
CVE-2023-24932 PoC — Secure Boot Security Feature Bypass Vulnerability

Associated Vulnerability
Title: Secure Boot Security Feature Bypass Vulnerability (CVE-2023-24932)
Description: Secure Boot Security Feature Bypass Vulnerability

Readme
# Secure Boot Mitigation Orchestrator Script

## Overview
This PowerShell script automates the Secure Boot mitigation steps for **CVE-2023-24932**, as outlined in the [Microsoft Security Guidance](https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d). It handles the entire process, including registry updates, reboots, and event log validation, to ensure your system is protected against the BlackLotus UEFI bootkit.

---

## Features
- **Fully Automated Orchestration**: The script guides you through each step, including multiple reboots, and resumes automatically after each reboot.
- **Event Log Validation**: Checks for specific Event IDs (e.g., 1799, 1037) to confirm successful updates.
- **BitLocker Awareness**: Warns if BitLocker is active and ensures you have the recovery key.
- **Hardware Compatibility Checks**: Blocks execution on unsupported configurations (e.g., TPM 2.0 on Windows Server 2012/R2).
- **Manual Verification Options**: Allows manual checks of the Boot Manager signature and Secure Boot databases.

---

## Steps Covered
The script follows the official Microsoft guidance, executing the following steps in sequence:

1. **DB-Update (0x40)**  
   - Adds the "Windows UEFI CA 2023" certificate to the Secure Boot database (DB).  
   - Requires **2 reboots**.

2. **Boot-Manager Update (0x100)**  
   - Updates the Boot Manager to a version signed with the "Windows UEFI CA 2023" certificate.  
   - Requires **2 reboots**.

3. **Manual Verification (Optional)**  
   - Copies the Boot Manager (`bootmgfw.efi`) for manual signature verification.  
   - Checks if the "Windows UEFI CA 2023" certificate is present in the DB.

4. **DBX-Update (0x80)**  
   - Adds the "Windows Production PCA 2011" certificate to the Secure Boot Forbidden Signature Database (DBX).  
   - Blocks older Boot Managers signed with this certificate.  
   - Requires **2 reboots**.

5. **SVN-Update (0x200)**  
   - Updates the Secure Boot Secure Version Number (SVN) to prevent rollback attacks.  
   - Requires **2 reboots**.

6. **Final Report**  
   - Displays a summary of the Secure Boot configuration and Event Log entries.
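The stages above each write one flag value to the `AvailableUpdates` registry value and then rely on the Secure Boot servicing task plus reboots to apply it. The following PowerShell is an added example, not the project's `CVE-2023-24932-automation.ps1` and not code from Microsoft; it shows how an administrator can request a single stage and, more usefully for verification, read back the state each stage is supposed to produce: the stage bits currently set, whether "Windows UEFI CA 2023" is in DB, whether "Windows Production PCA 2011" is in DBX, and who signed the installed `bootmgfw.efi`. The registry path, the `AvailableUpdates` value name and the `\Microsoft\Windows\PI\Secure-Boot-Update` task name follow the Microsoft guidance linked in the README; the `Get-SecureBootUEFI`, `Confirm-SecureBootUEFI` and `Get-AuthenticodeSignature` cmdlets ship with Windows. The EFI mount letter `S:` and the temporary copy path are assumptions chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not the project's script): request one mitigation stage and
# read back the Secure Boot state the CVE-2023-24932 stages are meant to produce.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'   # per Microsoft guidance

# Stage flags as listed in the README; one value is written per stage, in order.
$StageFlags = [ordered]@{
    'DB-Update'           = 0x40
    'DBX-Update'          = 0x80
    'Boot-Manager-Update' = 0x100
    'SVN-Update'          = 0x200
}

function Request-SecureBootStage {
    # Writes the flag for one stage and starts the servicing task. Reboots are
    # left to the caller (each stage needs two, per the README). -WhatIf shows
    # the registry write without performing it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('DB-Update','DBX-Update','Boot-Manager-Update','SVN-Update')][string]$Stage)
    $flag = $StageFlags[$Stage]
    if ($PSCmdlet.ShouldProcess($RegPath, "Set AvailableUpdates to 0x$($flag.ToString('X'))")) {
        Set-ItemProperty -Path $RegPath -Name AvailableUpdates -Value $flag -Type DWord
        Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
    }
}

function Get-RequestedStages {
    # Decode AvailableUpdates into the stage names whose bit is currently set.
    # This reports what has been requested; it does not by itself prove a stage
    # was applied (use the DB/DBX checks and event log for that).
    $value = (Get-ItemProperty -Path $RegPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    if ($null -eq $value) { return @() }
    $StageFlags.GetEnumerator() | Where-Object { ($value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function Test-CertInSecureBootVariable {
    param(
        [Parameter(Mandatory)][ValidateSet('db','dbx')][string]$Variable,
        [Parameter(Mandatory)][string]$Subject
    )
    # The variable holds EFI_SIGNATURE_LISTs with the certificates in DER form,
    # so the subject common name appears as an ASCII substring of the raw bytes.
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject)
}

function Get-BootManagerSigner {
    param([string]$MountLetter = 'S', [string]$CopyTo = "$env:TEMP\bootmgfw.efi")   # assumed defaults
    # Mount the EFI System Partition, copy the boot manager out, dismount, then
    # inspect the Authenticode signer of the copy.
    mountvol "${MountLetter}:" /S | Out-Null
    try {
        Copy-Item "${MountLetter}:\EFI\Microsoft\Boot\bootmgfw.efi" $CopyTo -Force
    } finally {
        mountvol "${MountLetter}:" /D | Out-Null
    }
    $sig = Get-AuthenticodeSignature -FilePath $CopyTo
    [pscustomobject]@{ Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
}

function Get-MitigationStatus {
    # One object summarising the observable state of every stage.
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled; nothing to verify.' }
    $signer = Get-BootManagerSigner
    [pscustomobject]@{
        RequestedStages     = (Get-RequestedStages) -join ', '
        DbHasUefiCa2023     = Test-CertInSecureBootVariable -Variable db  -Subject 'Windows UEFI CA 2023'
        DbxHasPca2011       = Test-CertInSecureBootVariable -Variable dbx -Subject 'Windows Production PCA 2011'
        BootManagerSigner   = $signer.Signer
        BootManagerSigValid = $signer.Status
    }
}

Get-MitigationStatus | Format-List
```

Run the status check before and after each stage: the expected progression is `DbHasUefiCa2023` turning true after the DB update, `BootManagerSigner` changing to the 2023 CA after the boot manager update, and `DbxHasPca2011` turning true only after the DBX update. Because the DBX stage is irreversible, confirming the first two before requesting `DBX-Update` (with `-WhatIf` first) is the check that matters most.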

---

## Prerequisites
- **Windows Version**: Windows 10/11, Windows Server 2016/2019/2022, or later.
- **Administrator Privileges**: The script must be run as an administrator.
- **Secure Boot Enabled**: Ensure Secure Boot is enabled in your system's UEFI firmware.
- **BitLocker Recovery Key**: If BitLocker is active, ensure you have the recovery key.

---

## Usage
1. Download the script:  
   ```powershell
   Invoke-WebRequest -Uri "https://raw.githubusercontent.com/helleflo1312/Orchestrated-Powerhell-for-CVE-2023-24932/refs/heads/main/CVE-2023-24932-automation.ps1" -OutFile "CVE-2023-24932-automation.ps1"
   ```

2. Run the script as an administrator:  
   ```powershell
   .\CVE-2023-24932-automation.ps1
   ```

3. Follow the on-screen prompts. The script will guide you through each step, including reboots.

---
## Hardware Checks
The script checks the hardware vendor and compatibility according to the [Microsoft Security Guidance](https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d).

## Event Log Validation
The script checks for the following Event IDs to confirm successful updates:
- **1036**: DB Update (0x40) successful.
- **1799**: Boot Manager Update (0x100) successful.
- **1037**: DBX Update (0x80) successful.

If an event is not found, the script will display a warning but continue execution. You can manually verify the logs using the Event Viewer.
Example output after a successful run of this script:
<img width="827" alt="image" src="https://github.com/user-attachments/assets/ea73d5b7-8064-4428-8f5a-8e2054c1d628" />
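The event log check described above can be reproduced independently of the script. The PowerShell below is an added example, not the project's code; it maps the three Event IDs listed in this section to the stages they confirm, queries the System log for them, and reports per stage whether a matching event exists and when it was last seen. It filters on Event ID only, since the README lists IDs rather than providers, and it handles the case the README warns about: `Get-WinEvent` raises an error when nothing matches, which is turned into a "not confirmed" row rather than an abort. The 30-day lookback window is an assumption.

```powershell
# Added example (not the project's script): confirm CVE-2023-24932 mitigation
# stages from the System event log using the Event IDs listed in the README.

$StageEvents = [ordered]@{
    1036 = 'DB-Update (0x40)'
    1799 = 'Boot-Manager Update (0x100)'
    1037 = 'DBX-Update (0x80)'
}

function Get-SecureBootUpdateEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))   # assumed lookback window
    # Get-WinEvent throws "No events were found" when nothing matches; suppress
    # that and return an empty array so callers can treat absence as a result.
    $filter = @{ LogName = 'System'; Id = @($StageEvents.Keys); StartTime = $Since }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

function Get-StageConfirmation {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $events = Get-SecureBootUpdateEvents -Since $Since
    foreach ($entry in $StageEvents.GetEnumerator()) {
        # Most recent event for this ID, if any.
        $hit = $events | Where-Object Id -eq $entry.Key |
               Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Stage     = $entry.Value
            EventId   = $entry.Key
            Confirmed = [bool]$hit
            LastSeen  = if ($hit) { $hit.TimeCreated } else { $null }
            Message   = if ($hit) { ($hit.Message -split "`n")[0] } else { 'no matching event; verify in Event Viewer' }
        }
    }
}

Get-StageConfirmation | Format-Table -AutoSize
```

A stage showing `Confirmed = False` is exactly the situation in which the README says to check the logs manually; the `Message` column carries the first line of the event text so a confirmed row can be read without opening Event Viewer.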

---

## Notes
- **Irreversible Changes**: Once the DBX update (0x80) is applied, it cannot be reverted without resetting Secure Boot.
- **Recovery Media**: Ensure you have updated recovery media before applying the DBX update. Older media may not boot after the update.
- **Testing**: Test the script in a non-production environment before deploying it widely.

---

## Troubleshooting
- **Event Log Errors**: If the script fails to find the expected Event IDs, check the system logs manually for errors.
- **BitLocker Recovery**: If the system enters BitLocker recovery mode, use the recovery key to unlock the drive.
- **Firmware Issues**: Some UEFI firmware may not support the required updates. Contact your hardware vendor for updates.

---

## References
- [Microsoft Security Guidance for CVE-2023-24932](https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d)
- [KB5025885: Secure Boot DB and DBX Variable Update Events](https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d)

---

## License
This script is provided under the MIT License. Use at your own risk.

---

## Contributing
If you encounter issues or have suggestions for improvement, please open an issue or submit a pull request on [GitHub](https://github.com/helleflo1312/Orchestrated-Powerhell-for-CVE-2023-24932).

---

## Disclaimer
This script is provided as-is, without warranty of any kind. Always test in a non-production environment before deploying to live systems.