Apologies for the late reply on this. The Secure Boot DBX update is a very complex thing to detect. The UEFI areas involved are not generally visible in a standard way, and require running a probe action to detect whether the system is vulnerable / whether the update can be applied. The Task you… Answer from JasonWalker on forum.bigfix.com
Reddit
r/sysadmin on Reddit: Patch Tuesday Megathread (2024-02-13)
September 25, 2023 -

Hello r/sysadmin, I'm u/AutoModerator, and welcome to this month's Patch Megathread!

This is the (mostly) safe location to talk about the latest patches, updates, and releases. We put this thread into place to help gather all the information about this month's updates: What is fixed, what broke, what got released and should have been caught in QA, etc. We do this both to keep clutter out of the subreddit, and provide you, the dear reader, a singular resource to read.

For those of you who wish to review prior Megathreads, you can do so here.

While this thread is timed to coincide with Microsoft's Patch Tuesday, feel free to discuss any patches, updates, and releases, regardless of the company or product. NOTE: This thread is usually posted before the release of Microsoft's updates, which are scheduled to come out at 5:00PM UTC.

Remember the rules of safe patching:

  • Deploy to a test/dev environment before prod.

  • Deploy to a pilot/test group before the whole org.

  • Have a plan to roll back if something doesn't work.

  • Test, test, and test!

Dell
Windows Update KB5025885 Prevents Reinstallation of Microsoft Windows | Dell US
1 month ago - Learn about the impact of KB5025885 on Windows Updates after May 09, 2023 that may prevent the booting of Microsoft Windows. Potential workarounds are also provided.
BigFix
KB5025885 (Secure boot DBX) fixlet not relevant for 25H2 - Usage and Config - BigFix Forum
October 27, 2025 - What is currently relevance 7 for fixlet ID 502588501 does not include Windows 11 25H2. Is this by design or an oversight? Also relevancies 1-6 are just copies of the same 2 relevancies. ((name of it = "Win2012" AND value "CurrentVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as string is "6.2" AND NOT ia64 of it) of operating system OR ((name of it = "Win8" AND value "CurrentVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\...
2pintsoftware
KB5025885 and Boot WIMs
However, the community rocks and Gary Blok has already published some blogs on automating these steps for testing purposes (see ConfigMgr Task Sequence – KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 – GARYTOWN ConfigMgr Blog).
Reddit
r/sysadmin on Reddit: KB5025885 Secure Boot issues
April 26, 2024 -

I've gone ahead with Microsoft's recommendations for KB5025885 and have implemented these Secure Boot revocations on a few physical servers. Before doing this I verified I could get recovery partitions and bootable USBs to still work after changing the trusted SB certificates. This worked like Microsoft said it would.

However, time came to actually reinstall Windows Server on a couple machines that have these revocations applied and it is going horribly. The install USBs work after updating the boot files on the USBs, but the Windows install the USB creates fails Secure Boot... it is still signed with their revoked 2011 certificate. What is the point of updating installation media if the Windows install it creates isn't updated and won't boot with Secure Boot enabled?

I've tried placing Secure Boot in Audit mode, where the system will boot, but Microsoft's steps to update the boot EFI files fail. This process hasn't failed on any other systems I've done it on, not sure why it's failing here, but maybe it has to do with Audit mode being enabled.

Anyway, I'm in a pickle with this. Things seemed like they were fine and Microsoft's instructions (while needlessly complicated over 1 year in) worked. But it seems there is a huge hole left in their documentation, which they implied wasn't there. If you know how to get a bootable fresh install after applying KB5025885, please let me know!

Microsoft Community Hub
Applying the fix for KB5025885 (CVE-2023-24932) | Microsoft Community Hub
In reference to this article: KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 -...
Reddit
r/sysadmin on Reddit: Applying the fix for KB5025885 (CVE-2023-24932)
October 13, 2024 -

https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

The fix outlined in the above article no longer works. I used to have a series of scripts that made the registry changes and ran the verification checks. Those scripts no longer work; however, previously fixed machines still report as fixed. Today, I decided to run the steps as listed (and to not use my scripts). For instance, Step 1b still returns "False".

In addition, the machines in question...

  • Have at least the 2024-10 Cumulative Update (newer than is required).

  • Are Secure Boot enabled.

  • Are rebooted twice before proceeding to the next step. (AvailableUpdates key resets to 0, which is expected.)

I posted something similar over in MS Tech Community a couple weeks ago but haven't gotten a response.

Getac
pdate (Windows Update KB5025885)
Since the Secure Boot security feature has been bypassed by the BlackLotus UEFI bootkit, which is tracked under CVE-2023-24932, Microsoft took action by releasing KB5025885 and security updates on May 9th, 2023, to manage the Windows Boot Manager revocations.
Reddit
r/sysadmin on Reddit: kb5025885 - BlackLotus Patching and Mitigations - What is everyone doing?
December 6, 2024 -

I've been worrying a lot about this, and I feel there are shockingly few posts here and in other places for something that feels like a major undertaking to me, that is patching for and mitigating the BlackLotus vulnerability:

https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#:~:text=IMPORTANT%20You%20should%20apply%20the,by%20the%20BlackLotus%20UEFI%20bootkit.

My biggest concern: at the yet-unannounced enforcement date, will all Windows computers utilizing UEFI/Secure Boot cease booting if the mitigations are not applied? It sounds like once enforcement comes, the old 2011 UEFI cert will be revoked universally.

If that is the case, will all Windows computers need to go through all of the mitigation steps and reboots? Are there any plans for a streamlined/automated fix from Microsoft?

Hoping to hear insights from others who have looked into this. Thanks!

Top answer
Have to admit I've not seen much discussion about it either. Last looked at this when updating the ADK for SCCM months back; around that time I read the MS article linked alongside the ADK version at the time and patched our boot media following that. I believe that's covered us but open to being told I'm wrong if that's the case. We've been imaging devices slowly over the past few months which I think has that updated cert given we've updated the PE add-on and I copied back the relevant boot files for the 2023 cert version. Afaik the newest ADK release has these updates already applied so it might just be easier to do that to cover it. There was an article posted alongside it which goes through the steps of creating the media and specifically creating media which is using the 2023 cert: WinPE: Create bootable media | Microsoft Learn. There were a few other threads in the SCCM reddit discussing it but from memory there was no one-size-fits-all resolution at the time; installing the latest ADK is probably the way to go now though. Can't speak for people using Intune, I'd like to think their new media available would use that cert though. Personally think this is a huge headache waiting to happen when MS decides to force toggle this on for everyone and it'll catch a lot of people out. Edit: atrocious English
I've done a lot of work managing these mitigations. Ultimately, it's been a huge headache. Apply at your own risk. Don't apply at your own risk. Either choice carries risk but if the bad guys get admin on your computers you already have a lot to worry about besides them installing BlackLotus. I bet these reasons are why you haven't seen much discussion about these mitigations. I wrote a custom script to manage the mitigations and make sure nothing went wrong. This in itself took a while. It works pretty well scripted, though. It was tricky to get this working with 8 required reboots. I eventually needed to reinstall Windows Server on some physical hardware that had these mitigations fully applied. Microsoft gives you instructions for updating boot media signed with their new 2023 certificate. This gives you a bootable installer USB. But you aren't out of the woods... The installer USB boots, but the Windows install it creates is still signed by the 2011 certificate Microsoft wants you to revoke. Your new Windows install is then NOT BOOTABLE. You must revert your Secure Boot database to defaults. This took me 1-2 days of pretty constant troubleshooting to figure out. Huge waste of time. This was using Server OS so hopefully it works differently for Windows 11.
Wikipedia
Microshaft Winblows 98 - Wikipedia
September 30, 2025 - Microshaft Winblows 98 is a 1998 interactive comedy video game for Windows and Classic Mac OS. It parodies the then-upcoming Windows 98 operating system, as well as Microsoft co-founder Bill Gates.
bondy.tech
KB5025885 (Black Lotus) – Making Everything Work After It Breaks | bondy.tech
December 3, 2024 - The rumours about Microsoft's enforcement of the Black Lotus boot kit mitigations have been around since May 2023 but so far Microsoft have (sensibly) held back enforcement. And with good reason - the mitigations, once applied, are known to ...
Microsoft Learn
KB5025885: Is a DB/DBX Update (Step 1 and 3) necessary once again, if a machine is reinstalled - Microsoft Q&A
I am following the KB5025885 Article (https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) for a while. As I understood, with the steps 1 and 3, it is possible to manipulate/update the EFI firmware of a computer.
Dell
Windows Update KB5025885 Prevents Reinstallation of Microsoft Windows | Dell Nederland
July 31, 2025 - Can I undo the policy update in order to use OSRI media and Windows backups? No. Can I disable Secure Boot in order to use OSRI media? Dell advises against reducing the security posture of a device. However, you can follow the recovery procedure in KB5025885 to enable booting from external media.
Dell
Windows Update KB5025885 Prevents Reinstallation of Microsoft Windows | Dell Deutschland
July 31, 2025 - The features that can cause disruption are delivered in a disabled state at this time. There is no impact until Microsoft enters the enforcement phase or until the user enables the feature after applying all of the mitigations contained in KB5025885.
Dell
Windows Update KB5025885 Prevents Reinstallation of Microsoft Windows | Dell España
1 month ago - The features that could cause breakage are deployed in a disabled state at this time. There is no impact until Microsoft enters the enforcement phase or until the user enables the feature after applying all of the KB5025885 mitigations.
Dell
Windows Update KB5025885 Prevents Reinstallation of Microsoft Windows | Dell Norge
July 31, 2025 - Learn about the impact KB5025885 has on Windows updates after May 9, 2023 that may prevent Microsoft Windows from booting. Potential workarounds are also provided.
Microshafting
microshafting.com
We cannot provide a description for this page right now