Misinterpretation of the Secure Boot revocation alert of Rufus 4.6 #2617

Closed
Creeper2042 opened this issue Nov 16, 2024 · 7 comments

@Creeper2042

Hi, I downloaded the Windows 10 ISO from the official website, but when I try to start the installation it tells me that the ISO may not be official. I checked the SHA code and it is the same. With the 4.5p version, instead, the problem does not arise.

@JonnyTech

Please do not ignore the issue checklist, especially:

3. If you are reporting an issue when trying to run Rufus, or when trying to
   boot a media created by Rufus, you *MUST* provide a log, period. Please do
   not assume that the developer(s) will be able to "guess" the specifics of
   your environment, what image you used, what type of media you used it with
   or the many many other critical parameters that the log provides data for.
   To investigate an issue, a log from Rufus is ALWAYS required.

4. If you still *choose* not to provide a log when reporting a problem, you
   agree that your issue will be closed without any further investigation.

@pineapple63

If Rufus gave you a warning about the boot manager, it's because the current Windows 10 ISO uses an older, vulnerable boot manager.

@pbatard
Owner

pbatard commented Nov 16, 2024

To add on @pineapple63's reply:

> it tells me that the ISO may not be official.

It is NOT telling you this at all. Instead it is telling you that, on a fully up to date system in terms of Secure Boot security, you may get a Security Violation when booting with Secure Boot enabled, on account that the bootloader has been revoked.

ALL of the official Windows 10 retail ISOs have that issue because they all use a bootloader that is vulnerable to the BlackLotus vulnerability, and Microsoft has not released any updated ISOs for Windows 10 which means that they still use UEFI bootloaders from before when that vulnerability was discovered.

The warnings about Secure Boot revocation from Rufus were improved in version 4.6, but please make sure that you read them carefully and do not interpret them to mean something they aren't stating at all.

For more information, see #2244 as well as KB5025885.

@pbatard closed this as completed Nov 16, 2024
@pbatard changed the title from "Bug Rufus 4.6p" to "Misinterpretation of the Secure Boot revocation alert of Rufus 4.6" Nov 16, 2024
@Creeper2042
Author

So can I safely use that version? I disable Secure Boot and ignore the warning?

@pbatard
Owner

pbatard commented Nov 16, 2024

Yes. Once Windows is installed with Secure Boot disabled, it will update its bootloaders to non-vulnerable versions and you can turn Secure Boot back on again.

@DrStrange

> Yes. Once Windows is installed with Secure Boot disabled, it will update its bootloaders to non-vulnerable versions and you can turn Secure Boot back on again.

I didn't think that Windows automatically updated the bootloader to the CA 2023 certificate? The guidance at https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d states that the date for the Enforcement Phase for permanent mitigation will be issued at a later date, so until then, if you want to install the CA 2023 cert to the secure boot database, sign the bootloader with the CA 2023 cert then add the CA 2011 cert to the UEFI Forbidden List, don't you have to perform these steps yourself as per this guidance?

@pbatard
Owner

pbatard commented Nov 29, 2024

> don't you have to perform these steps yourself as per this guidance?

Yes. And Rufus does not yet warn about the revocation of the 2011 certificate enacted by following all the steps from KB5025885; otherwise, since Microsoft has not yet produced a single public ISO signed by anything else but the 2011 cert, every single Windows ISO would produce a warning.

So, please be mindful that there are quite a few revocation conditions that Rufus will warn you about, and that despite what many people may think, Rufus does not yet warn about all the revocations it could warn you about, as we are also waiting for the date when enforcement will be mandatory.
