KB5025885: Dealing with CVE-2023-24932 via Proactive Remediation & Configuration Items

Required Reading: KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

Related: KB5025885: Dealing with CVE-2023-24932 for your ConfigMgr boot images.

TLDR: GitHub: garytown/ConfigMgr/Baselines/CVE-2023-24932

Disclaimer: Before continuing, I've created all of this in a very short time with VERY LITTLE testing, so please, as with anything you're pulling from the internet, inspect and test before deployment. - Feedback Welcome!!

UPDATES

23.05.24 - Updated the Proactive Remediation scripts to mount the EFI system partition (the "sysvol" in the script) to c:\windows\temp\sysvol instead of S:\; mounting to a drive letter was launching Explorer on some systems when it detected a new volume.

23.05.16 - Updated the Proactive Remediation versions of the script (the file names include "v2") to resolve a reported bug. | Confirmed the v2 Proactive Remediation scripts resolve the issue.

23.05.15 - Modified the script to do a hash check of the SKUSiPolicy.P7b file: if the copy in the boot (EFI) partition matches the one in windir, the device is marked compliant. Previously, once the event log entry in the System log aged out, the device would report as non-compliant and run the remediation again (not a big deal in itself, but it triggered a restart). Knowing this, you can either remove the restart from the script and let it reapply the remediation each time the event log rolls over and the entry goes missing, or use this updated method that detects remediation by file hash.

------ Original Post:

I've created a script that can be used for Configuration Manager Configuration Items and Intune Proactive Remediation. The script will:

  • Check the System event log for ID 1035 [More Info]
  • Test whether 'System32\SecureBootUpdates\SKUSiPolicy.P7b' exists
    • If yes, continue; if not, exit with a reminder to apply the May patches
  • Test whether SKUSiPolicy.P7b has already been copied to the EFI partition (EFI\Microsoft\Boot)
    • If yes, skip the copy; if no, copy the file to the EFI partition
  • Update the registry key (which resets after reboot)
  • Trigger a reboot if event ID 1035 is not present after the May patches have been applied
    • Feel free to remove this... just know it might take longer for the fix to apply
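As an added illustration (my own example, not the script from the author's GitHub repo), here is a PowerShell detection/remediation script that walks the steps above: event log check, presence test for SKUSiPolicy.P7b, hash comparison against the copy on the EFI system partition, copy, registry value, optional restart. It mounts the ESP to a folder under Windows\Temp rather than a drive letter. The registry value name and data are taken from KB5025885 as published in May 2023 and should be verified against the current KB revision before use; `$UseCase`, `$Remediate`, `$AllowRestart` and `$RestartDelaySeconds` are variables I introduced for this example, and the event source Microsoft-Windows-TPM-WMI is the one quoted later on this page.

```powershell
# Added example, not the author's script. Set these variables before deploying
# (ConfigMgr CI scripts and Proactive Remediation scripts take no parameters):
$UseCase             = 'Intune'   # 'Intune' (exit code = result) or 'ConfigMgr' (output string = result)
$Remediate           = $false     # $false for the detection script, $true for the remediation script
$AllowRestart        = $false     # $true lets the remediation schedule a restart after copying the file
$RestartDelaySeconds = 28800      # 8 hours; only used when $AllowRestart is $true

$ErrorActionPreference = 'Stop'

$PolicyFile  = Join-Path $env:windir 'System32\SecureBootUpdates\SKUSiPolicy.P7b'
$MountPoint  = Join-Path $env:windir 'Temp\sysvol'   # folder mount instead of S:\ so Explorer does not pop up
$EfiRelative = 'EFI\Microsoft\Boot\SKUSiPolicy.P7b'

# ASSUMPTION: value name and data as documented in KB5025885 (May 2023 revision);
# confirm against the current KB revision before relying on them.
$RegPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$RegValueName = 'AvailableUpdates'
$RegValueData = 0x10

function Test-FixAppliedEvent {
    # System log, provider Microsoft-Windows-TPM-WMI, event ID 1035 (as referenced in the post)
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1035 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    return ($null -ne $evt)
}

function Mount-Esp {
    if (-not (Test-Path -LiteralPath $MountPoint)) { New-Item -ItemType Directory -Path $MountPoint | Out-Null }
    & mountvol.exe $MountPoint /S | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mountvol /S failed with exit code $LASTEXITCODE" }
}

function Dismount-Esp {
    & mountvol.exe $MountPoint /D | Out-Null
}

function Test-EspCopyCurrent {
    # True only when the file on the ESP exists AND hashes identical to the one under windir,
    # so a stale copy from an earlier update is treated as "needs copy".
    $efiFile = Join-Path $MountPoint $EfiRelative
    if (-not (Test-Path -LiteralPath $efiFile)) { return $false }
    $src = (Get-FileHash -LiteralPath $PolicyFile -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $efiFile   -Algorithm SHA256).Hash
    return ($src -eq $dst)
}

function Write-Result([string]$State) {
    Write-Output $State                       # ConfigMgr CI compares this string to "Compliant"
    if ($UseCase -eq 'Intune') {              # Proactive Remediation reads the exit code instead
        if ($State -eq 'Compliant') { exit 0 } else { exit 1 }
    }
}

# 1. Without the May 2023 cumulative update there is nothing to deploy; report and stop.
if (-not (Test-Path -LiteralPath $PolicyFile)) {
    Write-Result 'NotReady - apply the May 2023 cumulative update first'
    return
}

# 2. Event 1035 present: the update has already been applied.
if (Test-FixAppliedEvent) { Write-Result 'Compliant'; return }

# 3. Otherwise inspect (and optionally update) the ESP. Always dismount, even on error.
$state = 'NonCompliant'
Mount-Esp
try {
    if (Test-EspCopyCurrent) {
        $state = 'Compliant'          # hash matches; the event log entry may simply have rolled over
    }
    elseif ($Remediate) {
        $dest = Join-Path $MountPoint $EfiRelative
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Copy-Item -LiteralPath $PolicyFile -Destination $dest -Force
        New-ItemProperty -Path $RegPath -Name $RegValueName -PropertyType DWord -Value $RegValueData -Force | Out-Null
        $state = 'Remediated'
    }
}
finally {
    Dismount-Esp
}

# 4. The copied policy only takes effect after a restart; schedule one if allowed.
if ($state -eq 'Remediated' -and $AllowRestart) {
    & shutdown.exe /r /t $RestartDelaySeconds /c "Restart required to finish the Secure Boot update (KB5025885)"
}
Write-Result $state
```

Run it as SYSTEM (the ESP mount and the Secureboot key need it). For an Intune Proactive Remediation, deploy one copy with `$Remediate = $false` as the detection script and one with `$Remediate = $true` as the remediation script; for a ConfigMgr CI, set `$UseCase = 'ConfigMgr'` so the compliance rule can compare the output string to "Compliant". The `-LiteralPath` switches avoid wildcard interpretation of the paths, and the `finally` block guarantees the mount point is released even if the copy or registry write throws.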

Proactive Remediation

Then assign to your Windows Devices.

Configuration Baseline

Add information from the MS Website

Check the Boxes for Windows 10 & 11

Set the CI Setting to Script / String, then add the scripts from GitHub

Create a Compliance Rule with Operator: Equals and Value: "Compliant", and check the box for "Run the specified remediation script when this setting is noncompliant".

Add the CI to your Security Baseline

Test & Deploy

The Script (on Github)

GARYTOWN.COM

12 thoughts on “KB5025885: Dealing with CVE-2023-24932 via Proactive Remediation & Configuration Items”

    • I've never used Ivanti. But whatever mechanism Ivanti has for deploying PowerShell scripts, you could pretend you're using Intune.
      Ensure May patches are already installed, then deploy script
      Set the variables.
      - UseCase = "Intune"
      - Remediate = $true

      If you have a Baseline type feature in Ivanti, then use that instead, and use the Detection / Remediation process
      If you need more help, contact Ivanti support.

      Reply
  1. We're not currently utilizing licensing that allows us to deploy as a PR. Will the script still work if pushed as a policy script, using the variables you recommended to the Ivanti user?

    Reply
    • Yes... just make sure the May Patches are completely installed before sending the script.

      You might be better off making this into an Intune App, where the detection method is the Event Log showing a successful update ...
      $DBXUpdateSuccess = Get-EventLog -LogName System -Source "Microsoft-Windows-TPM-WMI" -InstanceId 1035 -ErrorAction SilentlyContinue

      That way it will continue to retry until you get the event log saying it has been applied.

      Reply
      • Just wanted to say that this was the way to go, I was also able to use the section of your script to detect if SKUSiPolicy.P7b was present as a requirement prior to running the remediation script itself to help stop premature installs. Testing it on my lab VM now!

        Reply
  2. Hi, Many thanks for this. Unfortunately I'm getting a 0X87D00327 Script Not Signed Error. I've already got a custom client pointing to a collection that my test devices are in set to with the Enable Powershell Policy set to bypass, is this sufficient or does it need to be set to signed?

    Reply
    • you should be able to set it to Bypass..
      But feel free to sign it with your own enterprise signing certificate.

      Reply
  3. Very good script
    In the case of Intune, it's probably not the best idea to restart users after 8 hours.
    I will try to remake this script as an application in conjunction with psadt.

    Reply
  4. Running this manually, the fix is applied; however, I see this error.
    And when using it as a Proactive Remediation it fails due to that error, I believe.

    Copy-Item : Illegal characters in path.
    At line:86 char:13
    + Copy-Item -Path $SKUSiPolicyPath -Destination "$($SystemV ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Copy-Item], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.CopyItemCommand

    Reply
