What System Administrators Need to Know About May’s KB5025885 Patches

By Bryan Dam

Microsoft’s May security updates partially address CVE-2023-24932, the Secure Boot bypass exploited by the BlackLotus UEFI bootkit, which builds on a much older Secure Boot vulnerability called Baton Drop (CVE-2022-21894). I say partially because the security updates alone will not protect your devices from either vulnerability. To be protected, administrators must take additional remediation steps that are not exactly pleasant.

NOTE: This blog will be updated as additional information and guidance is released.

May’s Patches Are Safe to Install!

At least, they’re as safe as any other Windows update release. Nothing you read here should cause you to slow your rollout of May’s security updates. Merely installing them will not cause any of the impacts discussed in this post, so continue with your typical rollout plan, then use the information here to start internal discussions about what next steps, if any, to take.

What is BlackLotus (CVE-2023-24932)?

Microsoft has assigned this a CVSS base score of 6.7, which isn’t great but isn’t earth-shattering either. BlackLotus is considered to have low attack complexity and does not require user interaction, but the vulnerability requires administrative rights: in practice, the attacker needs to be a local administrator to install the bootkit. That makes BlackLotus one of the infinite number of bad things a local administrator can install or do. What sets it apart is that it persists below the operating system, which is why the cleanup is so drastic.

That being said, the remediation steps for an infected device are not pretty. Microsoft’s current remediation guidance (here) is to wipe the entire drive, removing all partitions. In addition, because BlackLotus modifies the UEFI configuration stored in NVRAM, you may also need to reset or reconfigure the firmware to remove all traces. How bad that is depends on your standard operating procedure for malware remediation; if wipe-and-reimage is what you already do, BlackLotus isn’t unique in that regard. Note that neither May’s security updates nor the proactive steps below will fix an infected machine: they stop the bootkit from being installed, they do not remove it. Anything that is infected needs to be nuked and paved.

How Can I Protect My Devices?

I’m not going to sugarcoat this: it’s gross.
Microsoft’s Knowledge Base article (here) outlines the following steps to protect your devices:

  • Install May’s security update.
  • Installing the update requires a reboot, so reboot the device.
  • On every device, copy the Code Integrity Boot Policy file to the EFI system partition:

mountvol q: /S

xcopy %systemroot%\System32\SecureBootUpdates\SKUSiPolicy.p7b q:\EFI\Microsoft\Boot

mountvol q: /D

  • Apply the Secure Boot UEFI Forbidden List (DBX) registry value.
    • Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot\AvailableUpdates (DWORD) value to 0x10
  • Reboot the device.
  • Wait 5 minutes. No, I’m not kidding.
  • Reboot again.
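The following PowerShell is an added example, not code from the post or from KB5025885. It wraps the copy and registry steps above so they can be pushed from a management tool with the checks a practitioner would want: it refuses to run if Secure Boot is off or the update’s SKUSiPolicy.p7b is not yet on disk, verifies the copy to the ESP by hash, always dismounts the ESP, and leaves the two reboots to you. The drive letter Q:, the function names, and the use of System-log events 1035 and 1036 from Microsoft-Windows-TPM-WMI as confirmation that the DBX and policy were applied are assumptions made here, not statements from the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the post or from KB5025885. Assumes the May update is
# installed and the device has rebooted once, that Q: is a free drive letter, and that
# System-log events 1035/1036 from Microsoft-Windows-TPM-WMI confirm the DBX and policy
# application (assumed IDs; check them against the KB's verification section).
param([switch]$Verify)

$PolicySource  = Join-Path $env:SystemRoot 'System32\SecureBootUpdates\SKUSiPolicy.p7b'
$EspPolicyPath = 'Q:\EFI\Microsoft\Boot\SKUSiPolicy.p7b'
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

function Invoke-WithEsp {
    # Mount the EFI system partition as Q:, run the block, and always dismount it again.
    param([scriptblock]$Action)
    mountvol Q: /S | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'mountvol could not mount the EFI system partition as Q:.' }
    try     { & $Action }
    finally { mountvol Q: /D | Out-Null }
}

function Test-MitigationPrereq {
    # The DBX update is meaningless with Secure Boot off, and the policy file only
    # exists on disk once the May update has been installed.
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is disabled on this device.' }
    if (-not (Test-Path $PolicySource)) { throw "Not found: $PolicySource. Install the May update and reboot first." }
    $true
}

function Copy-BootPolicyToEsp {
    # Same copy as the KB's xcopy step, verified by hash rather than trusted blindly.
    Invoke-WithEsp {
        Copy-Item -Path $PolicySource -Destination $EspPolicyPath -Force
        $src = (Get-FileHash -Path $PolicySource -Algorithm SHA256).Hash
        $dst = (Get-FileHash -Path $EspPolicyPath -Algorithm SHA256).Hash
        if ($src -ne $dst) { throw 'SKUSiPolicy.p7b on the ESP does not match the source file.' }
        $dst
    }
}

function Enable-DbxUpdate {
    # 0x10 tells the Secure Boot servicing task to apply the forbidden list (DBX)
    # update on the next boot; this is exactly the value the KB specifies.
    New-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -PropertyType DWord -Value 0x10 -Force | Out-Null
    (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates).AvailableUpdates
}

function Test-MitigationApplied {
    # For use after reboot / 5-minute wait / reboot: is the policy on the ESP, and did
    # the servicing task log the confirmation events (assumed IDs, see header)?
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1035, 1036
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyOnEsp      = Invoke-WithEsp { Test-Path $EspPolicyPath }
        DbxUpdateEvent   = [bool]($events | Where-Object Id -eq 1035)
        BootPolicyEvent  = [bool]($events | Where-Object Id -eq 1036)
        AvailableUpdates = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    }
}

if ($Verify) {
    Test-MitigationApplied
} else {
    # Stage the mitigation. Reboots are left to the deployment tool on purpose:
    # reboot, wait at least 5 minutes, reboot again, then run this script with -Verify.
    Test-MitigationPrereq | Out-Null
    Copy-BootPolicyToEsp  | Out-Null
    Enable-DbxUpdate      | Out-Null
    'Staged: reboot, wait 5 minutes, reboot again, then re-run with -Verify.'
}
```

Run it once without parameters to stage the change, let your deployment tool handle the two reboots and the wait, then run it with -Verify and collect the resulting object as your compliance record. Because the script never reboots on its own, it is safe to target at a pilot collection before you commit to the breaking changes described in the next section.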

Are There Impacts for Existing Devices?

Yes, yes, there are. Once a device is protected, the updated DBX revokes the older Windows boot managers, so Secure Boot will refuse to run anything that still carries one and has not been updated with May’s security updates. That includes, among other things, any existing Windows Recovery partitions or boot media you may have. In practice, all your existing Microsoft Deployment Toolkit (MDT) or Configuration Manager (ConfigMgr) boot media used to boot from USB or PXE will cease to function on protected devices.

Microsoft has released guidance (here) on applying May’s security updates to boot media by offline servicing it with DISM, and you can find detailed instructions on doing so here. Consider updating the boot image included in the Windows ADK’s Windows PE add-on rather than the boot images MDT or ConfigMgr generate: that way, any customization those tools apply is layered on top of the updated base image instead of being wiped out when the generated image is replaced.
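As an added example (not Microsoft’s guidance or the post’s own code), the script below offline-services a WinPE boot.wim with the May cumulative update using the DISM PowerShell module, and checks the one thing that matters for the DBX revocation: that the boot manager inside the image actually changed. It works on a copy of the wim, discards the mount on any failure, and exports a clean image at the end. All paths, the update file name and the image index are placeholders and assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's guidance or the post's code. Offline-services a WinPE
# boot.wim with the May cumulative update so the boot manager inside it is one the
# updated DBX still accepts. All paths and the update file name are placeholders.
param(
    [string]$BootWim   = 'C:\ADK\WinPE\boot.wim',        # copy of the ADK WinPE add-on image
    [string]$UpdateMsu = 'C:\Updates\May-LCU-x64.msu',   # placeholder name for the May LCU
    [int]   $Index     = 1,
    [string]$MountDir  = 'C:\Mount\WinPE'
)
Import-Module Dism

function Get-BootMgrVersion {
    # The file the DBX revocation actually bites on: the boot manager shipped in the wim.
    param([string]$Root)
    (Get-Item (Join-Path $Root 'Windows\Boot\EFI\bootmgfw.efi')).VersionInfo.FileVersion
}

function Update-WinPeImage {
    param([string]$BootWim, [string]$UpdateMsu, [int]$Index, [string]$MountDir)
    foreach ($p in $BootWim, $UpdateMsu) { if (-not (Test-Path $p)) { throw "Missing: $p" } }
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

    # Service a copy so a failed run never leaves the ADK's own wim half-written.
    $work = Join-Path (Split-Path $BootWim) 'boot.serviced.wim'
    Copy-Item -Path $BootWim -Destination $work -Force

    Mount-WindowsImage -ImagePath $work -Index $Index -Path $MountDir | Out-Null
    try {
        $before = Get-BootMgrVersion $MountDir
        # For WinPE images whose servicing stack predates the combined SSU+LCU packages,
        # add the servicing stack update first with this same cmdlet.
        Add-WindowsPackage -Path $MountDir -PackagePath $UpdateMsu | Out-Null
        $after = Get-BootMgrVersion $MountDir
        if ($after -eq $before) {
            Write-Warning "bootmgfw.efi is still $before; the package did not change the boot manager."
        }
        # Drop superseded components so the wim does not balloon (standard WinPE servicing step).
        & dism.exe "/Image:$MountDir" /Cleanup-Image /StartComponentCleanup /ResetBase | Out-Null
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    }
    catch {
        Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
        throw
    }

    # Export to a fresh file: -Save appends to the wim, export leaves the stale blocks behind.
    $final = Join-Path (Split-Path $BootWim) 'boot.updated.wim'
    if (Test-Path $final) { Remove-Item -Path $final -Force }
    Export-WindowsImage -SourceImagePath $work -SourceIndex $Index -DestinationImagePath $final | Out-Null
    Remove-Item -Path $work -Force

    [pscustomobject]@{ BootMgrBefore = $before; BootMgrAfter = $after; UpdatedImage = $final }
}

Update-WinPeImage -BootWim $BootWim -UpdateMsu $UpdateMsu -Index $Index -MountDir $MountDir
```

Point ConfigMgr or MDT at boot.updated.wim (or replace the ADK’s WinPE base image with it), then regenerate and redistribute your boot images; those tools build both PXE and USB media from that image, so the boot manager it contains is the one a protected device will be asked to trust.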

What Should I Do? When?

First, apply May’s security updates. There’s no reason not to.

Second, internally discuss whether the risks posed by BlackLotus outweigh the challenges involved in rolling out the changes needed to be protected.

Third, review your backup strategy. Any full-disk backups or system restore points taken without May’s security updates may no longer boot on devices that have been protected.

As Microsoft has done in the past for significant breaking changes like this, these security updates represent only the initial phase of solving the problem. In July, Microsoft plans to begin a second phase by providing an automated method to enable the Secure Boot protection and update existing recovery partitions. Then, in the first quarter of 2024, Microsoft plans to release updates that enforce the protection on all devices, making it mandatory. However, Microsoft has yet to commit to providing a new Windows PE release for the Windows ADK that includes the needed updates. If you have a Microsoft Technical Account Manager (TAM) or Customer Success Account Manager (CSAM), I recommend contacting them to ‘encourage’ them to do so.
