Changes to Windows Boot Manager revocations for Secure Boot, effective July 9, 2024

Follow the new guidelines to deploy changes across enterprises and understand how the new Windows Boot Manager self-revocation works. These new guidelines are part of a plan with five phases to deploy protections against the publicly disclosed Secure Boot security feature bypass (CVE-2023-24932).The Deployment Phase is now in effect and documented in the updated KB5025885. This new phase starts with changes introduced by the July 2024 Windows security update. Learn more about these changes at KB...

• Initial Deployment phase: This phase started with updates released on May 9, 2023, and provided basic mitigations with manual steps to enable those mitigations.
• Second Deployment phase: This phase started with updates released on July 11, 2023, which added simplified steps to enable the mitigations for the issue.
• Evaluation phase: This phase started on April 9, 2024, and added additional Boot Manager mitigations.
• Deployment phase: Starting with the July 9, 2024 update, we encourage all customers to begin deploying the mitigations and updating media.
• Enforcement phase: The date for this phase will be announced in the future. The Enforcement phase will make the mitigations permanent. We are now in the Deployment phase. In this phase, we add support for Secure Version Number (SVN) to block older Boot Managers. This update installs a new Boot Manager that has an SVN, and it allows you to set the same SVN in the firmware.

1. Update the certificate definitions.
2. Update the Boot Manager.
3. Enable the revocations.
4. Apply the SVN update to the firmware.

• Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
• Secure Boot
• Enable Secure Boot on enrolled Windows devices
• For events that are generated when applying DBX updates, see KB5016061: Addressing vulnerable and revoked Boot Managers.