Blog Post

Core Infrastructure and Security Blog
4 MIN READ

May 2023 Cumulative Update Explained

hewagen
Microsoft
Jul 05, 2023

Hi all,

 

Mitigating the Secure Boot UEFI bootkit using the May 2023 cumulative update still causes misunderstandings among some of my customers. So I wrote this short article to give you an overview and illustrate how this update works, especially regarding the elimination of the BlackLotus bootkit, covered in CVE-2023-24932. A very detailed description can be found in the official KB article: the KB5025885 support page.

 

Among many other fixes, this update adds protection against a Secure Boot security feature bypass by the BlackLotus UEFI bootkit, tracked as CVE-2023-24932. However, some steps to fully mitigate the vulnerability must be performed manually. For easier understanding, let me first divide the May 2023 CU into two steps:

 

  1. Install the CU to apply all the monthly security fixes, update the boot files of the running OS and copy the UEFI Code Integrity boot policy file to the hard drive.
  2. Manually copy the Code Integrity boot policy to the EFI partition and apply the UEFI block list.

 

Step 1 only affects the running operating system, while step 2 modifies the UEFI of your PC. This distinction is important because the 2nd step has to be done manually at the time of writing. Later CUs will simplify this part. The following illustration may help.

Install the CU

Installing the CU updates the boot components of the running operating system, or of an offline image if you slipstream the update into it. As part of the CU installation, the files necessary for the UEFI patch (2nd step) are copied to the hard drive, to %systemroot%\System32\SecureBootUpdates. However, the update installation process does not activate the UEFI patch: it does not copy those files to the EFI partition, so the PC remains vulnerable to the CVE-2023-24932 bootkit.

If you just install the CU using Windows Update, WSUS or any other method, all fixes will be applied to the OS but the UEFI of the PC remains unpatched. In that case, both updated and unpatched images will boot on that PC.

 

Please note that we always recommend rolling out monthly cumulative updates as soon as possible!

Install the UEFI patch

Applying the UEFI patch requires you to add the code integrity policy to the EFI partition. The CI policy file you need for this step was copied to the system as part of the CU installation. As mentioned before, I will not cover the technical details in this blog post; see chapter 3a of the KB5025885 support page for technical instructions. Secondly, the UEFI deny list needs to be applied. This is done by adding a registry key to the patched OS, followed by a reboot. Technical instructions can also be found in the KB article, chapter 3b.

After the PC's UEFI has been patched, the BlackLotus bootkit vulnerability has been mitigated. However, this PC no longer boots unpatched operating systems (meaning an OS with boot files from before the May 2023 update).

 

Please note that once the 2nd step (UEFI patch) has been applied, all bootable operating system images need to be patched in order to work on UEFI-patched PCs. This includes running operating systems, custom Windows images, Windows PE boot images, the Windows SafeOS Recovery Environment (WinRE) and all recovery media. There will be Dynamic Updates for WinRE, since there are known issues when trying to apply the full CU.

Best practice for enterprises

I suggest following the rough approach below. Note that your PC is fully protected against the Secure Boot bypass vulnerability only after finishing step 3.

 

  1. Patch all running operating systems with the May 2023 CU or later. Do not apply the UEFI patch part yet. Only install the CU.
  2. After that, or at the same time, make sure to patch all Windows PE and Windows images you use for fresh installations. You can use DISM to "slipstream" the patch into the images; see Appendix B in this post for a rough explanation. If you're using the Windows Recovery Environment (WinRE), those images must be patched as well, using the corresponding Dynamic Updates for WinRE.
  3. As a last action, apply the UEFI patch on all running systems by following steps 3a and 3b of the KB article mentioned at the beginning of this blog. For automation you can write a batch file and deploy it using your system management tool.

 

Appendix A – Download a cumulative update

Navigate to the Microsoft Update Catalog to download the latest cumulative update in MSU file format. In the search field, enter 2023-05 22H2 to narrow down the search results. Find your desired update in the list and click the Download button.

 

Appendix B – Update a custom Image using DISM

There are tons of examples of how to update offline images available on the web, so I will not spend too much time on explanation. Use these lines just as a reference. Please note that you may need to change some values to fit your environment:

REM Create the mount directory and mount the desired image index (index 3 here; check yours with DISM /get-wiminfo)
mkdir C:\Mount
DISM /mount-wim /wimfile:"C:\Path\To\Install.wim" /mountdir:C:\Mount /index:3
REM Inject the cumulative update (MSU) into the mounted image
DISM /image:C:\Mount /add-package /packagepath:"C:\Path\To\Update.msu"
REM Commit the change back into the WIM and clean up
DISM /unmount-wim /mountdir:"C:\Mount" /commit
rmdir /Q /S C:\Mount
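The commands above service one index of one WIM. Since step 2 of the best-practice list asks for every Windows and Windows PE image used for fresh installations to be patched, the following PowerShell script (an added example, not from the blog post or from Microsoft) generalizes Appendix B: it mounts every index of a WIM in turn, adds every .msu/.cab found in an update folder, and commits only if all packages applied cleanly. All paths are assumptions to be adjusted for your environment.

```powershell
# Added example: slipstream a cumulative update into every index of a WIM.
# Uses the DISM PowerShell module (Get-/Mount-/Add-/Dismount-WindowsImage).
param(
    [string]$WimFile    = 'C:\Path\To\install.wim',  # assumption: image to service
    [string]$PackageDir = 'C:\Path\To\Updates',      # assumption: folder holding .msu/.cab files
    [string]$MountDir   = 'C:\Mount'                 # assumption: scratch mount point
)
$ErrorActionPreference = 'Stop'
Import-Module Dism

if (-not (Test-Path -Path $MountDir)) {
    New-Item -ItemType Directory -Path $MountDir | Out-Null
}
$packages = Get-ChildItem -Path $PackageDir -Include *.msu, *.cab -File -Recurse
if (-not $packages) { throw "No .msu/.cab packages found in $PackageDir" }

foreach ($img in Get-WindowsImage -ImagePath $WimFile) {
    Write-Host "Servicing index $($img.ImageIndex): $($img.ImageName)"
    Mount-WindowsImage -ImagePath $WimFile -Index $img.ImageIndex -Path $MountDir | Out-Null
    try {
        foreach ($pkg in $packages) {
            Write-Host "  Adding $($pkg.Name)"
            Add-WindowsPackage -Path $MountDir -PackagePath $pkg.FullName | Out-Null
        }
        # Commit the servicing changes only after every package applied cleanly
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    }
    catch {
        # Discard a half-serviced index rather than committing a broken image
        Write-Warning "Index $($img.ImageIndex) failed: $_ (discarding changes)"
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        throw
    }
}
Remove-Item -Path $MountDir -Recurse -Force
```

Run it against boot.wim as well as install.wim, because the Windows PE boot images need the update too; for WinRE, point PackageDir at the Dynamic Update package instead of the full CU, as the post notes.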

Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Updated Jul 05, 2023
Version 2.0
  • KSE-LP (Copper Contributor)

    Hi Helmut,

     

    I found the issue: the WDS server had not yet deployed the Windows Cumulative 2023 July updates. This update deployed a new UEFI WDS boot manager (wdsmgfw.efi) in this folder: c:\Windows\System32\RemInst\boot\x64 (or \x86 for other architectures).

     

    The deployments run fine now.

    Cheers!

     

    *Edit* It seems this location needs to be updated too: \RemoteInstall\Boot\x64. I figured updating the boot image would have taken care of that, but it didn't in my case.

     

  • Off the top of my head, I don't have any helpful idea. Updated media should boot both patched and unpatched devices.

  • KSE-LP (Copper Contributor)

    Hi,

     

    I've been applying this update on Windows 10 systems and some servers and it works fine. Except now when I use my WDS server to deploy a Windows 10 machine that has this patch applied, the WDS server shows me error 272 (0xc000000272 if I remember correctly).

     

    I've previously downloaded a new ISO for Windows 10 the May 2023 release and this morning the June 2023 release and updated my boot image on WDS on both occasions, the same error. I've exported that boot image and updated it with a dynamic cumulative update for July 2023 and that doesn't work either.

     

    If I turn off Secure Boot on the system, I can deploy it fine with WDS afterwards, which is logical, since it's turned off.

     

    Any ideas? I thought you just needed new ISOs to get a supported boot image to work with this update.

  • I'm not sure if the Server 2019 media will be updated in the near future. However, using Appendix A and Appendix B in the blog post, you can easily create your own updated media. In Appendix A enter the search term "2023-05 2019" to find the May CU for Server 2019.

  • JT_Kukkonen (Brass Contributor)

    Thank you for your blog post. I was wondering how I should proceed if I want to do an in-place upgrade from Windows Server 2012 R2 to Windows Server 2019. I have read that if Server 2012 R2 has the May CU installed and Secure Boot enabled, and I do an in-place upgrade using the latest available Server 2019 media Microsoft provides on the VLSC page, which was updated in November 2022, the server won't boot after the upgrade. Will Microsoft release updated Server 2019 installation media sometime in autumn?