How to manage the Windows Boot Manager revocations for Secure Boot ...
This article describes the protection against the publicly disclosed Secure Boot security feature bypass that uses the BlackLotus UEFI bootkit tracked by CVE-2023-24932, how to enable the mitigations, and guidance on bootable media.
When Secure Boot certificates expire on Windows devices
Disabling Secure Boot significantly reduces device protection, removes safeguards against boot‑level malware, and can create new security and compliance risks. The recommended path is to ensure your device receives the updated 2023 Secure Boot certificates and any required OEM firmware updates.
Known issues and resolutions for Secure Boot certificates updates ...
For problems deploying Secure Boot certificates that are not caused by known issues in Windows or Microsoft Intune, please refer to the Secure Boot troubleshooting guide.
Windows 11 and Secure Boot - Microsoft Support
Learn how to change settings to enable Secure Boot if you cannot upgrade to Windows 11 because your PC does not currently support Secure Boot.
Secure Boot DB and DBX variable update events - Microsoft Support
The DBX variable is used to untrust Secure Boot components and is typically used to block vulnerable or malicious Secure Boot components such as boot managers and certificates used to sign boot managers.
Sample Secure Boot E2E Automation Guide - Microsoft Support
The Secure Boot Certificate Rollout Automation is a PowerShell-based system that deploys Windows Secure Boot DB certificate updates to domain-joined machines in a controlled, graduated manner.
Group Policy Objects (GPO) method of Secure Boot for Windows devices ...
This method offers a straightforward Secure Boot Group Policy setting that domain administrators can set to deploy Secure Boot updates to all domain-joined Windows clients and servers.
Windows 11 and Secure Boot - Microsoft Support
Learn how to change settings to enable Secure Boot if you are not able to upgrade to Windows 11 because your PC is not currently Secure Boot capable.
Frequently asked questions about the Secure Boot update process ...
Devices with Secure Boot disabled will not receive the new Secure Boot certificates in firmware. As a result, they will remain vulnerable to boot-level malware, such as bootkits, because Secure Boot protections are not enforced.
Monitoring Secure Boot certificate status with Microsoft Intune ...
All Windows devices with Secure Boot enabled must be updated to the 2023 certificates before expiration to ensure continued security update support. This guide provides a monitoring-only approach using Microsoft Intune Remediations (Proactive Remediations).