Issues with Dell Optiplex after Release KB5025885: Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

B. Guinea 0 Reputation points
2024-06-11T07:55:09.9933333+00:00

Hello all,

We have noticed changes in the Bitlocker Event Manager on some Optiplex from Dell after the update release.

Several reboots were performed and the system goes into Bitlocker recovery mode, we also had cases where the boot order was changed.

After we started investigating this issue, we found the release based on the Microsoft link (see link)

Microsoft says that this is not enabled by default. (see link)

https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_timing

I have also posted the logs with the issue ID from the Bitlocker Event Manager.

Any ideas?

BitlockerEvt

Thanks for the support.


1 answer

  1. Wesley Li 5,955 Reputation points
    2024-06-21T15:26:20.4766667+00:00

    Hello

    The main issue is that the machine with bitlocker will go into recovery mode after an update, right?

    I have checked the link you have shared. It seems the contents shared in that link are not applied to the machine automatically.

    We could check the following steps:

    1. I noticed you have shared the event log here. I would assume you have backed up the BitLocker recovery key and you can still gain access to the BitLocker drive though it is in recovery mode.
    2. Check "Event Viewer\Windows Logs\Setup" for the latest update installed on the machine to verify the exact update KB number that has been applied to the problematic machine.
    3. As far as I know, a firmware or BIOS update would trigger BitLocker to go into recovery mode. We could open an administrator PowerShell command line and run "get-windowsupdatelog", then verify whether we have got a firmware or BIOS update recently.
    4. As stated in the link you shared, there should be an event 1037 recorded if we have applied the changes.

    Verify installation and revocation list was successfully applied by looking for event 1037 in the event log.

    For information about Event 1037, see KB5016061: Secure Boot DB and DBX variable update events. Or, run the following PowerShell command as Administrator and make sure it returns True:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011'

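As an added example (not the answerer's own script), the two verification steps from the answer above, the DBX string match and the event 1037 lookup, combined into one read-only PowerShell check that also lists BitLocker volume state; the System log name, the 30-day window and the volume listing are my assumptions, not from the KB.

```powershell
# Added example, not from the original post or answer. Run from an elevated PowerShell prompt
# on a UEFI machine (Get-SecureBootUEFI / Confirm-SecureBootUEFI throw on legacy BIOS systems).
# Assumptions: event 1037 is written to the System log (log name assumed here, see KB5016061),
# and the BitLocker module (Get-BitLockerVolume) is available on the client.

function Test-DbxRevocationApplied {
    # Same check as in the KB: once the boot manager revocation has been applied, the DBX
    # variable contains an entry naming 'Microsoft Windows Production PCA 2011'.
    $dbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($dbxBytes) -match 'Microsoft Windows Production PCA 2011')
}

function Get-DbxUpdateEvents {
    param([int]$Days = 30)   # lookback window is an assumption, adjust as needed
    # Event 1037 is the "DBX update applied" event the answer refers to.
    # Filtering by ID only, so no provider name has to be assumed; returns nothing if absent.
    $filter = @{ LogName = 'System'; Id = 1037; StartTime = (Get-Date).AddDays(-$Days) }
    return @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

function Get-BitLockerState {
    # Per-volume protection and encryption status; useful alongside the recovery-mode symptom
    return Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus, VolumeStatus
}

# Collect the report. Secure Boot state first, because the DBX check is meaningless without it.
$secureBoot = $false
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
}

$events = Get-DbxUpdateEvents
$report = [ordered]@{
    SecureBootEnabled    = $secureBoot
    DbxRevocationApplied = $(if ($secureBoot) { Test-DbxRevocationApplied } else { $null })
    Event1037Count       = $events.Count
    LastEvent1037        = $(if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null })
}
[pscustomobject]$report | Format-List

# If DbxRevocationApplied is False and no 1037 events exist, the KB5025885 revocation was not
# applied on this machine, and a firmware/BIOS update (answer step 3) is the more likely trigger.
Get-BitLockerState | Format-Table -AutoSize
```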