CCMEXEC.COM – Enterprise Mobility

PS Script to Update Boot images with CU-CVE-2023-24932

Posted on May 10, 2023 (updated May 19, 2023) by Jörgen Nilsson

This will be a short post on how to update WinPE boot images with a Cumulative Update, which we now need to do with the release of the May 2023 Cumulative Update that addresses CVE-2023-24932. I spent all day with colleagues testing what happens to OS deployment (and Autopilot) when the mitigation for CVE-2023-24932 is deployed and a computer is then re-imaged.
There is still a lot of testing left with this update and the mitigations, but one thing that is clearly needed is to update the boot images used in, for example, Configuration Manager and MDT.

Here is a quick script, https://github.com/Ccmexec/MEMCM-OSD-Scripts/blob/master/Update-BootWIM.ps1, that my best colleague Sassan Fanai (https://twitter.com/sassan_f?s=20) wrote based on this sample from Microsoft Learn: https://learn.microsoft.com/en-us/windows/deployment/update/media-dynamic-update

Note that before implementing the manual steps to mitigate the vulnerability, make sure you have the whole required lifecycle in place, as deploying an unpatched image will fail even if the boot images are updated.

I applied the mitigations on a virtual machine, and after that PXE boot failed with the following error.

Using the script to update the boot image

Start by downloading the script from the location above.
Then download the latest LCU from the Microsoft Update Catalog.

To update the default boot image, do the following. For each custom boot image, the boot.wim in its source folder must be updated with the CU as well, i.e. redo the whole process below for each image.

Alternatively, update the default WinPE.wim file that shipped with the ADK installation; it is located in “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us”.

  • Create two folders in C: “Boot Image Backup” and “MediaRefresh”
  • In the MediaRefresh folder create a Packages folder
  • Copy the Cumulative Update to the “MediaRefresh\Packages” folder and rename it to LCU.MSU
  • Copy the Boot.wim from %Configuration Manager install folder%\OSD\Boot\X64, or the default WinPE.wim, to “Boot Image Backup”. If updating WinPE.wim, rename it to boot.wim.
  • Run the script and the boot image will be updated with the latest CU.
  • It will look like shown below.
  • Rename the old boot image in the source folder to .bak, for example, and copy the updated Boot.wim to the source folder for the boot image.
  • If WinPE.wim was updated, copy it to the default location, “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us”, and rename it to WinPE.wim.
  • Then update the distribution points with the updated boot image. Note: if WinPE.wim was updated, select the option to “Reload the boot image with the current Windows PE version from the Windows ADK”.
  • In the console, open the properties of the boot image and select reload; the new version will show.
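One way to script the servicing steps above in PowerShell, as an added example that is not the linked Update-BootWIM.ps1 (it follows the same Microsoft Learn sample); the paths are assumptions that follow the folder layout described, and the 0x8007007E handling mirrors the known combined-update behaviour noted in the Learn sample:

```powershell
# Added illustration of the boot image update steps; not the linked
# Update-BootWIM.ps1. All paths below are assumptions following the post's
# folder layout. Run from 64-bit PowerShell as administrator on a machine
# with the ADK and the WinPE add-on installed.
$ErrorActionPreference = 'Stop'
if (-not [Environment]::Is64BitProcess) {
    throw 'Run this from a 64-bit PowerShell host (the DISM cmdlets need x64).'
}

$BootWim   = 'C:\Boot Image Backup\boot.wim'      # backup copy to service
$LcuPath   = 'C:\MediaRefresh\Packages\LCU.msu'   # renamed LCU from the catalog
$MountDir  = 'C:\MediaRefresh\Mount'
$OutputWim = 'C:\MediaRefresh\boot.wim'           # updated image to copy back

foreach ($p in $BootWim, $LcuPath) {
    if (-not (Test-Path $p)) { throw "Missing input: $p" }
}
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
if (Test-Path $OutputWim) { Remove-Item $OutputWim }

# Service every index so a multi-index WIM does not keep an unpatched copy.
foreach ($index in (Get-WindowsImage -ImagePath $BootWim).ImageIndex) {
    Mount-WindowsImage -ImagePath $BootWim -Index $index -Path $MountDir | Out-Null
    $committed = $false
    try {
        try {
            Add-WindowsPackage -Path $MountDir -PackagePath $LcuPath | Out-Null
        } catch {
            # Combined cumulative updates are known to return 0x8007007E here
            # (see the Microsoft Learn sample); anything else is a real failure.
            if ($_.Exception.Message -notlike '*0x8007007e*') { throw }
        }
        # Remove superseded components so the old boot files are not kept.
        & dism.exe /Image:$MountDir /Cleanup-Image /StartComponentCleanup | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "DISM cleanup failed: $LASTEXITCODE" }
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
        $committed = $true
    } finally {
        # Never commit a half-serviced image: discard if anything above failed.
        if (-not $committed) { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    }
    # Export to a fresh WIM so the output only carries the updated payload.
    Export-WindowsImage -SourceImagePath $BootWim -SourceIndex $index `
        -DestinationImagePath $OutputWim -CompressionType Max | Out-Null
}
Write-Host "Updated boot image written to $OutputWim"
```

Copy the resulting boot.wim back to the boot image source folder (or the ADK WinPE folder) as described in the steps above, then update the distribution points.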

Then PXE boot will work again. The updated boot image will PXE boot both devices that have applied the mitigation steps and those that haven’t.
Next up is building an image with the update in it, or waiting for VLSC, to test that we can reinstall devices which have the mitigation applied.
If an older image is deployed, it will fail with the following error if it is a Hyper-V VM.

Now time for more testing!

  • BootImage
  • CVE-2023-24932
  • Update WinPE
8 thoughts on “PS Script to Update Boot images with CU-CVE-2023-24932”

    1. Steve Whitcher says:
      May 12, 2023 at 6:47 pm

      Ugh. I suppose this means I’m finally going to have to update ADK and get a current boot image.

      Reply
    2. Nik says:
      May 16, 2023 at 12:20 pm

      Hi, Thanks for the script.

      However I get this error:-

      Export-WindowsImage : Unable to load DLL ‘unattend.dll’: The specified module could not be found. (Exception from HRESULT: 0x8007007E)
      At C:\Temp\Update-BootWIM.ps1:80 char:5
      + Export-WindowsImage -SourceImagePath $BOOT_WIM -SourceIndex $IMA …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [Export-WindowsImage], DllNotFoundException
      + FullyQualifiedErrorId : System.DllNotFoundException,Microsoft.Dism.Commands.ExportWindowsImageCommand

      Any Ideas?

      Reply
      1. Jeff Pollock says:
        June 15, 2023 at 4:27 pm

        You’ll need to make sure you are running the process in Powershell x64, not x86. And you also need to have the ADK and ADK Winpe installed on the same machine you are running the script from.

        I had the same problem. After I corrected that, I also had to comment out the lines that only say “Continue” in this script to allow the process to run end to end again. Once you get that error, it won’t work unless you do this.

        Reply
      2. Alexander says:
        June 19, 2023 at 11:09 am

        I think according to this article https://learn.microsoft.com/en-us/windows/deployment/update/media-dynamic-update#update-winpe the error: 0x8007007E should be “safe” to ignore, seeing how Microsoft’s scripts handles it: “This failure is a known issue with combined cumulative update, we can ignore.”

        Reply
    3. MSD_GUY says:
      June 1, 2023 at 6:42 pm

      As a point of clarification – If someone is using ADK 10.0.22621.0 this is the Win11 ADK. Should we apply the May 9, 2023 LCU for Win11 or Win10 to the winpe.wim from the ADK?

      Reply
      1. admin says:
        June 2, 2023 at 10:25 am

        Hi, You should use the matching Windows version that matches the ADK.
        10.0.22621 = Windows 11 22H2 which is the version you should download the LCU for and apply.

        /Jörgen

        Reply
    4. Alexander says:
      June 19, 2023 at 11:15 am

      Did anyone else encounter the error 0x800F0988 (PSFX_E_INVALID_DELTA_COMBINATION) when applying the update(s) from KB5025885 to the WinPE image from the ADK for Windows 11 version 22H2 (10.0.22621.1) ?

      Reply
    5. Mike says:
      June 20, 2023 at 12:46 am

      Can someone please paste a link for an LCU for Windows 10 21H2_10.0.19041.2965?
      Trying to make sure I have the correct one applied.

      Reply
