Microsoft has released a PowerShell script that lets Windows administrators update bootable installation media to use the new Windows UEFI CA 2023 certificate. This update prepares systems for protection against BlackLotus, a threat capable of inserting malicious software during the boot stage.
BlackLotus is a powerful UEFI bootkit that can disable Windows protective mechanisms such as BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender. This allows attackers to deploy malicious programs with maximum privileges without being detected.
In response to the vulnerability CVE-2023-24932 (CVSS score: 6.7), Microsoft issued fixes in 2023 to block the vulnerable boot loaders that BlackLotus exploits. However, the fixes were initially shipped disabled, because applying them incorrectly could prevent the operating system from booting. The company is rolling them out gradually, allowing administrators to test them before they become mandatory, which is planned for the end of 2026.
Once the update is enabled, the Windows UEFI CA 2023 certificate is added to the Secure Boot signature database (DB), allowing boot loaders signed with this certificate to be installed. The update also adds the Windows Production CA 2011 certificate, which was used to sign the outdated boot loaders, to the Secure Boot Forbidden Signature Database (DBX), rendering those loaders untrusted and unable to boot.
If a device fails to boot after the fixes are applied, installation media updated with the new certificate will be needed. Microsoft warns that old installation and recovery media will no longer be compatible with updated systems.
To streamline this process, Microsoft has introduced a PowerShell script that automates updating installation media to support Windows UEFI CA 2023. The script works with ISO images, USB drives, local disks, and network drives. Before running the script, administrators must install the Windows ADK
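Before touching installation media, an administrator will want to know where a given device stands: whether the 2023 CA has been added to DB and whether the 2011 CA has already been revoked in DBX. The script below is an added example, not Microsoft's script and not code from the original article; it uses the built-in SecureBoot module (`Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`) and assumes an elevated session on a UEFI system. The certificate subject strings it matches (`Windows UEFI CA 2023`, `Windows Production P?CA 2011`) are assumptions about the ASCII subject names embedded in the DB/DBX signature lists, written as a regex so either spelling of the 2011 CA is caught.

```powershell
# Added example (not Microsoft's media-update script): report the Secure Boot
# DB/DBX state relevant to the CVE-2023-24932 mitigations.
# Assumptions: SecureBoot module available, elevated session, and the X.509
# subject names below appear as literal ASCII inside the signature lists.
#Requires -RunAsAdministrator

function Get-SecureBootCaStatus {
    [CmdletBinding()]
    param()

    if (-not (Confirm-SecureBootUEFI)) {
        throw "Secure Boot is not enabled on this device; DB/DBX contents are not enforced."
    }

    # DB and DBX come back as raw EFI_SIGNATURE_LIST bytes. The certificate
    # subject names inside are plain ASCII, so decoding the bytes and doing a
    # substring match is sufficient for a presence check.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    [pscustomobject]@{
        # New CA trusted: loaders signed with Windows UEFI CA 2023 will boot.
        Ca2023InDb  = [bool]($db  -match 'Windows UEFI CA 2023')
        # Old CA still trusted: loaders signed with the 2011 CA will boot.
        Ca2011InDb  = [bool]($db  -match 'Windows Production P?CA 2011')
        # Old CA revoked: loaders signed with the 2011 CA are blocked.
        Ca2011InDbx = [bool]($dbx -match 'Windows Production P?CA 2011')
    }
}

function Get-BootMediaGuidance {
    [CmdletBinding()]
    param([Parameter(Mandatory)] $Status)

    # Translate the raw DB/DBX findings into what the article describes:
    # old media stops working once the 2011 CA lands in DBX, so media must be
    # re-signed with the 2023 CA before that step is taken.
    if ($Status.Ca2011InDbx) {
        return 'Old CA revoked in DBX: only media carrying loaders signed by Windows UEFI CA 2023 will boot. Existing install/recovery media must already be updated.'
    }
    if ($Status.Ca2023InDb) {
        return '2023 CA trusted, 2011 CA not yet revoked: both old and new media boot. Update installation and recovery media now, before the revocation step.'
    }
    return 'Mitigation not started: DB does not contain Windows UEFI CA 2023. Old media still boots; plan the rollout and test updated media first.'
}

$status = Get-SecureBootCaStatus
$status | Format-List
Get-BootMediaGuidance -Status $status
```

Run it on a representative device from each hardware model before enabling the update fleet-wide; the `Ca2011InDbx` result is the one that tells you whether legacy recovery media for that model has already stopped being bootable.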