
Microsoft Blocks BlackLotus Secure Boot Mitigation on TPM 2.0 Windows Server 2012 PCs


Microsoft last week released the April 2024 Patch Tuesday updates for Windows 10 (KB5036892), Windows 11 (KB5036893) and other supported versions. As is often the case, some users ran into problems while installing them.

Regardless, the updates address several critical security issues. Earlier today we covered the Kerberos PAC (Privilege Attribute Certificate) vulnerabilities tracked as CVE-2024-26248 and CVE-2024-29056.

The April 2024 Patch Tuesday update also continues the rollout of protections against the BlackLotus UEFI bootkit, which bypasses Secure Boot through the vulnerability tracked as CVE-2023-24932. Note that an updated Secure Boot configuration does nothing against the LogoFAIL firmware vulnerability we covered recently; that is a separate flaw in UEFI image parsing.

As with the Kerberos PAC changes, the Secure Boot mitigations are not enabled by default: installing the update only stages them, and an administrator has to enable them deliberately.

Microsoft also warned about several known issues. For example, the mitigations are blocked on Windows Server 2012 and Windows Server 2012 R2 systems that use TPM 2.0, because of a compatibility problem with TPM measurements.

Microsoft explains:

TPM 2.0 based systems: Those systems running Windows Server 2012 and Windows Server 2012 R2 cannot deploy the mitigations published in the April 9, 2024 security update because of known compatibility issues with TPM measurements. The April 9, 2024 security updates will block mitigations #2 (Boot Manager) and #3 (DBX Update) on affected systems.

Microsoft is aware of the problem and will release a future update to unblock TPM 2.0 based systems.
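Because the mitigations are opt-in and are silently blocked on the Server 2012 / TPM 2.0 combination above, it is worth knowing where a given machine actually stands before and after enabling them. The following read-only check is an added example for this article, not code from Microsoft or from the support document. It assumes the SecureBoot PowerShell module (Confirm-SecureBootUEFI, Get-SecureBootUEFI) is available on the host, that the "Windows UEFI CA 2023" and "Microsoft Windows Production PCA 2011" subject strings are the ones present in the DB and DBX variables once the new boot manager certificate is installed and the old one revoked, and that Event ID 1795 in the System log is the entry the article associates with failed Secure Boot variable updates.

```powershell
# Added example, not from the article or Microsoft: read-only readiness check for the
# CVE-2023-24932 Secure Boot mitigations. Run from an elevated PowerShell prompt.
# Assumptions (see lead-in): SecureBoot module present; the two CA subject strings below
# are what appears in DB/DBX; Event ID 1795 marks a failed Secure Boot variable update.
#Requires -RunAsAdministrator

function Get-BlackLotusMitigationStatus {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    $tpmSpec = 'no TPM reported'
    if ($tpm) { $tpmSpec = $tpm.SpecVersion }   # e.g. "2.0, 0, 1.38" on a TPM 2.0 part

    $result = [ordered]@{
        OSCaption      = $os.Caption
        SecureBootOn   = $false
        TpmSpecVersion = $tpmSpec
        NewCaInDb      = $false   # "Windows UEFI CA 2023" present in DB (new boot manager signer)
        OldCaRevoked   = $false   # "Microsoft Windows Production PCA 2011" present in DBX (revocation)
        KnownBlock     = $null
        Event1795Count = 0
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS / unsupported platforms; treat that as "off".
    try { $result.SecureBootOn = [bool](Confirm-SecureBootUEFI) } catch { $result.SecureBootOn = $false }

    if ($result.SecureBootOn) {
        # DB and DBX are raw EFI_SIGNATURE_LIST blobs; the certificate subject names are
        # embedded as ASCII, so a substring match is enough for a yes/no answer.
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
        $result.NewCaInDb    = [bool]($db  -match 'Windows UEFI CA 2023')
        $result.OldCaRevoked = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    }

    # Windows Server 2012 / 2012 R2 on TPM 2.0 is the combination the April 2024 update blocks.
    $isServer2012 = $os.Caption -match 'Server 2012'
    $isTpm20      = $tpm -and ($tpm.SpecVersion -match '^2\.0')
    if ($isServer2012 -and $isTpm20) {
        $result.KnownBlock = 'Windows Server 2012/2012 R2 with TPM 2.0: mitigations #2 (Boot Manager) and #3 (DBX Update) are blocked by the April 9, 2024 update'
    }

    # Count Event ID 1795 entries in the System log (no matching events yields 0, not an error).
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1795 } -ErrorAction SilentlyContinue)
    $result.Event1795Count = $events.Count

    [pscustomobject]$result
}

Get-BlackLotusMitigationStatus | Format-List
```

Read the output as a pair: NewCaInDb true with OldCaRevoked false means the new boot manager certificate has been trusted but the old signer has not yet been revoked, so a BlackLotus-style bootkit signed under the 2011 CA would still load. A non-null KnownBlock explains why the later steps never complete on the affected servers, and a growing Event1795Count points at firmware that refuses the variable updates, which is the situation the article describes for Boot Camp Macs.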

The full list of known issues is provided below:

  • HP: HP has identified an issue with installing the mitigation on HP Z4G4 Workstation computers and will release updated Z4G4 UEFI firmware (BIOS) in the coming weeks. To ensure the mitigation installs successfully, it is blocked on these workstations until the firmware update is available.
  • HP devices with Sure Start security: These devices need the latest HP firmware updates before the mitigations can be installed. The mitigations are blocked until the firmware is updated.
  • Arm64-based devices: The mitigations are blocked because of known UEFI firmware issues on Qualcomm-based devices. Microsoft is working with Qualcomm to address the issue, and Qualcomm will provide the fix to device manufacturers.
  • Apple: Macs with the Apple T2 Security Chip support Secure Boot, but their UEFI security variables can only be updated as part of a macOS update. Boot Camp users should expect to see a Windows Event ID 1795 entry in the event log relating to these variables.
  • VMware: In VMware-based virtualization environments, a VM using an x86-based processor with Secure Boot enabled will fail to boot after the mitigations are applied. Microsoft is coordinating with VMware to address this issue.
  • Symantec Endpoint Encryption: The Secure Boot mitigations cannot be applied to systems that have Symantec Endpoint Encryption installed. Microsoft and Symantec are aware of the issue and will address it in a future update.

More technical details, the enablement steps and the full release timeline are in the support document (KB5025885) on Microsoft's website.
