May 2023's SecureBoot fix in Win 10 & 11, to block the BlackLotus UEFI bypass, will invalidate digital signatures for all existing boot media.
This means if you have SecureBoot enabled, existing ISO images won't boot after you install the May 2023 update. Boot images (like ISOs or recovery tools) need to be patched with new boot files to continue working. If you've already installed the May 2023 update, check if your media fails to boot now -- BEFORE you need it in an emergency!
July 2023 will bring more SecureBoot changes, and the lockout policy will be permanently enforced in early 2024.
MS will release W10 & W11 ISOs with a newer boot image later this year, so RTM or older UUP dump images should be discarded or patched.
If you're dual-booting or installing Win 7 or 8 on a PC where the May 2023 update was previously applied, you must also check if you need to patch the image.
As some online users have noted, it's a clusterf* for anyone involved.
KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
Examples of bootable media and recovery media impacted by this issue
- Bootable media created by using Create a recovery drive
Note: The “Create a recovery drive” functionality is not supported in the updates released on or after May 9, 2023, and cannot be used to restore devices with revocation enabled. We are working on a resolution and will provide an update in an upcoming release.
- Backups of Windows which were imaged before the installation of updates released on or after May 9, 2023. These will not be directly usable to restore your Windows installation after the revocations have been enabled on your device.
- Custom CD/DVD or recovery partition created by you, your device manufacturer (OEM) or enterprises
- ISO (via download or using ADK)
- Network Boot
- Windows Deployment Services
- Preboot Execution Environment boot services (PXE boot services)
- Microsoft Deployment Toolkit
- HTTPS Boot
- OEM installation and recovery media
- Official Windows media from Microsoft including:
  - Retail media
  - Media creation tool (ISO or USB drive)
  - VLSC
  - Visual Studio Subscriber Downloads
- USB drive
- Windows PE
- Windows installed on physical hardware or virtual machines
- Windows Validation OS