Summary

To help keep Windows devices secure, Microsoft adds the hashes or signing certificates of vulnerable bootloader modules to the Secure Boot DBX (forbidden signatures) revocation list so that the firmware refuses to load those modules. Applying an updated DBX to a device that still boots through a revoked module would leave it unable to start, so when the updated DBX is delivered, Windows first checks whether any of the newly revoked modules could still be used to start the device. If one of the vulnerable modules is detected, the DBX update is deferred. On each restart, the device is rescanned to determine whether the vulnerable module has been updated and whether it is now safe to apply the updated DBX list.

When one of these vulnerable modules is detected, Windows writes an event log entry that warns about the situation and includes the path and name of the detected module. The entry contains details similar to the following:

Example event log entry

Potentially revoked boot manager was detected in EFI partition. For more information, please, see https://go.microsoft.com/fwlink/?linkid=2169931

Take Action

In most cases, the vendor of the vulnerable module has an updated version that addresses the vulnerability. Contact your vendor to get the update, install it, and restart the device. Once the rescan at restart no longer finds the vulnerable module, the deferred DBX update is applied.

Event log information

Event ID 1033 is logged when a vulnerable Secure Boot-based component is detected on the device.

Event log: System
Event source: TPM-WMI
Event ID: 1033
Level: Error
Event message text: Potentially revoked boot manager was detected in EFI partition. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
Event Data BootMgr: <path and name of vulnerable file>
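The following PowerShell script is an added example for triaging this event; it is not part of the Microsoft article. It lists the TPM-WMI 1033 entries and the BootMgr path each one names, reads the firmware's current DBX and parses the SHA-256 revocation entries out of its EFI_SIGNATURE_LIST structures, and optionally checks whether a given boot manager file's Authenticode SHA-256 hash is already revoked. It assumes an elevated session, that the BootMgr value is the first (and only) EventData property of the record, that the AppLocker module is available for Get-AppLockerFileInformation, and that the ESP has been mounted at S: (the path S:\EFI\Microsoft\Boot\bootmgfw.efi is a placeholder to replace with the path the event reports). The sample DBX bytes built by New-SampleDbx are constructed test data, not real firmware contents.

```powershell
# Added example, not from the article. Run from an elevated PowerShell session on a UEFI system.

function Get-RevokedBootMgrEvents {
    # TPM-WMI / 1033 in the System log, as documented above.
    $filter = @{ LogName = 'System'; ProviderName = 'TPM-WMI'; Id = 1033 }
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Assumption: BootMgr is the first EventData property of the record.
        $bootMgr = if ($evt.Properties.Count -gt 0) { $evt.Properties[0].Value } else { $null }
        [pscustomobject]@{ TimeCreated = $evt.TimeCreated; BootMgr = $bootMgr; Message = $evt.Message }
    }
}

function Get-DbxSha256Hashes {
    param([Parameter(Mandatory)][byte[]]$Dbx)
    # DBX is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType (GUID,16) | SignatureListSize (u32) | SignatureHeaderSize (u32) | SignatureSize (u32)
    #   | SignatureHeader[SignatureHeaderSize] | Signatures[], each = SignatureOwner (GUID,16) + data
    # Only EFI_CERT_SHA256_GUID lists are collected; certificate-based revocations are skipped.
    $sha256Type = [guid]'c1c41626-504c-4092-aca9-41f936934328'
    $hashes = [System.Collections.Generic.HashSet[string]]::new()
    $off = 0
    while ($off + 28 -le $Dbx.Length) {
        $type     = [guid]::new([byte[]]$Dbx[$off..($off + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Dbx, $off + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Dbx, $off + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Dbx, $off + 24)
        if ($listSize -lt 28 -or ($off + $listSize) -gt $Dbx.Length) { break }   # malformed list: stop
        if ($type -eq $sha256Type -and $sigSize -eq 48) {
            $pos = $off + 28 + $hdrSize
            $end = $off + $listSize
            while ($pos + $sigSize -le $end) {
                $h = [byte[]]$Dbx[($pos + 16)..($pos + 47)]          # skip 16-byte SignatureOwner
                [void]$hashes.Add(([BitConverter]::ToString($h) -replace '-', ''))
                $pos += $sigSize
            }
        }
        $off += $listSize
    }
    return $hashes
}

function Get-AuthenticodeSha256 {
    param([Parameter(Mandatory)][string]$Path)
    # Secure Boot hashes PE images the Authenticode way, not as a flat SHA-256 of the file.
    # Get-AppLockerFileInformation reports that hash; pull the 64 hex characters out of its string form.
    $info = Get-AppLockerFileInformation -Path $Path
    return ([regex]::Match($info.Hash.ToString(), '[0-9A-Fa-f]{64}').Value).ToUpper()
}

function New-SampleDbx {
    # Constructed test data (not real firmware contents): one EFI_CERT_SHA256 list holding a single
    # all-0xAB hash with a zero SignatureOwner, so the parser can be exercised without firmware access.
    $type = ([guid]'c1c41626-504c-4092-aca9-41f936934328').ToByteArray()
    $sig  = (New-Object byte[] 16) + ((,[byte]0xAB) * 32)
    $hdr  = [BitConverter]::GetBytes([uint32](28 + $sig.Length)) +
            [BitConverter]::GetBytes([uint32]0) +
            [BitConverter]::GetBytes([uint32]48)
    return [byte[]]($type + $hdr + $sig)
}

# --- usage ---
Get-RevokedBootMgrEvents | Format-Table -AutoSize

$sample = Get-DbxSha256Hashes -Dbx (New-SampleDbx)
"Parser check on constructed DBX: found $($sample.Count) entry, contains AB*32 = $($sample.Contains('AB' * 32))"

try {
    if (Confirm-SecureBootUEFI) {
        $dbx = Get-DbxSha256Hashes -Dbx (Get-SecureBootUEFI -Name dbx).Bytes
        "Firmware DBX currently carries $($dbx.Count) SHA-256 revocation entries"
        $flagged = 'S:\EFI\Microsoft\Boot\bootmgfw.efi'   # hypothetical path; mount the ESP with: mountvol S: /S
        if (Test-Path $flagged) {
            $h = Get-AuthenticodeSha256 -Path $flagged
            "Authenticode SHA-256 of ${flagged}: $h; already in DBX: $($dbx.Contains($h))"
        }
    }
} catch {
    "Secure Boot state unavailable (not UEFI, or not elevated): $($_.Exception.Message)"
}
```

If the flagged file's hash is not in the firmware DBX but Event ID 1033 keeps appearing, the DBX update is still deferred on this device and the module has not yet been replaced; if the hash is already in DBX and the file is still present on the ESP, the firmware will refuse to load it, so make sure the device boots through the updated module before it is next restarted.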
