Microsoft Releases PowerShell Script to Counter BlackLotus UEFI Bootkit Threat

Microsoft has released a PowerShell script to help IT admins update bootable media with the "Windows UEFI CA 2023" certificate.

Published: Feb 07, 2025



Key Takeaways:

  • Microsoft has released a PowerShell script to help administrators update bootable media with the “Windows UEFI CA 2023” certificate.
  • The update addresses vulnerabilities exploited by the BlackLotus UEFI bootkit.
  • The UEFI bootkit can bypass Secure Boot, disable key Windows security features, and operate at the kernel level.

Microsoft has released a new PowerShell script that lets administrators update bootable installation and recovery media so that its boot manager is signed by the “Windows UEFI CA 2023” certificate. The new certificate is part of Microsoft's mitigation for CVE-2023-24932, the Secure Boot bypass exploited by the BlackLotus UEFI bootkit, and media that is not updated will eventually stop booting on devices that have applied the full mitigation.

What is BlackLotus UEFI?

BlackLotus is a UEFI bootkit that targets Windows systems. It exploits a Secure Boot bypass in the Windows boot manager rather than a flaw in the firmware itself: a vulnerable, still-trusted boot manager is used to load the bootkit's own code before the operating system, giving it control of the boot process. From that position it can disable Windows security features such as Microsoft Defender Antivirus, BitLocker, and Hypervisor-Protected Code Integrity (HVCI). Because it runs before the kernel and persists on the EFI system partition rather than inside Windows, traditional antivirus software has a hard time detecting or removing it.

Microsoft first shipped mitigations for the Secure Boot bypass tracked as CVE-2023-24932 in May 2023 (documented in KB5025885) and extended them in July 2024. Secure Boot is the UEFI feature that allows only signed, trusted software to run during the boot process, which is what protects Windows PCs against bootkits and rootkits that load before the operating system.

The mitigations revoke the older, vulnerable boot managers that BlackLotus depends on. They ship disabled by default: revoking a boot manager that a device, or the recovery media an administrator would reach for, still relies on leaves the machine unable to start, so the changes must be applied deliberately and in the right order.

Microsoft is therefore rolling the change out in phases, giving administrators time to test it in enterprise environments before an enforcement phase that the company has said will not begin before 2026. The first step adds the “Windows UEFI CA 2023” certificate to the Secure Boot Signature Database (DB), the list of signers the firmware trusts when it verifies boot managers and other early-boot components. Once the certificate is in DB, the firmware accepts boot managers signed with it, and administrators can install the new boot manager on their devices.

The final step adds the “Microsoft Windows Production PCA 2011” certificate to the Secure Boot Forbidden Signature Database (DBX). That revokes every boot manager signed with the 2011 certificate, including the vulnerable ones, but it also means the device will refuse to boot from installation or recovery media whose boot manager still carries the 2011 signature. Administrators should rebuild their bootable media with a boot manager signed by the Windows UEFI CA 2023 certificate before applying the revocation, and the same rebuilt media is what fixes boot failures on devices where the revocation has already been applied.

Updating bootable media with the PowerShell script for enhanced security

The new PowerShell script updates existing bootable media so that it carries the boot manager signed by the “Windows UEFI CA 2023” certificate, which is what keeps the media bootable on devices that trust the new certificate and have revoked the old one.

“The Make2023BootableMedia.ps1 PowerShell script updates boot manager support on Windows media to the boot manager signed by the new “Windows UEFI CA 2023” certificate. The input and output can be bootable media of the following type: ISO CD/DVD image file, USB flash drive, a local drive path, or a network drive path,” Microsoft explained.

Administrators can download the script from Microsoft. It accepts the same media types as input and output: an ISO CD/DVD image file, a USB flash drive, a local drive path, or a network drive path.

To use the script, administrators first need to install the Windows ADK, whose Deployment Tools the script relies on to service the media. Microsoft recommends running Make2023BootableMedia.ps1 from an elevated PowerShell prompt and pointing its -MediaPath parameter at source media that already contains the latest updates, so that the boot manager the script copies in is current.
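As an added illustration (this is not Microsoft's script or documentation), the following PowerShell checks the state the article describes, both on a device and on a piece of media: whether Secure Boot DB already contains the 2023 CA, whether DBX already revokes the 2011 PCA, and which CA signed the boot manager on the EFI system partition and on the media. The $MediaPath default, the S: drive letter borrowed for the EFI system partition, and the three boot-manager file names looked for on the media are assumptions made for the example; run it from an elevated prompt.

```powershell
# Added example, not Microsoft's Make2023BootableMedia.ps1.
# Read-only checks for the Windows UEFI CA 2023 rollout described above:
#   1. Does this device's Secure Boot DB trust "Windows UEFI CA 2023"?
#   2. Has "Microsoft Windows Production PCA 2011" been revoked in DBX?
#   3. Which CA signed the boot manager on the EFI system partition (ESP)?
#   4. Which CA signed the boot manager files on a media folder, e.g. before
#      and after running Make2023BootableMedia.ps1 against it?
# Needs an elevated prompt: Get-SecureBootUEFI and mountvol /S require admin.
[CmdletBinding()]
param(
    # Assumed location of extracted ISO contents or a USB root to inspect.
    [string]$MediaPath = 'D:\',
    # Assumed free drive letter used to mount the ESP temporarily.
    [string]$EspLetter = 'S:'
)

$NewCa = 'Windows UEFI CA 2023'
$OldCa = 'Microsoft Windows Production PCA 2011'

function Test-SecureBootVariableContains {
    param(
        [ValidateSet('db', 'dbx')][string]$Name,
        [string]$Pattern
    )
    # DB and DBX are blobs of EFI_SIGNATURE_LISTs. The DER certificates inside
    # carry their Subject as plain ASCII, so a substring search is enough to
    # tell whether a given CA is present.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return ($text -match [regex]::Escape($Pattern))
}

function Get-BootFileSigner {
    param([string]$Path)
    # Reports the Authenticode signer of an EFI binary. The Issuer field is the
    # interesting one: it names the CA (2011 PCA or 2023 CA) behind the signature.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Subject = $(if ($cert) { $cert.Subject } else { '(unsigned)' })
        Issuer  = $(if ($cert) { $cert.Issuer }  else { '(unsigned)' })
    }
}

# --- 1 and 2: firmware state on this device -------------------------------
if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is disabled; DB/DBX contents are not being enforced.'
}
$dbHasNew  = Test-SecureBootVariableContains -Name db  -Pattern $NewCa
$dbxHasOld = Test-SecureBootVariableContains -Name dbx -Pattern $OldCa
"DB trusts '$NewCa':  $dbHasNew"
"DBX revokes '$OldCa': $dbxHasOld"

# --- 3: boot manager on the ESP ---------------------------------------------
if (Test-Path -LiteralPath "$EspLetter\") {
    Write-Warning "$EspLetter is already in use; skipping the ESP check."
} else {
    mountvol $EspLetter /S | Out-Null
    try {
        Get-BootFileSigner -Path "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi" | Format-List
    } finally {
        mountvol $EspLetter /D | Out-Null
    }
}

# --- 4: boot manager files on the media ------------------------------------
$mediaBootFiles = 'efi\boot\bootx64.efi', 'efi\microsoft\boot\bootmgfw.efi', 'bootmgr.efi'
$mediaBootFiles |
    ForEach-Object { Get-BootFileSigner -Path (Join-Path $MediaPath $_) } |
    Where-Object { $_ } |
    Format-Table File, Status, Issuer -AutoSize

# Reading the results: once DBX revokes the 2011 PCA on a device, media whose
# boot manager Issuer is still the 2011 PCA will not boot there. Rebuild it with
# Make2023BootableMedia.ps1 until the Issuer column shows the 2023 CA.
```

The DB/DBX substring check is the same idea Microsoft uses in its own verification guidance for this rollout; it is deliberately read-only, so it is safe to run before and after each phase to confirm what a device will and will not accept.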

Microsoft advises administrators to test the whole sequence, the DB update, the new boot manager, the DBX revocation and the rebuilt media, on representative hardware in their own environments before rolling it out broadly. The company has committed to at least six months' notice before the enforcement phase begins, which it currently places in 2026.
