As many of you know, CVE-2023-24932 will require Configuration Manager admins to update their boot media before their organization or Microsoft enforces the revocations. If you do not update your boot images before the revocations are applied, you will not be able to load an unpatched WinPE image. Community members like Gary Blok and Sassan Fanai have already shared some excellent scripts that will automatically update your boot image. I just wanted to take it an extra step by automating some of the manual steps that would have to be performed. Using the ConfigMgr Module, we’re able to query the boot images to determine which updates are needed, find the update source URL for the May CU, then eventually update the boot image and reload the boot image properties so the console shows the correct build number. This will hopefully streamline the process for the community.
Many thanks to Gary Blok for collaborating with me and helping improve the script!
- Microsoft’s Official Documentation
- The Configuration Manager module needs to be loaded before running the script
- If you have a Windows 11 boot image, please run the script on a Windows 11 host. DISM fails to apply the update if you do not.
- Local folder that will be used to store the boot image WIM temporarily
- Local folder where we will mount the boot image.
- Local folder that will be used to store the downloaded May 2023 Cumulative Update