Intune Remediations for CVE-2023-24932 (KB5025885 Windows Boot Manager Revocations)

With the release of today's Windows Updates (July 11, 2023), Microsoft have updated their guidance for managing the Windows Boot Manager revocations for the Secure Boot changes associated with CVE-2023-24932.

I’ve prepared some Intune Remediation scripts that can be used to apply the “revocations” mentioned in that KB – which is simply a registry key update. The device then needs to be rebooted twice (yes twice) to fully apply the revocations.

The reg key change should only be made on devices that have the July monthly CU installed, and the detection script will check for that, as well as checking that Secure Boot is supported and enabled on the device. The remediation script will not force any reboot – it will simply apply the registry key.
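To illustrate the detection/remediation split described above, here is an added example skeleton (my own, not the scripts in the GitHub repository). The registry path, value name, value data and minimum build numbers are placeholders marked `<...>` that must be filled in from KB5025885 and the July 2023 CU release notes; in Intune the detection and remediation halves are deployed as two separate script files.

```powershell
# Added example, not the author's GitHub scripts. Placeholders marked <...> are
# NOT on this page and must be filled in from KB5025885 before use.
$Remediate  = $false   # $false = run as detection script, $true = run as remediation script
$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\<subkey named in KB5025885>'  # placeholder
$ValueName  = '<value name from KB5025885>'                                          # placeholder
$ValueData  = 0         # placeholder: DWORD data the KB specifies for the revocations
# Lowest UBR per OS build (CurrentBuild) that includes the July 2023 CU. Placeholder entries.
$MinimumUbr = @{ '<CurrentBuild>' = 0 }

function Test-SecureBootEnabled {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI and throws on legacy BIOS or unsupported firmware.
    try { return [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { return $false }
}

function Test-JulyCuInstalled {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $required = $MinimumUbr[[string]$cv.CurrentBuild]
    if ($null -eq $required) { return $false }   # unknown build: treat as not eligible, never remediate
    return ([int]$cv.UBR -ge [int]$required)
}

function Test-RevocationValueSet {
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.$ValueName -eq $ValueData)
}

if (-not $Remediate) {
    # Detection: exit 1 only when the device is eligible AND the value is missing.
    # Ineligible devices exit 0 so Intune never runs the remediation on them.
    if (-not (Test-SecureBootEnabled)) { Write-Output 'Secure Boot not enabled/supported'; exit 0 }
    if (-not (Test-JulyCuInstalled))   { Write-Output 'July 2023 CU not installed';        exit 0 }
    if (Test-RevocationValueSet)       { Write-Output 'Revocation value already set';      exit 0 }
    Write-Output 'Eligible, value missing'; exit 1
}
else {
    # Remediation: write the DWORD only; no reboot is forced (two reboots are needed to finish applying).
    if (-not (Test-SecureBootEnabled) -or -not (Test-JulyCuInstalled)) { Write-Output 'Prerequisites failed'; exit 1 }
    New-Item -Path $RegPath -Force | Out-Null
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $ValueData -Force | Out-Null
    Write-Output 'Revocation value written; reboot twice to apply'; exit 0
}
```

The remediation half re-checks the prerequisites before writing, so a device whose state changed between detection and remediation is still protected from an unintended key change.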

Please do read the KB before deploying this though, and understand the risks. According to the KB, the tentative enforcement date for the revocations is Q1 2024, so you have room to test before then.

MEM/Proactive remediations/KB5025885 – CVE-2023-24932 at main · SMSAgentSoftware/MEM · GitHub