3 Windows vulnerabilities that may not be worth patching


Devices that don’t meet this requirement may be unable to access work or school resources. Firms often purchase computers and laptops that come with Windows 11 preloaded, so these systems arrive with Secure Boot enabled and a TPM chip.

Furthermore, many of you are required to deploy BitLocker for disk encryption. BitLocker does not protect or encrypt data while the computer is running, but it does protect data at rest, and it is often required by internal policy and by cyber insurance.

Yet managing and maintaining Secure Boot is turning into a headache and a near full-time project. For example, a patching team must take a plethora of steps to proactively patch and protect against the BlackLotus bootkit (KB5025885 details the process).

First, you must install the security updates released on April 9, 2024 or later on your supported Windows machines. Then you need to ensure that the machines’ firmware is up to date before taking the next actions. Failing to install firmware updates may cause machines ranging from laptops to servers to virtual machines to fail to boot, creating additional workload for your security staff.

You’ll also need to ensure that recovery media is up to date with fixed or patched media, because if you need to reboot or recover the machine, you’ll need media that matches the system you are attempting to recover. Microsoft notes that at this time it has not tested all interactions between the mitigations and vendor configurations. As the KB notes, “Please first test these mitigations on a single device per device class in your environment to detect possible firmware issues. Do not deploy broadly before confirming all the device classes in your environment have been evaluated.”

In my own firm, where I have machines with HP Sure Start deployed, Microsoft notes that “these devices need the latest firmware updates from HP to install the mitigations. The mitigations are blocked until the firmware is updated.”
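A pre-flight report for the single pilot device per device class that the KB asks you to test first, covering the prerequisites the steps above list: Secure Boot on, TPM ready, firmware level, BitLocker state, the required cumulative update, and whether the Secure Boot DB already carries the "Windows UEFI CA 2023" certificate that KB5025885 uses to verify its first mitigation. This is an added example, not code from the original article or from Microsoft; the update KB number is a placeholder (it is not on the page) and reading the TPM-WMI provider's recent System events for triage is an assumption about where mitigation results are logged.

```powershell
# Pre-flight check before applying the KB5025885 Secure Boot mitigations on one pilot device.
# Assumes an elevated PowerShell 5.1+ session on a UEFI machine. Added example, not from the KB.
#Requires -RunAsAdministrator
param(
    # Placeholder: replace with the April 2024 (or later) cumulative update KB for this OS build.
    [string]$RequiredUpdateKB = 'KB<placeholder-cumulative-update>'
)

$report = [ordered]@{}

# 1. Secure Boot must be enabled, otherwise the UEFI DB/DBX updates have nothing to protect.
try   { $report.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
catch { $report.SecureBootEnabled = $false }   # legacy BIOS or unsupported platform

# 2. TPM present and ready; BitLocker and the mitigation logging both depend on it.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$report.TpmReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

# 3. Firmware identity and date, to compare against the vendor's latest release.
#    Stale firmware is what turns the mitigation into a device that will not boot.
$bios = Get-CimInstance -ClassName Win32_BIOS
$report.FirmwareVersion = $bios.SMBIOSBIOSVersion
$report.FirmwareDate    = $bios.ReleaseDate

# 4. BitLocker protection state on the OS volume: suspend it for the firmware flash and have
#    the recovery key (and matching recovery media) on hand, since boot-chain changes can
#    trigger a recovery prompt.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$report.BitLockerProtection = if ($osVol) { $osVol.ProtectionStatus } else { 'NotAvailable' }

# 5. Is the required cumulative update installed?
$report.RequiredUpdateInstalled = [bool](Get-HotFix -Id $RequiredUpdateKB -ErrorAction SilentlyContinue)

# 6. Has the 2023 Windows UEFI CA already been added to the Secure Boot DB? If it has, the
#    first mitigation step is already in place on this device.
try {
    $db = (Get-SecureBootUEFI -Name db).Bytes
    $report.UefiCa2023InDb = [System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'
} catch { $report.UefiCa2023InDb = 'Unreadable' }

# 7. Assumption: recent Microsoft-Windows-TPM-WMI events in the System log record whether
#    mitigations applied or were blocked (for example by old firmware); surface them for triage.
$report.RecentTpmWmiEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.Id): $(($_.Message -split "`r?`n")[0])" }

[pscustomobject]$report | Format-List
```

Run it on one device of each class, keep the output with the device's firmware version, and only widen deployment once every class reports the expected state.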
