Automatically update your Configuration Manager boot images for CVE-2023-24932

As many of you know, CVE-2023-24932 will require Configuration Manager admins to update their boot media before their organization or Microsoft enforces the revocations. If you do not update your boot images before the revocations are applied, you will not be able to load an unpatched WinPE image. Community members like Gary Blok and Sassan Fanai have already shared some excellent scripts that will automatically update your boot image. I just wanted to take it an extra step by automating some of the manual steps that would have to be performed. Using the ConfigMgr Module, we’re able to query the boot images to determine which updates are needed, find the update source URL for the May CU, then eventually update the boot image and reload the boot image properties so the console shows the correct build number. This will hopefully streamline the process for the community.


Many thanks to Gary Blok for collaborating with me and helping improve the script!



  • The Configuration Manager module needs to be loaded before running the script
  • If you have a Windows 11 boot image, please run the script on a Windows 11 host. DISM fails to apply the update if you do not.


  • WIMFolder
    • Local folder that will be used to store the boot image WIM temporarily
  • MountFolder
    • Local folder where we will mount the boot image.
  • DownloadFolder
    • Local folder that will be used to store the downloaded May 2023 Cumulative Update



  1. Is this to be run on the SCCM site server?

    • Jose Espitia

      May 17, 2023 at 1:33 pm

      I ran it remotely but there is no reason why you can’t run this on the site server.

  2. Which version of Powershell did you test this script on? On Powershell 5.1, when comparing the boot media OS version versus the target version, the operator is returning true which makes the script not continue as expected. I can’t post a screenshot here but this is basically what is on my console:

    Detected Windows 10 ADK
    Media already updated: 10.0.19041.1
    Cleaning up directories
    PS SITECODE:\> [System.Version]10.0.19041.1 -ge [System.Version]10.0.19041.2965

Leave a Reply