The code for this worklet can be found below:
Evaluation Code
<#
.SYNOPSIS
Windows - Security - Mitigate BlackLotus
.PREREQUISITES
Microsoft's May 2023 Security Updates must be installed on the device.
Only devices with Secure Boot enabled are applicable to this mitigation.
For eligible devices, the remediation code will trigger a restart after the mitigation has been applied.
Per Microsoft, a second restart is then required to finalize the revocation steps.
The second restart will not be triggered via this worklet, and should be performed by another worklet or by manual intervention.
.WARNING
Per Microsoft:
Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device.
Even reformatting of the disk will not remove the revocations if they have already been applied.
You should not remove the SKUSiPolicy.p7b revocation file after it is deployed. Your device might no longer be able to start if the file is removed.
Please be aware of all the possible implications and test thoroughly before applying the revocations that are outlined in this article to your device.
.DESCRIPTION
This worklet mitigates the BlackLotus vulnerability (CVE-2023-24932) by applying Microsoft's guided revocation steps.
Source: https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
The worklet consists of three primary functions:
1. Get-DeviceEligibility - Determines whether or not the device is in scope for the BlackLotus mitigation.
2. Get-MitigationEvent - Determines whether the mitigation has already been applied or not.
3. Initialize-Migitation - Applies the mitigation.
The evaluation code will run the Get-DeviceEligibility function.
If the device is in scope for the mitigation and requires it, it will flag the device for remediation.
If the device is not in scope for the mitigation or does not require it, the script run will end.
The remediation code will re-run the Get-DeviceEligibility function to confirm the device is eligible for the mitigation.
It will then run the Get-MitigationEvent function to determine whether the device already has the mitigation applied.
If the device is not compliant with these two functions, it will run the Initialize-Mitigation function to apply the revocation steps.
The device will automatically reboot within 60 seconds after the revocation steps are applied.
.NOTES
Author: John Guarracino
Date: May 11, 2023
.USAGE
All variables are predefined.
The device will automatically restart per the remediation code, and restart should therefore be turned off within the worklet.
#>
# Using scriptblock to relaunch in native environment for 64bit detection.
$scriptBlock = {
#Predefined variables
$RevocationFileSource = 'C:\Windows\System32\SecureBootUpdates\SKUSiPolicy.p7b'
$RevocationFileTarget = 'q:\EFI\Microsoft\Boot\SKUSiPolicy.p7b'
$eventlog = Get-EventLog -LogName System | Where-Object { $_.Message -like "*Secure Boot Dbx update applied successfully*" }
#Declaring functions
function Get-DeviceEligibility
{
#Validate device eligibility
if ((Confirm-SecureBootUEFI) -eq $true)
{
#Secure Boot is enabled.
#Checking to see if the May 2023 Security Updates are applied.
if ((Test-Path $RevocationFileSource) -ne $true)
{
#The revocation payload was not found on this device.
#Ensure that the device has the May 2023 Security Updates installed and try again.
#The device is not in scope for this worklet. Now exiting.
return 0
}
#Checking to see if the mitigation has already ran against this device.
if ($eventlog)
{
#Secure Boot Dbx events were found.
#Mounting EFI partition to check for revocation files.
mountvol Q: /S | Out-Null
if (Test-Path $RevocationFileTarget)
{
#The revocation files are already applied.
#This device already has the BlackLotus mitigation in place and is compliant. Now Exiting.
return 0
}
else
{
#The revocation files are not applied.
#Flagging for remediation.
return 1
}
}
else
{
#No event for the Secure Boot Dbx update was found.
#Flagging for remediation.
return 1
}
}
if ((Confirm-SecureBootUEFI) -eq $false)
{
#Secure Boot is not enabled. The device is not in scope for this worklet.
return 0
}
}
#Initiating Evaluation
Get-DeviceEligibility
}
# Execution of $scriptBlock
$exitCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
# Exit with value provided by evaluation.
Exit $exitCode
Remediation Code
<#
.SYNOPSIS
Windows - Security - Mitigate BlackLotus
.PREREQUISITES
Microsoft's May 2023 Security Updates must be installed on the device.
Only devices with Secure Boot enabled are applicable to this mitigation.
For eligible devices, the remediation code will trigger a restart after the mitigation has been applied.
Per Microsoft, a second restart is then required to finalize the revocation steps.
The second restart will not be triggered via this worklet, and should be performed by another worklet or by manual intervention.
.WARNING
Per Microsoft:
Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device.
Even reformatting of the disk will not remove the revocations if they have already been applied.
You should not remove the SKUSiPolicy.p7b revocation file after it is deployed. Your device might no longer be able to start if the file is removed.
Please be aware of all the possible implications and test thoroughly before applying the revocations that are outlined in this article to your device.
.DESCRIPTION
This worklet mitigates the BlackLotus vulnerability (CVE-2023-24932) by applying Microsoft's guided revocation steps.
Source: https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
The worklet consists of three primary functions:
1. Get-DeviceEligibility - Determines whether or not the device is in scope for the BlackLotus mitigation.
2. Get-MitigationEvent - Determines whether the mitigation has already been applied or not.
3. Initialize-Migitation - Applies the mitigation.
The evaluation code will run the Get-DeviceEligibility function.
If the device is in scope for the mitigation and requires it, it will flag the device for remediation.
If the device is not in scope for the mitigation or does not require it, the script run will end.
The remediation code will re-run the Get-DeviceEligibility function to confirm the device is eligible for the mitigation.
It will then run the Get-MitigationEvent function to determine whether the device already has the mitigation applied.
If the device is not compliant with these two functions, it will run the Initialize-Mitigation function to apply the revocation steps.
The device will automatically reboot within 60 seconds after the revocation steps are applied.
.NOTES
Author: John Guarracino
Date: May 11, 2023
.USAGE
All variables are predefined.
The device will automatically restart per the remediation code, and restart should therefore be turned off within the worklet.
#>
# Using scriptblock to relaunch in native environment for 64bit detection.
$scriptBlock = {
#Predefined variables
$RevocationFileSource = 'C:\Windows\System32\SecureBootUpdates\SKUSiPolicy.p7b'
$RevocationFileTarget = 'q:\EFI\Microsoft\Boot\SKUSiPolicy.p7b'
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot"
$regName = "AvailableUpdates"
$regValue = "10"
$exists = (Get-ItemProperty -Path "$regPath" -Name "$regName" -ErrorAction SilentlyContinue).$regName
$eventlog = Get-EventLog -LogName System | Where-Object { $_.Message -like "*Secure Boot Dbx update applied successfully*" }
#Declaring functions
function Get-MitigationEvent
{
if ($eventlog)
{
Write-Output "The following Secure Boot Dbx events were found:"
Write-Output $eventlog
Write-Output ""
Write-Output "Checking for revocation files."
mountvol Q: /S
if (Test-Path $RevocationFileTarget)
{
Write-Output "The revocation files are already applied."
Write-Output "This device already has the BlackLotus mitigation in place. Now Exiting."
Exit 0
}
else
{
Write-Output "The Revocation files were not found."
Write-Output "Proceeding with the mitigation."
Initialize-Migitation
}
}
else
{
Write-Output "No event for the Secure Boot Dbx update was found."
Write-Output "Proceeding with the mitigation."
Initialize-Migitation
}
}
function Initialize-Migitation
{
try
{
Write-Output "Mounting the EFI Partition."
mountvol Q: /S
if (Test-Path $RevocationFileSource)
{
Write-Output "Copying the revocation files to the EFI volume."
Copy-Item -Path $RevocationFileSource -Destination $RevocationFileTarget -Force
if (Test-Path $RevocationFileTarget)
{
Write-Output "Revocation file copied successfully."
}
else
{
Write-Output "Revocation failed to copy. Now exiting."
Exit 1
}
}
else
{
Write-Output "The revocation payload was not found on this device."
Write-Output "Ensure that the device has the May 2023 Security Updates installed and try again."
Write-Output "Now exiting."
Exit 1
}
#Setting Registry key
if ($exists -eq $regValue)
{
Write-Output "The SecureBooot UEFI Forbidden List Registry key is already set and is the correct value."
Write-Output "Proceeding with the remainder of the script run."
}
else
{
Write-Output "The registry key does not exist or is not equal to $regValue."
Write-Output "Creating the Secure Boot UEFI Forbidden List registry key with a value of $regValue."
Set-ItemProperty $regPath -Name $regName -Value $regValue -Type Dword | Out-Null
}
#Declare end of mitigation steps and restart the computer.
Write-Output "All actions performed. Restarting the computer in 60 seconds."
Shutdown /r /t 60 /d p:4:1 /c 'Your device will reboot in 60 seconds for a security update. Please save all of your work.'
}
catch
{
Write-Output "An error has occured:"
$Exception = $errorr0].Exception.Message + "`nAt Line " + $errorr0].InvocationInfo.ScriptLineNumber
Write-Output $Exception
Exit 1
}
}
function Get-DeviceEligibility
{
#Validate device eligibility
if ((Confirm-SecureBootUEFI) -eq $true)
{
Write-Output "Secure Boot is enabled. The device is in scope."
Write-Output "Checking to see if the May 2023 Security Updates are applied."
if ((Test-Path $RevocationFileSource) -ne $true)
{
Write-Output "The revocation payload was not found on this device."
Write-Output "Ensure that the device has the May 2023 Security Updates installed and try again."
Write-Output "Now exiting."
Exit 0
}
Write-Output "Checking to see if the mitigation has already ran against this device."
Get-MitigationEvent
}
if ((Confirm-SecureBootUEFI) -eq $false)
{
Write-Output "Secure Boot is not enabled. The device is not in scope for this worklet."
Exit 0
}
}
Get-DeviceEligibility
}
& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock