In May 2023, NIST published a vulnerability (CVE-2023-24932) that allows an attacker to bypass Secure Boot on a device (https://nvd.nist.gov/vuln/detail/CVE-2023-24932).
All Windows devices with Secure Boot protections enabled are affected by the BlackLotus UEFI bootkit that exploits this vulnerability.

Microsoft released a patch to address this, but the patch alone is not sufficient: additional steps (Secure Boot revocations) must also be applied, as described in KB5025885.
https://msrc.microsoft.com/blog/2023/05/guidance-related-to-secure-boot-manager-changes-associated-with-cve-2023-24932/
The WinMagic QA team thoroughly tested these mitigation steps and confirmed that SecureDoc was not affected.

In April 2024, this same KB (KB5025885) was updated with new mitigation steps. WinMagic QA thoroughly tested these new steps on PBU/PBLU and confirmed that SecureDoc was not affected.
https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

As Microsoft releases new updates regarding this vulnerability, WinMagic will continue testing to ensure no disruptions to SecureDoc encrypted devices.
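Because the KB5025885 mitigations are applied in stages (trust the new "Windows UEFI CA 2023" certificate in the Secure Boot DB first, then revoke the "Microsoft Windows Production PCA 2011" certificate via DBX), an administrator will want to know which stage a given device is at before and after applying them. The following read-only check is an added example, not WinMagic or SecureDoc code and not part of the original article; it assumes an elevated PowerShell session on a UEFI system with the built-in SecureBoot module, that the certificate subject strings match those used in KB5025885, and that the AvailableUpdates registry value (also from KB5025885) is the one used to request pending mitigation steps.

```powershell
# Added example (not WinMagic/SecureDoc code): read-only report of the CVE-2023-24932
# mitigation state on a Windows device. Run from an elevated PowerShell session on a
# UEFI machine. Assumptions: certificate subject strings and the AvailableUpdates
# registry value are as documented in KB5025885 at the time of writing.

function Get-SecureBootMitigationState {
    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems; report that
    # as "not readable" rather than failing the whole check.
    try {
        $secureBootOn = Confirm-SecureBootUEFI
    } catch {
        return [pscustomobject]@{
            SecureBootEnabled = $false
            Db2023CaPresent   = $false
            Dbx2011PcaRevoked = $false
            AvailableUpdates  = $null
            Note              = "Secure Boot UEFI variables not readable: $($_.Exception.Message)"
        }
    }

    # db / dbx are binary EFI signature lists. The CA subject names are stored as
    # ASCII inside the embedded DER certificates, so a substring match (the same
    # approach KB5025885 uses) is enough to tell whether each certificate is present.
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbxText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    $ca2023InDb   = $dbText  -match 'Windows UEFI CA 2023'
    $pca2011InDbx = $dbxText -match 'Microsoft Windows Production PCA 2011'

    # Pending mitigation steps requested through the registry (per KB5025885).
    # $null means no step has been requested on this device.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $pending = (Get-ItemProperty -Path $regPath -Name AvailableUpdates `
                -ErrorAction SilentlyContinue).AvailableUpdates

    # Interpret the combination. Revoking the 2011 PCA before the 2023 CA is trusted
    # is the dangerous case: a boot manager signed only by the old CA will no longer boot.
    $note = if (-not $secureBootOn) {
        'Secure Boot is disabled: the revocations are not enforced on this device.'
    } elseif ($pca2011InDbx -and -not $ca2023InDb) {
        'WARNING: 2011 PCA revoked but 2023 CA not trusted; device may fail to boot.'
    } elseif ($ca2023InDb -and $pca2011InDbx) {
        'Full mitigation applied (2023 CA trusted, 2011 PCA revoked).'
    } elseif ($ca2023InDb) {
        '2023 CA trusted; 2011 PCA not yet revoked (partial mitigation).'
    } else {
        'No KB5025885 mitigation applied yet.'
    }

    [pscustomobject]@{
        SecureBootEnabled = $secureBootOn
        Db2023CaPresent   = $ca2023InDb
        Dbx2011PcaRevoked = $pca2011InDbx
        AvailableUpdates  = $pending
        Note              = $note
    }
}

# Usage: print the state of the current device.
Get-SecureBootMitigationState | Format-List
```

The script only reads UEFI variables and a registry value; it never writes anything, so it is safe to run as a pre-check across a fleet of encrypted devices and to re-run after each stage of KB5025885 to confirm the device has reached the expected state before moving to the next one.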

Microsoft's timeline of updates:

  • Initial Deployment: This phase started with updates released on May 9, 2023, and provided basic mitigations with manual steps to enable those mitigations.
  • Second Deployment: This phase started with updates released on July 11, 2023, and added simplified steps to enable the mitigations for the issue.
  • Evaluation Phase: This phase will start April 9, 2024, and will add additional boot manager mitigations.
  • Deployment Phase: This is when Microsoft will encourage all customers to begin deploying the mitigations and updating media. Currently aiming for July 9, 2024, or later.
  • Enforcement Phase: This phase will make the mitigations permanent. The date for this phase will be announced at a later date.