I recently wrote a post on how to apply the remediation in Windows after the May updates. This post goes on to cover how to update your ADK winpe.wim file and then reload your CM boot media, so that it continues to boot on devices where the CVE-2023-24932 mitigations have been applied. (ADK = Windows 11 22H2)
References:
- KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 (Microsoft Support)
- KB5025885: Dealing with CVE-2023-24932 via Proactive Remediation & Configuration Items
- David Segura (MVP) on Twitter: Here's some of my notes on CVE-2023-24932
- Automatically update your Configuration Manager boot images for CVE-2023-24932 (Jose Espitia)
High Level Overview:
- Install the Windows 11 22H2 ADK and WinPE add-on on a Windows 11 22H2 machine. [LINK]
- Download: 2023-05 Cumulative Update for Windows 11 Version 22H2 for x64-based Systems (KB5026372)
- [Script] Back up the ADK winpe.wim file
- [Script] Mount the ADK winpe.wim file
- [Script] Apply the Windows 11 22H2 CU to the mounted image
- [Script] DISM component cleanup
- [Script] Dismount the image, saving changes
- [Script] Export the image to reduce its size
- Copy the updated winpe.wim to your CM servers and overwrite winpe.wim in each server's ADK location
- Reload your CM boot images.
NOTE: I tried to do this directly on the CM server, but kept getting errors applying the LCU.
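The [Script] steps above, written out as one runnable PowerShell sequence. This is an added example for this page, not Gary's UpdateADK_winpe_wim.ps1 from GitHub; the working folder C:\Temp\WinPE, the backup file naming, the use of dism.exe for the component cleanup, and the final build-number comparison are my own assumptions. It expects to run elevated on the Windows 11 22H2 machine where the ADK and WinPE add-on are installed, with the KB5026372 .msu already downloaded.

```powershell
# Added example: service the ADK winpe.wim with the May 2023 LCU and verify it took.
# Not the script from the post; paths below are assumptions, adjust to your environment.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$AdkWinPePath = "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim"
$LcuPath      = "C:\Temp\windows11.0-kb5026372-x64_d2e542ce70571b093d815adb9013ed467a3e0a85.msu"
$WorkRoot     = "C:\Temp\WinPE"                      # assumed scratch folder
$MountPath    = Join-Path $WorkRoot "Mount"
$BackupPath   = Join-Path $WorkRoot ("winpe_backup_{0}.wim" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$ExportPath   = Join-Path $WorkRoot "winpe_export.wim"

foreach ($p in $AdkWinPePath, $LcuPath) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}
New-Item -ItemType Directory -Path $MountPath -Force | Out-Null

# 1. Record the starting build and keep an untouched copy of the ADK image.
$before = Get-WindowsImage -ImagePath $AdkWinPePath -Index 1
Write-Host "Before: $($before.Version)"              # 10.0.22621.1 on a fresh 22H2 ADK
Copy-Item -LiteralPath $AdkWinPePath -Destination $BackupPath

# 2. Mount index 1 read/write.
Mount-WindowsImage -ImagePath $AdkWinPePath -Index 1 -Path $MountPath | Out-Null

try {
    # 3. Apply the LCU. This is the step that fails on a server OS, hence the
    #    post's advice to do it on a Windows 11 22H2 client.
    Add-WindowsPackage -Path $MountPath -PackagePath $LcuPath | Out-Null

    # 4. Component cleanup so superseded payload does not stay in the image.
    #    There is no DISM cmdlet for this, so call dism.exe directly.
    & dism.exe "/Image:$MountPath" /Cleanup-Image /StartComponentCleanup /ResetBase | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DISM cleanup failed with exit code $LASTEXITCODE" }

    # 5. Commit the changes and unmount.
    Dismount-WindowsImage -Path $MountPath -Save | Out-Null
}
catch {
    # Discard the staged changes so the ADK file is not left half-serviced.
    Dismount-WindowsImage -Path $MountPath -Discard -ErrorAction SilentlyContinue | Out-Null
    throw
}

# 6. Export to a fresh WIM; this is what actually shrinks the file after servicing.
if (Test-Path -LiteralPath $ExportPath) { Remove-Item -LiteralPath $ExportPath -Force }
Export-WindowsImage -SourceImagePath $AdkWinPePath -SourceIndex 1 `
    -DestinationImagePath $ExportPath -CompressionType Max | Out-Null

# 7. Verify: the exported image must report a build newer than the unpatched base.
$after = Get-WindowsImage -ImagePath $ExportPath -Index 1
Write-Host "After:  $($after.Version)"
if ([version]$after.Version -le [version]$before.Version) {
    throw "WinPE build did not change; the LCU was not applied."
}
"Backup: {0}`nExport: {1} ({2:N0} MB)" -f $BackupPath, $ExportPath, ((Get-Item -LiteralPath $ExportPath).Length / 1MB)
```

The file to copy over the CM server's ADK winpe.wim is the exported one ($ExportPath), not the in-place serviced file; the backup is there so you can put the original back if the patched boot image misbehaves. The build-number check at the end is the same confirmation described later in the post: if Get-WindowsImage still reports the base build, the .msu did not land.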
Following the Process
Script on GitHub: garytown/UpdateADK_winpe_wim.ps1
NOTE: I've updated the script on GitHub since posting this, so you will get slightly different results. The change log for the script is in the script itself.
Default ADK x64 winpe.wim before applying the LCU, as reported by Get-WindowsImage against index 1 of the file:

Get-WindowsImage -ImagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Index 1

The boot image in CM will still show 10.0.22621.1 at this point.

Run the Script
Grab the script from GitHub, update the variables at the top for your environment, then run it from an elevated PowerShell session.

winpe.wim after:

You will see a current modified date and a much larger file.
I then copied that file from the Windows 11 device to the CM server's ADK install location.

Then, in the console, I reload the boot image (Update Distribution Points, with the option to reload the boot image with the current Windows PE version from the ADK selected). This takes several minutes.

Once completed, the boot image will show the updated OS version:

Then I created another Task Sequence boot media using the wizard in the console, so I now have an unpatched version and a patched version to compare. As you can see, the patched version is about 150 MB larger.

Testing Booting a VM
Test 1: Old Boot Media (unpatched)

Test 2: New Boot Media

Let me know if you run into any issues, but so far this has been working for my boot media in ConfigMgr.
GARYTOWN.COM
Thanks. We are still running an older ADK version (2004), and we are still running W10 only in our environment. Shouldn't be a problem updating the boot image with this version?
You can deploy Win10 with the Win11 ADK.
I typically keep my ADK at the latest version ConfigMgr supports. It also makes deploying newer models easier, as it has more support built in.
That's fine as long as Microsoft supports all the operating systems they say they do. They don't, and the latest doesn't work on some server OSs that still, technically, support the site server role.
Hi Gary
While running this section of the script, it errors out because -DestinationImagePath is empty. Does something need to be there?
Export-WindowsImage -SourceImagePath $ADK_WINPE_PATH -SourceIndex $IMAGE.ImageIndex -DestinationImagePath "" -ErrorAction stop | Out-Null
Sorry, I must have missed a Ctrl+V; it should be set to: "$ExportPath\winpe_export.wim"
I've updated the script.
Thank you,
Microsoft should be releasing an ISO with the May update and the Secure Boot bootkit vulnerability fix.
Any ideas why I get this?
WARNING: Failed to add package C:\temp\windows11.0-kb5026372-x64_d2e542ce70571b093d815adb9013ed467a3e0a85.msu
WARNING: Add-WindowsPackage failed. Error code = 0x80070032
08:06:45: Unable to find the Unattend.xml file in the expanded .msu package.
Add-WindowsPackage : Unable to find the Unattend.xml file in the expanded .msu package.
At C:\Temp\UpdateADK_winpe_wim.ps1:40 char:11
+ try { Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PAT ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-WindowsPackage], COMException
+ FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsPackageCommand
Are you doing this on a Windows 11 22H2 device? I had similar issues trying to run it on Server OS.
We are still on the last ADK for windows 10 as we had some issues when trying to upgrade to the Windows 11 ADK. I downloaded the appropriate May 2023 KB for windows 10 and patched our boot image using this script. All seemed to be working fine, but builds now fail at the "Setup Windows and ConfigMgr" step. I'm not getting any errors in our OSD task sequence logs, the device just completely fails to reboot. I am using a Windows 10 21H2 image created from the may 2023 Windows 10 ISO, which I assumed would be compatible with the patched Winpe Boot image.
Did you apply the May CU to your Windows 21H2 image?
You'll need to make sure the build of Win10 is at least 1904X.2965 (MAY) or higher
We created a new image using the Windows 10 ISO Microsoft released a couple of days ago, so I assumed that it already has the May CU applied, and if not, our automated image creation process would have installed the update. I did roll back to our April 2023 Windows image and encountered the same issue, so I would also assume that it is an issue with my WinPE image and not the OS image. To be on the safe side, I refreshed the install of the Windows ADK and WinPE add-on, re-patched the WinPE image and created new boot images.
Hi Gary, thank you for this effort. How can I actually see that this .msu is applied? I can see the modified date on the .wim file; is there any other option? EFI boot works now, I guess that is the best confirmation?
Once it's applied to the WIM, you can run the command to get the build number (as shown earlier in this blog), and you'll see the build number will have been updated.