EC2 Windows instances: KB5025885 / CVE-2023-24932


Is there any official guidance from AWS on how to handle mitigation for CVE-2023-24932 (KB5025885) for EC2 Windows Instances?

Can we follow Microsoft's article to manage the Windows Boot Manager revocations for Secure Boot change to the letter or are there AWS EC2 specific issues to consider?

Noam_S
asked 11 days ago · 126 views
1 Answer

There's no specific AWS guidance unique to EC2 Windows instances regarding the mitigation of CVE-2023-24932 (KB5025885) for the Windows Boot Manager revocations for Secure Boot. Therefore, you can generally follow Microsoft's guidance closely, as it applies to Windows systems, including those running on AWS EC2.

However, a few key considerations and steps from Microsoft should be noted:

  1. Manual Intervention Required: Microsoft has released updates to address the CVE-2023-24932 vulnerability, which exploits Secure Boot via the BlackLotus bootkit. These updates require manual activation after installation to fully enable the security features. Microsoft suggests a phased approach to applying these updates to manage disruptions and ensure compatibility across various hardware and firmware configurations.

  2. Testing on Individual Devices: Before widespread deployment, it's advised to test the updates on individual devices within each device class in your environment. This helps detect any potential issues with firmware compatibility, as some devices might fail to properly update Secure Boot database values (DB and DBX).

  3. Phased Update Rollout: Microsoft plans to enforce these protections in three phases, with final implementation making these protections default in the first quarter of 2024. This phased approach is intended to minimize disruptions by allowing adjustments based on industry feedback and real-world application.

  4. Potential Issues: Be aware of known issues with certain hardware configurations where firmware updates are required to apply these mitigations successfully. Devices that do not support the updates or have incompatible firmware may not benefit from the mitigations until those issues are resolved.

  5. Intune and Remediation Scripts: For environments managed via Microsoft Intune, remediation scripts are available to automate the application of these updates, specifically the revocations mentioned in KB5025885. These scripts also include checks for Secure Boot status and other dependencies to ensure that the changes are applied only where appropriate.

  6. Consider BitLocker Recovery: Ensure that you have access to BitLocker recovery keys before enabling these mitigations, as some devices may enter BitLocker recovery mode following the update.

For managing EC2 Windows instances, the standard best practices for managing Secure Boot in a cloud environment apply. Ensure your instance images are up to date, and manage your EC2 configurations to maintain security compliance. Always back up your data and configurations before applying such updates, especially in a production environment.

You can refer directly to Microsoft's detailed guidance for CVE-2023-24932 for step-by-step instructions on applying these updates and managing potential issues during deployment.

EXPERT answered 11 days ago
EXPERT GK reviewed 11 days ago
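The answer above lists the checks to make before staging the revocations: Secure Boot status, whether the DB/DBX updated, and BitLocker recovery-key availability. The PowerShell pre-flight below is an added example (not from the re:Post answer, AWS, or Microsoft) that records those facts so a second run after the mitigation can be compared against it. It assumes it runs elevated on the instance, that the SecureBoot module cmdlets are present (they are on UEFI-boot Windows), and that the BitLocker cmdlets may be absent on Server images, which it treats as a finding rather than an error.

```powershell
# Pre-flight snapshot for KB5025885 / CVE-2023-24932 on an EC2 Windows instance.
# Added example; the output is a record to diff before and after applying the
# Microsoft guidance, not an implementation of the revocation itself.
$report = [ordered]@{ CapturedAt = (Get-Date).ToString('o') }

# 1. Secure Boot state. On an instance launched in legacy BIOS boot mode the
#    cmdlet throws; such an instance cannot take DB/DBX revocations at all.
try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI }
catch { $report.SecureBootEnabled = "unsupported: $($_.Exception.Message)" }

# 2. OS build (CurrentBuild.UBR) to compare against the minimum build Microsoft's
#    article requires; KB5025885 is an advisory, not a hotfix id, so Get-HotFix
#    cannot be used for this check.
$nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$report.OSBuild = "$($nt.CurrentBuild).$($nt.UBR)"

# 3. Has a mitigation already been staged? The article drives the process via
#    the AvailableUpdates value under the SecureBoot key; we only read it here.
$sb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -ErrorAction SilentlyContinue
$report.AvailableUpdates = if ($sb.AvailableUpdates) { '0x{0:X}' -f $sb.AvailableUpdates } else { 'not set' }

# 4. Size and hash of DB and DBX. A post-mitigation run whose values are
#    unchanged is the firmware-compatibility failure the answer warns about.
if ($report.SecureBootEnabled -eq $true) {
    foreach ($var in 'db', 'dbx') {
        $bytes = (Get-SecureBootUEFI -Name $var).Bytes
        $stream = [IO.MemoryStream]::new($bytes)
        $report["$($var.ToUpper())Bytes"]  = $bytes.Length
        $report["$($var.ToUpper())Sha256"] = (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash
    }
}

# 5. BitLocker: each protected volume needs a recovery-password protector on
#    hand before the boot manager changes, or the instance may boot to recovery.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vols = @(Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On')
    $report.BitLockerVolumesOn = $vols.Count
    $report.VolumesWithoutRecoveryPassword = @($vols | Where-Object {
        -not ($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    } | ForEach-Object MountPoint)
} else {
    $report.BitLocker = 'BitLocker cmdlets not installed on this image'
}

$obj = [pscustomobject]$report
$obj | Format-List
# Keep the snapshot so the run after the mitigation can be compared with Compare-Object.
$obj | Export-Clixml -Path "$env:TEMP\secureboot-preflight-$(Get-Date -Format yyyyMMddHHmm).xml"
```

Run it once before and once after the revocation step and diff the two XML files; an unchanged DBX hash or a volume listed under VolumesWithoutRecoveryPassword is the signal to stop before touching the next instance class.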
