Microsoft Secure Boot Certificate Transition (2023 CA) and BlackLotus Mitigation
Getac is committed to providing robust security for our rugged computing solutions. This advisory outlines our proactive strategy for transitioning to the Microsoft 2023 Secure Boot Certificate Authority (CA) chain to ensure system integrity, compliance, and ongoing protection against evolving boot-level threats.
Importance:
Microsoft requires completion of the Microsoft Secure Boot Certificate Transition (2023 CA) before June 2026. Missing this transition will not prevent booting, but the device will no longer be able to receive DBX updates, so it will remain vulnerable to revoked binaries going forward.
Additionally, please be aware that software distributed by Getac with or without the Getac brand name (including, but not limited to system software) is not covered under Getac’s Warranty. Getac is not responsible for any claims, damages, costs, or expenses arising from failure to follow instructions relating to Microsoft Security Update.
1. Background and The Root Cause: CVE-2023-24932
The transition to the 2023 Secure Boot CA is essential for maintaining long-term system integrity. Driven by the June 2026 expiration of the 2011 KEK CA and the need to mitigate the BlackLotus UEFI Bootkit vulnerability (CVE-2023-24932), this action ensures that devices remain compliant with Microsoft security standards and retain the capability to receive DBX updates post-2026.
2. Getac's Planning for 2023 CA Deployment
Getac is implementing the new 2023 CA certificates across our product portfolio through two phases: Default in BIOS for new platforms and Windows Update for in-market devices.
Phase A: New Platforms with Windows 11 Pro (2023 CA Default in BIOS)
Projects developed on the following platforms, and on later platforms, will have the 2023 CA embedded as the default setting in the factory BIOS:
| Platform Name | Affected Projects (Examples) | Status |
| --- | --- | --- |
| Raptor Lake | F110G7, K120G3, UX10G4 (not yet launched) | Default in BIOS |
| Meteor Lake | S510 | Default in BIOS |
| Lunar Lake | B360G3 Plus, F120, UX10G5 | Default in BIOS |
| Arrow Lake | B360G3, S510 ARL, UX10G5 ARL, V120 | Default in BIOS |
Phase B: In-Market Platforms Windows 11 Pro (Windows Update)
Earlier platforms that are already in the market will receive the 2023 CA update through standard Windows Update mechanisms.
| Platform Name | Affected Projects (Examples) | Update Mechanism |
| --- | --- | --- |
| Comet Lake | A140G2, V110G6, B360, UX10G2, S410G4 | Windows 11 Update |
| Tiger Lake | F110G6, K120G2, S410G4, X600 | Windows 11 Update |
| Alder Lake | B360G2, UX10G3, V110G7 | Windows 11 Update |
| Raptor Lake | S410G5, B360G2 RPL (project base) | Windows 11 Update |
Technical Basis: Following Microsoft guidance (Windows Secure Boot Key Creation and Management Guidance), in-market devices will receive the new 2023 KEK CA via standard Windows Update so that they can continue to receive the vital DB/DBX updates post-2026.
3. Action Required & Out-of-Scope Platforms
⚠️ Security and Operational Advisory
While most platforms are covered, long-term system security and boot integrity depend on completing the update: systems that do not complete the certificate update in time will be unable to receive DBX updates post-2026.
We strongly advise customers to take the following actions:
Update BIOS: Keep your platform BIOS updated to the latest version provided by Getac.
Enable Windows Update: Ensure Windows Update is enabled and functioning to receive the necessary certificate updates directly from Microsoft.
Avoid Resetting Secure Boot: As a precaution, avoid resetting the BIOS to default settings or disabling Secure Boot.
Manage, troubleshoot, and verify that the DB has been successfully updated by following the Microsoft Support guidance: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support
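To carry out the verification step above from an elevated PowerShell prompt, here is an added example (not part of the original advisory or of Getac's tooling) that reads the Secure Boot variables with the built-in Get-SecureBootUEFI cmdlet. The certificate subject strings it searches for are the Microsoft-published names of the 2023 CAs and of the 2011 boot manager CA that the DBX update revokes; the function name Test-SecureBoot2023Transition is my own.

```powershell
# Added example (not Getac's code): reports whether this device has completed the
# Microsoft 2023 Secure Boot CA transition. Run from an elevated PowerShell prompt
# on Windows 11 with Secure Boot enabled. The subject strings below are the
# Microsoft-published names of the 2023 certificates and of the 2011 boot manager
# CA that the DBX update revokes.
function Test-SecureBoot2023Transition {
    [CmdletBinding()]
    param()

    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is disabled or unsupported; the CA transition cannot be verified.'
    }

    # Read one Secure Boot variable and return its raw contents as an ASCII string
    # so certificate subject names can be searched with -match.
    function Get-SecureBootVarText([string] $Name) {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes)
    }

    $db  = Get-SecureBootVarText 'db'
    $kek = Get-SecureBootVarText 'kek'
    $dbx = Get-SecureBootVarText 'dbx'

    $result = [PSCustomObject]@{
        # 2023 signing CAs must be in DB before 2023-signed boot managers, third-party
        # binaries and option ROMs are trusted.
        WindowsUefiCa2023InDb   = $db -match 'Windows UEFI CA 2023'
        MicrosoftUefiCa2023InDb = $db -match 'Microsoft UEFI CA 2023'
        OptionRomUefiCa2023InDb = $db -match 'Microsoft Option ROM UEFI CA 2023'
        # The 2023 KEK CA must be in KEK; otherwise Microsoft-signed DB/DBX updates
        # stop applying once the 2011 KEK CA expires in June 2026.
        Kek2023Present          = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        # Final BlackLotus mitigation step: the 2011 Windows boot manager CA is revoked.
        Pca2011Revoked          = $dbx -match 'Microsoft Windows Production PCA 2011'
    }

    # Minimum state needed to keep receiving DBX updates after June 2026.
    $result | Add-Member -NotePropertyName 'TransitionComplete' -NotePropertyValue (
        $result.WindowsUefiCa2023InDb -and $result.Kek2023Present
    )
    return $result
}

Test-SecureBoot2023Transition | Format-List
```

A device whose TransitionComplete is $false after the BIOS update and Windows Update have been applied should be handled with the Microsoft Support article linked above.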
Critical Note on Legacy & Windows 10 Platforms
Windows 10 Devices: As Windows 10 approaches End-of-Service, we highly recommend upgrading to Windows 11 for continuous security coverage.
Out-of-Scope Platforms: Because Windows 10 has officially reached End of Service, devices not covered by the above plan must transition to Windows 11 or enroll in the New Consumer ESU (Extended Security Updates) Program for self-managed security maintenance.
Disclaimer:
Getac Disclaimer: All content and other information mentioned in this statement or offered arising from the issue described herein are provided on an "as is" basis. Getac hereby expressly disclaims any warranties of any kind, express or implied, including without limitation warranties of merchantability, fitness for any particular purpose, and non-infringement of intellectual property. All products, information, and figures specified are preliminary based on current expectations, and Getac reserves the right to change or update any content thereof at any time without prior notice. Getac assessments have been estimated or simulated using Getac internal analysis or architecture simulation or modeling and may not represent the actual risk to the users' local installation and individual environment. Users are recommended to determine the applicability of this statement to their specified environments and take appropriate actions. The use of this statement, and all consequences of such use, is solely at the user's own responsibility, risk, and expense thereof. In no event shall Getac or any of its affiliates be liable for any and all claims, damages, costs or expenses, including without limitation, loss of profits, loss of data, loss of business expectancy, compensatory, direct, indirect, consequential, punitive, special, or incidental damages or business interruption arising out of, in connection with, or related to the information contained herein or actions that the user decides to take based thereon. Getac reserves the right to interpret this disclaimer and update this disclaimer whenever necessary.