Fixing the Windows Secure Boot vulnerability will take a year

May 12, 2023

The Black Lotus virus has revealed a vulnerability in Secure Boot. Since the patch may prevent your device from booting, Microsoft should proceed with caution.

In April, Microsoft warned of Black Lotus, which experts describe as unique malware. Black Lotus embeds itself so deeply in the infected device’s UEFI boot process that it manages to bypass the Windows Secure Boot feature. Secure Boot is a security feature that stops malicious software before the operating system starts, and Microsoft requires it for upgrading to Windows 11. Black Lotus is the first known malware to trick Secure Boot.

Now Microsoft has also started to fix the Secure Boot vulnerability exploited by BlackLotus. A patch was released on May 9th, but the work is far from over. Another update with additional support options will follow in two months. Only in the first quarter of 2024 will Microsoft enforce the Secure Boot fix by default on every device.

Now you might be wondering why the whole process has to take a year. The patch changes which boot media are allowed to load when Windows starts. Bootable media therefore have to be updated carefully beforehand; otherwise the update revokes their permission to boot, which can cause problems when the device restarts. For this reason, Microsoft is not yet rigorously enforcing the changes to Secure Boot.

Updating Secure Boot: Here’s how

It should be clear that this patch is not a routine weekly security update that you can install blindly. That’s why Microsoft also provides a detailed manual with the necessary steps. First, install the latest servicing update via the update menu in the Settings app. Then restart the device before continuing with steps two and three.

Next, check every bootable medium to confirm that the updated boot files are installed correctly. Microsoft strongly recommends that enterprise customers review the following: Deployment Toolkit, Endpoint Configuration Manager, Deployment Services, PXE boot, and HTTPS boot scenarios. Backups created before May 9th will also need to be updated as well.

Only in the third and final phase do you apply the lock (revocation) files. To do this, follow these five steps:

  • Apply the code integrity boot policy (SKUSiPolicy.p7b).
  • Apply the UEFI forbidden list (DBX) for Secure Boot.
  • Restart your device.
  • Confirm in the Windows event log that the policy and the DBX update have been applied correctly.
  • An additional reboot is required to fully initialize the lock protection. Wait at least 5 minutes and then restart the device.
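The fourth step above is where most administrators lose time, because the article does not say what "correctly applied" looks like. The script below is an added example for checking that state on one machine; it is not part of the article and not Microsoft’s own tooling. It is read-only: it does not apply the policy file or the DBX update, it only reports whether Secure Boot is on, how large the DBX variable currently is, whether the policy file is present on the EFI system partition, and which DBX-related events the TPM-WMI provider has logged. The event IDs 1036 (success) and 1037 (failure), the provider name and the policy file path under the EFI system partition are assumptions based on Microsoft’s published guidance for this update as I recall it, not values taken from the article; adjust the parameters if your environment logs differently.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: read-only check of the Secure Boot revocation
# state described in the article's third phase. Event IDs, provider name and the
# policy file path are assumptions; override them via the parameters if needed.

function Test-SecureBootRevocationState {
    [CmdletBinding()]
    param(
        [int[]]  $SuccessEventIds = @(1036),                       # assumed: "DBX update applied successfully"
        [int[]]  $FailureEventIds = @(1037),                       # assumed: "DBX update failed"
        [string] $ProviderName    = 'Microsoft-Windows-TPM-WMI',   # assumed provider that logs DBX updates
        [string] $PolicyRelPath   = 'EFI\Microsoft\Boot\SKUSiPolicy.p7b', # assumed location on the ESP
        [int]    $LookbackDays    = 30,
        [string] $EspDriveLetter  = 'S'                            # temporary mount point for the ESP
    )

    $report = [ordered]@{}

    # 1. Secure Boot must be enabled; on legacy BIOS systems the cmdlet throws.
    try   { $report.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $report.SecureBootEnabled = $false }

    # 2. Size of the DBX (forbidden signatures) variable. A DBX that grew after the
    #    update is a cheap sanity signal; compare against a value recorded beforehand.
    try   { $report.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length }
    catch { $report.DbxBytes = -1 }

    # 3. Is the code integrity boot policy present on the EFI system partition?
    #    mountvol <drive>: /S mounts the ESP; /D unmounts it again afterwards.
    $report.PolicyFilePresent = $false
    $mounted = $false
    try {
        & mountvol "${EspDriveLetter}:" /S | Out-Null
        $mounted = ($LASTEXITCODE -eq 0)
        if ($mounted) {
            $policyPath = Join-Path "${EspDriveLetter}:\" $PolicyRelPath
            $report.PolicyFilePresent = Test-Path -LiteralPath $policyPath
        }
    }
    finally {
        if ($mounted) { & mountvol "${EspDriveLetter}:" /D | Out-Null }
    }

    # 4. Event log: look for the success and failure events within the lookback window.
    $filter = @{
        LogName      = 'System'
        ProviderName = $ProviderName
        Id           = ($SuccessEventIds + $FailureEventIds)
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $report.DbxSuccessEvents = @($events | Where-Object { $_.Id -in $SuccessEventIds }).Count
    $report.DbxFailureEvents = @($events | Where-Object { $_.Id -in $FailureEventIds }).Count
    $report.LatestEvent = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1 |
        ForEach-Object { '{0} id={1}: {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0] })

    # 5. Overall verdict: everything the article's checklist asks for, and no failure logged.
    $report.Verdict = if ($report.SecureBootEnabled -and $report.PolicyFilePresent -and
                          $report.DbxSuccessEvents -gt 0 -and $report.DbxFailureEvents -eq 0) {
        'OK: policy and DBX update applied; proceed with the final reboot'
    } else {
        'NOT OK: review the fields above before continuing'
    }

    [pscustomobject]$report
}

# Usage: run in an elevated PowerShell session on the updated machine.
Test-SecureBootRevocationState | Format-List
```

Run it once before applying the lock files to record the baseline DBX size, and again after the restart in step three; a verdict of NOT OK with a failure event means the device should not be moved on to the enforcement phase until the boot media issue is resolved, because a revoked boot manager will not start after the final reboot.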

Source: IT Daily