Automatically update your Configuration Manager boot images for CVE-2023-24932

As many of you know, CVE-2023-24932 will require Configuration Manager admins to update their boot media before the revocations are enforced, whether by their own organization or by Microsoft. Once the revocations have been applied to a device, it will no longer boot an unpatched WinPE image, so the boot images must be updated first. Community members like Gary Blok and Sassan Fanai have already shared some excellent scripts that automatically update a boot image. I just wanted to take it a step further by automating the manual steps that would otherwise still have to be performed. Using the ConfigMgr PowerShell module, the script queries the boot images to determine which ones need the update, finds the content source URL of the May 2023 cumulative update in the software update catalog, applies the update to the boot image, and finally reloads the boot image properties so the console shows the correct build number. This will hopefully streamline the process for the community.

Credit:

Many thanks to Gary Blok for collaborating with me and helping improve the script!

Requirements:

  • The Configuration Manager PowerShell module needs to be loaded (with the site drive connected) before running the script
  • If you have a Windows 11 boot image, run the script on a Windows 11 host. DISM on an older host OS fails to apply the update to a Windows 11 image.

Parameters:

  • WIMFolder
    • Local folder that will be used to store the boot image WIM temporarily
  • MountFolder
    • Local folder where we will mount the boot image.
  • DownloadFolder
    • Local folder that will be used to store the downloaded May 2023 Cumulative Update

Script:
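
The script itself is not reproduced on this page, so the following is a worked PowerShell example of the procedure described above. It is added here and is not the author's script nor Gary Blok's or Sassan Fanai's code. It assumes the ConfigurationManager module is loaded with a CMSite drive available, that the May 2023 cumulative updates have been synchronized into the software update catalog, and that it runs elevated on a host that can reach the update download URL. It relies on the SMS_BootImagePackage properties ImageOSVersion and ImagePath, on the FileName and SourceURL properties of the objects returned by Get-CMSoftwareUpdateContentInfo, and on the -ReloadImageProperty switch of Set-CMBootImage; treat those names as assumptions to verify against your site. The -TargetVersion value (the WinPE version the May CU produces, taken from the KB article) is supplied by the admin rather than hard-coded, and the helper functions Invoke-CM and Get-CuNameFilter are this example's own.

```powershell
<#
  Added example, not the author's script: service every ConfigMgr boot image with the
  May 2023 cumulative update so it still boots once the CVE-2023-24932 revocations apply.
  Assumes: ConfigurationManager module loaded and a CMSite drive present; May 2023 CUs
  synced into the catalog; elevated session; host OS at least as new as the image.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$WIMFolder,       # local scratch copy of the boot WIM
    [Parameter(Mandatory)][string]$MountFolder,     # local DISM mount point
    [Parameter(Mandatory)][string]$DownloadFolder,  # local folder for the downloaded CU
    # WinPE version the May 2023 CU produces (from the KB article); images already at or
    # above it are skipped. Supplied by the admin, not hard-coded in this example.
    [Parameter(Mandatory)][version]$TargetVersion,
    [string]$UpdateMonth = '2023-05'                # prefix of the CU title in the catalog
)
$ErrorActionPreference = 'Stop'
$SiteDrive = (Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name
$HostBuild = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
foreach ($dir in $WIMFolder, $MountFolder, $DownloadFolder) { New-Item $dir -ItemType Directory -Force | Out-Null }

# Run ConfigMgr cmdlets from the site drive; DISM and file operations run from the file system.
function Invoke-CM([scriptblock]$Block) {
    Push-Location "$($SiteDrive):\"
    try { & $Block } finally { Pop-Location }
}

# Map the WinPE build (set by the ADK that produced the image) and architecture to the
# catalog title of the matching CU. 19041-based WinPE is serviced by the Windows 10 22H2 CU.
function Get-CuNameFilter([version]$ImageVersion, [string]$Architecture) {
    if     ($ImageVersion.Build -ge 22621) { $product = 'Windows 11 Version 22H2' }
    elseif ($ImageVersion.Build -ge 22000) { $product = 'Windows 11 Version 21H2' }
    elseif ($ImageVersion.Build -ge 19041) { $product = 'Windows 10 Version 22H2' }
    else   { return $null }
    switch -Regex ($Architecture) {
        '^(x64|amd64)$' { $arch = 'x64-based Systems' }
        '^(x86|i386)$'  { $arch = 'x86-based Systems' }
        '^arm64$'       { $arch = 'ARM64-based Systems' }
        default         { return $null }
    }
    return "$UpdateMonth Cumulative Update for $product for $arch*"
}

foreach ($BootImage in Invoke-CM { Get-CMBootImage }) {
    # Cast to [version] so the comparison is numeric per component, not a string comparison.
    $ImageVersion = [version]$BootImage.ImageOSVersion
    Write-Host "$($BootImage.Name) [$($BootImage.PackageID)] $($BootImage.Architecture) $ImageVersion"
    if ($ImageVersion -ge $TargetVersion) { Write-Host '  Media already updated'; continue }
    if ($ImageVersion.Build -gt $HostBuild) {
        Write-Warning "  Host build $HostBuild is older than the image build; DISM may fail to apply the update."
    }

    $Filter = Get-CuNameFilter $ImageVersion $BootImage.Architecture
    $Update = if ($Filter) {
        Invoke-CM { Get-CMSoftwareUpdate -Name $Filter -Fast } |
            Where-Object { -not $_.IsExpired -and -not $_.IsSuperseded } | Select-Object -First 1
    }
    # Stop here when the catalog has no matching CU (e.g. no Windows 11 x86 update exists),
    # rather than passing a null -Id to Get-CMSoftwareUpdateContentInfo.
    if (-not $Update) { Write-Warning "  No CU matching '$Filter' in the catalog; skipping."; continue }
    $Content = Invoke-CM { Get-CMSoftwareUpdateContentInfo -Id $Update.CI_ID } |
        Where-Object { $_.FileName -match '\.(msu|cab)$' } | Select-Object -First 1
    if (-not $Content) { Write-Warning "  $($Update.LocalizedDisplayName) has no .msu/.cab content; skipping."; continue }
    $PackagePath = Join-Path $DownloadFolder $Content.FileName
    if (-not (Test-Path $PackagePath)) { Start-BitsTransfer -Source $Content.SourceURL -Destination $PackagePath }

    # Service a local copy rather than the package source directly.
    $LocalWim = Join-Path $WIMFolder (Split-Path $BootImage.ImagePath -Leaf)
    Copy-Item $BootImage.ImagePath $LocalWim -Force
    Mount-WindowsImage -ImagePath $LocalWim -Index 1 -Path $MountFolder | Out-Null
    try     { Add-WindowsPackage -Path $MountFolder -PackagePath $PackagePath | Out-Null }
    finally { Dismount-WindowsImage -Path $MountFolder -Save | Out-Null }

    # Verify the result before touching the package source, then export so the WIM does not
    # keep the superseded payload that Add-WindowsPackage leaves behind.
    $NewVersion = [version](Get-WindowsImage -ImagePath $LocalWim -Index 1).Version
    if ($NewVersion -lt $TargetVersion) { throw "$($BootImage.PackageID) is at $NewVersion after servicing, expected $TargetVersion" }
    $Exported = "$LocalWim.exported"
    Remove-Item $Exported -Force -ErrorAction SilentlyContinue
    Export-WindowsImage -SourceImagePath $LocalWim -SourceIndex 1 -DestinationImagePath $Exported | Out-Null
    Copy-Item $BootImage.ImagePath "$($BootImage.ImagePath).bak" -Force   # keep the pre-update image
    Copy-Item $Exported $BootImage.ImagePath -Force

    # Reload the image properties so the console shows the new build, then redistribute.
    Invoke-CM {
        Set-CMBootImage -Id $BootImage.PackageID -ReloadImageProperty
        Update-CMDistributionPoint -BootImageId $BootImage.PackageID
    }
    Write-Host "  Updated $($BootImage.PackageID): $ImageVersion -> $NewVersion"
}
Get-ChildItem $WIMFolder | Remove-Item -Force   # clean up the scratch copies
```

Two details in the example are worth keeping whatever script you end up with: cast ImageOSVersion to [version] before the -ge comparison (as strings, "10.0.19041.999" sorts after "10.0.19041.1000"), and check that the catalog query actually returned an update before calling Get-CMSoftwareUpdateContentInfo, since binding a null CI_ID to its -Id parameter is a hard error. The .bak copy next to the package source is what you restore from if a distribution or boot test fails.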

6 Comments

  1. Is this to be run on the SCCM site server?

    • Jose Espitia

      May 17, 2023 at 1:33 pm

      I ran it remotely but there is no reason why you can’t run this on the site server.

  2. Which version of PowerShell did you test this script on? On PowerShell 5.1, when comparing the boot media OS version against the target version, the operator returns true, which makes the script not continue as expected. I can’t post a screenshot here, but this is basically what is on my console:

    Detected Windows 10 ADK
    Media already updated: 10.0.19041.1
    Cleaning up directories
    PS SITECODE:\> [System.Version]10.0.19041.1 -ge [System.Version]10.0.19041.2965
    True

  3. I’m getting this error. Any ideas?

    Detected Windows 10 ADK
    Image Architecture: x86
    Get-CMSoftwareUpdateContentInfo : Cannot bind argument to parameter ‘Id’ because it is null.

  4. I don’t wish to update CM boot images directly. Is there a version that will just update WIM files, including winre.wim if needed?

    I tried a PowerShell script from MS, but I just keep getting error 87 no matter what I try; it is telling me the target file is wrong, etc. I have the newest ADK, etc.
