[CRITICAL] May 2023 SecureBoot fix will break all boot media

What about LTSC releases like Windows 10 2021? Will those be getting an updated ISO?
At the very top of the support article there's a small "more" in blue italics. If you click on that it shows the operating systems getting patched.

I'm assuming the reason Windows 10 didn't get a "v2" like Windows 11 did, was because the patch on that OS was minor and didn't require it, but the cynic in me says Microsoft is tired of Windows 10 continuing to dominate the market share, so I think they purposely delay things sometimes in order to encourage migration. It's all about money.

We already saw this in past years, like when things reach EOL and there's no final service pack, rollup, etcetera, and it becomes a pain to manually hunt it all down and integrate everything the proper way. I suspect they will do that with Windows 10 next year, intentionally not releasing an updated ISO that includes all the updates up to the time it went off the shelf.
 
The Enforcement Phase for KB5025885 which was scheduled for October 2024 seems to have been postponed to a later date.
The Enforcement Phase will be at least six months after the Deployment Phase (July 2024) so that means the final Enforcement Phase will be January 2025 at the earliest.

This update will be a nightmare in 2025, I'm glad it keeps getting pushed back for now.
There is always the possibility of disabling SecureBoot completely from the BIOS especially for older Motherboards with outdated BIOS versions but that's far from being the ideal solution.

Also a warning for Windows Server 2012 and Windows Server 2012 R2 users (and also W8 / 8.1 with BypassESU):
Do not manually enable the mitigations from KB5025885 on systems with TPM2.0 if you have installed the 2024-04 Monthly Rollup KB5036960

These systems that run Windows Server 2012 and Windows Server 2012 R2 cannot deploy the mitigations released in the April 9, 2024 security update because of known compatibility issues with TPM measurements. The April 9, 2024 security updates will block mitigations #2 (boot manager) and #3 (DBX update) on affected systems.

Microsoft is aware of the issue and an update will be released in the future to unblock TPM 2.0-based systems.
 
So what is the process to deal with this? I noticed that in the latest version of NTLite, there is an option to update the boot sector under the Updates category. It also comes with a suggestion to integrate the update into the boot.wim file. So in theory, all I would have to do is integrate the latest (May at this time) cumulative update into both the install.wim and boot.wim (2. Windows Setup)?

I did receive a Security Violation when attempting to install an updated image onto a PC recently. I do not recall if that PC already had the May update.
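The integration step described in the post above, written out with the built-in DISM cmdlets as an added example (not code from the thread or from NTLite). The ISO layout, mount directory, edition index and the MSU file name are assumptions; the script must be run from an elevated PowerShell session.

```powershell
# Added example: integrate one cumulative update (.msu) into install.wim and into
# boot.wim index 2 ("Microsoft Windows Setup"). Paths and the MSU name are assumed;
# the MSU name below is a placeholder, not a real file.
$Msu        = 'C:\updates\windows10.0-kb-PLACEHOLDER-x64.msu'
$InstallWim = 'C:\iso\sources\install.wim'
$BootWim    = 'C:\iso\sources\boot.wim'
$Mount      = 'C:\mount'

function Add-UpdateToImage {
    param([string]$Wim, [int]$Index, [string]$Package, [string]$MountDir)
    if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
    Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $MountDir | Out-Null
    try {
        Add-WindowsPackage -Path $MountDir -PackagePath $Package | Out-Null
        # Check that the rollup is present before saving (name filter is an assumption)
        Get-WindowsPackage -Path $MountDir |
            Where-Object { $_.PackageName -like '*RollupFix*' } |
            Select-Object PackageName, PackageState
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    } catch {
        # Never save a half-serviced image; discard and surface the error
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        throw
    }
}

# List install.wim editions so the index is chosen deliberately, then service both WIMs
Get-WindowsImage -ImagePath $InstallWim | Select-Object ImageIndex, ImageName
Add-UpdateToImage -Wim $InstallWim -Index 1 -Package $Msu -MountDir $Mount
Add-UpdateToImage -Wim $BootWim    -Index 2 -Package $Msu -MountDir $Mount
```

Dismounting with -Discard on failure matters: a WIM saved after a failed Add-WindowsPackage is the kind of media that later fails with the Security Violation the post mentions, and nothing in the thread says which step caused that one.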
 