Microsoft PowerShell scripts to fix WinRE bypass on Windows 10 and 11

    Microsoft PowerShell scripts to fix WinRE bypass on Windows 10 and 11

    Microsoft PowerShell scripts to fix WinRE bypass on Windows 10 and 11

    KB5025175: Updating WinRE partition on deployed devices to address security vulnerabilities in CVE-2022-41099

    Posted: 17 Mar 2023

    KB5025175: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2022-41099

    Windows 10 Windows 11

    Introduction

    Microsoft has developed a sample PowerShell script that can help you automate updating the Windows Recovery Environment (WinRE) on deployed devices to address the security vulnerabilities in CVE-2022-41099.

    Sample PowerShell script

    The sample PowerShell script was developed by the Microsoft product team to help automate the updating of WinRE images on Windows 10 and Windows 11 devices. Run the script with Administrator credentials in PowerShell on the affected devices. There are two scripts available—which script you should use depends on the version of Windows you are running. Please use the appropriate version for your environment.

    PatchWinREScript_2004plus.ps1 (Recommended)

    This script is for Windows 10, version 2004 and later versions, including Windows 11. We recommend that you use this version of the script, because it is more robust but uses features available only on Windows 10, version 2004 and later versions.

    PatchWinREScript_General.ps1

    This script is for Windows 10, version 1909 and earlier versions, but executes on all versions of Windows 10 and Windows 11.

    More information

    With the device started up into the running version of Windows installed on the device, the script will perform the following steps:

    1. Mount the existing WinRE image (WINRE.WIM).
    2. Update the WinRE image with the specified Safe OS Dynamic Update (Compatibility Update) package available from the Windows Update Catalog. We recommend that you use the latest Safe OS Dynamic Update available for the version of Windows installed on the device.
    3. Unmount the WinRE image.
    4. If the BitLocker TPM protector is present, reconfigures WinRE for BitLocker service.
      Important This step is not present in most third-party scripts for applying updates to the WinRE image.

    Usage

    The following parameters can be passed to the script:
    Parameter Description
    workDir <Optional> Specifies the scratch space used to patch WinRE. If not specified, the script will use the default temp folder for the device.
    packagePath <Required> Specifies the path and name of the OS-version-specific and processor architecture-specific Safe OS Dynamic update package to be used to update the WinRE image.

    Note This can be a local path or a remote UNC path but the Safe OS Dynamic Update must be downloaded and available for the script to use.
    Example:
    .\PatchWinREScript_2004plus.ps1 -packagePath "\\server\share\windows10.0-kb5021043-x64_efa19d2d431c5e782a59daaf2d.cab

    Source: https://support.microsoft.com/en-us/...3-e13eb56fb589
    Brink's Avatar Posted By: Brink
    17 Mar 2023


  1. Posts : 86
    Windows 10
       #1

    Hi @Brink,

    I'm not very good with PS, so I'd really appreciate to know the proper way to do this ?

    Do I have to install the .cab file before executing the PS script ?

    Or do I have to include the path of this KB in the PS script, and if so, where do I insert it ?

    Or do I simply execute the script ?

    Thank You for your answer
      My Computer


  2. Posts : 68,264
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #2

    JAY B said:
    Hi @Brink,

    I'm not very good with PS, so I'd really appreciate to know the proper way to do this ?

    Do I have to install the .cab file before executing the PS script ?

    Or do I have to include the path of this KB in the PS script, and if so, where do I insert it ?

    Or do I simply execute the script ?

    Thank You for your answer
    Got me as well since this is for deployed devices.
      My Computers


  3. Posts : 86
    Windows 10
       #3

    Brink said:
    Got me as well since this is for deployed devices.
    Well, I really don't know what to do with this one !

    If You have any suggestion, I am all ears !!
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 02:05.
Find Us




Windows 10 Forums