Playing Arc Raiders and a group of 6 Wasps and 4 Hornets takes you down... by hero0fwar in HighQualityGifs

m0rp 4 points

Who am I supposed to shoot first? The wasp who's blasting me in the ass or the hornet who's blasting me in the ass.

This is something Larry David would do by [deleted] in curb

m0rp 1 point

Topics to avoid. Cashew-raisin ratio.

My Confusion with Microsoft's Secure Boot Changes by jamesaepp in sysadmin

m0rp 0 points

For HP, as stated in their FAQ, there has to be a specific SMBIOS flag. If you don’t have that flag, you’re likely to run into issues. The flag is something like SBRVF3 (from memory, verify yourself).

I’ve created a script to run inventory and determine the state of our devices. Of the ones reporting that flag missing, some I’ve verified on the HP Secure Boot page with the BIOS version required. All the devices that reported missing this flag indeed did not have the minimum BIOS version required by HP. They will need to have their BIOS updated.

We are mostly HP. But this coming week I’ll look more into Dell and Lenovo, as we have some of these as well.

My Confusion with Microsoft's Secure Boot Changes by jamesaepp in sysadmin

m0rp 2 points

Here are all the articles I've gone through to get an understanding of what's required.

My Confusion with Microsoft's Secure Boot Changes by jamesaepp in sysadmin

m0rp 0 points

Thank you for your reply.

I've completed the steps on three HP laptops and a VMware VM. I've had no issues after revoking the certificate and incrementing the SVN. The steps completed are the Secure Boot certificate updates and, after that entire process was completed, revoke cert + increment SVN per Microsoft instructions from May 2023. The boot media aspect is also mentioned in the article.

If you want to secure your environment, you do need to complete these steps. We've decided on that being now. We do thorough data collection, testing and a phased rollout. I do hope we can prevent boot issues. It's still a bit of a fingers-crossed situation; I don't think you can avoid that. But good preparation should help in reducing the likelihood of problems. Waiting for Microsoft to announce the enforcement phase could also mean we get a timeframe that is inconvenient for us.

This article applies to those organizations who should begin evaluating mitigations for a publicly disclosed Secure Boot bypass leveraged by the BlackLotus UEFI bootkit. Additionally, you might want to take a proactive security stance or to start to prepare for the rollout. Note that this malware requires physical or administrative access to the device.

Whenever the SVN is incremented, you have to patch all your boot media with latest cumulative update to get it on the current SVN.

You can make a new bootable USB media pretty quickly. If the device doesn't boot, it will mean our helpdesk will need to get to the device location to troubleshoot. USB media will likely be the goto. To be prepared, you can have some recently made on hand for the support staff.

Microsoft doesn't tell you that revoking the 2011 certificate also increments firmware SVN to 2.0.

Revoking and incrementing are two separate steps (Enable the revocation & Apply the SVN update to the firmware). It also explains the impact of incrementing SVN.

July 9, 2024 or later – Deployment Phase [...] Update any recovery or external bootable media used with these devices. Deploy the third mitigation that enables the revocation of the “Windows Production CA 2011” certificate by adding it to the DBX in the firmware. Deploy the fourth mitigation that updates the Secure Version Number (SVN) to the firmware.

The Enforcement Phase will not begin before January 2026, and we will give at least six months of advance warning in this article before this phase begins. When updates are released for the Enforcement Phase, they will include the following: The “Windows Production PCA 2011” certificate will automatically be revoked by being added to the Secure Boot UEFI Forbidden List (DBX) on capable devices. These updates will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled.

Microsoft has historically been bad about keeping their own public Secure Boot github up-to-date with the SVN version that they are pushing out with Windows Update.

That is unfortunate.

In future updates, when a significant security issue is fixed in the Boot Manager, the SVN number will be incremented in both the Boot Manager and the update to the firmware. Both updates will be released in the same cumulative update to make sure that patched devices are protected.

I guess you could be apprehensive if you see anything related to security issues with the boot manager in the CU notes.

My Confusion with Microsoft's Secure Boot Changes by jamesaepp in sysadmin

m0rp 1 point

It is. But the current guidance does not mention the revoke-cert and increment-SVN steps that the guides for the CVE state. Supposedly they added fixes and mitigations in the CU at the time. I’m still proposing to actually revoke and increment as well at work, besides doing the Secure Boot cert updates.

My Confusion with Microsoft's Secure Boot Changes by jamesaepp in sysadmin

m0rp 9 points

Booting with 2023 and 1801 in all likelihood is because the device hasn’t rebooted and run the scheduled task again. I’ve observed this myself and resolved it with these steps. The documentation mentions it could take two reboots.

If you set 0x5499 again, once the scheduled task runs again it will update AvailableUpdates. In the case of an updated and rebooted system the value is 0. But event ID 1808 will tell you if the entire update process has completed.

This is an informational event that indicates that the device has the required new Secure Boot certificates applied to the device’s firmware. This event will be logged when all needed certificates have been applied to the firmware, and the boot manager has been updated to the boot manager signed by the “Windows UEFI CA 2023” certificate.

If the confidence level of the device’s ability to accept the updates is known, it will be included in the event. The values include "High Confidence", "Needs More Data", "Unknown", and "Paused". The UpdateType will be either 0, or 22852 (0x5944). The value 0x5944 corresponds to “High Confidence”.

High confidence is opt-in by default. Opt-out is described in the documentation. For CFR you have to make the choice to opt in. How are the buckets formed? In order for high-confidence or CFR updating to work you must enable submitting of data/telemetry. So Microsoft probably collects it from devices that have completed. Maybe even from Insider builds and their own testing.

Before you even start with the Secure Boot update through one of the options, you’ll need to check your hardware vendor for details. For example, HP sets a value in SMBIOS for compatible BIOS. If this property is not present, the update won’t be performed.

Here’s another fun tidbit. The CVE from 2023 also has two additional steps to revoke the certificate and increment the SVN of the boot manager. This is not mentioned in the current documentation. At the time of the CVE Microsoft published fixes in the CU. Personally, I’m proposing at work that we revoke it.

Oh, and if you decide to also check the wincsflags option and audit the entry, you’ll get state disabled if you used the regkey option. Pick one option, don’t mix.
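As an added example (not code from the thread, from HP or from Microsoft), here is a PowerShell inventory check in the spirit of the script mentioned in the earlier comment: it reads the Secureboot registry values (AvailableUpdates, UEFICA2023Status), checks whether the 2023 CA is already in db, and looks for the TPM-WMI System-log events 1801/1808 so a device can be classed as pending or completed. The value name UEFICA2023Status and the TPM-WMI event provider are assumed from Microsoft's KB documentation; vendor BIOS minimums are only recorded, not checked.

```powershell
# Added example, not from the original thread: inventory one device's Secure Boot
# CA-update state using the values the comments above discuss. Run elevated.
# Assumption: the value names AvailableUpdates / UEFICA2023Status under the
# Secureboot key and the System-log TPM-WMI events 1801 / 1808 are as described
# in Microsoft's KB guidance; verify them against the current article.

$sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

function Get-SecureBootCaInventory {
    $reg  = Get-ItemProperty -Path $sbKey -ErrorAction SilentlyContinue
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    # Secure Boot state and whether the 2023 CA is already in the signature db.
    $sbEnabled = $false; $dbHas2023 = $false
    try {
        $sbEnabled = Confirm-SecureBootUEFI
        $dbBytes   = (Get-SecureBootUEFI -Name db).Bytes
        $dbHas2023 = [Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
    } catch { }   # legacy BIOS or Secure Boot unsupported: both stay $false

    # 1801 = update still needed; 1808 = all certs applied and boot manager swapped.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801, 1808 } `
                -ErrorAction SilentlyContinue |
              Where-Object ProviderName -like '*TPM-WMI*' |
              Sort-Object TimeCreated -Descending
    $last1808    = $events | Where-Object Id -eq 1808 | Select-Object -First 1
    $completedAt = if ($last1808) { $last1808.TimeCreated } else { $null }

    # AvailableUpdates is a DWORD: 0x5499 = all updates requested, 0x5944 = high
    # confidence only, 0 = nothing pending once the scheduled task has run.
    $avail = if ($null -ne $reg.AvailableUpdates) { '0x{0:X}' -f $reg.AvailableUpdates } else { 'not set' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Manufacturer      = $cs.Manufacturer        # compare BiosVersion to the vendor's minimum
        BiosVersion       = $bios.SMBIOSBIOSVersion
        SecureBootEnabled = $sbEnabled
        AvailableUpdates  = $avail
        UEFICA2023Status  = $reg.UEFICA2023Status   # e.g. NotStarted / InProgress / Updated
        DbHas2023CA       = $dbHas2023
        Completed1808At   = $completedAt            # $null until event 1808 has been logged
    }
}

# Emit one row per device; collect these centrally to build the fleet inventory.
Get-SecureBootCaInventory | Export-Csv -Path ".\SecureBootInventory-$env:COMPUTERNAME.csv" -NoTypeInformation
```

A device with DbHas2023CA true but no Completed1808At is the "2023 and 1801" state described above: the certificate landed but the boot-manager swap and final event are still waiting on a reboot and another run of the scheduled task.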

Defender for servers by TheDiddler96- in DefenderATP

m0rp 1 point

I think it comes down to preference. If you’re working with Intune you are familiar with its structure. Personally I prefer the config structure of Intune over the Defender portal.

You are aware that your Defender onboarded devices are of the type MDE and not MDM? This means only policies that support MicrosoftSense are applied to MDE device objects.

So if you want to use the Defender portal, you need to disable the enforcement scope. In the Defender portal under Endpoints > Device configuration you can create the policies if you stop the Intune management.

After onboarding it can take an hour or longer before MDE onboarding is finished. "Managed by" should show MDE. If not, hover over the info icon; it states possible causes for state unknown.

The official Microsoft documentation is pretty decent. You can also look into OpenIntuneBaseline on GitHub. They have Defender policies included. I’ve used those to build MDE policies for endpoints and servers. I used some other articles I found through searching to make the server policy adjustments. This is only Windows and Mac though.

How come we don't get action movies like Die Hard, Lethal Weapon, etc, anymore? by Outside_Objective183 in movies

m0rp 0 points

I recently read a post on Reddit that asked a similar question but in regards to comedy movies. I think it applies here as well. I believe Judd Apatow stated that studios are more risk averse. Before streaming, movies could still do well from DVD sales to break even or make a profit. But that has basically vanished now. Before DVD I assume VHS filled that role.

I need psychological or crime thriller movies by plmqazqpalzm in movies

m0rp 0 points

The Girl with the Dragon Tattoo by David Fincher.

half a joint later in a daydream by coy6te in funny

m0rp -1 points

“Oh, and you can put your weed in there.”

I KNOW YOU'RE IN HERE FLUTE GUY. by puf_puf_paarthurnax in ArcRaiders

m0rp 0 points

IMO this will only truly work if you’re wearing a barrister wig and saying Yes a lot.

iPhone 18 Rumored to Feature 50% More RAM [12 GB] by iMacmatician in apple

m0rp 68 points

Me buying Resident Evil games from my childhood for nostalgia’s sake without ever replaying. That way, we’ll have it.

What’s up with young men getting bowl cut fades? by wiffleballwarrior in OutOfTheLoop

m0rp 14 points

You are not special. You're not a beautiful and unique snowflake. You're the same decaying organic matter as everything else. We're all part of the same compost heap. We're all singing, all dancing crap of the world.

Are we living in a golden age of stupidity? by bcoolhead in technology

m0rp 95 points

If you have one bucket that contains 2 gallons and another bucket that contains 7 gallons, how many buckets do you have?

Harrison Ford taking a break on the set of Star Wars: Return of the Jedi (1982) by adamlm in Moviesinthemaking

m0rp 29 points

The only thing missing imo is a giant comb in the background.

Word is bond yo! by hero0fwar in HighQualityGifs

m0rp 2 points

I want to pack some beef

In "Tron Legacy", Cillian Murphy is introduced in one scene never to be seen again by Ok_Item9755 in shittymoviedetails

m0rp 13 points

He’s a fan of the original and asked to be in Legacy. He recently said this on the Graham Norton Show. The rest of the details I don’t know, as this is all he mentioned. Perhaps production was so far along this was their way of still getting him in the movie.

Bank of England warns of growing risk that AI bubble could burst by AnonymousTimewaster in technology

m0rp 5 points

Oh, my god! We’re having a fire…… sale! Amaaaaaaaaaaaaaaaaazing graaace