• What is the effect of July update for BlackLotus if PC has no Memory Integrity?


    #2601343

    Do you know of anyone who has installed the (BlackLotus mitigation) July 2023 update, on a PC with Secure Boot but no Memory Integrity?

    I have a Windows 10 (home) PC with Secure Boot, but no TPM and no Code Integrity.
    I hope to update it with the July 11 2023 Windows updates:
    https://support.microsoft.com/en-au/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

    I read that Memory Integrity, Code integrity, and HVCI (Hypervisor-Protected Code Integrity) can refer to the same thing. https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement

    On the kb5025885 page (1st link above), it says that SKUSiPolicy.p7b uses Code Integrity (when Secure Boot is on) to prevent some boot managers loading.

    • What happens in a PC that has no Code Integrity?
    • Would the update just not function?
    • Would secure boot still work, or would it need to be disabled in order to boot?
    • Would the remaining parts of the update do anything (i.e. the DBX)?
    • Could the PC be unbootable?

    I am asking for information here from anyone who has any thoughts or experience of a similar situation.
    I would like to add this update so that the PC is as protected as it can be.
    I think it is also important to keep secure boot.
    The update cannot be reverted (it is ‘locked’ to the UEFI: https://support.microsoft.com/en-gb/topic/kb5027455-guidance-for-blocking-vulnerable-windows-boot-managers-522bb851-0a61-44ad-aa94-ad11119c5e91).

    Facts and Information:

    • My PC says “Standard hardware security not supported” on the Device Security page.
    • It does say Secure Boot is on.
    • I would get updated Windows 10 media before updating.
    • There are no other operating systems on the PC.
    • It has been off since the beginning of July ’23.

    Please post your thoughts or experiences on this, especially if you know of a Windows 10 PC without Memory Integrity that has Secure Boot switched on and the above updates applied (optional at the moment). Many thanks.

    • This topic was modified 1 year, 4 months ago by Paul T.
    • This topic was modified 1 year, 4 months ago by Eric946. Reason: To make easier to read
    • #2601519

      I’ve installed this on several computers without a tpm with no side effects.

       

      Susan Bradley Patch Lady/Prudent patcher

    • #2601559

      Thank you for your fast reply, that is helpful.
      In the ‘Device Security’ section of Security Center, does it say if the PCs have Memory integrity, despite not having a TPM?

      I ask this as I believe it is possible to not have a TPM and still have Memory integrity.
      I think this because I have a second PC that has no Secure Boot, no TPM, yet under Device Security it says:

      “Core isolation
      Virtualisation-based security protects the core parts of your device.”

      The “Core isolation details” link underneath goes to a page that says

      “Memory integrity…”

      The PC I’m wanting to update is the first one, that has Secure Boot, but not Memory integrity.
      It says instead “Standard hardware security not supported”.

      Thanks in advance.
