They blacklist some bootloaders, but it takes them forever. CVE-2023-24932 (from May 2023) had a fix available a year later (June 2024), had the update broadly made available through standard updates in 2025 (2 years later) and doesn't automatically install it today.

You might think the 2025 update will solve the problem, but:

> Before following these steps for applying the mitigations, install the Windows monthly servicing update released on July 8, 2025, or a later update on supported Windows devices. This update includes mitigations for CVE-2023-24932 but they are not enabled by default. All Windows devices should complete this step regardless of your plan to enable the mitigations.

The current status for the update (https://support.microsoft.com/en-us/topic/how-to-manage-the-...) says:

> The Enforcement Phase will not begin before January 2026, and we will give at least six months of advance warning in this article before this phase begins. When updates are released for the Enforcement Phase, they will include the following:

Basically, unless your company and sysadmin have enforced this fix (i.e. you're a home user), Microsoft hasn't revoked their keys.

Then there's CVE-2024-38058, a similar attack. Microsoft tried to roll out a fix, but that broke compatibility, and the fix was then rolled back. Again, that problem can be fixed with the solution for the previous CVE, but that is still not deployed by default.

https://neodyme.io/en/blog/bitlocker_screwed_without_a_screw... describes the TPM2 attack in detail as well as mitigations and solutions much better than I can.

Exploiting signed bootloaders to circumvent UEFI Secure Boot