Microsoft earlier this week released July 2024 Patch Tuesday updates for Windows 10 (KB5040427 / KB5040430 / KB5040434 / KB5040448), Windows 11 21H2/ 22H2 / 23H2 (KB5040442 / KB5040431) and Windows 11 24H2 (KB5040435). The one for Windows 11 fixes a broken Taskbar.
Besides those, Microsoft also quietly made an update to a major issue that has been plaguing Windows 10 and 11 users for a long while. The company issued an update adding detailed requirements regarding the installation of Windows Recovery Environment (WinRE) updates KB5034441 (on Windows 10) and KB5034440 (on Windows 11). These are different from the WinRE update Microsoft published last week for Windows 11 24H2 under KB5041137.
Microsoft has also announced the deployment phase of mitigation for the BlackLotus UEFI Secure Boot vulnerability, which is tracked under CVE-2023-24932. The tech giant has recommended organisations and enterprises to start deploying the mitigations with the latest Patch Tuesday updates that were released on July 9. The previous update for BlackLotus patches was released in April 2024, which was defined as the Evaluation Phase.
July 9, 2024 or later -- Deployment phase
This phase is when we encourage customers to begin deploying the mitigations and managing any media updates. The updates includes the following change:
Added support for Secure Version Number (SVN) and setting the updated SVN in the firmware.
The following is an outline of the steps to deploy in an Enterprise.
Note Additional guidance to come with later updates to this article.
Deploy the first mitigation to all devices in the Enterprise or a managed group of devices in the Enterprise. This includes:
Opting in to the first mitigation that adds the “Windows UEFI CA 2023” signing certificate to the device firmware.
Monitoring that devices have successfully added the “Windows UEFI CA 2023” signing certificate.
Deploy the second mitigation that applies the updated boot manager to the device.
Update any recovery or external bootable media used with these devices.
Deploy the third mitigation that enables the revocation of the “Windows Production CA 2011” certificate by adding it to the DBX in the firmware.
Deploy the fourth mitigation that updates the Secure Version Number (SVN) to the firmware.
Since the support document is fairly large with lots of details to go through, Microsoft has published a changelog so that admins and users can quickly spot the alterations made by the company.
July 9, 2024
- Updated "Step 2: Evaluate the changes" to remove the July 9, 2024 date.
- Updated all occurrences of the April 9, 2024 date to July 9, 2024 except in the "Timing of updates" section.
- Updated the "bootable media" section and replaced the content with "Guidance for updating bootable media is coming with future updates."
- Updated "July 9, 2024 or later – Deployment Phase Begins" in the "Timing of updates" section.
- Added Step 4 "Apply the SVN update to the firmware" in the "Mitigation deployment guidelines" section.
You can find full details about it in the support document here on Microsoft"s official website.