Microsoft updated KB5025885 in April 2024 and it came with an
entire new set of requirements. Prior to this update, systems needed to be
updated with security updates released on or after July 11, 2023. However, now
systems need to be updated with the April 2024 security updates (by the way –
you should stay current and update monthly anyway). The reason for this is
because the EFI boot file (bootmgfw.efi) seems to have been updated with a new
signature list. The mitigation steps are back to being manual again, like they
were in 2023 when the KB was initially published. However, the community rocks
and Gary Blok has already published some blogs on automating these steps for testing purposes (see ConfigMgrTask Sequence – KB5025885: How to manage the Windows Boot Manager revocationsfor Secure Boot changes associated with CVE-2023-24932 – GARYTOWN ConfigMgrBlog).
NOTE: Devices that have the revocation enabled will no longer be able to boot existing boot media or use CM PXE or WDS PXE DPs (2Pint Software's iPXE Anywhere works just fine). It is our recommendation to not enable the revocation (step 3 in the KB at the time of this writing), and wait until more information is provided by Microsoft.
WARNING: Once you apply all of the mitigations, you will no longer
be able to use existing boot media. The KB even states “It will be important to
update bootable media once the Deployment Phase begins in your environment.
Guidance and tools for updating media will be provided in time for the
Deployment Phase. The Deployment Phase is scheduled to begin on July 9, 2024.”
Why Microsoft decided to publish this guidance at a later
date is beyond me. Maybe they think people no longer deploy or re-deploy
Windows anymore. Luckily, we have an easy method for updating those boot WIMs to
get you back to deploying good old Windows.
WIM FILE FIX: First thing is to start with a WinPE build that already
has the April 2024 CU applied. In this case, I am using the Windows 11 22H2 ADK
(10.1.22621.1) version of WinPE since that is the most recent ADK version to be
supported by Configuration Manager.
In the KB, they provide the following steps to validate the EFI
file, which should have “Windows UEFI CA 2023” in the signature list. Extract
this file from a system that has the mitigations applied and leave it named
bootmgfw.efi.
md c:\WinPE
mountvol s: /s
copy S:\EFI\Microsoft\Boot\bootmgfw.efi c:\WinPE\bootmgfw.efi
mountvol s: /d
Now we need to get this file into WinPE so that it will be
able to boot a remediated system. I have copied the updated WinPE.wim in C:\WinPE and created a mount directory (C:\WinPE\mount). Start by mounting
the WinPE.wim:
dism /mount-wim /wimfile:C:\WinPE\winpe.3447.24.04.15.wim
/index:1 /mountdir:C:\WinPE\mount
You should see the bootmgfw.efi in C:\WinPE\mount\Windows\Boot\EFI.
Simply copy the new one over the old one, right?
copy C:\WinPE\bootmgfw.efi C:\WinPE\mount\Windows\Boot\EFI
WRONG! It returns “Access is denied.” when attempting to
replace the file. The reason for this is permissions. This file is owned by
Trusted Installer. Even running the process as System will not be able to
replace the file.
Luckily there are a few options:
Option 1: (not recommended but works) is to take ownership
of the file and grant administrators full rights to the file. Then the file can
be updated, and the WIM file saved.
Option 2: Run the copy process as Trusted Installer. There
are a few utilities out there that will launch a process as Trusted Installer. I
used NirSoft AdvancedRun v1.51. Simply run cmd.exe as Trusted Installer and
then copy over the file.
As mentioned above, in addition to the boot image updates, there are other steps that will be required for Microsoft's PXE solutions. Hopefully Microsoft will provide an official method for
updating boot media sooner than later, but until then this method should help a little...