secure boot
Applying the fix for KB5025885 (CVE-2023-24932)
In reference to this article: https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

In late August, I created a series of scripts that perform the steps described in the article. This worked fine for 30 to 40 PCs over the next few weeks. I stopped as I had other tasks to attend to. Today, I decided to resume. A Surface Go 2 and a Lenovo E590 both fail to apply it. Both machines have the latest 2024-10 Cumulative Update (newer than is required). Both machines are Secure Boot enabled. Both machines are rebooted twice before proceeding to the next step (e.g. making a registry change). Both machines return "false" to both Get-SecureBootUEFI commands (which verify whether applying the fix was successful), for a total of 8 reboots. Machines on which my scripts were successful still return "true" for both Get-SecureBootUEFI commands. Has something changed?

Unexpected behavior of Set-SecureBootUEFI with the -ContentFilePath parameter
I'm using the following 3 commands to add a new key to my Secure Boot db:

$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -ContentFilePath .\FormattedContent.bin -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
Set-SecureBootUEFI -ContentFilePath .\FormattedContent.bin -SignedFilePath GeneratedFileToSign.bin.p7

The first two commands succeed, but Set-SecureBootUEFI unexpectedly produces the following prompt:

Supply values for the following parameters:
Name:

Shouldn't it be able to obtain the name from FormattedContent.bin? This behavior isn't described anywhere in the documentation (https://docs.microsoft.com/en-us/powershell/module/secureboot/set-securebootuefi?view=windowsserver2022-ps) and is contrary to the behavior shown in example 2, where the command succeeds without any further prompt. I entered "db", and then it prompted:

Time:

Again, this should have been obtained from `FormattedContent.bin`, and the behavior isn't documented anywhere.
When I repeated everything in the same session with a slight modification, Set-SecureBootUEFI succeeds immediately:

$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";$ObjectFromFormat=Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
$ObjectFromFormat | Set-SecureBootUEFI -SignedFilePath GeneratedFileToSign.bin.p7

The only difference between the two sets of commands is that the first outputs the formatted data to a file, which is then supplied as a parameter to Set-SecureBootUEFI, while the second outputs the formatted data to a PowerShell object, which is then piped to Set-SecureBootUEFI. Functionally both are identical, and it is puzzling why they have different behavior.
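An added example that serves both the KB5025885 post above and this Set-SecureBootUEFI thread; it is editor-written PowerShell, not code from either poster or from Microsoft. It decodes the raw bytes that Get-SecureBootUEFI returns as EFI_SIGNATURE_LIST structures (the UEFI layout: a 16-byte signature type GUID, three little-endian UINT32 sizes, then EFI_SIGNATURE_DATA entries of an owner GUID plus payload). With the lists decoded, the db and dbx checks of the kind the KB article uses ("Windows UEFI CA 2023" present in db, "Windows Production PCA 2011" present in dbx) can be re-done on certificate subjects instead of a substring search over bytes, and a freshly appended dbKey.cer can be confirmed by thumbprint. The function names, the dbKey.cer path, and the requirement to run elevated on a Secure Boot-enabled UEFI machine are assumptions.

```powershell
# Added example (editor-written, not from the thread or from Microsoft).
# Decodes Secure Boot variables into EFI_SIGNATURE_LIST entries so that db/dbx
# state can be checked on parsed certificates rather than on raw bytes.
# Assumes: elevated PowerShell on a UEFI machine with Secure Boot enabled and
# the built-in SecureBoot module (Get-SecureBootUEFI) available.

$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # entry payload is a DER X.509 cert
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # entry payload is a SHA-256 hash

function Get-SecureBootSignatureEntries {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then
        # SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each)
        if ($bytes.Length - $offset -lt 28) { throw "Truncated EFI_SIGNATURE_LIST header in $Name at offset $offset" }
        $type       = [guid][byte[]]$bytes[$offset..($offset + 15)]
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        $end = $offset + $listSize
        if ($listSize -lt 28 -or $end -gt $bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }

        # EFI_SIGNATURE_DATA entries follow the (normally empty) list header:
        # SignatureOwner GUID (16 bytes) then SignatureData (SignatureSize - 16 bytes)
        $pos = $offset + 28 + $headerSize
        while ($pos + $sigSize -le $end) {
            $owner = [guid][byte[]]$bytes[$pos..($pos + 15)]
            [byte[]]$data = $bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [pscustomobject]@{
                Variable = $Name; Type = $type; Owner = $owner
                Subject = $null; Thumbprint = $null; Hash = $null
            }
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Subject    = $cert.Subject
                $entry.Thumbprint = $cert.Thumbprint
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $entry.Hash = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            $entry
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Test-KB5025885State {
    # The two success conditions from the KB article, evaluated on decoded subjects:
    # the 2023 CA must be present in db and the 2011 production PCA must be in dbx.
    $db  = Get-SecureBootSignatureEntries -Name db
    $dbx = Get-SecureBootSignatureEntries -Name dbx
    [pscustomobject]@{
        UefiCa2023InDb = [bool]($db  | Where-Object Subject -match 'Windows UEFI CA 2023')
        Pca2011InDbx   = [bool]($dbx | Where-Object Subject -match 'Windows Production PCA 2011')
    }
}

function Test-CertificateInSecureBootDb {
    # True when the certificate in the given .cer file is already an X.509 entry in db.
    param([Parameter(Mandatory)][string]$CertificatePath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CertificatePath).Path)
    [bool](Get-SecureBootSignatureEntries -Name db | Where-Object Thumbprint -eq $cert.Thumbprint)
}

# Usage (dbKey.cer is the assumed file name from the thread):
Get-SecureBootSignatureEntries -Name db | Format-Table Owner, Subject, Hash -AutoSize
Test-KB5025885State
Test-CertificateInSecureBootDb -CertificatePath .\dbKey.cer   # run once before and once after Set-SecureBootUEFI
```

On the prompt in the post: as I read the cmdlet's documented parameter sets, -Name and -Time are mandatory next to -ContentFilePath and -SignedFilePath, and -AppendWrite is a separate switch, because the content file holds only the signature-list bytes; the object that Format-SecureBootUEFI emits carries Name, Time, AppendWrite and Content as properties that bind to those parameters when piped, which is why the second form does not prompt. The file-based form therefore needs `-Name db -Time $CurrentTime -AppendWrite` spelled out, and -AppendWrite is the dangerous one to forget: a non-append write replaces db with only the new certificate, after which firmware will no longer verify anything signed under the Microsoft CAs, Windows Boot Manager included. Running Test-CertificateInSecureBootDb after the write, and confirming the Microsoft entries are still listed, is the check that catches that.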
Is it safe to disable secure boot in the UEFI for installing Linux OS?

I needed to install Debian wheezy a couple of years ago, and the computer wouldn't boot to the Linux SSD (a separate solid-state drive) unless I disabled Secure Boot in the UEFI (Unified Extended Firmware Interface). So I disabled it. Does it make Windows 10 less secure? I read somewhere that without this option enabled malicious software, adware, spyware, viruses, rootkits, trojans, keyloggers, ransomware, worms, etc. can gain control of my PC, like in legacy, deprecated versions of Windows. So now when I boot into Linux I disable the option, and when I am working in Windows I enable it. It's kind of annoying. Hence this question.

Error P2V with UEFI Secure Boot to Hyper-V
NEED YOUR HELP! We are failing to convert a few physical machines to Hyper-V (W2012 R2) due to UEFI Secure Boot on the physical machines. The physical machines are running Windows 2008 R2 Server or Windows 2012 Server. During the conversion process, we got the error shown in the attached image.
-- Could someone help us to resolve this issue?
-- How can Secure Boot be disabled?
-- How can we convert the physical machines to Hyper-V based on Generation 2?
-- Is there any converter tool that supports the conversion to Hyper-V on Windows 2012 R2 or 2016?