Editor's note 6.27.2024 – Microsoft's timeline for enforcement of the changes outlined in this post is currently under evaluation. We will provide an update once timing has been confirmed.
If you'r...
Q1: How can we execute both advisories at scale in enterprises and SMB/SMC?
Q2: How, if ever, would people at home be patching these manually?
Q3: How does one know if the UEFI / BIOS FW is ready for this change or not?
Q4: Speaking of OEMs: Will they list the CVE / DBX update in their changelogs, so one can distinguish whether a device is ready?
Q5: Speaking of retail mainboards - a very usual use case - with lower numbers compared to OEM devices. To name Asrock, Asus, MSI, Gigabyte, Biostar - you name it - for consumers, what about these? Are these manufacturers obliged to provide this update, or is it just in their hands to do so or not, depending on the age of the mainboard and their servicing policy? Then again, like with OEMs, how will consumers recognize this?
We encourage IT admins and enterprise customers to invest in building workflows that ensure an efficient rollout of these updates across their device fleet.
Please bear in mind: Consumers (and quite some organisations) never do UEFI updates on their client or server devices. Speaking of client devices, most of them are too old to receive UEFI firmware updates seamlessly through Windows Update or WUfB. So manual patching appears to be par for the course.
I understand the complexity of the topic, yet it feels the same as with the side-channel vulnerability patches: a lot of manual user / admin interaction is required and most likely not executed, for lack of knowledge (and time). Fleet patch management for firmware isn't something that is usually well addressed among SMB customers, especially not with challenges such as "work from home".
My own experience on this so far: I just checked my machine with an Asrock mainboard, being in the lucky position to know that Asrock usually cares to bring updates.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
False
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011'
False
BIOS version is 14.02. Apparently revoked. No notification about this CVE, just the regular and expected updates revolving around the 13th and 14th gen Intel CPU K-SKU power limit, CPU aging and instability controversy.
Thank you for your assistance on how this could be resolved at scale. If at all, this would also address some existing side-channel vulnerabilities, as we cannot expect the recommendations to have been followed for all devices.
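The two checks in the comment above, wrapped into one function that returns an object per device so the result can be collected across a fleet (the "at scale" question). This is an added example, not code from the post, from the commenter or from Microsoft; the function name and the output field names are my own, and it assumes it runs elevated on a UEFI system where the SecureBoot module is available.

```powershell
# Added example (not from the original post): report Secure Boot certificate
# readiness on one device. Run elevated; Get-SecureBootUEFI needs admin rights.
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $null
        DbHasUefiCa2023   = $null   # new signing CA present in the allow list (db)?
        DbxHasPca2011     = $null   # old production CA present in the revocation list (dbx)?
        Error             = $null
    }

    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI

        # The certificate subject names are stored as ASCII inside the DER blobs,
        # so decoding the raw variable bytes as ASCII and string-matching works,
        # exactly as the one-liners in the comment above do.
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

        $result.DbHasUefiCa2023 = [bool]($db  -match 'Windows UEFI CA 2023')
        $result.DbxHasPca2011   = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    }
    catch {
        # Legacy BIOS boot or no Secure Boot support: the cmdlets throw instead
        # of returning, so record the message rather than abort the whole run.
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Local run:
Get-SecureBootCertStatus

# Fleet run via PowerShell remoting (hypothetical host names), collecting one
# row per device for a readiness report:
# Invoke-Command -ComputerName 'pc01','pc02' -ScriptBlock ${function:Get-SecureBootCertStatus} |
#     Export-Csv -NoTypeInformation -Path .\secureboot-readiness.csv
```

A device is only fully through the transition when both fields are True; a True for the 2023 CA with a False for the 2011 PCA means the new certificate has been trusted but the old one has not yet been revoked.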