Updated: 10/31/2023
Importance:
Please note that this statement is to inform you of a critical Security Update issued by Microsoft. Users are advised to review the guidance and take actions recommended by Microsoft and below that may be updated from time to time to enable protections for the Secure Boot bypass and to avoid potential security risks and system failure. Please also note that Microsoft announced its recommended steps must be completed before moving to Final Enforcement, which is tentatively scheduled no sooner than July 9th, 2024. Bootable media may fail to start and result in your Getac devices being unable to start after Microsoft’s Final Enforcement if the required steps are not completed in order. Additionally, please be aware that software distributed by Getac with or without the Getac brand name (including, but not limited to system software) is not covered under Getac’s Warranty. Getac is not responsible for any claims, damages, costs, or expenses arising from failure to follow instructions relating to Microsoft Security Update.
Background
Since the Secure Boot security feature has been bypassed by the BlackLotus UEFI bootkit, which is tracked under CVE-2023-24932, Microsoft took action by releasing KB5025885 and security updates on May 9th, 2023, to manage the Windows Boot Manager revocations.
Microsoft’s Security updates are divided into four phases¹, with the final phase being enforcement. The final enforcement phase, which will implement permanent mitigations on July 9th, 2024.
Risk & Impact
Detailed Instructions by Microsoft
Please check Microsoft’s announcement regarding the latest security update of CVE-2023-24932.
Actions for Getac Users
All bootable media is suggested to be upgraded to the latest version and update with new boot manager. Getac suggests our customers follow the actions outlined below based on different scenarios. Getac will release bootable recovery images (created by Getac Recovery Media Utility (“GRMU”)²) and tools to update the boot manager in the recovery partition.
*For customization projects, shipments after 2023-10-31 will be shipped with a Microsoft security update on May 9th. Please check with your SA for details.
**X600 Server is not supported by GRMU. Please check with the service team or sales for details.
Starting from July 9th, 2024, Microsoft will enforce the revocation through an update. The old Boot Manager will be added to the disallowed signature database. If a device falls into any of the following scenarios involving the use of the old Boot Manager, it will fail to boot after July 9th, 2024.
1. The user swaps their HDD and boots up using an OS that has not been updated with the KB released on May 9th, 2023.
2. The user utilizes the original image of GRMU for USB boot.
3. The user boots to the original WinPE using a USB drive.
4. The device undergoes PXE booting to the original operating system.
5. If the Recovery partition does not have the updated Boot Manager or contains an old Boot Manager.
After applying Microsoft’s May 9th update, users can follow Microsoft’s instructions to voluntarily revoke the old Boot Manager earlier, which will be revoked on July 9th, 2024, as planned by Microsoft.
If you encounter the above scenarios and cannot boot the device, please refer to the following FAQ for remedy.
Please disable the secure boot in the BIOS setup, update to the latest Windows update, and then enable secure boot.
Yes, LTSC will be included as long as it is still within the Microsoft life cycle. The IOT version after Win10 21H2 will get support as well. Please check with Microsoft for detailed support status5.
MSFT will push the accumulated updates once Wi-Fi or Windows Update is enabled. The device will be updated to a version with security updates. However, Getac strongly suggests updating to the latest version with security updates.”
Yes, two sets of protection are required to ensure security. Before final enforcement on July 9th, 2024, please make sure to verify your devices and all bootable media (including offline media) are updated and ready for this security hardening change.
1 Details of revocations and the timing of updates, please refer to Microsoft instructions.
2 The GRMU image of certain Getac models will be updated to incorporate the Microsoft May 9th update.
3 Microsoft security update regarding CVE-2023-24932 only support version after Windows 10 21H2.
4 After recovery with the above recovery images, the recovery partition will be deleted.
5 Information regarding version support is subject to change by Microsoft. For the most up-to-date information, please contact Microsoft directly. Microsoft reserves the right to make changes, and such changes are unrelated to Getac.
6 Once the new GRMU images with the updated Boot Manager are available for download, the older GRMU images will no longer be accessible. They will be replaced by the new images containing the updated Boot Manager.
7 Microsoft’s Knowledge Base (KB) only provides security updates for versions of Windows 10 after 21H2. However, the original recovery media is shipped with the same version as at the time of the order. Therefore, if Microsoft’s security updates do not support the current version, Getac will offer the latest update-capable version, Windows 10 22H2.
8 If you have downgraded Windows 10 Pro from Windows 11 Pro through a Microsoft Volume License, kindly contact Microsoft for recovery assistance and further information.
9 Please check Microsoft’s security page for self-revocation details.
Getac Disclaimer: All content and other information mentioned in this statement or offered arising from the issue described herein are provided on an "as is" basis. Getac hereby expressly disclaims any warranties of any kind, express or implied, including without limitation warranties of merchantability, fitness for any particular purpose, non-infringement of intellectual property. All products, information, and figures specified are preliminary based on current expectations, and Getac reserves the right to change or update any content thereof at any time without prior notice. Getac assessments have been estimated or simulated using Getac internal analysis or architecture simulation or modeling and may not represent the actual risk to the users' local installation and individual environment. Users are recommended to determine the applicability of this statement to their specified environments and take appropriate actions. The use of this statement, and all consequences of such use, is solely at the user's own responsibility, risk, and expense thereof. In no event shall Getac or any of its affiliates be liable for any and all claims, damages, costs or expenses, including without limitation, loss of profits, loss of data, loss of business expectancy, compensatory, direct, indirect, consequential, punitive, special, or incidental damages or business interruption arising out of or in connection with related to the information contained herein or actions that the user decides to take based thereon. Getac reserves the right to interpret this disclaimer and update this disclaimer whenever necessary.
