Channel: GARYTOWN ConfigMgr Blog

ConfigMgr Task Sequence – KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932


Required Reading: KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 – Microsoft Support

This is what I came up with in my lab for applying the remediations. I’ve had 2 successful tests so far, 1 VM and 1 physical HP device. So please TEST TEST TEST!!!!

I’m uploading it now so people can mess with it and hopefully it might save them a little time.

Download: KB5025885 Remediation TS

I’m not going to go over it now, maybe in the future I’ll come back and explain it. Please look at each step and each condition. If you find a mistake, let me know and I’ll fix and upload an updated one.

A few notes. The task sequence is broken into a few sections:

  • OS UBR check, to ensure the device already has the April patch before anything else runs. UBR is the Update Build Revision (the number after the dot in the OS build), stored as the UBR value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
  • Pre-check, which determines whether the remediation steps have already been completed on this device. The event-log based checks can report “not done” when a step actually was done, because the event logs can roll over, so the TS also stamps a registry value at the end of a successful remediation to record that the device really was remediated. The pre-check reads that value as well.
  • Remediation (the order matters: the DBX step revokes the old certificate, so it must come last, after the new boot manager is in place, or the device will no longer boot)
    • Step 1 – DB update (adds the Windows UEFI CA 2023 certificate to the Secure Boot DB)
    • Step 2 – Boot manager update (installs the boot manager signed by that certificate)
    • Step 3 – DBX update (revokes the Microsoft Windows Production PCA 2011 certificate, so boot managers signed by it are no longer trusted)
    • Success – stamps the registry to record that remediation was successful.
  • Complete – writes info to smsts.log
  • FAIL – on failure, dumps the TS variables to a log file and exits with an error code.

Walkthrough of Demo via Screen Captures

Note: after import, I recommend you go into the properties and update these fields. I’d probably add something like “This will take about 15 minutes, during which time you will not be able to use your computer, please start before heading to lunch or at the end of your work day.”

Running again:

Running again on a device that was already remediated shows that the pre-checks let the TS know it does not need to run the remediation again: all 3 checks passed, plus the registry value was there to tell it the work was already completed.
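The section breakdown above, and the re-run behavior just described, as one added PowerShell script. This is my example, not the downloadable task sequence from the post. It is meant to be called from a Run PowerShell Script step with a different -Step value in each section, with a Restart Computer step after each of the DB, BootMgr and DBX steps. Names I introduce are assumptions: the KB5025885_* task-sequence variables, the HKLM:\SOFTWARE\GARYTOWN stamp key, and the $MinUbr table (fill it with the UBR of the update you actually require). The AvailableUpdates bit values and the scheduled-task name are the ones listed in KB5025885; re-verify them against the current version of the article before deploying. Instead of event-log entries, which can roll over, the pre-check reads the Secure Boot DB and DBX variables and the boot manager’s signature directly:

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not the blog's task sequence. Run once per TS step (-Step), with a
  "Restart Computer" step after each of DB, BootMgr and DBX.
  Assumptions not on the page: the $MinUbr table, the KB5025885_* TS variable names
  and the stamp key under HKLM:\SOFTWARE\GARYTOWN. The AvailableUpdates bit values
  and the scheduled-task name are those in KB5025885; re-check them against the
  current version of the article.
#>
param([ValidateSet('PreCheck','DB','BootMgr','DBX','Stamp')][string]$Step = 'PreCheck')

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$TaskName      = '\Microsoft\Windows\PI\Secure-Boot-Update'
$Bits          = @{ DB = 0x40; BootMgr = 0x100; DBX = 0x80 }   # KB5025885 AvailableUpdates bits
$StampKey      = 'HKLM:\SOFTWARE\GARYTOWN'                    # assumption: use your own key
$StampName     = 'KB5025885Remediated'
# Assumption: minimum UBR (Update Build Revision) per OS build. The values below are
# examples only; set them to the UBR of the cumulative update you require. Builds not
# listed here are refused rather than guessed.
$MinUbr        = @{ '19045' = 2846; '22621' = 1555 }

function Set-TsVariable([string]$Name, [string]$Value) {
    # Surfaces results to task-sequence step conditions; outside a TS just log them.
    try { $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment; $ts.Value($Name) = $Value }
    catch { Write-Host "$Name = $Value" }
}

function Test-Prereq {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    if (-not $MinUbr.ContainsKey($build)) { return $false }
    try { if (-not (Confirm-SecureBootUEFI)) { return $false } }   # throws on legacy BIOS
    catch { return $false }
    return ([int]$cv.UBR -ge $MinUbr[$build])
}

function Get-RemediationState {
    # Read the firmware variables directly: unlike event-log entries they do not roll over.
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    # The boot manager sits on the EFI System Partition; mount it on a free letter to read its signature.
    $letter = ([char[]](90..68) | Where-Object { -not (Test-Path "${_}:\") } | Select-Object -First 1) + ':'
    mountvol $letter /S | Out-Null
    try     { $sig = Get-AuthenticodeSignature "$letter\EFI\Microsoft\Boot\bootmgfw.efi" }
    finally { mountvol $letter /D | Out-Null }
    # The 2023 boot manager chains to the Windows UEFI CA 2023 that the DB step installs.
    $signer = "$($sig.SignerCertificate.Subject) $($sig.SignerCertificate.Issuer)"
    return [ordered]@{
        DB      = $db  -match 'Windows UEFI CA 2023'
        BootMgr = $signer -match 'Windows UEFI CA 2023'
        DBX     = $dbx -match 'Microsoft Windows Production PCA 2011'
        Stamped = [bool](Get-ItemProperty $StampKey -Name $StampName -ErrorAction SilentlyContinue)
    }
}

function Invoke-RemediationStep([string]$Name) {
    # Order matters: DBX revokes PCA 2011, so it may only run after the 2023-signed
    # boot manager is installed, or the device will no longer pass Secure Boot.
    $state = Get-RemediationState
    if ($Name -eq 'BootMgr' -and -not $state.DB) { throw 'DB step must complete before the boot manager update' }
    if ($Name -eq 'DBX' -and -not ($state.DB -and $state.BootMgr)) { throw 'DB and boot manager steps must complete before DBX' }
    if ($state[$Name]) { return }   # already applied, nothing to do
    Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Value $Bits[$Name] -Type DWord
    Start-ScheduledTask -TaskName $TaskName
    Set-TsVariable 'SMSTSRebootRequested' 'HD'   # the update is applied during the next boot
}

switch ($Step) {
    'PreCheck' {
        if (-not (Test-Prereq)) { Set-TsVariable 'KB5025885_Prereq' 'false'; exit 1 }
        Set-TsVariable 'KB5025885_Prereq' 'true'
        $state = Get-RemediationState
        foreach ($k in $state.Keys) { Set-TsVariable "KB5025885_$k" ([string]$state[$k]) }   # gates the later steps
    }
    { $_ -in 'DB','BootMgr','DBX' } { Invoke-RemediationStep $Step }
    'Stamp' {
        # Re-verify before stamping; the stamp is what lets a re-run trust the device is done.
        $state = Get-RemediationState
        if (-not ($state.DB -and $state.BootMgr -and $state.DBX)) { throw 'Remediation incomplete; not stamping' }
        New-Item -Path $StampKey -Force | Out-Null
        Set-ItemProperty -Path $StampKey -Name $StampName -Value 1 -Type DWord
    }
}
```

Each TS section then conditions on the variables the PreCheck step sets: run the DB step only when KB5025885_DB is not True, the boot manager step only when KB5025885_BootMgr is not True, and so on, and skip the whole remediation group when KB5025885_Stamped is True. On a device that was already remediated, the PreCheck step reports all three checks as True plus the stamp, and the remediation group does not run, which is the re-run behavior shown above.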
