Applies to: Windows client and server media
On May 9, 2023, Microsoft started to push KB5025885 to all impacted devices. The update is marked as critical or automatic, and Windows automatically consume and install the update.
Only after the manual remediation, all OSRI media that have been created prior to the policy update will become unbootable including:
For full mitigation see Microsoft Security Advisor KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
Existing OSRI media and Windows Backups continue to work.
When will Dell and Microsoft provide updated OSRI images or media?Dell is actively working on updating OSRI media. We will update this article as we progress, and updated images become available.
Can I revert the policy update in order to use OSRI media and Windows Backups?No.
Can I disable Secure Boot to use OSRI media?Dell does not recommend reducing the security posture of a device.
What error message will I see when the OSRI media fails to boot?Windows Boot Manager may stop the boot process with error 0xC0000428: Windows cannot verify the digital signature when OSRI was performed from media.
(Figure 1. Boot Manager Error)
Windows may stop with error 0xC0e90002 when Windows Recovery (WinRE) is invoked.
(Figure 2. Error when Push-Button Reset or Windows Reset was used)
How can I verify that the revocation was activated?If the revocation is installed, operating system reinstall media may not work.