KB5025175: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2022-41099
Windows 10 Windows 11
Introduction
Microsoft has developed a sample PowerShell script that can help you automate updating the Windows Recovery Environment (WinRE) on deployed devices to address the security vulnerabilities in CVE-2022-41099.
Sample PowerShell script
The sample PowerShell script was developed by the Microsoft product team to help automate the updating of WinRE images on Windows 10 and Windows 11 devices. Run the script with Administrator credentials in PowerShell on the affected devices. There are two scripts available; which script you should use depends on the version of Windows you are running. Please use the appropriate version for your environment.
PatchWinREScript_2004plus.ps1 (Recommended)
This script is for Windows 10, version 2004 and later versions, including Windows 11. We recommend that you use this version of the script, because it is more robust but uses features available only on Windows 10, version 2004 and later versions.
PatchWinREScript_General.ps1
This script is for Windows 10, version 1909 and earlier versions, but executes on all versions of Windows 10 and Windows 11.
More information
With the device started up into the running version of Windows installed on the device, the script will perform the following steps:
- Mount the existing WinRE image (WINRE.WIM).
- Update the WinRE image with the specified Safe OS Dynamic Update (Compatibility Update) package available from the Windows Update Catalog. We recommend that you use the latest Safe OS Dynamic Update available for the version of Windows installed on the device.
- Unmount the WinRE image.
- If a BitLocker TPM protector is present, reconfigure WinRE for BitLocker service.
Important: This step is not present in most third-party scripts for applying updates to the WinRE image.
Usage
The following parameters can be passed to the script:
Parameter | Description
workDir | <Optional> Specifies the scratch space used to patch WinRE. If not specified, the script will use the default temp folder for the device.
packagePath | <Required> Specifies the path and name of the OS-version-specific and processor-architecture-specific Safe OS Dynamic Update package to be used to update the WinRE image. Note: This can be a local path or a remote UNC path, but the Safe OS Dynamic Update must already be downloaded and available for the script to use.
Example:
.\PatchWinREScript_2004plus.ps1 -packagePath "\\server\share\windows10.0-kb5021043-x64_efa19d2d431c5e782a59daaf2d.cab"
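The following is an added example, not Microsoft's PatchWinREScript, showing the four steps above as a minimal elevated PowerShell script. It services WINRE.WIM through Microsoft's documented reagentc /disable and /enable flow rather than mounting the image on the recovery partition in place, and assumes that $PackagePath is a Safe OS Dynamic Update .cab already downloaded for the device's OS version and architecture.

```powershell
# Added example (not Microsoft's script): patch WINRE.WIM with a Safe OS Dynamic Update.
# Assumptions: run as Administrator; $PackagePath is an already-downloaded Safe OS DU .cab.
param(
    [Parameter(Mandatory = $true)][string]$PackagePath,
    [string]$WorkDir = $env:TEMP
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $PackagePath)) { throw "Package not found: $PackagePath" }

# Record whether the OS volume has a BitLocker TPM protector; WinRE must be
# re-registered with BitLocker afterwards or recovery will prompt for the key.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$hasTpmProtector = [bool]($osVol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })

# Disabling WinRE copies WINRE.WIM back to %SystemRoot%\System32\Recovery for servicing.
& reagentc /disable | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reagentc /disable failed; WinRE left unchanged' }
$wim = Join-Path $env:SystemRoot 'System32\Recovery\Winre.wim'
if (-not (Test-Path -LiteralPath $wim)) { throw "WINRE.WIM not found at $wim" }

$mount = Join-Path $WorkDir ('WinRE_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $mount -Force | Out-Null
try {
    # Step 1: mount the existing WinRE image (index 1 is the only image in WINRE.WIM).
    Mount-WindowsImage -ImagePath $wim -Index 1 -Path $mount | Out-Null
    # Step 2: apply the Safe OS Dynamic Update package to the mounted image.
    Add-WindowsPackage -Path $mount -PackagePath $PackagePath | Out-Null
    # Step 3: commit the change and unmount.
    Dismount-WindowsImage -Path $mount -Save | Out-Null
}
catch {
    # On any failure discard the mount so a half-patched image is never committed.
    Dismount-WindowsImage -Path $mount -Discard -ErrorAction SilentlyContinue | Out-Null
    throw
}
finally {
    Remove-Item -LiteralPath $mount -Recurse -Force -ErrorAction SilentlyContinue
}

# Step 4: re-enable WinRE, which copies the updated image back to the recovery
# partition and re-registers it with BitLocker when a TPM protector is present.
& reagentc /enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reagentc /enable failed; verify WinRE before rebooting' }
$info = & reagentc /info
if ($hasTpmProtector -and -not ($info -match 'Enabled')) {
    throw 'BitLocker TPM protector present but WinRE is not enabled; recovery would prompt for the key'
}
$info
```

Confirm the result with reagentc /info and, if you use Windows Update for Business or ConfigMgr reporting, check the WinRE version shown by dism /Get-ImageInfo against the Safe OS Dynamic Update you applied.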