Deployment Solution 8.x and GSS 3.3.x - Microsoft security BlackLotus vulnerability CVE-2023-24932
Article ID: 267298

Products

IT Management Suite, Ghost Solution Suite, Deployment Solution

Issue/Introduction

After applying and enabling the 9 May 2023 security update for CVE-2023-24932 (BlackLotus), the machine fails to boot into the WinPE preboot or fails to load after Ghost imaging.

According to Microsoft KB5025885, the changes this update brings affect both Deployment Solution and Ghost Solution Suite on devices where Secure Boot is enabled.

Environment

Deployment Solution 8.x

Ghost Solution Suite 3.x

Cause

Applying and enabling the WinPE security update from Microsoft KB5025885 prevents previously created Windows OS images and WinPE preboots (PXE boot, USB boot, Automation Folders) from loading when Secure Boot is enabled.

The software update included in KB5025885 addresses the BlackLotus vulnerability (CVE-2023-24932).

Resolution

1. While Microsoft may release a new ADK with the fixes from KB5025885 applied and enabled, you can update the current WinPE sources now and then re-create the preboot environments.

2. Update the WinPE preboot images (PXE, Automation Folders, ISOs and USB boot sticks): manually update or copy the new *.efi boot loaders (bootx64.efi) for WinPE 5, and both the boot loader and the .wim file for WinPE 10/11.

  • Alternatively, follow Microsoft's guidance for applying the security update with DISM to offline-service the boot media; detailed instructions are posted in Microsoft's support article.
  • If you update the boot.wim image manually, the imported WinPE 11 ADK files are located at \Altiris\eXpress\Deployment Server\waik_winpe11\Tools\PETools\amd64 on GSS and at \Altiris\Deployment\BDC\waik_winpe11\Tools\PETools\amd64\ on DS.

3. Existing Ghost images (both Sysprepped and backup images) can no longer be restored, and new images must be captured. Consider deleting the previous Ghost images, as they are no longer useful.

4. Update or replace the OS packages used by Scripted OS Install (SOI) tasks with a new ISO to which the security update from KB5025885 has been applied.

  • In Ghost Solution Suite you can simply copy the content of the new updated ISO into the SOI package location on the GSS eXpress share.
  • For Deployment Solution, find the path on the SMP Server under Scripted Install Files - Package location, then copy the files from the new updated ISO over it; this preserves the existing SOI package GUID and does not break existing jobs.

After copying the new content, select Update Distribution Points and run the NS.Package Refresh task to distribute the updated package to all Package Servers.

Additional information:

An example of WinPE 11 files that need to be updated in GSS:

  • \eXpress\Deployment Server\waik_winpe11\Tools\PETools\amd64\efi\boot\bootx64.efi
  • \eXpress\Deployment Server\waik_winpe11\Tools\PETools\amd64\bootmgr.efi
  • \eXpress\Deployment Server\waik_winpe11\Tools\PETools\amd64\winpe.wim

In Deployment Solution:

  • \Deployment\BDC\waik_winpe11\Tools\PETools\amd64\efi\boot\bootx64.efi
  • \Deployment\BDC\waik_winpe11\Tools\PETools\amd64\bootmgr.efi
  • \Deployment\BDC\waik_winpe11\Tools\PETools\amd64\winpe.wim
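As an added example (not from this article or from Broadcom), the PowerShell below carries out step 2 for WinPE 11 on a GSS server: it offline-services winpe.wim with DISM and refreshes the two boot loaders listed above from the serviced image. The PETools path and file names come from the article; the install drive prefix, the .msu file name and the mount folder are assumptions you must adjust.

```powershell
#Requires -RunAsAdministrator
param(
    # Article path; default install prefix is an assumption. For DS use
    # ...\Altiris\Deployment\BDC\waik_winpe11\Tools\PETools\amd64
    [string]$PETools = 'C:\Program Files (x86)\Altiris\eXpress\Deployment Server\waik_winpe11\Tools\PETools\amd64',
    # Cumulative update carrying the KB5025885 changes (placeholder file name)
    [string]$Msu     = 'C:\Updates\windows11-kb-PLACEHOLDER-x64.msu',
    # Scratch folder used as the DISM mount point (assumption)
    [string]$Mount   = 'C:\Mount\winpe'
)
$ErrorActionPreference = 'Stop'
$Wim = Join-Path $PETools 'winpe.wim'

# 1. Keep a copy of the original image and loaders so the preboot can be rolled back.
$Backup = Join-Path $PETools ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Backup | Out-Null
Copy-Item -Path $Wim, (Join-Path $PETools 'bootmgr.efi'), (Join-Path $PETools 'efi\boot\bootx64.efi') -Destination $Backup

# 2. Mount winpe.wim (single image, index 1) and inject the update offline.
New-Item -ItemType Directory -Path $Mount -Force | Out-Null
dism /Mount-Image /ImageFile:"$Wim" /Index:1 /MountDir:"$Mount"
dism /Image:"$Mount" /Add-Package /PackagePath:"$Msu"
if ($LASTEXITCODE -ne 0) {
    dism /Unmount-Image /MountDir:"$Mount" /Discard
    throw "DISM /Add-Package failed with exit code $LASTEXITCODE"
}

# 3. Servicing updates the loaders inside the image; copy them to the media
#    locations the article lists (bootmgfw.efi is named bootx64.efi on media).
Copy-Item "$Mount\Windows\Boot\EFI\bootmgfw.efi" (Join-Path $PETools 'efi\boot\bootx64.efi') -Force
Copy-Item "$Mount\Windows\Boot\EFI\bootmgr.efi"  (Join-Path $PETools 'bootmgr.efi') -Force

# 4. Commit the serviced image back into winpe.wim.
dism /Unmount-Image /MountDir:"$Mount" /Commit

# 5. Report who signed the loaders now on the media, so the result can be
#    compared with the signing certificate described in Microsoft KB5025885.
foreach ($f in 'efi\boot\bootx64.efi', 'bootmgr.efi') {
    $sig = Get-AuthenticodeSignature (Join-Path $PETools $f)
    '{0}: {1} ({2})' -f $f, $sig.Status, $sig.SignerCertificate.Subject
}
```

After the script completes, re-create the PXE, Automation Folder and USB preboots from the updated PETools folder so that they pick up the new winpe.wim and loaders.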

As a workaround, temporarily disabling Secure Boot allows you to use existing Ghost images, but this re-exposes the machine to the risks posed by BlackLotus and should be considered only if you have a specific backup image of a machine for which a new backup image cannot be created.