

July 2023 will bring more SecureBoot changes, and the lockout policy will be permanently enforced in early 2024.

MS will release W10 & W11 ISOs with a newer boot image later this year, so RTM or older UUP dump images should be discarded or patched.
If you're dual-booting or installing Win 7 or 8 on a PC where May 2023 was previously applied, you must also check if you need to patch the image.

As some online users have noted, it's a clusterf* for anyone involved.



KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

Examples of bootable media and recovery media impacted by this issue
  • Bootable media created by using Create a recovery drive
    Note: The “Create a recovery drive” functionality is not supported in the updates released on or after May 9, 2023, and cannot be used to restore devices with revocation enabled. We are working on a resolution and will provide an update in an upcoming release.

  • Backups of Windows which were imaged before the installation of updates released on or after May 9, 2023. These will not be directly usable to restore your Windows installation after the revocations have been enabled on your device.

  • Custom CD/DVD or recovery partition created by you, your device manufacturer (OEM) or enterprises
  • ISO (via download or using ADK)
  • Network Boot
    • Windows Deployment Services
    • Preboot Execution Environment boot services (PXE boot services)
    • Microsoft Deployment Toolkit
    • HTTPS Boot
  • OEM installation and recovery media
  • Official Windows media from Microsoft including:
    • Windows PE
    • Windows installed on physical hardware or virtual machines
    • Windows Validation OS
 
I'm sure Rufus or other USB tools will respond by allowing you to copy the new files when writing to USB. After the dust settles, the online community will agree on a common way of fixing old ISOs.

NTLite needs to detect whether any bootable image has the fix, and warn you of the consequences. It won't know if the target machine has SecureBoot enabled or has been patched by May 2023. But a heads-up notification would be helpful.
 
Thanks garlin for the heads up, will support this.
We have some time in this initial stage, it's not applied by default for the next year I believe (the "Enforcement Phase").
Will start working on it immediately.
 
Released updated build 9247+, supports this.
Basically integrate latest cumulative update, propagate it to boot.wim (reapply integrate updates to Setup edition) and that's all.
Tested, and other than Win11 and 11 22H2, other older OSes boot fine with this enforcement without boot manager updates.
Maybe MS will lock it further with the next update.

Tool warns on the Apply page and Create ISO label popup if update is needed.
 
I have read the Microsoft article, the whole thing seems a massive mess, they should be 100% releasing ISOs before the patch.

But I am confused, the article indicates installing the patch won't actually activate the mitigation, but instead manual commands are required, which if true means installing the update won't immediately invalidate boot media.

I am curious how an OS patch prevents other media from booting, because isn't the Secure Boot whitelist in the BIOS?

As https://www.ntlite.com/community/in...fix-will-break-all-boot-media.3596/post-35529 nuhi said, it does look like the actual mitigation won't be automatically applied then?
 
I have read the Microsoft article, the whole thing seems a massive mess, they should be 100% releasing ISOs before the patch.
True, they did release updated ISOs just the other day, and the enforcement is not enabled by default.

But I am confused, the article indicates installing the patch won't actually activate the mitigation, but instead manual commands are required, which if true means installing the update won't immediately invalidate boot media.
True, you need to set a special reg key, and reboot twice, more info here.

I am curious how an OS patch prevents other media from booting, because isn't the Secure Boot whitelist in the BIOS?
Haven't found a technical paper, but since the change survives reformats, it must be that it actually updates the Secure Boot portion of the EFI BIOS itself.
Secure Boot can still be disabled from the BIOS UI, not sure if reinstalling another OS can overwrite the Secure Boot portion back to default or that exception requires a CMOS reset or not even that helps... a lot of questions on top.

Part of protection enabling is in the hidden EFI partition as well, explained in the link above how to do manually.
 
Thank you nuhi, it makes sense, as I only recently discovered e.g. that proxmox has an EFI boot partition to set up for full UEFI emulation, I always wondered what that was about, after your explanation it's all coming together on how it works. Your point if another older OS could undo the mitigation is an interesting one as well.
 
MS has to play nice with Linux, and come to an agreement on boot code that passes approval. Which means if MS doesn't release a separate boot file, then the UEFI blocklist will eventually allow a blessed Linux boot file. Rufus is then free to redistribute (or download) this code for itself.
 
Is it expected this update isn't visible on WU on a newly installed Windows?

If relevant 21H2 LTSC so before this got published. It shows in ntlite online list, but not on WU.

Secure Boot state is on in the VM. So Windows recognises the compatibility.

Found articles which stated it got pulled then republished, so unsure if an issue with the ISO/VM or it's deliberate by Microsoft.
 
Is it expected this update isn't visible on WU on a newly installed Windows?
All May 2023 and newer cumulative updates have this in them, but very important, it is not activated by default.
You have roughly a year not to worry about it, then it's enabled by default.
Until then all updated ISOs will be bootable anyway.
For those that want to enable the protection now, instructions are in the link at the top post.
 
All May 2023 and newer cumulative updates have this in them, but very important, it is not activated by default.
You have roughly a year not to worry about it, then it's enabled by default.
Until then all updated ISOs will be bootable anyway.
For those that want to enable the protection now, instructions are in the link at the top post.
Ok thanks, was just concerned for some reason it was missing due to an error on my part.
 
Mine's fine. SecureBoot on, normal mode, UEFI BIOS.
 
Enforcement hasn't begun yet, unless you follow MS's optional (for now) instructions to force update your UEFI firmware. After that's done, there is no rollback except to replace your UEFI chip. And likely your OEM will catch up and start shipping new firmware too.
 
I'm not a UEFI expert, but basically they push a UEFI update which bans bootloaders that fail a certain signature check. Then they lock their change with another signature so you can't just edit UEFI to remove it. Otherwise a new rootkit would undo those steps.

MS must work with UEFI Forum and Linux vendors so they agree on which bootloaders are considered legitimate, especially if you're in a dual-boot environment. Most of this will be done with new signing keys, and invalidating old keys which have signed previous bootloaders.

Even if the non-Windows bootloaders are secure, you don't want to allow a PC to get hacked because someone later installed a non-updated Windows image which opens the door to BlackLotus.
 
I hadn't heard much in the last few months about the BlackLotus/SecureBoot news, so I checked into the Microsoft article linked in the first post and it now has an updated timeline in the "Timing of updates" section. Below is a summary of that information and some takeaways:

NEW TIMELINE
- Microsoft originally said there would be three phases for the exploit fix, with the third one taking place in the first quarter of 2024. The previous two fixes were complete by May 9th, 2023 and July 11th, 2023. The new timeline splits it into four phases total.

- Phase three is scheduled for April 9th, 2024 and states: "New mitigations to block additional vulnerable boot managers. These new mitigations will require that media be updated."

- Phase four is scheduled for October 8th, 2024 and finalizes everything: "The revocations (Code Integrity Boot policy and Secure Boot disallow list) will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled."

NEW ISO BUILDS
- Microsoft is releasing updated ISO builds as some phases are finished, which is why the Windows 10 22H2 ISO received a "v1" update back in May of 2023, when they would normally wait to release those around November of each year.

- Windows 10 didn't get a "v2" ISO after the July 2023 phase, so we may see a new ISO for Windows 10 after the incoming third phase. I suggest everyone using Windows 10 get a copy of "v2" when it's available and save it somewhere safe, for reasons explained below.

OTHER CONSIDERATIONS
- I suspect the end of 2024 is going to be problematic in general, because the masses will be unaware of BlackLotus and when everyone's boot media suddenly stops working it's going to be a public relations nightmare. Microsoft's quality control is also poor, so combine that with the push for Copilot and other related bloat coming our way, it's a recipe for disaster.

- Microsoft removed all ISO links to older operating systems and versions last year, now only offering the latest release of Windows 8/10/11, which greatly affected tools like Rufus. This is probably going to come up again later this year or at the start of 2025.

- The new updates for Windows Recovery Environment (WinRE) are also causing issues for people, and my only point here is that it's creating more confusion around installs now, and will continue to in the coming months. Here's some reading on it (link1, link2, link3, link4).
 
The latest supported ISO versions are:
- Win10_22H2_English_x64v1
- Win11_23H2_English_x64v2

All releases before them will have the soon-to-be-revoked boot EFI files. Of course you can simply replace the boot files on your own, but you have to remember this if your UEFI gets updated with the upcoming security updates. The old boot files will no longer be trusted for booting.

The new guideline is set the Recovery partition size to at least 800MB, if not 1GB.
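An added check script for the two questions that run through this thread (is the revocation active on this machine, and does a given ISO still carry the old boot files); it is not from the thread, from NTLite, or from Microsoft's KB. It assumes an Administrator PowerShell on Windows 10/11, an ISO path you supply in place of the placeholder, and that the boot manager's signer issuer string names the CA (as it does for Microsoft-signed bootmgfw.efi). It only reads firmware variables and mounts the ISO; it changes nothing.

```powershell
# Added example (not from the thread): report Secure Boot revocation state and
# show which CA signed the boot manager inside an ISO. Run as Administrator.
param([string]$IsoPath = 'C:\path\to\media.iso')   # placeholder, supply your own

function Get-SecureBootVarText([string]$Name) {
    # db/dbx hold DER certificates and hashes; the CA common names survive an
    # ASCII decode, which is the same trick Microsoft's KB uses for verification.
    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes)
}

# 1. Firmware side: is Secure Boot on, and which CAs are trusted or revoked?
$sbOn = Confirm-SecureBootUEFI          # throws on legacy BIOS / CSM machines
$db   = Get-SecureBootVarText 'db'
$dbx  = Get-SecureBootVarText 'dbx'
[pscustomobject]@{
    SecureBootEnabled      = $sbOn
    NewCA2023InDB          = $db  -match 'Windows UEFI CA 2023'
    OldPCA2011RevokedInDBX = $dbx -match 'Microsoft Windows Production PCA 2011'
} | Format-List
# Caveat: the 2023 phases revoked individual boot managers by hash, which this
# string match cannot see; only the later certificate-level revocation shows here.

# 2. Media side: which CA chain signed bootmgfw.efi on the ISO?
$img = Mount-DiskImage -ImagePath $IsoPath -PassThru
try {
    $drive  = ($img | Get-Volume).DriveLetter
    $efi    = "${drive}:\efi\microsoft\boot\bootmgfw.efi"
    $sig    = Get-AuthenticodeSignature -FilePath $efi
    $issuer = $sig.SignerCertificate.Issuer
    [pscustomobject]@{
        File             = $efi
        SignatureValid   = ($sig.Status -eq 'Valid')
        Issuer           = $issuer
        SignedWith2023CA = ($issuer -like '*Windows UEFI CA 2023*')
    } | Format-List
    # Old media plus a firmware that already revoked the old CA is the failing combination.
    if ($issuer -like '*Production PCA 2011*' -and $dbx -match 'Production PCA 2011') {
        Write-Warning 'Boot manager on this media is signed by the revoked CA; expect a Secure Boot failure here.'
    }
} finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
```

Media that reports SignedWith2023CA = False is the kind garlin's last post says to treat as having "soon-to-be-revoked boot EFI files", whether or not the machine you ran this on has enforced the revocation yet.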
 