Event details
Whether you're actively managing device security or planning your next steps, this AMA is your opportunity to connect directly with Microsoft experts and get clear, actionable guidance on updating Se...
Heather_Poulsen
Updated Jun 04, 2026
VicMastandrea
May 26, 2026
Occasional Reader
We tested mitigating BlackLotus (Windows UEFI 2011 -> DBX). 0x80 applied to test devices, then to pilot devices. No problems.
It was decided to not mitigate BlackLotus. Is there a way to remove the Windows UEFI 2011 from the DBX, outside of booting into BIOS and resetting Secure Boot keys to factory defaults?
mihi
Jun 04, 2026
Iron Contributor
There is no way to undo DBX revocations from inside the operating system. (Think about it, otherwise BlackLotus could do that as well). So you will have to do that from within the firmware setup somehow - if there is no separate option to undo DBX updates (which I've seen only very rarely), you'd have to restore the keys to factory defaults, properly taking care of BitLocker and/or SecureBootRecovery in that process, if applicable.