Information Security 6 min read

Manual Mitigation Steps for BlackLotus UEFI Bootkit (CVE‑2023‑24932) and Microsoft’s Three‑Phase Update Strategy

This article explains the BlackLotus UEFI bootkit (CVE‑2023‑24932), outlines Microsoft's three‑phase remediation strategy, details the KB5025885 and KB5028166/KB5028185 updates, provides a simplified registry command for manual activation, and warns of compatibility issues for legacy boot managers.

IT Services Circle

BlackLotus UEFI bootkit (also called "Black Lotus" virus) is a malicious program that runs in the UEFI environment and can bypass Secure Boot. The vulnerability is identified as CVE‑2023‑24932.

Microsoft plans to fix the issue in three stages because the remediation changes what the UEFI firmware will trust at boot (its revoked-signature database), which makes Windows boot images created before 2023‑05‑09 unusable.

Phase 1 (completed): On 2023‑05‑09 Microsoft released update KB5025885. It updates the Windows boot manager, adds a “code integrity boot policy” to verify boot manager integrity, and writes a DBX (revoked signature database) into UEFI, revoking both the bootkit and older boot managers.

Although the update installed silently, the mitigation was not enabled by default: because it would block older boot managers, Microsoft left it to administrators to activate manually.

Phase 2 (started): On 2023‑07‑11 Microsoft released KB5028166 (Win10) and KB5028185 (Win11). This phase simplifies the manual activation steps, adds event‑log entries to verify success, and provides a SafeOS dynamic update package for WinRE.

To manually activate the fix after installing the July update, run the following command as an administrator:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f

Then restart the computer twice (at least five minutes between reboots). Verify success by checking the Windows Event Viewer under System for event IDs 1035 and 276.
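The following PowerShell script is an added example, not part of the original article or of Microsoft's KB: run it as an administrator after the second reboot to check the three things the procedure above depends on, namely that Secure Boot is enabled, that the AvailableUpdates value was written, and that event IDs 1035 and 276 appear in the System log. It assumes Windows 10/11 with the July 2023 update installed; the meaning of the 0x30 bits is left to the KB and not interpreted here.

```powershell
# Added example (not from the original article): post-reboot verification of the
# CVE-2023-24932 mitigation. Assumes an elevated PowerShell session on Windows 10/11.

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

# 1. Secure Boot must be on, otherwise the DBX and boot-policy protections do nothing.
try {
    $sbEnabled = Confirm-SecureBootUEFI
} catch {
    $sbEnabled = $false   # the cmdlet throws on legacy-BIOS / non-UEFI systems
}
Write-Host ("Secure Boot enabled : {0}" -f $sbEnabled)

# 2. Report the AvailableUpdates trigger value set by the reg add command.
$avail = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates `
          -ErrorAction SilentlyContinue).AvailableUpdates
if ($null -eq $avail) {
    Write-Host 'AvailableUpdates    : not set (mitigation not requested yet)'
} else {
    Write-Host ('AvailableUpdates    : 0x{0:X}' -f $avail)
}

# 3. Look for the success events the article names (IDs 1035 and 276, System log).
#    -ErrorAction SilentlyContinue hides the "No events were found" error.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1035, 276 } `
          -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$seen = @{}
foreach ($e in $events) { $seen[$e.Id] = $e.TimeCreated }   # keep the latest of each ID

foreach ($id in 1035, 276) {
    if ($seen.ContainsKey($id)) {
        Write-Host ("Event {0,-4}          : present ({1})" -f $id, $seen[$id])
    } else {
        Write-Host ("Event {0,-4}          : MISSING" -f $id)
    }
}

if ($sbEnabled -and $seen.ContainsKey(1035) -and $seen.ContainsKey(276)) {
    Write-Host 'Result: both success events logged; the mitigation appears to be active.'
    Write-Host 'Note: boot media and images built before May 2023 will now fail Secure Boot.'
} else {
    Write-Host 'Result: not confirmed. Check the value was set, then reboot twice (5+ minutes apart).'
}
```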

Phase 3 (future): Microsoft expects to force the remediation in Q1 2024, after which no manual steps will be required.

Core warning: Once the update is active, the revocation lives in the firmware's DBX, so even a full disk format cannot restore the old boot manager. Any system that relies on legacy Windows boot managers—such as USB installers, WinPE, OEM recovery partitions, old system images, or dual‑boot setups—will become unbootable.

Disabling Secure Boot would bypass these protections, but it is not recommended because Secure Boot is a critical security feature.
