
How to Protect Your System from Black Lotus Vulnerability (CVE-2023-24932)

Secure Boot Protection Against CVE-2023-24932 (Black Lotus)

Microsoft has been working to secure Windows against the Black Lotus bootkit vulnerability (CVE-2023-24932). This exploit targets Secure Boot, the firmware feature that ensures only trusted software runs during startup. By October 2026, Microsoft will phase out the old UEFI certificate (“Windows Production PCA 2011”) and replace it with the “Windows UEFI CA 2023” certificate. Administrators must act now to ensure that systems remain secure.

Which Update Introduces the New Certificate?

The new UEFI certificate was first included in Cumulative Update KB5036210 (February 13, 2024). All updates after this include the required bootloader certificate for Secure Boot compliance post-October 2026.

How Can I Check If My System Has the New Certificate?

  1. Look for this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
  2. Check the value of WindowsUEFICA2023Capable:
    • 0x40: Certificate is installed.
    • 0x0: Certificate is missing.

Are New Certificates Preloaded by OEMs?

Some manufacturers may have already integrated the new certificates. To verify:

  1. Enter your system’s UEFI/BIOS settings during startup.
  2. Navigate to: Secure Boot Keys > Authorized Signatures (db)
  3. Look for “Windows UEFI CA 2023.”

What Administrators Need to Do

Install the New Certificate

  • Ensure that your system receives updates containing the “Windows UEFI CA 2023” certificate.
  • Use registry keys or scripts (like the one provided below) to confirm or install certificates.

Check and Update Bootloaders

  • Verify if your bootloader is signed with the new certificate.
  • Update it if necessary using tools or scripts.

Block Old Certificates

Prevent systems from using outdated certificates by blocking them in the UEFI dbx (revocation list).

Prepare for Enforcement

The enforcement phase begins in January 2026. Ensure all systems comply before this deadline.
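The registry, db and dbx checks from the sections above as one read-only PowerShell audit, added here and not part of the original post or of the batch script that follows. It parses the db and dbx variables as EFI_SIGNATURE_LIST structures and compares X.509 subjects, so a string that merely occurs somewhere in the variable bytes cannot produce a false positive; it assumes an elevated PowerShell session on a UEFI system (Get-SecureBootUEFI requires one).

```powershell
# Added example, not part of the original post: decode the UEFI db/dbx variables as
# EFI_SIGNATURE_LIST structures and compare certificate subjects, instead of matching the
# raw variable bytes against an ASCII string. Run in an elevated PowerShell on a UEFI system.
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-UefiSignatureEntries {
    param([Parameter(Mandatory)][ValidateSet('db', 'dbx')][string]$Variable)
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $pos = 0
    while (($pos + 28) -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed EFI_SIGNATURE_LIST at offset $pos" }
        $entry = $pos + 28 + $headerSize
        while (($entry + $sigSize) -le ($pos + $listSize)) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData (DER certificate or hash)
            $data = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Variable = $Variable; Kind = 'X509'; Value = $cert.Subject; Thumbprint = $cert.Thumbprint }
            } elseif ($type -eq $EfiCertSha256) {
                [pscustomobject]@{ Variable = $Variable; Kind = 'SHA256'; Value = ([BitConverter]::ToString($data) -replace '-'); Thumbprint = $null }
            }
            $entry += $sigSize
        }
        $pos += $listSize
    }
}

# Exact-subject checks for the two certificates the page discusses.
$db  = Get-UefiSignatureEntries -Variable db
$dbx = Get-UefiSignatureEntries -Variable dbx
$newInDb  = $db  | Where-Object { $_.Kind -eq 'X509' -and $_.Value -like 'CN=Windows UEFI CA 2023,*' }
$oldInDbx = $dbx | Where-Object { $_.Kind -eq 'X509' -and $_.Value -like 'CN=Microsoft Windows Production PCA 2011,*' }
# Servicing flag described on the page (0x40 = certificate installed); absent on unpatched systems.
$capable = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable
[pscustomobject]@{
    'Windows UEFI CA 2023 in db'         = [bool]$newInDb
    'Windows Production PCA 2011 in dbx' = [bool]$oldInDbx
    'WindowsUEFICA2023Capable'           = if ($null -eq $capable) { 'missing' } else { '0x{0:X}' -f $capable }
    'dbx hash entries'                   = @($dbx | Where-Object Kind -eq 'SHA256').Count
}
```

The audit changes nothing; it only reads the two UEFI variables and one registry value, so it is safe to run fleet-wide before deciding which systems still need the steps below.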

A Script to Automate Certificate Installation

The following batch script can help administrators automate these tasks. It checks for the new certificate in the UEFI db, checks the boot manager's signature, and checks that the old certificate is in the UEFI dbx; for each step that is still missing, it sets the AvailableUpdates registry value that makes Windows apply that step over the next two reboots, after which the script is run again:

@ECHO OFF
@REM Author: RF
@REM Date: 31.01.2025
@REM KB5025885

REM TODO
REM reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
REM 2x Reboot
REM
REM powershell -command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'"
REM
REM reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
REM 2x Reboot
REM
REM mountvol Q: /s && copy "Q:\EFI\Microsoft\Boot\bootmgfw.efi" "%TEMP%\bootmgfw.efi" && mountvol Q: /d
REM Check the signature of %TEMP%\bootmgfw.efi
REM
REM reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f
REM 2x Reboot
REM
REM powershell -command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011'"
REM
REM reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
REM 2x Reboot

@ECHO.
@ECHO %~nx0 %*

REM ****************************************************************************
REM Check for administrator privileges (net session fails without elevation)
"%windir%\System32\net.exe" session >nul 2>nul
REM ECHO ErrorLevel: %errorlevel%

IF ERRORLEVEL 1 (
ECHO.
ECHO Error: %~nx0
ECHO Administrator privileges required
ECHO.
Pause
Exit /b 1
)

REM ****************************************************************************
SETLOCAL
SET $CWD=%CD%
SET $CERT_OLD=Microsoft Windows Production PCA 2011
SET $CERT_NEW=Windows UEFI CA 2023
SET $OUT=%TEMP%\~%~n0.txt

CD /D "%~dp0"
REM CD /D "%~1"

REM ****************************************************************************
ECHO Check new Certificate installed in UEFI db (%$CERT_NEW%)
ECHO.

> "%$OUT%" powershell.exe -command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match '%$CERT_NEW%'"
> NUL "%windir%\System32\find.exe" /I "True" "%$OUT%"
REM ECHO %ERRORLEVEL%
IF "0"=="%ERRORLEVEL%" GOTO :DB_OK

REM ****************************************************************************
ECHO.
ECHO ERROR: new Certificate is not installed in UEFI db.
ECHO.
SET /P $ANSWER="Do you want to install new Certificate in UEFI db? [Y/N] "
IF /I NOT "Y"=="%$ANSWER%" GOTO :ENDE

REM ****************************************************************************
ECHO.
ECHO Add Reg Key
ECHO.
"%windir%\System32\REG.EXE" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot" /v AvailableUpdates /t REG_DWORD /d 0x40 /f

ECHO.
ECHO Please reboot twice and run this script again
ECHO.
GOTO :ENDE

REM ****************************************************************************
:DB_OK
ECHO new Certificate is installed in UEFI db (%$CERT_NEW%).
ECHO.

REM ****************************************************************************
ECHO Check Signature of BootLoader (%$CERT_NEW%)
ECHO.
"%windir%\System32\mountvol.exe" Q: /S
> NUL COPY /Y "Q:\EFI\Microsoft\Boot\bootmgfw.efi" "%TEMP%\bootmgfw.efi"
"%windir%\System32\mountvol.exe" Q: /D

> NUL "%windir%\System32\find.exe" /I "%$CERT_NEW%" "%TEMP%\bootmgfw.efi"
REM ECHO %ERRORLEVEL%
IF "0"=="%ERRORLEVEL%" GOTO :BOOT_OK

> NUL "%windir%\System32\find.exe" /I "%$CERT_OLD%" "%TEMP%\bootmgfw.efi"
IF "0"=="%ERRORLEVEL%" ECHO BootLoader is signed with old Certificate "%$CERT_OLD%"

REM ****************************************************************************
ECHO.
ECHO ERROR: BootLoader is not signed with new Certificate.
ECHO.
SET /P $ANSWER="Do you want to update the BootLoader? [Y/N] "
IF /I NOT "Y"=="%$ANSWER%" GOTO :ENDE

REM ****************************************************************************
ECHO.
ECHO Add Reg Key
ECHO.
"%windir%\System32\REG.EXE" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot" /v AvailableUpdates /t REG_DWORD /d 0x100 /f

ECHO.
ECHO Please reboot twice and run this script again
ECHO.
GOTO :ENDE

REM ****************************************************************************
:BOOT_OK
ECHO BootLoader is signed with new Certificate (%$CERT_NEW%).
ECHO.

REM ****************************************************************************
ECHO Check old Certificate blocked in UEFI dbx (%$CERT_OLD%)
ECHO.

> "%$OUT%" powershell.exe -command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match '%$CERT_OLD%'"
> NUL "%windir%\System32\find.exe" /I "True" "%$OUT%"
REM ECHO %ERRORLEVEL%
IF "0"=="%ERRORLEVEL%" GOTO :DBX_OK

REM ****************************************************************************
ECHO.
ECHO ERROR: old Certificate is not blocked in UEFI dbx.
ECHO.
SET /P $ANSWER="Do you want to block the old Certificate in UEFI dbx? [Y/N] "
IF /I NOT "Y"=="%$ANSWER%" GOTO :ENDE

REM ****************************************************************************
ECHO.
ECHO Add Reg Key
ECHO.
"%windir%\System32\REG.EXE" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot" /v AvailableUpdates /t REG_DWORD /d 0x80 /f

ECHO.
ECHO Please reboot twice and run this script again
ECHO.
GOTO :ENDE

REM ****************************************************************************
:DBX_OK
ECHO old Certificate is blocked in UEFI dbx.
ECHO.

REM ****************************************************************************
REM TODO
REM "%windir%\System32\REG.EXE" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot" /v AvailableUpdates /t REG_DWORD /d 0x200 /f

REM ****************************************************************************
:ENDE
ECHO bye
PAUSE
CD /D "%$CWD%"
ENDLOCAL
GOTO :EOF

Disclaimer: Use at your own risk; test on non-production systems first.

Failing to update certificates could leave systems vulnerable to exploits like Black Lotus. Proactive updates ensure compliance and security.