Automatically update your Configuration Manager boot images for CVE-2023-24932

As many of you know, CVE-2023-24932 will require Configuration Manager admins to update their boot media before their organization or Microsoft enforces the revocations. If you do not update your boot images before the revocations are applied, an unpatched WinPE image will no longer boot. Community members like Gary Blok and Sassan Fanai have already shared some excellent scripts that automatically update a boot image. I just wanted to take it a step further by automating some of the manual steps that would otherwise have to be performed. Using the ConfigMgr module, we can query the boot images to determine which updates are needed, find the update source URL for the May 2023 cumulative update, update the boot image, and then reload the boot image properties so the console shows the correct build number. This will hopefully streamline the process for the community.

Credit:

Many thanks to Gary Blok for collaborating with me and helping improve the script!

References:

Requirements:

  • The Configuration Manager module needs to be loaded before running the script
  • If you have a Windows 11 boot image, please run the script on a Windows 11 host. DISM fails to apply the update if you do not.

Parameters:

  • WIMFolder
    • Local folder that will be used to store the boot image WIM temporarily.
  • MountFolder
    • Local folder where the boot image will be mounted.
  • DownloadFolder
    • Local folder that will be used to store the downloaded May 2023 Cumulative Update.

Script:

3 Comments

  1. Is this to be run on the SCCM site server?

    • Jose Espitia

      May 17, 2023 at 1:33 pm

      I ran it remotely but there is no reason why you can’t run this on the site server.

  2. Jose Espitia

    June 12, 2023 at 7:23 pm

    I was testing with 5.1 but I did add a bug fix for this issue.
