
Microsoft Introduces New Secure Boot Certificate Authority for Windows
In February 2024, Microsoft unveiled a significant update to Secure Boot, the feature first introduced with Windows 8. The update introduces the 2023 Secure Boot Certificate Authority (CA), which replaces the CA established in 2011.
Significance of the Update
This rollout is particularly crucial as the legacy 2011 certificates will reach their expiration in 2026, marking a total of 15 years since their inception. The updates began with February Patch Tuesday (specifically in updates KB5034765 for Windows 11 and KB5034763 for Windows 10), ensuring systems are equipped with the latest security measures.
Addressing Vulnerabilities with a New PowerShell Script
To accompany the rollout, Microsoft has released a PowerShell script designed to update Windows bootable media. The script is essential for compatibility with systems that trust the new Windows UEFI CA 2023 certificate, a change driven by the BlackLotus Secure Boot vulnerability tracked as CVE-2023-24932.
Understanding Certificate Authorities
Certificate Authorities (CAs) play a vital role in maintaining the integrity and authenticity of critical system components, including bootloaders, drivers, firmware, and various applications. The introduction of a new CA signifies an important step in bolstering the security framework surrounding these elements.
Details About the PowerShell Script
According to Microsoft, the new PowerShell script is called Make2023BootableMedia.ps1. It is engineered to update boot manager support for Windows media, enabling them to operate with the boot manager signed by the new “Windows UEFI CA 2023” certificate. The script supports the following media types:
- ISO CD/DVD image files
- USB flash drives
- Local drive paths
- Network drive paths
The PowerShell script described in this article can be used to update Windows bootable media so that the media can be used on systems that trust the “Windows UEFI CA 2023” certificate.
The Make2023BootableMedia.ps1 PowerShell script updates boot manager support on Windows media to the boot manager signed by the new “Windows UEFI CA 2023” certificate. Both the input and the output can be bootable media of any of the types listed above.
Essential Notes for Users
Microsoft has provided several important guidelines users should consider when executing this update:
- The latest Windows Assessment and Deployment Kit (Windows ADK), available from the “Download and install the Windows ADK” page, is required for the script to work properly.
- The Make2023BootableMedia.ps1 script should be run from an elevated PowerShell prompt.
- You must provide the script with a media source (-MediaPath) that has the latest servicing updates applied.
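As an added example (not part of the original article and not Microsoft's script), the following PowerShell checks wrap a media update: they confirm the running machine's Secure Boot DB already lists the 2023 CA and inspect the Authenticode signer of the boot manager on the media before and after Make2023BootableMedia.ps1 is run. The media root path, the boot manager's relative path on the media, and the expectation that the 2023 chain names “Windows UEFI CA 2023” in the signer's subject or issuer are assumptions.

```powershell
# Added example, not Microsoft's code. Assumes the media is already mounted at a
# drive letter or folder (mount an ISO first, e.g. with Mount-DiskImage).
#Requires -RunAsAdministrator

function Test-SecureBootDbHas2023CA {
    # The Secure Boot "db" variable is a raw byte blob; Microsoft's documented
    # check simply scans it for the CA's name.
    $db = Get-SecureBootUEFI -Name db
    return ([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023')
}

function Get-BootManagerSigner {
    param(
        [Parameter(Mandatory)] [string] $MediaRoot,
        # Assumed location of the UEFI boot manager on x64 install media.
        [string] $RelativePath = 'EFI\Boot\bootx64.efi'
    )
    $bootmgr = Join-Path $MediaRoot $RelativePath
    if (-not (Test-Path -LiteralPath $bootmgr)) {
        throw "Boot manager not found at $bootmgr"
    }
    $sig  = Get-AuthenticodeSignature -FilePath $bootmgr
    $cert = $sig.SignerCertificate   # $null if the file is unsigned
    # Assumption: a 2023-chain boot manager names the new CA in its signer
    # subject or issuer; the 2011 chain does not.
    [pscustomobject]@{
        Path       = $bootmgr
        Status     = $sig.Status
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Signed2023 = [bool]("$($cert.Subject) $($cert.Issuer)" -match 'Windows UEFI CA 2023')
    }
}

# Usage: run from an elevated prompt, before and again after updating the media.
$mediaRoot = 'E:\'   # placeholder: USB drive letter, extracted ISO folder or network path
if (-not (Test-SecureBootDbHas2023CA)) {
    Write-Warning 'This machine does not yet trust Windows UEFI CA 2023; under Secure Boot it will not boot 2023-signed media.'
}
$signer = Get-BootManagerSigner -MediaRoot $mediaRoot
$signer | Format-List
if (-not $signer.Signed2023) {
    Write-Warning "Boot manager on $mediaRoot is not signed under Windows UEFI CA 2023; update the media with Make2023BootableMedia.ps1 using fully serviced input (-MediaPath)."
}
```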
Further Information
For comprehensive instructions and additional details, see the full support article maintained by Microsoft, knowledge base article KB5053484.