ConfigMgr Task Sequence – KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

Required Reading: KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 – Microsoft Support

Words of Warning

Once you’ve applied the mitigations outlined in the KB, the device is difficult to work with when it comes to boot media / reimaging. Personally, I’d only do this on some lab test machines, and not rollout to larger groups until MS provides a better story for managing post mitigated machines. My assumption is that this will be a horror story until October when 24H2 is released.

My Thoughts, take it or leave it…

Get a couple test devices and apply all 3 steps. Learn the pain firsthand! Get a few more test devices and only apply steps 1 & 2. I’ve updated my TS to only do steps 1 & 2 for now.

After some testing, start to roll out Steps 1 & 2 (NOT 3) to a broader scope of devices. Since it takes so many reboots (if you don’t push with a TS), you can let these changes slowly filter out as end users naturally reboot. Recommend #ConfigMgr Baseline / #Intune Remediation

When (if) MS releases 24H2 ADK (Hopefully July based on the KB), start updating your boot media and continue testing on the couple devices you have applied all 3 steps on.

Then for Step 3 wide deployment, wait for MS to ensure PXE is working, and you have your Windows Media Updated & your Boot Images all updated, and everything is working smoothly on your few test devices, then slowly rollout step 3 to rest of your devices.

On to the Post

Related Content:

This is what I came up with in my lab for applying the remediations. I’ve had 2 successful tests so far, 1 VM and 1 Physical HP device. So please TEST TEST TEST!!!!

I’m uploading it now so people can mess with it and hopefully it might save them a little time.

Download: KB5025885 Remediation TS (1283 downloads ) – Version Released (2nd Release) – FULL 3 Step Version

Download: KB5025885 Remediation PART 1 & 2 TS (1218 downloads ) – Version Released – Steps 1 & 2 Only Version

Update – Changes to TS based on feedback from Mike Terrill – Modified checks and flattened groups and added updated conditions.

I’m not going to go over it now, maybe in the future I’ll come back and explain it. Please look at each step and each condition. If you find a mistake, let me know and I’ll fix and upload an updated one.

Few notes, this is broken into a few sections,

  • OS UBR Check, to ensure the device has the April patch first
  • Pre-Check, which will determine if remediations have been completed in the past. Sometimes they could report false when true if the event logs have rolled over, so that’s why there is a Registry Value that we’re tagging at the end of the successful remediation to know the device did in fact get remediated.
  • Remediation
    • Step 1 – DB Update
    • Step 2 – Boot Manager Update
    • Step 3 – DBX Update
    • Success – Stamps registry that remediation was successful.
  • Complete – write info to smsts.log
  • FAIL – if fails, dumps variables to a log file and exits with error code.

Walkthrough of Demo via Screen Captures

Note, after import, I recommend you go into the properties and update these fields. I’d probably add something like “This will take about 15 minutes, during which time you will not be able to use your computer, please start before heading to lunch or at the end of your work day”

IF the device does NOT have the the April (or better) patch installed, it will fail out:

I recommend only deploying to devices that have the April patch. Create a collection query to ensure it only allows devices with the specific builds or higher:

Ok, back to the TS:

Running again:

Running again on a successful device, will show that the prechecks will let the TS know that it does not need to run the remediation again.


5 thoughts on “ConfigMgr Task Sequence – KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932”

    • I think that is just the reboot count, after several reboots I believe Bitlocker is supposed to re-enable. I will try and test. Thanks Gary for working this out. This is such a massive coming change that will affect so many CM admins, that without people like you — I wonder if Microsoft would have just let 1000s of CM environments start having OSD failures this summer. :\

  1. We have ADK 10 in our environment and boot.wim is of version 21H2 and no patch is available for 21H2. Will it affect our environment if I applied all 3 Steps. What action should we take beforehand.

    • If you apply all 3 steps, it will break your imaging until you update your ADK to a newer version, then patch it to at least April. I would avoid applying all 3 steps until MS provides a better process.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.