SmartDeploy boot media revocations for Secure Boot changes associated with CVE-2023-24932 and Microsoft KB5025885

On May 9th, 2023, Microsoft began a phased mitigation process for the vulnerability designated CVE-2023-24932, a publicly disclosed Secure Boot bypass vulnerability leveraged by the BlackLotus UEFI bootkit, which can allow a malicious actor with physical or administrative access to a device to bypass Secure Boot protections.

This mitigation is described in detail in Microsoft's KB5025885 article. We encourage all SmartDeploy users to read that article in full, take note of the impact of the mitigation, and exercise all appropriate caution before applying it.

The mitigation steps (which include installing a Windows Update package and then changing the boot configuration on the device itself) apply to a particular device, not to a particular operating system instance installed on that device. The revocation is written into the firmware's Secure Boot variables (the forbidden-signatures database, DBX, plus the updated allowed-signatures database, DB), which live in the system firmware rather than on the disk. Reimaging or wiping the hard drive of a mitigated device therefore does not remove the mitigation. This means that after you have mitigated a specific device, you will not be able to use any previously created Windows bootable media (including all SmartDeploy USB and WDS boot media) to boot that device: the boot manager on that media is signed by the certificate the device now refuses, so Secure Boot rejects it.

SmartDeploy 3.0.1080 has been updated for compatibility with this mitigation, so we recommend updating to the latest version and re-running Media Wizard to recreate your media. This will allow you to boot all of your devices, whether they have had the mitigation applied or not, using the updated media.
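The following PowerShell script is an added example for this article; it is not code from SmartDeploy or Microsoft. It gives you two checks before you reimage: whether a given device has already had the KB5025885 revocation applied (read from the firmware's Secure Boot variables, the same DB/DBX databases the KB article describes), and which certificate authority signed the boot manager on a piece of boot media, so you can tell old media from recreated media. It assumes an elevated PowerShell session on a UEFI system, that the media is mounted at drive E: and follows the standard UEFI removable-media layout (`E:\EFI\Boot\bootx64.efi`), and that the CA names appear in the subject or issuer of the signer certificate; those assumptions are marked in the code.

```powershell
# Added example (not SmartDeploy's or Microsoft's code). Run from an elevated
# PowerShell prompt on a UEFI system; Get-SecureBootUEFI fails on legacy BIOS.

function Get-KB5025885DeviceState {
    # The KB5025885 mitigation adds the "Windows UEFI CA 2023" certificate to the
    # allowed-signatures database (db) and the "Microsoft Windows Production PCA 2011"
    # certificate to the forbidden-signatures database (dbx). Both databases are
    # firmware variables, so they survive reimaging. The DER-encoded certificates
    # carry their CN as plain ASCII, which is why a string match is sufficient.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    [pscustomobject]@{
        SecureBootEnabled = Confirm-SecureBootUEFI
        NewCaTrusted      = $db  -match 'Windows UEFI CA 2023'
        OldCaRevoked      = $dbx -match 'Microsoft Windows Production PCA 2011'
    }
}

function Test-BootManagerSignature {
    param(
        # Assumption: the media uses the standard UEFI removable-media boot path,
        # e.g. E:\EFI\Boot\bootx64.efi for a USB stick mounted as E:.
        [Parameter(Mandatory)] [string] $Path
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        throw "$Path carries no Authenticode signature; Secure Boot will not load it."
    }

    # Assumption: the CA name appears in the signer certificate's subject or issuer.
    # Boot managers signed before the change chain to the 2011 PCA, which a
    # mitigated device now has in dbx; recreated media must chain to the 2023 CA.
    $names = $cert.Subject + ' ' + $cert.Issuer
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $cert.Subject
        Issuer          = $cert.Issuer
        SignedBy2023CA  = $names -match 'Windows UEFI CA 2023'
        SignedBy2011CA  = $names -match 'Windows Production PCA 2011'
    }
}

# Usage (drive letter E: is an assumption):
Get-KB5025885DeviceState
Test-BootManagerSignature -Path 'E:\EFI\Boot\bootx64.efi'
```

Read the two results together: a device reporting `OldCaRevoked = True` will only boot media whose boot manager reports `SignedBy2023CA = True`, while media that only reports `SignedBy2011CA = True` is pre-mitigation media that needs to be recreated with the updated Media Wizard. `Confirm-SecureBootUEFI` returning `False` means the firmware is not enforcing Secure Boot at all, in which case the revocation is not being checked on that device.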

As of this writing, Microsoft plans to add easier, automated deployment of the revocation files in July 2023, and begin mandatory installation and enforcement of these revocations in Q1 2024.

We encourage you to check Microsoft's KB5025885 article for the latest information, and please feel free to reach out to SmartDeploy Support with any questions.
