ConfigMgr Task Sequence – KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

Required Reading: KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 – Microsoft Support

Words of Warning

Once you’ve applied the mitigations outlined in the KB, the device is difficult to work with when it comes to boot media / reimaging. Personally, I’d only do this on some lab test machines, and not rollout to larger groups until MS provides a better story for managing post mitigated machines. My assumption is that this will be a horror story until October when 24H2 is released.

My Thoughts, take it or leave it…

Get a couple test devices and apply all 3 steps. Learn the pain firsthand! Get a few more test devices and only apply steps 1 & 2. I’ve updated my TS to only do steps 1 & 2 for now.

After some testing, start to roll out Steps 1 & 2 (NOT 3) to a broader scope of devices. Since it takes so many reboots (if you don’t push with a TS), you can let these changes slowly filter out as end users naturally reboot. Recommend #ConfigMgr Baseline / #Intune Remediation

When (if) MS releases 24H2 ADK (Hopefully July based on the KB), start updating your boot media and continue testing on the couple devices you have applied all 3 steps on.

Then for Step 3 wide deployment, wait for MS to ensure PXE is working, and you have your Windows Media Updated & your Boot Images all updated, and everything is working smoothly on your few test devices, then slowly rollout step 3 to rest of your devices.

On to the Post

Related Content:

• KB5025885 – Updating your USB Boot Media – Leveraging OSD Module
• PowerShell Script – KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

This is what I came up with in my lab for applying the remediations. I’ve had 2 successful tests so far, 1 VM and 1 Physical HP device. So please TEST TEST TEST!!!!

I’m uploading it now so people can mess with it and hopefully it might save them a little time.

Download: KB5025885 Remediation TS (256 downloads ) – Version 24.1.17.1 Released (2nd Release) – FULL 3 Step Version

Download: KB5025885 Remediation PART 1 & 2 TS (96 downloads ) – Version 24.1.19.1 Released – Steps 1 & 2 Only Version

Update 24.1.17.1 – Changes to TS based on feedback from Mike Terrill – Modified checks and flattened groups and added updated conditions.

I’m not going to go over it now, maybe in the future I’ll come back and explain it. Please look at each step and each condition. If you find a mistake, let me know and I’ll fix and upload an updated one.

Few notes, this is broken into a few sections,

• OS UBR Check, to ensure the device has the April patch first
• Pre-Check, which will determine if remediations have been completed in the past. Sometimes they could report false when true if the event logs have rolled over, so that’s why there is a Registry Value that we’re tagging at the end of the successful remediation to know the device did in fact get remediated.
• Remediation
  • Step 1 – DB Update
  • Step 2 – Boot Manager Update
  • Step 3 – DBX Update
  • Success – Stamps registry that remediation was successful.
• Complete – write info to smsts.log
• FAIL – if fails, dumps variables to a log file and exits with error code.

Walkthrough of Demo via Screen Captures

Note, after import, I recommend you go into the properties and update these fields. I’d probably add something like “This will take about 15 minutes, during which time you will not be able to use your computer, please start before heading to lunch or at the end of your work day”

IF the device does NOT have the the April (or better) patch installed, it will fail out:

I recommend only deploying to devices that have the April patch. Create a collection query to ensure it only allows devices with the specific builds or higher:

Ok, back to the TS:

Running again:

Running again on a successful device, will show that the prechecks will let the TS know that it does not need to run the remediation again.

GARYTOWN.COM