The BlackLotus UEFI bootkit exploits CVE-2023-24932 to bypass Secure Boot on UEFI-based computers. Applying the May 9, 2023 Windows updates, detailed in KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support, fixes this bypass. However, once the updates and the Secure Boot revocations described in that article have been applied, the PC will no longer boot any operating system boot manager created before the updates, including the boot manager on previously created rescue media. The failure can present in several ways, but typically you will see a blue screen with the message “Your PC/Device needs to be repaired”. Error codes vary, but 0xc0e90002 is typical.
Typical Problem Scenarios
- You restore a backup of an earlier version of Microsoft Windows, imaged before the updates were applied. After the restore, your PC fails to boot.
- You attempt to boot your PC from previously created Macrium Reflect Rescue Media, for example a USB flash drive. Your Rescue Media fails to boot.
Problem Resolution for Windows RE Rescue Media
- Make sure that you have the Microsoft July 11, 2023 Windows Update (OS Build 22621.1992) or later installed on your PC.
- Start Macrium Rescue Media Builder.
- If the Rescue Media Settings at the top of the dialog do not show Windows RE, click the Advanced button, then the Choose Base WIM tab, select Windows RE, then click OK.
- Check that the Settings at the top of the dialog now show Windows RE Build 22621 or later.
- Select your preferred device (USB flash drive, ISO file, etc.).
- Hold down the Control key and click the down arrow on the Build button. Click Force WIM Rebuild.
Problem Resolution for Windows PE 11
Temporarily Turn Off Secure Boot
- Go into your computer’s UEFI settings, typically by pressing a function key while your system restarts, and turn off Secure Boot. While Secure Boot is off the firmware will run any boot manager, signed or not, so keep this window short and do not boot untrusted media.
- Restart your computer; it will now boot, because the firmware is no longer enforcing the revocations against the old boot manager.
- Apply the latest updates using Windows Update.
- Apply the Secure Boot revocations as detailed in KB5025885, How to manage the Windows Boot Manager revocations for Secure Boot changes.
- Restart your computer, go back into your UEFI settings and turn Secure Boot back on.
- Windows will now boot successfully with Secure Boot enabled.
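The following PowerShell script is an added example, not part of the Macrium article and not Macrium or Microsoft code. It checks the state behind the steps above and the Windows RE steps earlier on this page: the installed OS build against the July 2023 build the article names, the Secure Boot state, the build of the Windows RE image the Rescue Media Builder will use, and the revocation state that KB5025885 drives through the AvailableUpdates registry value, the Secure-Boot-Update scheduled task, the DBX and the SKUSiPolicy.p7b boot policy on the EFI system partition. It only reads state; it deliberately does not write AvailableUpdates, because the value to set depends on the revision of KB5025885 you are following. Assumptions: the required build is the Windows 11 22H2 one from this page (substitute your version's build on other releases), drive letter S: is free for mounting the ESP, and the SKUSiPolicy.p7b location is the one KB5025885 describes.

```powershell
# Added diagnostic script (not from the Macrium article, not Microsoft code).
# Run from an elevated PowerShell prompt on the UEFI PC being repaired.
# Read-only: it does not set AvailableUpdates, run the task, or touch the DBX.

# --- 1. Installed OS build vs. the build the article requires for Windows RE media ---
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = [version]"10.0.$($cv.CurrentBuildNumber).$($cv.UBR)"
# Assumption: 22621.1992 (Windows 11 22H2, July 11, 2023) is the threshold named on the page;
# on another Windows release substitute that release's July 2023 or later build.
$requiredBuild = [version]'10.0.22621.1992'
"OS build: $osBuild (required: $requiredBuild or later) -> " +
    $(if ($osBuild -ge $requiredBuild) { 'OK' } else { 'UPDATE WINDOWS FIRST' })

# --- 2. Secure Boot state (Confirm-SecureBootUEFI throws on legacy/CSM firmware) ---
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot: unsupported or firmware in legacy mode ($($_.Exception.Message))" }

# --- 3. Build of the Windows RE image that the Rescue Media Builder will copy ---
# reagentc prints the WinRE location; Get-WindowsImage (DISM module) reads the WIM header.
$reInfo = (reagentc /info) -join "`n"
if ($reInfo -match 'Windows RE location:[ \t]*([^\r\n]*)' -and $Matches[1].Trim()) {
    $wim = $Matches[1].Trim().TrimEnd('\') + '\winre.wim'
    try {
        $img = Get-WindowsImage -ImagePath $wim -Index 1
        "WinRE image: $wim  build $($img.Version).$($img.SPBuild)"   # expect 22621.1992 or later
    } catch { "Could not read $wim ($($_.Exception.Message))" }
} else { 'Windows RE is disabled or its location is not reported by reagentc' }

# --- 4. Revocation state per KB5025885 ---
$sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$avail = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
'AvailableUpdates: ' + $(if ($null -ne $avail) { '0x{0:X}' -f $avail } else { '(not set)' })

$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' `
        -ErrorAction SilentlyContinue
'Secure-Boot-Update task: ' + $(if ($task) { $task.State } else { 'not present' })

# The DBX grows when revocation hashes are applied; record its size before and after step 4
# of the procedure above to confirm the firmware variable actually changed.
try   { $dbx = Get-SecureBootUEFI -Name dbx; "DBX size: $($dbx.Bytes.Length) bytes" }
catch { "DBX: unreadable ($($_.Exception.Message))" }

# The revocation step writes the Code Integrity boot policy SKUSiPolicy.p7b to the ESP.
# Assumption: drive letter $esp is free; mountvol /s mounts the ESP, /d unmounts it again.
$esp = 'S:'
if (-not (Test-Path "$esp\")) {
    mountvol $esp /s | Out-Null
    "SKUSiPolicy.p7b on ESP: $(Test-Path "$esp\EFI\Microsoft\Boot\SKUSiPolicy.p7b")"
    mountvol $esp /d | Out-Null
} else { "$esp is already in use; skipping the ESP check" }
```

Run it once before turning Secure Boot off and again after step 4 and the final reboot: the DBX size should have grown, SKUSiPolicy.p7b should be present on the ESP, and Secure Boot should report enabled again. Only then rebuild the rescue media, so that the new media is created from an already-updated system.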
Create New Macrium Reflect Rescue Media
Macrium has released an update to 64-bit Windows PE 11 Rescue Media to enable the creation of new Rescue Media that works with the May 9 Secure Boot updates. This
- You must first remove any previously saved Windows PE component files. To do this, go to Windows Control Panel, Programs and Features (or Programs -> Uninstall a program, if you use the Control Panel Category view), select your Macrium Reflect installation, then click Uninstall.
- Deselect the Uninstall Macrium Reflect option and select Remove Windows PE component files. Click OK.
- Start Macrium Reflect Rescue Media Builder. Click the Advanced button, then click the Choose Base WIM tab. Select the Windows PE 11 option and click OK
- Select the device, for example Removable USB Flash Drive, and click the Build button to create new Rescue Media.
Note: The Advanced option “Enable legacy EFI screen resolution support” is not supported when the Windows PE 11 (WADK) base WIM is selected.