Getac Technology Corporation Disclaimer on Microsoft Security Update (Windows Update KB5025885 for Secure Boot Changes Associated with CVE-2023-24932)

Microsoft Security Update (Windows Update KB5025885)

Getac Technology Corporation Disclaimer on Microsoft Security Update (Windows Update KB5025885 for Secure Boot Changes Associated with CVE-2023-24932)

Updated: October 31^th, 2023

Importance:

Please note that this statement is to inform you of a critical Security Update issued by Microsoft. Users are advised to review the guidance and take actions recommended by Microsoft and below that may be updated from time to time to enable protections for the Secure Boot bypass and to avoid potential security risks and system failure. Please also note that Microsoft announced its recommended steps must be completed before moving to Final Enforcement, which is tentatively scheduled no sooner than July 9^th, 2024. Bootable media may fail to start and result in your Getac devices being unable to start after Microsoft's Final Enforcement if the required steps are not completed in order. Additionally, please be aware that software distributed by Getac with or without the Getac brand name (including, but not limited to system software) is not covered under Getac’s Warranty. Getac is not responsible for any claims, damages, costs, or expenses arising from failure to follow instructions relating to Microsoft Security Update.

Background

Since the Secure Boot security feature has been bypassed by the BlackLotus UEFI bootkit, which is tracked under CVE-2023-24932, Microsoft took action by releasing KB5025885 and security updates on May 9^th, 2023, to manage the Windows Boot Manager revocations.

Microsoft's Security updates are divided into four phases *¹, with the final phase being enforcement. The final enforcement phase, which will implement permanent mitigations on July 9^th, 2024

Risk & Impact

1.           The BlackLotus UEFI bootkit vulnerability allows attackers to maintain control over and potentially manipulate the device. It is strongly recommended that all customers apply the Windows security updates released on May 9^th 2023 (1st protection) & January 9^th 2024 (2nd protection), to implement necessary security mitigations.

2.           The revocations will be programmatically enforced on July 9^th, 2024. *¹ Therefore, if a device replaces its hard disk retained by the old Boot Manager, it may not be able to boot after the enforcement date.

Detailed Instructions by Microsoft

Please check Microsoft’s announcement regarding latest security update of CVE-2023-24932

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

Actions for Getac Users

All bootable media is suggested to be upgraded to the latest version and update with new boot-manager. Getac suggests our customers follow the actions outlined below based on different scenarios. Getac will release bootable recovery images (created by Getac Recovery Media Utility ("GRMU")*²) and tools to update boot-manager in recovery partition.

1.     Image of new shipment with the latest security updates *³ and boot manager will be released in Table A. New shipment with January 9^th, 2024, the security update will be ready after Microsoft’s release. Getac will announce the image schedule status after it is released. For a detailed list please refer to Table A: <Updated HDI Implementation Date>

2.       For current customers using Getac devices (Shipped before Jul 31^th, 2023)

Please ensure that the MIS department is aware of the information outlined below and confirm that the old boot manager has been either removed or updated. This is crucial to prevent any issues with booting after Microsoft's enforcement stage on July 9^th, 2024.

l   Please proceed with the Windows upgrade to install the latest version of Windows updates and consult with your MIS department for detailed mitigation action. Please make sure to update all updates released by Microsoft. Currently, there are 2 announced update versions (May 9^th 2023 and January 9^th 2024 versions)

l   Recovery partition: Please update the boot manager in the recovery partition using the Getac Recovery Partition Patch Tool available on Getac service portal. Before utilizing the Getac Recovery Partition Patch Tool, ensure that you have completed the Microsoft security update with a version released after May 9th. This step is crucial to ensure proper facilitation of the boot manager within the recovery partition. If the customer decides to ENABLE the revocations *⁹, please repeat this step every time you update with Microsoft's update to ensure the recovery partition contains the latest boot loader.

3.       Scenario of system recovery via recovery image or hard disk replacement after revocations enforced:

Please make sure to utilize the recovery images below for system recovery *⁶.

l   Using GRMU *⁸:

Please download the latest Windows image *⁷ with security update via GRMU *² from https://support.getac.com/Service/FileReader/Index?fileid=109165&cateid=100038 to generate recovery media and perform the system recovery *⁴.

Support model list as Table A: <Updated Image Implementation Date>.

Both May 9^th 2023 & January 9^th 2024 versions are required to ensure security. For customization project, which is not on the list, please contact your account manager & FAE.

Table A: < Updated Image Implementation Date>

*For customization projects, shipments after October 31^th ,2023 will all be shipped with a Microsoft security update on May 9^th ,2023. Please check with your SA for details.

**X600 Server is not supported by GRMU, please check with the service team or sales for details.

FAQ

1. Under what circumstances would the system fail to boot?

Starting from July 9^th, 2024, Microsoft will enforce the revocation through an update. The old Boot Manager will be added to the disallowed signature database. If a device falls into any of the following scenarios involving the use of the old Boot Manager, it will fail to boot after July 9^th, 2024.

1.The user swaps their HDD and boots up using an OS that has not been updated with the KB released on May 9^th, 2023.
2.The user utilizes the original image of GRMU for USB boot.
3.The user boots to the original WinPE using a USB drive.
4.The device undergoes PXE booting to the original operating system.
5.If the Recovery partition does not have the updated Boot Manager or contains an old Boot Manager.

2. Can users voluntarily revoke the old boot manager before the first quarter of 2024?

After applying Microsoft's May 9th update, users can follow Microsoft's instructions to voluntarily revoke the old Boot Manager earlier, which will be revoked on July 9^th, 2024, as planned by Microsoft.

3. What scenarios should we anticipate in the event of boot failure caused by either "the final phase of enforcement on July 9, 2024" or "the manual revocation of the old Boot Manager" by a user?

Boot Manager: If the user selects the old Boot Manager to boot, it will flash a black screen and return to Boot Manager.

Recovery Partition: The system will halt at the beginning of the Recovery Partition.

System boot: The system will skip this boot device with the old Boot Manager and boot the next boot device.

If you encounter the scenario mentioned above and are unable to boot the device, please refer to the next FAQ for assistance.

4. What should I do if the system fails to boot after the final phase of enforcement on July 9^th, 2024?

Please disable the secure boot in the BIOS setup, update to the latest Windows update, and then enable secure boot.

5. Will IOT LTSC version get support from these Security Update?

Yes, LTSC will be included as long as it is still within the Microsoft life cycle. The IOT version after Win10 21H2 will get support as well. Please check with Microsoft for detailed support status⁵.

6. What if an IOT LTSC customer disable Windows update (Or disable internet), will the device not be able to boot after July 9^th, 2024?

MSFT will push the accumulated updates once Wi-Fi or Windows Update is enabled. The device will be updated to a version with security updates. However, Getac strongly suggests updating to the latest version with security updates."

7. Do I have to update both releases on May 9^th, 2023, and January 9^th, 2024?

Yes,2 sets of protection are required to ensure security. Before final enforcement on July 9^th, 2024, please make sure to verify your devices and all bootable media (including offline media) are updated and ready for this security hardening change. 

¹ Details of revocations and the timing of updates, please refer to Microsoft instructions.

² The GRMU image of certain Getac models will be updated to incorporate the Microsoft May 9th update.

³ Microsoft security update regarding CVE-2023-24932 only support version after Windows 10 21H2.

⁴ After recovery with above recovery images, recovery partition will be deleted.

⁵ Information regarding version support is subject to change by Microsoft. For the most up-to-date information, please contact Microsoft directly. Microsoft reserves the right to make changes and such changes are unrelated to Getac.

⁶ Once the new GRMU images with the updated Boot Manager are available for download, the older GRMU images will no longer be accessible for download. They will be replaced by the new images containing the updated Boot Manager.

⁷ Microsoft's Knowledge Base (KB) only provides security updates for versions of Windows 10 after 21H2. However, the original recovery media is shipped with the same version as at the time of the order. Therefore, if the current version is not supported by Microsoft's security updates, Getac will offer the latest update-capable version, Windows 10 22H2.

⁸ If you have downgraded Windows 10 Pro from Windows 11 Pro through a Microsoft Volume License, kindly reach out to Microsoft for recovery assistance and further information.

⁹ Please check Microsoft’s security page for self-revocation detail

Getac Disclaimer:

All content and other information mentioned in this statement or offered arising from the issue described herein are provided on an "as is" basis. Getac hereby expressly disclaims any warranties of any kind, express or implied, including without limitation warranties of merchantability, fitness for any particular purpose, non-infringement of intellectual property. All products, information, and figures specified are preliminary based on current expectations, and Getac reserves the right to change or update any content thereof at any time without prior notice. Getac assessments have been estimated or simulated using Getac internal analysis or architecture simulation or modeling and may not represent the actual risk to the users' local installation and individual environment. Users are recommended to determine the applicability of this statement to their specified environments and take appropriate actions. The use of this statement, and all consequences of such use, is solely at the user's own responsibility, risk, and expense thereof. In no event shall Getac or any of its affiliates be liable for any and all claims, damages, costs or expenses, including without limitation, loss of profits, loss of data, loss of business expectancy, compensatory, direct, indirect, consequential, punitive, special, or incidental damages or business interruption arising out of or in connection with related to the information contained herein or actions that the user decides to take based thereon. Getac reserves the right to interpret this disclaimer and update this disclaimer whenever necessary.