So this was a pain in bum, but I think I have a decent method to making this work for USB Boot Media.
Words of Warning
Once you’ve applied the mitigations outlined in the KB, the device is difficult to work with when it comes to boot media / reimaging. Personally, I’d only do this on some lab test machines, and not rollout to larger groups until MS provides a better story for managing post mitigated machines. My assumption is that this will be a horror story until October when 24H2 is released.
My Thoughts, take it or leave it…
Get a couple test devices and apply all 3 steps. Learn the pain firsthand! Get a few more test devices and only apply steps 1 & 2. I’ve updated my TS to only do steps 1 & 2 for now.
After some testing, start to roll out Steps 1 & 2 (NOT 3) to a broader scope of devices. Since it takes so many reboots (if you don’t push with a TS), you can let these changes slowly filter out as end users naturally reboot. Recommend #ConfigMgr Baseline / #Intune Remediation
When (if) MS releases 24H2 ADK (Hopefully July based on the KB), start updating your boot media and continue testing on the couple devices you have applied all 3 steps on.
Then for Step 3 wide deployment, wait for MS to ensure PXE is working, and you have your Windows Media Updated & your Boot Images all updated, and everything is working smoothly on your few test devices, then slowly rollout step 3 to rest of your devices.
On to the Post
Requirements:
TLDR, the step that got it working for me was copying the system files from a machine that was already updated with the remediations and overwriting them on the flash drive. I have yet to get this to work in a PXE scenario.
- ADK: Windows 11 22H2 ADK (22621).
- CU: April 2024 CU or later
- OSD PowerShell Module – Local Setup | OSDCloud.com
- Windows 11 machine (23H2 / 22H2) machine already fully patched to April with Remediations – Feel free to use my TS to apply the remediation. ConfigMgr Task Sequence – KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 – GARYTOWN ConfigMgr Blog
Why am I leveraging the OSD Module, it makes life simple. David Segura did a lot of work on this, and figured out some annoying things, so I’m leveraging his work so I don’t have to reinvent the wheel.
I’ll assume you have your ADK installed and setup, I’m not going to cover that.
Working Machine
All of the things I’m doing are on a machine that I’ve already applied April CU and applied the Remediation steps (using the Config Mgr TS provided in my previous post). To create the proper boot media, we’ll need to steal some files from this machine.
Getting the Update
Using the Windows 11 22H2 history page, find the latest CU: Windows 11, version 22H2 update history – Microsoft Support. For today, it’s ‘April 9, 2024—KB5036893 (OS Builds 22621.3447 and 22631.3447)’
Going to the catalog, I search for KB5036893 and download the Windows 11 22H2 x64 version
Applying Update
I’m going to be using OSD Module, so I’ll assume you have the OSD Module installed. First thing I’m going to do with the module is create a new Template and reference up downloaded update naming it WinPE22621.
New-OSDCloudTemplate -Name WinPE22621 -CumulativeUpdate "C:\Users\gary.blok\Downloads\windows11.0-kb5036893-x64_f8c0bdc5888eb65b1d68b220b0b87535735f1795.msu"
I’m going to hit enter and wait about 15 minutes.
Once it’s done, you’ll see that your template is created:
Now it’s time to create a Workspace, were we’ll start creating edits to things.
New-OSDCloudWorkspace -WorkspacePath c:\WinPE22621
Once that is done, I go ahead and copy the host machines system files over to the media directory. There are a couple errors during copy, but that didn’t seem to matter.
mountvol s: /s
Copy-Item s:\* C:\WinPE22621\Media\ -Force -Recurse -Verbose
Now Let’s build the USB Drive:
New-OSDCloudUSBThis will prompt you to format your drive and build it for OSDCloud
Using that USB, go give it a try on a device you’ve applied the remediation on.
Configuration Manager USB Boot
I’ll take the boot.wim from the c:\WinPE22621\Media\Sources location and import that into ConfigMgr.
I then add the drivers I want from my HP Driver WinPE Pack
I do a few other things, but DO NOT TOUCH the Optional Components, those are already there, they just don’t register.
I distribute to my DP, then I run the Update DP… do NOT check “Reload”, that will remove your CU and optional Components.
I then create TS Media, an ISO
Then back on my working pc that has the April update and remediations applied, I extract the ISO to the flash drive
I then run the command to copy the system files to the flash drive.
mountvol s: /s
Copy-Item s:\* e:\ -Force -Recurse -VerboseThen you can take your USB Drive for ConfigMgr and boot a machine that has already been updated with the April Patches & has the remediations applied.
I have yet to test reimages, as I don’t have any updated Windows Media that has April updates installed. I’m really hoping that MS releases updated media to deal with that part.