As many of you know, CVE-2023-24932 will require Configuration Manager admins to update their boot media before their organization or Microsoft enforces the revocations. If you do not update your boot images before the revocations are applied, you will not be able to load an unpatched WinPE image. Community members like Gary Blok and Sassan Fanai have already shared some excellent scripts that automatically update your boot image. I wanted to take it a step further by automating some of the manual steps that would otherwise have to be performed. Using the ConfigMgr module, we can query the boot images to determine which updates are needed, find the update source URL for the May CU, then update the boot image and reload the boot image properties so the console shows the correct build number. This will hopefully streamline the process for the community.
Credit:
Many thanks to Gary Blok for collaborating with me and helping improve the script!
References:
- https://garytown.com/kb5025885-dealing-with-cve-2023-24932-for-your-configmgr-boot-images
- https://ccmexec.com/2023/05/ps-script-to-update-boot-images-with-cu-cve-2023-24932/
- Microsoft’s Official Documentation
Requirements:
- The Configuration Manager module needs to be loaded before running the script
- If you have a Windows 11 boot image, please run the script on a Windows 11 host. DISM fails to apply the update if you do not.
Parameters:
- WIMFolder
  - Local folder that will be used to store the boot image WIM temporarily
- MountFolder
  - Local folder where we will mount the boot image
- DownloadFolder
  - Local folder that will be used to store the downloaded May 2023 Cumulative Update
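The following is an added example of the core mount, patch, verify and reload loop described above; it is not the author's script and does not include his update-URL lookup or download step. It assumes the ConfigMgr module is loaded and the session is in the site drive, that the May CU (.msu or .cab) has already been downloaded into the DownloadFolder, and that the `Get-CMBootImage` and `Update-CMDistributionPoint -ReloadBootImage` cmdlet calls are available in the module version you run (my reading of the module, not confirmed by the post). The package ID is a placeholder.

```powershell
# Added example (not the author's script): service one ConfigMgr boot image offline
# with an already-downloaded cumulative update, then reload the image properties in
# the site so the console shows the new build number.
param(
    [Parameter(Mandatory)] [string] $BootImagePackageId,   # e.g. 'PS100005' (placeholder)
    [Parameter(Mandatory)] [string] $WIMFolder,            # local temp copy of the WIM
    [Parameter(Mandatory)] [string] $MountFolder,          # local mount point for the WIM
    [Parameter(Mandatory)] [string] $DownloadFolder        # local folder holding the CU
)

$ErrorActionPreference = 'Stop'

# 1. Look up the boot image in the site. ImagePath is the UNC source path of the WIM;
#    ImageOSVersion is the build the console currently reports.
$bootImage = Get-CMBootImage -Id $BootImagePackageId
if (-not $bootImage) { throw "Boot image $BootImagePackageId not found" }
Write-Host "Current ImageOSVersion: $($bootImage.ImageOSVersion)"

# 2. Work on a local copy so a failed DISM run never leaves the site's source WIM
#    half-written.
foreach ($d in $WIMFolder, $MountFolder, $DownloadFolder) {
    if (-not (Test-Path $d)) { New-Item -ItemType Directory -Path $d | Out-Null }
}
$workWim = Join-Path $WIMFolder ([IO.Path]::GetFileName($bootImage.ImagePath))
Copy-Item -Path $bootImage.ImagePath -Destination $workWim -Force

# 3. Pick the CU package to apply (.msu or .cab) from the download folder.
$cu = Get-ChildItem -Path $DownloadFolder -Include *.msu, *.cab -Recurse |
      Select-Object -First 1
if (-not $cu) { throw "No .msu/.cab found in $DownloadFolder" }

# 4. Mount, apply, commit. On any error discard the mount so the mount point is not
#    left dirty for the next run. DISM on the host must be at least as new as the
#    WIM being serviced (hence the Windows 11 host requirement for Windows 11 images).
Mount-WindowsImage -ImagePath $workWim -Index 1 -Path $MountFolder | Out-Null
try {
    Add-WindowsPackage -Path $MountFolder -PackagePath $cu.FullName | Out-Null
    Dismount-WindowsImage -Path $MountFolder -Save | Out-Null
}
catch {
    Dismount-WindowsImage -Path $MountFolder -Discard | Out-Null
    throw
}

# 5. Check that servicing actually raised the build before touching the site.
$newVersion = (Get-WindowsImage -ImagePath $workWim -Index 1).Version
Write-Host "Patched WIM version: $newVersion"

# 6. Copy the patched WIM back over the site source, then reload the boot image
#    properties so the console reflects the new build and the DPs get the update.
Copy-Item -Path $workWim -Destination $bootImage.ImagePath -Force
Update-CMDistributionPoint -BootImageId $BootImagePackageId -ReloadBootImage
```

Running on a local copy and verifying the version with `Get-WindowsImage` before overwriting the site source is the safety net here: if the CU fails to apply (for example because the host's DISM is older than the image), the original WIM in the package source is untouched and the mount is discarded rather than saved.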
Quinn
Is this to be run on the SCCM site server?
Jose Espitia
I ran it remotely but there is no reason why you can’t run this on the site server.
Jose Espitia
I was testing with 5.1 but I did add a bug fix for this issue.