MS-DEFCON 3: Secure Boot triggers recovery keys

By Susan Bradley

It’s time to check whether your boot drive is encrypted.

As I predicted, Microsoft’s July 2024 security update may trigger a request for recovery keys among those who enabled BitLocker or drive encryption. That’s because the update included a change to Secure Boot.

This is problematic enough that I’m lowering the MS-DEFCON level to just 3, rather than the more common level 4 I usually suggest at the end of the month. I think you should install updates, but don’t install and then review. Instead, understand this problem ahead of time, prepare as needed, and then update.

In the Learn post Devices might boot into BitLocker recovery with the July 2024 security update, Microsoft acknowledges that the condition might occur. It adds:

You are more likely to face this issue if you have the Device Encryption option enabled in Settings under Privacy & Security -> Device encryption. Resulting from this issue, you might be prompted to enter the recovery key from your Microsoft account to unlock your drive.

There is also a Windows 10 version of the Learn post.

Before installing the July updates on either Windows 10 or 11, perform a few preventive steps:

I will say this once again: If you want BitLocker or encryption, that’s fine. But it should be an explicit choice on your part, and you must know where your recovery keys are.

There are rumors that Windows 11 24H2 will enable encryption by default, to increase security. In business settings, I can understand the need. In a consumer setting, where BitLocker and recovery keys may not be understood, I’m not convinced this should be mandated. I’ll be testing to see whether Microsoft pushes this out to existing machines or merely mandates it in new releases.

Once again, I strongly recommend that you disable BitLocker (in the case of Windows Professional edition), or Drive encryption (in the case of Home Edition) unless you really want it. Follow those linked instructions to disable encryption.

I, for one, am glad to see this issue bubbling up on Microsoft’s radar. Since BitLocker first was introduced, I’ve used it (especially on my Surface devices). At times I’ve been asked for the recovery key. So you must have another computer or phone to get into the recovery screen. It can be stressful if you aren’t aware of where the recovery key is located.

Microsoft indicates it will be following up with a fix, but I want Redmond to understand that this is not the first time that asking for the key has occurred. It is very disruptive. If you don’t have the recovery key, or don’t have a backup, you will be reinstalling your complete system. Therefore, make sure you know where your recovery key is — or turn off encryption.

I urge you to install updates, but make sure that you review your encryption status as noted above before installing the July updates.

Looking forward to next month’s updates, Microsoft will be fixing issues with desktop icons, as noted in the preview release KB5040527 for Windows 11 23H2. It will include a fix for an issue with desktop icons where “Spacing between them might become very wide.” I have not seen this behavior — but then again, I tend to use third-party menu options such as Fences to corral my icons.

The upcoming update will also fix the following issues:

The Windows 10 22H2 preview release (KB5040525) includes a fix for printers connected via USB. As noted:

When you use the app with a USB device, the app stops responding and does not print. This issue also limits the functions of the user interface.

Remember, I do not recommend installing these updates now. I am just letting you know they are coming next month.

This month, the CrowdStrike issue made more headlines than anything else. But that doesn’t mean we haven’t seen other issues here and there. Some users have reported the following issues, which we are tracking:

For the latter, Microsoft issued the following warning in a Health release bulletin mailed to Microsoft 365 administrators:

Windows Servers which have installed Windows security updates released July 9, 2024 ([ImpactstartKB]) might affect Remote Desktop Connectivity across an organization if legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. This can affect Remote Desktop (RD) Connectivity if the connection is going through an RD Gateway. Resulting from this, remote desktop connections might be interrupted. This issue might occur intermittently, such as repeating every 30 minutes. At this interval, logon sessions are lost and users will need to reconnect to the server. IT admins can track this as a termination of the TSGateway service which becomes unresponsive with exception code 0xc0000005.

Two options can be used to mitigate this issue ahead of a future Microsoft update.

The first is to disallow connections over pipe, and port \pipe\RpcProxy\3388 through the RD Gateway.

This process will require the use of connection applications, such as firewall software. Consult the documentation for your connection and firewall software for guidance on disallowing and porting connections.

The second is to edit the registry of client devices by removing a key related to RDGClientTransport.

Secure Boot is starting to become known as, well, not so secure. In its recent research report PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem, supply-chain security firm Binarly reported:

Earlier this year, we noticed that the private key from American Megatrends International (AMI) related to the Secure Boot “master key”, called Platform Key (PK), was publicly exposed in a data leak. The incident occurred at an ODM responsible for firmware development for multiple device vendors, including US-based enterprise device manufacturers. The devices corresponding to this key are still deployed in the field, and the key is also being used in recently released enterprise devices.

An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database. Binarly has provided a tool that scans an uploaded firmware binary and reports whether it is vulnerable.

If you haven’t updated your firmware on computer systems since you deployed them, you may want to review your firmware code, using that tool.

Resources

Source