Windows 10: Issues with Dell Optiplex after Release KB5025885: Windows Boot Manager revocations for...

Hello all,We have noticed changes in the Bitlocker Event Manager on some Optiplex from Dell after the update release. Several reboots were performed and the system goes into Bitlocker recovery mode, we also had cases where the boot order was changed. After we started investigating this issue, we found the release based on the Microsoft link see link Microsoft says that this is not enabled by default. see link https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a

:)

 

KB5025885: APPLY revocations to protect against the vulnerability in CVE-2023-24932.

I follow this KB KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

After installing the Windows updates released on or after July 11, 2023, open a Command Prompt window running as an Administrator, type the following command and then press Enter:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f

The value of AvailableUpdates, set as REG_DWORD with a value of 0x30 and enforced through either manual resetting or Group Policy Object (GPO), consistently reverts back to its default value of 0. This issue occurs across both Windows 10 and Windows 11 workstations.

Best regards,

 

Using Bcdboot repair after appling Windows Boot Manager revocations for Secure Boot changes

I already applied applied the Windows Boot Manager revocations for Secure Boot changes referring to this:

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

My question: I did a disk restore but no boot, so I formatted the fat32 efi partition and using Bcdboot repaired the booting. Which I have done many times as needed over the years.

But now with the revocations for Secure Boot, does using Bcdboot like I did affect the revocations?

Note the not booting had nothing to do with the revocations, I restored to a different size drive using Acronis and restored one partition at a time. I have done this before as well.

I only need to know if Bcdboot affects the revocations.

 

Black Lotus Revocation Issue: Should I Be Worried About The Digital Signature Timestamp Difference?

Hello All I was trying to harden up my Windows 10 Enterprise install and I had what I thought might be a little issue. I was following the instructions for the Black Lotus set of revocations for the my boot manager detailed here When I got to the end of step 2 (part D.: step IV) I checked the digital signatures on bootmgfw_2023.efi and everything was matching what was to be expected from the article except for the date listed in the digital signature page was a little more than 7 days off. This made me worry and I was just wondering if I should be worried and if so, how I should fix the problem. I've tried resyncing my clock but that didn't seem to do anything. I've attached images here for comparison between the image in the article and the picture I took of my laptop when I was at that same step. Thank you .