This will be a short post on how to update WinPE boot images with a Cumulative Update, as we need to do that now with the release of the May 2023 Cumulative Update to address CVE-2023-24932. Spent all day with colleagues to try to test what happens to OS deployment (and AutoPilot) when deploying the mitigation for CVE-2023-24932 and re-imaging a computer.
There is still a lot of testing left with this update and the mitigations, but one thing that is needed is to update the boot images used in Configuration Manager and MDT, for example.
Here is a quick script https://github.com/Ccmexec/MEMCM-OSD-Scripts/blob/master/Update-BootWIM.ps1 that my best colleague Sassan Fanai https://twitter.com/sassan_f?s=20 wrote, based on this sample from Microsoft Learn https://learn.microsoft.com/en-us/windows/deployment/update/media-dynamic-update
Note that before implementing the manual steps to mitigate the vulnerability, make sure you have all the required lifecycle in place, as deploying an unpatched image will fail even if the boot images are updated.
I applied the mitigations on a Virtual Machine and after that PXE boot fails with the following error.
Using the script to update the boot image
Start by downloading the script from the location above.
Then download the latest LCU from the Microsoft Update Catalog.
To update the default boot image, do the following. For each custom boot image, update the boot.wim in its source folder with the CU as well, i.e. redo the whole process below for each image.
Or update the default WinPE.wim file that was shipped with the ADK installation; it is located in “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us”.
- Create two folders in C: “Boot Image Backup” and “MediaRefresh”
- In the MediaRefresh folder create a Packages folder
- Copy the Cumulative Update to the “MediaRefresh\Packages” folder and rename it to LCU.MSU.
- Copy the Boot.wim from %Configuration Manager install folder%\OSD\Boot\X64, or the default WinPE.wim, to “Boot Image Backup”. If updating the WinPE.wim, rename it to boot.wim.
- Run the script and the boot image will be updated with the latest CU.
- It will look like shown below.
- Rename the old boot image in the source folder to .bak, for example, and copy the updated Boot.wim image to the source folder for the boot image.
- If WinPE.wim was updated, copy it to the default location, “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us”, and rename it to WinPE.wim.
- Then update the distribution points with the updated boot image. Note: if WinPE.wim was updated, select the option to “Reload the boot image with the current Windows PE version from the Windows ADK”.
- In the console, open the properties of the boot image and select Reload; the new version will show.
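The same folder layout driven directly by the DISM PowerShell cmdlets, as an added example that is neither Sassan's Update-BootWIM.ps1 nor Microsoft's sample; the mount path, the output path and the build check against $ExpectBuild are assumptions:

```powershell
# Added example: service boot.wim with an LCU using the DISM module, following the flow of
# the Microsoft Learn media-dynamic-update sample the post links to (not the post's own script).
param(
    [string]$BootWim     = 'C:\Boot Image Backup\boot.wim',     # copied from OSD\Boot\X64 or the ADK WinPE.wim
    [string]$LcuPath     = 'C:\MediaRefresh\Packages\LCU.msu',  # CU from the Update Catalog, renamed as in the post
    [string]$Mount       = 'C:\MediaRefresh\Mount',             # assumption: scratch mount directory
    [string]$OutWim      = 'C:\MediaRefresh\boot.wim',          # assumption: exported, updated image
    [string]$ExpectBuild = '10.0.22621'                         # assumption: ADK build (22621 = Windows 11 22H2)
)
$ErrorActionPreference = 'Stop'

# 0x8007007E (unattend.dll) on Export usually means 32-bit PowerShell or a missing ADK WinPE add-on.
if (-not [Environment]::Is64BitProcess) {
    throw 'Run from 64-bit PowerShell on a machine with the ADK and the WinPE add-on installed.'
}

# Refuse to apply an LCU built for a different Windows release than this WinPE image.
$img = Get-WindowsImage -ImagePath $BootWim -Index 1
if (-not $img.Version.StartsWith($ExpectBuild)) {
    throw "boot.wim is $($img.Version); expected $ExpectBuild. Use the LCU that matches the ADK build."
}

New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $BootWim -Index 1 -Path $Mount | Out-Null
try {
    # With a combined SSU+LCU the first Add-WindowsPackage can fail with 0x8007007E; Microsoft's
    # sample logs that as a known issue and applies the package again, which is what we do here.
    try { Add-WindowsPackage -Path $Mount -PackagePath $LcuPath | Out-Null }
    catch {
        if ($_.Exception.Message -notlike '*0x8007007e*') { throw }
        Write-Warning 'Known combined-CU issue (0x8007007E); applying the LCU a second time.'
    }
    Add-WindowsPackage -Path $Mount -PackagePath $LcuPath | Out-Null
    Dismount-WindowsImage -Path $Mount -Save | Out-Null
}
catch {
    # Never leave a half-serviced mount behind; discard and surface the real error.
    Dismount-WindowsImage -Path $Mount -Discard | Out-Null
    throw
}

# Export to a fresh WIM so superseded components are dropped, then confirm the build moved.
Export-WindowsImage -SourceImagePath $BootWim -SourceIndex 1 -DestinationImagePath $OutWim -CompressionType max | Out-Null
$new = Get-WindowsImage -ImagePath $OutWim -Index 1
"Before: $($img.Version)  After: $($new.Version)"
```

Copy the exported $OutWim over the boot image source folder (or back to the ADK en-us folder as WinPE.wim) and then reload it in the console as described above.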
Then PXE boot will work again. The updated boot image will PXE boot both devices that have applied the mitigation steps and those that haven’t.
Next up: build an image with the update in it, or wait for VLSC, to test that out so we can reinstall devices which have the mitigation applied.
If deploying an older image to a Hyper-V VM, it will fail with the following error.
Now time for more testing!
Ugh. I suppose this means I’m finally going to have to update ADK and get a current boot image.
Hi, Thanks for the script.
However, I get this error:
Export-WindowsImage : Unable to load DLL ‘unattend.dll’: The specified module could not be found. (Exception from HRESULT: 0x8007007E)
At C:\Temp\Update-BootWIM.ps1:80 char:5
+ Export-WindowsImage -SourceImagePath $BOOT_WIM -SourceIndex $IMA …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Export-WindowsImage], DllNotFoundException
+ FullyQualifiedErrorId : System.DllNotFoundException,Microsoft.Dism.Commands.ExportWindowsImageCommand
Any Ideas?
You’ll need to make sure you are running the process in PowerShell x64, not x86. And you also need to have the ADK and ADK WinPE installed on the same machine you are running the script from.
I had the same problem. After I corrected it, I also had to comment out the lines that only say “Continue” in this script to allow the process to run end to end again. Once you get that error, it won’t work unless you do this.
I think according to this article https://learn.microsoft.com/en-us/windows/deployment/update/media-dynamic-update#update-winpe the error 0x8007007E should be “safe” to ignore, seeing how Microsoft’s scripts handle it: “This failure is a known issue with combined cumulative update, we can ignore.”
As a point of clarification – If someone is using ADK 10.0.22621.0 this is the Win11 ADK. Should we apply the May 9, 2023 LCU for Win11 or Win10 to the winpe.wim from the ADK?
Hi, You should use the matching Windows version that matches the ADK.
10.0.22621 = Windows 11 22H2 which is the version you should download the LCU for and apply.
/Jörgen
I added both Win11 and Win10 LCU.msu to the boot.wim
Did anyone else encounter the error 0x800F0988 (PSFX_E_INVALID_DELTA_COMBINATION) when applying the update(s) from KB5025885 to the WinPE image from the ADK for Windows 11 version 22H2 (10.0.22621.1) ?
Can someone please paste a link for an LCU for Windows 10 21H2_10.0.19041.2965?
Trying to make sure I have the correct one applied.
Hi,
We have updated everything properly: WinPE for the reference image with MDT and the boot images. On a patched computer with the right Event Viewer code 276 (Windows boot manager revocation policy version 0x2000000000002 is applied), we did a reimage with our task sequence. It ended up OK; however, Event Viewer is showing code 277: Windows boot manager revocation policy version 0x2000000002 was not found. It is recommended that it be redeployed. Any advice?