Microsoft blocks BlackLotus Secure Boot mitigations on TPM 2.0 Windows Server 2012 PCs – Neowin


Microsoft last week released its April 2024 Patch Tuesday updates for Windows 10 (KB5036892), Windows 11 (KB5036893), and more. As is often the case, users encountered various issues and problems when trying to install the updates.

Regardless, the updates address several critical security issues. Earlier today we covered a few Kerberos PAC authentication security vulnerabilities tracked under CVE-2024-26248 and CVE-2024-29056.



Meanwhile, the April 2024 Patch Tuesday release also updated the mitigations for the BlackLotus vulnerability, a Secure Boot bypass tracked as CVE-2023-24932. Updating Secure Boot will not, however, help you with the LogoFAIL vulnerability that we recently covered.

As with Kerberos PAC validation, mitigations are not enabled by default and must be applied.

Microsoft also warned of various known issues. For example, the mitigations are blocked on Windows Server 2012 and Windows Server 2012 R2 systems because of an incompatibility with Trusted Platform Module (TPM) 2.0.

Microsoft explains:

Systems based on TPM 2.0: These systems running Windows Server 2012 and Windows Server 2012 R2 cannot deploy the mitigations released in the April 9, 2024 security update due to known compatibility issues with TPM measures. The April 9, 2024 security updates will block mitigations #2 (Boot Manager) and #3 (DBX Update) on affected systems.

Microsoft is aware of the issue and an update will be released soon to unblock TPM 2.0 based systems.

The full list of known issues is given below:

  • HP: HP has identified a mitigation installation issue on HP Z4G4 workstation computers and will release a Z4G4 UEFI firmware (BIOS) update in the coming weeks. To ensure successful installation of the mitigation, it will be blocked on desktop workstations until the update is available.
  • HP devices with Sure Start Security: These devices require the latest firmware updates from HP to install mitigations. Mitigation is blocked until the firmware is updated.
  • Arm64-based devices: Mitigation is blocked due to known UEFI firmware issues with Qualcomm-based devices. Microsoft is working with Qualcomm to resolve this issue. Qualcomm will provide the patch to device manufacturers.
  • Apple: Mac computers with the Apple T2 security chip support Secure Boot. However, updating UEFI security-related variables is only available as part of macOS updates. Boot Camp users should see an event log entry for Event ID 1795 in Windows related to these variables.
  • VMware: In VMware-based virtualization environments, a virtual machine using an x86 processor with Secure Boot enabled will fail to boot after mitigations are applied. Microsoft is coordinating with VMware to resolve this issue.

  • Symantec endpoint encryption: Secure Boot mitigations cannot be applied to systems with Symantec Endpoint Encryption installed. Microsoft and Symantec are aware of the issue and will be fixed in a future update.
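For administrators who want to know whether a given host falls into the TPM 2.0 / Windows Server 2012 group that the update blocks, and whether the Event ID 1795 entries mentioned above have appeared, here is an added PowerShell triage example. It is not Microsoft's tooling or anything from the support document; it assumes it runs elevated, that OS version 6.2/6.3 with a server ProductType identifies the Server 2012/2012 R2 family, and that the Win32_Tpm class, Confirm-SecureBootUEFI and Get-WinEvent are available on the host.

```powershell
# Added example, not Microsoft's own tooling: report the facts that decide whether the
# April 2024 update will block BlackLotus mitigations #2 and #3 on this host.
# Assumptions: elevated session; Windows PowerShell 3.0 or later (CIM cmdlets present).
function Get-BlackLotusMitigationReadiness {
    [CmdletBinding()]
    param([int]$EventLookbackDays = 30)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Server 2012 reports 6.2.x, Server 2012 R2 reports 6.3.x; ProductType 1 is a client SKU.
    $isServer2012Family = ($os.ProductType -ne 1) -and ($os.Version -match '^6\.(2|3)\.')

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "unknown".
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

    # Event ID 1795 in the System log is the entry the article cites for Secure Boot
    # variable updates; no provider filter is applied so nothing is assumed about it.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 1795
        StartTime = (Get-Date).AddDays(-$EventLookbackDays)
    } -ErrorAction SilentlyContinue

    # The known issue applies only to the TPM 2.0 + Server 2012/2012 R2 combination.
    $blocked = $isServer2012Family -and ($tpmSpec -eq '2.0')
    [pscustomobject]@{
        OSVersion                      = $os.Version
        Server2012Family               = $isServer2012Family
        TpmSpecVersion                 = $tpmSpec
        SecureBootEnabled              = $secureBoot
        MitigationsBlockedByKnownIssue = $blocked
        Event1795Count                 = @($events).Count
        Note = if ($blocked) {
            'Mitigations #2 (Boot Manager) and #3 (DBX Update) are blocked until Microsoft unblocks TPM 2.0 on Server 2012/2012 R2'
        } else {
            'Not in the TPM 2.0 / Server 2012 group; still review the other known issues (HP, Arm64, Apple T2, VMware, Symantec)'
        }
    }
}

Get-BlackLotusMitigationReadiness | Format-List
```

Run it on each candidate server before scheduling the mitigation deployment so blocked hosts can be tracked separately until Microsoft's follow-up update lands.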




You can find more technical details, as well as the full release schedule, in the support document on the Microsoft website.
