This will be a short post on how to update WinPE boot images with a Cumulative Update, as we need to do that now with the release of the May 2023 Cumulative Update to address CVE-2023-24932. I spent all day with colleagues trying to test what happens to OS deployment (and Autopilot) when deploying the mitigation for CVE-2023-24932 and re-imaging a computer.
There is still a lot of testing left with this update and the mitigations, but one thing that is needed is to update the boot images used in Configuration Manager and MDT, for example.
Here is a quick script https://github.com/Ccmexec/MEMCM-OSD-Scripts/blob/master/Update-BootWIM.ps1 that my best colleague Sassan Fanai https://twitter.com/sassan_f?s=20 wrote based on this sample from Microsoft Learn https://learn.microsoft.com/en-us/windows/deployment/update/media-dynamic-update
Note that before implementing the manual steps to mitigate the vulnerability, make sure you have all the required pieces in place: deploying an unpatched image will fail even if the boot images are updated.
I applied the mitigations on a virtual machine and after that PXE boot fails with the following error.
Using the script to update the boot image
Start by downloading the script from the location above.
Then download the latest LCU from the Microsoft Update Catalog.
To update the default boot image, do the following. For each custom boot image, also update the boot.wim in its source folder with the CU, i.e. repeat the whole process below for each image.
Alternatively, update the default WinPE.wim file that was shipped with the ADK installation; it is located in "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us".
- Create two folders in C:, "Boot Image Backup" and "MediaRefresh".
- In the MediaRefresh folder, create a Packages folder.
- Copy the Cumulative Update to the "MediaRefresh\Packages" folder and rename it to LCU.MSU.
- Copy the boot.wim from %Configuration Manager install folder%\OSD\Boot\X64, or the default WinPE.wim, to "Boot Image Backup". If updating the default WinPE.wim, rename it to boot.wim.
- Run the script and the boot image will be updated with the latest CU.
- It will look like shown below.
- Rename the old boot image in its source folder (to .bak, for example) and copy the updated boot.wim to the source folder for the boot image.
- If WinPE.wim was updated, copy it to the default location, "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us", and rename it to WinPE.wim.
- Then update the distribution points with the updated boot image. Note: if WinPE.wim was updated, select the option "Reload the boot image with the current Windows PE version from the Windows ADK".
- In the console, open the properties of the boot image and select reload; the new version will show.
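For readers who want to see what the servicing step does under the hood, here is an added PowerShell example that performs the same work with the DISM cmdlets: mount each index of boot.wim, inject the LCU, clean up superseded components, commit, and export a compacted WIM. It is not the Update-BootWIM.ps1 script linked above, nor Microsoft's sample; the folder names follow the steps in this post, and the Mount and Scratch subfolders under MediaRefresh are assumptions. Run it from an elevated PowerShell session on a machine with the Windows ADK installed.

```powershell
# Added example (not the Update-BootWIM.ps1 script from the post): services every
# index in boot.wim with the LCU using the DISM PowerShell module.
# Folder layout follows the post; Mount and Scratch subfolders are assumed names.
$BackupDir  = 'C:\Boot Image Backup'
$WorkDir    = 'C:\MediaRefresh'
$PackageDir = Join-Path $WorkDir 'Packages'
$Lcu        = Join-Path $PackageDir 'LCU.MSU'
$MountDir   = Join-Path $WorkDir 'Mount'
$ScratchDir = Join-Path $WorkDir 'Scratch'
$SourceWim  = Join-Path $BackupDir 'boot.wim'   # copied here before running
$UpdatedWim = Join-Path $WorkDir 'boot.wim'     # result; copy back to the source folder

# Pre-flight: refuse to continue if the inputs are not where they should be.
foreach ($p in @($SourceWim, $Lcu)) {
    if (-not (Test-Path $p)) { throw "Missing required file: $p" }
}
foreach ($d in @($MountDir, $ScratchDir)) {
    New-Item -ItemType Directory -Path $d -Force | Out-Null
}
# Work on a copy so the backup in "Boot Image Backup" stays untouched.
Copy-Item -Path $SourceWim -Destination $UpdatedWim -Force

# A boot.wim can hold more than one index (e.g. WinPE and Windows Setup);
# every index must be serviced or an unpatched one remains in the file.
$indexes = (Get-WindowsImage -ImagePath $UpdatedWim).ImageIndex
foreach ($i in $indexes) {
    Write-Host "Servicing index $i ..."
    Mount-WindowsImage -ImagePath $UpdatedWim -Index $i -Path $MountDir | Out-Null
    try {
        # Inject the cumulative update into the mounted image.
        Add-WindowsPackage -Path $MountDir -PackagePath $Lcu -ScratchDirectory $ScratchDir | Out-Null
        # Remove superseded components so the image does not grow unnecessarily
        # (the same cleanup step the Microsoft Learn media-refresh guidance uses).
        & dism.exe /Image:$MountDir /Cleanup-Image /StartComponentCleanup /ResetBase /ScratchDir:$ScratchDir | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "DISM cleanup failed for index $i" }
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    }
    catch {
        # Discard the mount on any failure so a half-serviced index is never committed.
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        throw
    }
}

# Export every index to a fresh file to drop stale resources and shrink the WIM.
$ExportWim = Join-Path $WorkDir 'boot.exported.wim'
if (Test-Path $ExportWim) { Remove-Item $ExportWim -Force }
foreach ($i in $indexes) {
    Export-WindowsImage -SourceImagePath $UpdatedWim -SourceIndex $i `
        -DestinationImagePath $ExportWim -CompressionType max | Out-Null
}
Move-Item -Path $ExportWim -Destination $UpdatedWim -Force

# Report the resulting build per index so it can be compared with the LCU level
# before the image is copied back and the distribution points are updated.
Get-WindowsImage -ImagePath $UpdatedWim | ForEach-Object {
    $info = Get-WindowsImage -ImagePath $UpdatedWim -Index $_.ImageIndex
    '{0}: {1} build {2}' -f $_.ImageIndex, $_.ImageName, $info.Version
}
```

The version printed at the end is the quickest sanity check that the update actually landed in every index before you replace the boot.wim in the source folder and update the distribution points; if one index still reports the old build, the LCU was not applied to it.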
Then PXE boot will work again. The updated boot image will PXE boot both devices that have applied the mitigation steps and those that haven't.
Next up: build an image with the update in it, or wait for VLSC, to test that out so we can reinstall devices which have the mitigation applied.
If deploying an older image, it will fail with the following error if it is a Hyper-V VM.
Now time for more testing!