KB5025885: Dealing with CVE-2023-24932 for your ConfigMgr boot images.

I recently wrote a post for how to apply the remediation in Windows after the May updates, this post now goes on to cover how to update your ADK Winpe.wim file then reload your CM Media to allow it to continue to boot. (ADK = Win11 22H2)


High Level Overview:

  • Install Windows 11 22H2 ADK & WinPE Addon on Windows 11 22H2 machine. [LINK]
  • Download: 2023-05 CU for Windows 11 Version 22H2 for x64-based Systems (KB5026372)
  • [Script] Backup the ADK winpe.wim file
  • [Script] Mount the ADK winpe.wim file
  • [Script] Apply the Windows 11 22H2 CU to the mounted media
  • [Script] DISM Cleanup
  • [Script] Dismount Media
  • [Script] Export Image to reduce size
  • Copy your updated winpe.wim to your CM Servers and overwrite the winpe.wim in your servers' adk location
  • Reload your CM boot media.

NOTE: I tried to do this directly on the CM Server, but continued to get errors applying the LCU

Following the Process

Script on GitHub: garytown/UpdateADK_winpe_wim.ps1

NOTE, I've updated the script on GitHub since posting this, so you will get slightly different results. Change Log for the script is in the script.

Default ADK x64 winpe.wim before applying LCU

Get-WindowsImage -ImagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Index 1

Boot Image in CM will still be 10.0.22621.1

Run the Script

Grab the script on GitHub and update your variables then run.

winpe.wim after:

You will see a current date modified and a much larger file.

I then copied that from the Windows 11 device to the CM Server's ADK install

Then in the console, I reload the Media, takes several minutes.

Once completed the boot media will have updated OS Version:

Then I created another Task Sequence Boot Media using the wizard in the console, so now I have my unpatched version and patched version. You can see, the patched version is 150MB larger.

Testing Booting a VM

Test 1: Old Boot Media (unpatched)

Test 2: New Boot Media

Let me know if you run into any issues, but so far, this has been working for my Boot Media in ConfigMgr.


14 thoughts on “KB5025885: Dealing with CVE-2023-24932 for your ConfigMgr boot images.”

  1. Thanks, we are still running an older ADK version 2004 we are still running W10 only in our environment, shouldn't be a problem updating the boot image with this version.?

    • You can deploy Win10 with Win11 ADK
      I typically keep my ADK at the latest version ConfigMgr supports. It also makes deploying newer models easier as it has more support built in.

      • that fine as long as Microsoft support all operating systems they say they do. They don't and the latest doesn't work on some server OS's that still, technically support the site server role.

  2. Hi Gary
    During running this section of the script it errors out due to the -DestinationImagePath is empty . Does something need to be there

    Export-WindowsImage -SourceImagePath $ADK_WINPE_PATH -SourceIndex $IMAGE.ImageIndex -DestinationImagePath "" -ErrorAction stop | Out-Null

    • Sorry, I must have missed a control V, it should be set to: "$ExportPath\winpe_export.wim"
      I've updated the script.

      • Thank you ,

        Microsoft should be releasing an iso with the may update and the Secure Boot bootkit vulnerability fix

  3. Any ideas why I get this:-

    WARNING: Failed to add package C:\temp\windows11.0-kb5026372-x64_d2e542ce70571b093d815adb9013ed467a3e0a85.msu
    WARNING: Add-WindowsPackage failed. Error code = 0x80070032
    08:06:45: Unable to find the Unattend.xml file in the expanded .msu package.

    Add-WindowsPackage : Unable to find the Unattend.xml file in the expanded .msu package.
    At C:\Temp\UpdateADK_winpe_wim.ps1:40 char:11
    + try { Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PAT ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Add-WindowsPackage], COMException
    + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsPackageCommand

  4. We are still on the last ADK for windows 10 as we had some issues when trying to upgrade to the Windows 11 ADK. I downloaded the appropriate May 2023 KB for windows 10 and patched our boot image using this script. All seemed to be working fine, but builds now fail at the "Setup Windows and ConfigMgr" step. I'm not getting any errors in our OSD task sequence logs, the device just completely fails to reboot. I am using a Windows 10 21H2 image created from the may 2023 Windows 10 ISO, which I assumed would be compatible with the patched Winpe Boot image.

    • Did you apply the May CU to your Windows 21H2 image?
      You'll need to make sure the build of Win10 is at least 1904X.2965 (MAY) or higher

  5. We created a new Image using the Windows 10 ISO Microsoft released a couple days ago, So I assumed that it already has the May CU applied, and if not, our automated Image creation process would have installed the update. I did roll back to our April 2023 Windows image and encountered the same issue, so I would also assume that it is an issue with my WinPE image and not the OS image. To be an the safe side, I refreshed the install of the Windows ADK and WinPE addon, repatched the WinPE image and crated new boot images.

  6. Hi Gary, thank you for this effort. How can I actually see that this .mcu is applied? I can see the modifed date in the .wim file, is there any other options? EFI boot works now, I guess that is the best confirmation?

    • Once it's applied to the WIM, you can run the command to get the build number (as shown earlier in this blog), and you'll see the build number will have been updated.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.