sfijndata
Copper Contributor
Aug 22, 2024

Windows Boot Manager not updated

KB5025885 outlines how to update Windows Boot Manager, but build 26257 still has a Windows Boot Manager that is signed with the old "PCA 2011" certificate.

The manual processes in KB5025885 are a real pain (and don't scale), so it would be very annoying if this is not fixed before RTM.

https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
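As an added example (not code from this thread or from the KB article), the check a defender would run to see which CA chain signed the installed boot manager and whether the 2023 CA is already trusted by the firmware. It assumes an elevated PowerShell prompt on a UEFI machine and that S: is a free drive letter.

```powershell
# Added example, not from the thread: inspect the live boot manager's Authenticode
# signature and the Secure Boot 'db' variable. Assumes elevation and a UEFI system.
$espLetter = 'S:'   # assumed free drive letter for the EFI System Partition
mountvol $espLetter /S   # mount the ESP (built-in Windows command)
try {
    $bootmgr = Join-Path $espLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
    $sig = Get-AuthenticodeSignature -FilePath $bootmgr
    $leaf = $sig.SignerCertificate

    Write-Output "bootmgfw.efi signature status : $($sig.Status)"
    Write-Output "Signer certificate issuer      : $($leaf.Issuer)"
    Write-Output "Signer certificate expires     : $($leaf.NotAfter)"

    # The pre-KB5025885 boot manager chains to 'Microsoft Windows Production PCA 2011'.
    if ($leaf.Issuer -match 'PCA 2011') {
        Write-Warning 'Boot manager is still signed by the 2011 production CA chain.'
    }

    # Secure Boot 'db' lists the CAs this firmware trusts; the mitigation requires
    # 'Windows UEFI CA 2023' to be present before the 2023-signed boot manager can run.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $has2023 = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
    Write-Output "Windows UEFI CA 2023 in firmware db : $has2023"
}
finally {
    mountvol $espLetter /D   # always unmount the ESP again
}
```

A machine that reports a PCA 2011 issuer and `False` for the db check has had none of the KB5025885 steps applied yet.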

  • sfijndata, other than the remaining CVE, I am unsure whether it is feasible to pursue this issue / "non-issue", because everything still works weeks after the certificate expired. I wonder why.

    I see a security-related problem, and it remains unclear how Microsoft, OEMs and mainboard retail vendors are going to change the cert without blowing things up. Granted, they are all silent about it. My former "lead" at Asrock is now silent. Nothing is coming in this regard, while I have received a beta BIOS to play with in November.

  • Thanks for checking. I will be curious whether the 14th of November, or that plus 30 days, marks the largest IT outage ever... You have warned them enough, and I didn't get any traction on this either. We can just sit and wait.

    Unfortunately the ticking-timebomb thread on Reddit is no longer there. Just M365.

  •
    sfijndata
    Copper Contributor

    Windows Server 2022 updated to Windows Server 2025 RTM => bootmgfw_2023.efi is signed with a certificate that expires on 14th November 2024, issued by the legacy "PCA 2011" 🤬

    •
      Karl-WE
      MVP

      My attempts to receive information on this situation weren't successful.

      My concerns are high that once this certificate expires, more than a billion Windows Server and client devices with Secure Boot will be affected.

      So far, from the "documentation" on Tech Community, I cannot see any solution that works easily and at scale.

      Plus, it likely requires BIOS updates to update the Secure Boot logic in the UEFI, which we all know will not happen for all devices, either because OEMs do not provide updates and/or because customers and consumers do not push out UEFI updates at scale on their devices.

      If these assumptions are true, the CrowdStrike issue would be declared a shadow of a problem in severity and scale compared to this.

      More information about patching Secure Boot can be found in this collection and blog post.

      It is about WinRE and WinRE patching, but also spans Secure Boot patching. Quite a long story.
      https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/blog-guidance-for-windows-recovery-partition-winre-patching-and/m-p/4129384/highlight/true#M11545

      SochiOgbuanya, could you please help to clarify?

      I strongly agree with sfijndata that Windows Server 2025 should be deployed with the correct certificate, out of the box.

      •
        sfijndata
        Copper Contributor
        Still not fixed in 26311.
        However, bootmgfw.efi in 26311 is signed with a certificate that expires 14th November 2024, so something will happen soon.
  • Second this. My hope and humble expectation is that an in-place upgrade to build 26100 will take care of fixing the certificate for Secure Boot and also close the WinRE security issue with a suitably resized and recreated WinRE partition when upgrading WS 2012 R2 through 2022 to WS 2022.

    Is this something you would like to consider with a dynamic update for Setup?

    •
      Matthew_Stevenson
      Copper Contributor
      Completely agree with this suggestion. Our org will be upgrading to Win 11 24H2 anyway, so it would save us a lot of time if we could avoid the manual process for patching KB5025885.
