How Microsoft’s 5‑Phase Secure Boot Update Tackles the BlackLotus UEFI Bootkit

Microsoft’s multi‑stage mitigation plan for the BlackLotus UEFI bootkit details five phases—from initial KB5025885 deployment to final forced enforcement—aimed at revoking vulnerable certificates, updating boot managers, and ensuring systems stay secure through automatic updates and manual activation steps.

IT Services Circle

Background

Two years ago the author covered the BlackLotus UEFI bootkit, malware that can bypass Secure Boot and therefore poses a serious threat. Microsoft has given users time to understand the issue and has outlined a multi‑stage mitigation plan.


Phase 1 – Initial Deployment (May 9 2023)

Microsoft released update KB5025885, which adds the BlackLotus bootkit and older Windows boot managers to the UEFI revocation list (DBX). When the mitigation is applied, the UEFI firmware will only boot the new Windows boot manager, rendering older ISO‑based boot media unusable; the mitigation is not applied unless manually enabled.

Phase 2 – Second Deployment (July 11 2023)

Updates KB5028166 (Windows 10) and KB5028185 (Windows 11) introduced WinRE support and simplified manual activation. The fixes remain disabled by default and must be turned on by the user.

Phase 3 – Evaluation

Microsoft revoked the “Windows Production PCA 2011” certificate in the DBX and switched to the new “Windows UEFI CA 2023” signing certificate. This effectively disables any boot manager signed with the old certificate and requires the new one for future boots.

Phase 4 – Deployment (July 9 2024 onward)

Customers are encouraged to begin applying the mitigation and to update their boot media. Secure Boot, introduced with Windows 8 in 2012, relies on certificates issued in 2011 that are now nearing expiration, which affects many Windows client versions and server editions.

Phase 5 – Enforcement

The final phase forces the update. Once it is installed, systems still using the old PCA 2011‑signed bootmgfw.efi will no longer boot; a boot manager signed with the new Windows UEFI CA 2023 certificate will be required.

In practice, users can simply keep Windows Update enabled; Microsoft will gradually enforce the changes.
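The following PowerShell function is an added example, not code from the article or from Microsoft, that checks from the defender's side whether a machine is in the state Phases 3 and 5 describe: the new "Windows UEFI CA 2023" present in the firmware's allowed-signer database (DB), "Windows Production PCA 2011" present in the revocation list (DBX), and the installed bootmgfw.efi signed by the new chain. It uses the SecureBoot module cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI), Get-AuthenticodeSignature and mountvol, all of which exist on Windows 10/11; it must run elevated on a UEFI system. The registry value AvailableUpdates under HKLM\SYSTEM\CurrentControlSet\Control\Secureboot is the one Microsoft's KB guidance uses to stage the mitigation steps, but the function only reports its raw value, and the assumption that the new boot manager's signer certificate subject or issuer contains the string "Windows UEFI CA 2023" is an illustration choice rather than a documented guarantee.

```powershell
# Added example (not from the article): read-only check of the BlackLotus /
# CVE-2023-24932 Secure Boot mitigation state. Run from an elevated PowerShell
# session on a UEFI system. Nothing here modifies DB, DBX or the boot manager.

function Test-BlackLotusMitigation {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Secure Boot has to be enforced, otherwise DB/DBX contents are irrelevant.
    $result.SecureBootEnabled = Confirm-SecureBootUEFI

    # 2. Phase 3: the new signing CA must be in the allowed-signer database (DB).
    #    Certificates are stored in DER form, so the CA's common name shows up
    #    as an ASCII substring of the raw variable bytes.
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.UefiCa2023InDb = [bool]($dbText -match 'Windows UEFI CA 2023')

    # 3. Phase 3/5: the old production CA must be revoked via DBX.
    $dbxText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $result.Pca2011Revoked = [bool]($dbxText -match 'Windows Production PCA 2011')

    # 4. Phase 5: the installed boot manager must be signed by the new chain.
    #    Mount the EFI System Partition on a free drive letter just long enough
    #    to read the Authenticode signature, then dismount it again.
    $free = [char[]](90..68) | Where-Object { -not (Test-Path "$($_):") } | Select-Object -First 1
    $letter = "$($free):"
    mountvol $letter /S | Out-Null
    try {
        $bootMgr = Join-Path $letter 'EFI\Microsoft\Boot\bootmgfw.efi'
        $sig = Get-AuthenticodeSignature -FilePath $bootMgr
        $result.BootManagerSignatureStatus = $sig.Status
        $result.BootManagerSigner = $sig.SignerCertificate.Subject
        # Assumption for illustration: the 2023 chain shows the CA name in the
        # signer certificate's subject or issuer.
        $chainText = "$($sig.SignerCertificate.Subject) $($sig.SignerCertificate.Issuer)"
        $result.BootManagerSignedBy2023Ca = ($sig.Status -eq 'Valid') -and
            ($chainText -match 'Windows UEFI CA 2023')
    }
    finally {
        mountvol $letter /D | Out-Null
    }

    # 5. Raw value of the flag Microsoft's KB guidance uses to stage the
    #    mitigation steps; 'not set' means no step is currently queued.
    $sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $avail = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $result.AvailableUpdatesFlag = if ($null -ne $avail) { '0x{0:X}' -f $avail } else { 'not set' }

    # 6. Summary: all three Phase 3/5 conditions hold and Secure Boot is on.
    $result.MitigationComplete = $result.SecureBootEnabled -and
        $result.UefiCa2023InDb -and $result.Pca2011Revoked -and
        $result.BootManagerSignedBy2023Ca

    [pscustomobject]$result
}

Test-BlackLotusMitigation | Format-List
```

A machine that has only reached Phase 1 or 2 typically reports UefiCa2023InDb and Pca2011Revoked as False with the boot manager still signed under the 2011 chain; after Phase 5 enforcement all three should be True. If Pca2011Revoked is True but BootManagerSignedBy2023Ca is False, the system is in the state Phase 5 warns about and will not boot after the next restart, so that combination is the one to alert on in fleet reporting.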

References

https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
https://support.microsoft.com/en-us/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818