IMPORTANT Issue to be aware of if you use BitLocker on your OS drive

wingers · Jan 14, 2023

SIW2 said:
same sort of idea, I usually make my own pe which is a bit laborious. The end result is probably not massively different from using a builder

nice, would be curious on a separate thread how you do it as always used those tools but would prefer the power to do it myself without, even if more laborious as at least you can make it your own then

SIW2 · Jan 14, 2023

A lot of trial and error and using ideas from elsewhere. Each new os and build involves more fiddling around. Been doing it a long while. Quite time consuming. A lot of people spend hours every day gaming. I do this kind of thing instead. It is often very frustrating.

wingers · Jan 14, 2023

SIW2 said:
This implies that a separate recov partition isn't needed:

BitLocker overview - Windows Security

Learn about BitLocker practical applications and requirements.

learn.microsoft.com

Yes confirmed by real world test, you DON'T need a recovery partition. Just deleted one on a computer here with bitlocker enabled (with preboot authentication) and it works fine, could even press escape at pre-boot PIN prompt and enter bitlocker recovery key and it booted fine

So that is another option then, on all new deployments don't create a recovery partition, and on all existing deployments remotely delete the recovery partition

hsehestedt · Jan 14, 2023

Just tried it in two ways:

1) Installed Windows clean, recovery partition last. Deleted the recovery partition and extended the Win partition. Enabled BitLocker. That worked perfectly.

2) Installed Windows clean, recovery partition last. Enabled BitLocker first and allowed it to finish encryption. Then I Deleted the recovery partition and extended the Win partition. This also worked perfectly.

In both cases I installed Win 11 22H2 which I have fully updated. The install.wim, winre.wim, boot.wim, and all other parts of the ISO outside of the WIM images have been updated to build 1105 (the Jan 2023 patch Tuesday updates).

I may have to seriously consider going that route from now on. After all, I ALWAYS have a bootable UFD with which takes the place of that anyway.

hsehestedt · Jan 14, 2023

Sorry, I responded before I saw your post

. At least we both confirmed it

hsehestedt · Jan 14, 2023

Can I ask a question? What the heck is wrong with us that we are playing with this stuff on a Saturday?

wingers · Jan 14, 2023

hsehestedt said:
Sorry, I responded before I saw your post . At least we both confirmed it

Was definitely worth testing just to prove the point, as you say it gives us options now. And like you I would always boot from a UFD to solve problems anyway so never need the RE anyway.

wingers · Jan 14, 2023

hsehestedt said:
Can I ask a question? What the heck is wrong with us that we are playing with this stuff on a Saturday?

Good question! sadly I don't have an answer

hsehestedt · Jan 14, 2023

SIW2 said:
A lot of trial and error and using ideas from elsewhere. Each new os and build involves more fiddling around. Been doing it a long while. Quite time consuming. A lot of people spend hours every day gaming. I do this kind of thing instead. It is often very frustrating.

Man, you ain't kidding. But there's also a heck of a lot of satisfaction when you resolve a complex riddle.

mccnavy · Jan 14, 2023

I was successfully able to update my non-Bitlocker desktop using the method on page 2...thanks! Since it seems to be working...I was able to boot into Windows RE (i.e. advanced startup options)...I'll likely do the same with my laptop. The difference is that my recovery image on my desktop is on a Recovery partition and my laptop has the image on the C:drive...hidden Recovery folder. At first I thought I'd deleted the partition when I was setting up my laptop after clean install a while ago. I later found that some more recent installs are doing away with the Recovery Partition (at least I read that somewhere)...I originally thought I was wrong and made a new Recovery partition...i later restored it back to being on the C: drive where I found it. That at least prevents me from having to make periodic partition size changes. I recall Windows would actually do this during major updates. Anyways...I suspect that the RE image doesn't get updated often because they don't expect people to be working in it much...and therefore require the bug and security fixes?

hsehestedt · Jan 14, 2023

There are occasional updates to the WinRE.wim via the "Safe OS Updates", but those get applied to your installation media. This is the first time ever that I recall needing to update the Recovery Environment on installed systems.

It usually only gets updated when a major Windows version update (such as going from Win 11 original release to 22H2) takes place.

But, even in this instance, there is no need to update it unless you are using BitLocker on the OS drive.

SIW2 · Jan 14, 2023

hsehestedt said:
Just tried it in two ways:

1) Installed Windows clean, recovery partition last. Deleted the recovery partition and extended the Win partition. Enabled BitLocker. That worked perfectly.

2) Installed Windows clean, recovery partition last. Enabled BitLocker first and allowed it to finish encryption. Then I Deleted the recovery partition and extended the Win partition. This also worked perfectly.

In both cases I installed Win 11 22H2 which I have fully updated. The install.wim, winre.wim, boot.wim, and all other parts of the ISO outside of the WIM images have been updated to build 1105 (the Jan 2023 patch Tuesday updates).

I may have to seriously consider going that route from now on. After all, I ALWAYS have a bootable UFD with which takes the place of that anyway.

It means there won't be autofailover in case of problems with startup etc.

I ALWAYS have a bootable UFD with which takes the place of that anyway.

can use that instead.

Not sure if that matters for wingers machines. Just noticed he said it doesnt.

wingers · Jan 14, 2023

SIW2 said:
Not sure if that matters for wingers machines

if we have issues where a computer won't even boot then we boot from a UFD with various tools on to fix any basic issues or if terminal to recover any data (although technically they shouldn't be saving data locally!), but usually we just reapply our custom image again as usually it is just quicker to do this than it is to spend time fixing problems if files etc corrupt

mccnavy · Jan 14, 2023

hsehestedt said:
There are occasional updates to the WinRE.wim via the "Safe OS Updates", but those get applied to your installation media. This is the first time ever that I recall needing to update the Recovery Environment on installed systems.

It usually only gets updated when a major Windows version update (such as going from Win 11 original release to 22H2) takes place.

But, even in this instance, there is no need to update it unless you are using BitLocker on the OS drive.

Makes sense...I did mine anyways...at least I know that if I decide to encrypt my OS drives, that the RE image is somewhat updated. As for the installation media, is that done when you got to create it and it stalls for a little bit to "download" and install updates?

glasskuter · Jan 14, 2023

Bree said:
just thinking out loud, I don't need to as I don't use bitlocker

Nor do I, and I never will, but I still want to understand it and I do not. I had read the gobbly-gook MS instructions in the release notes on the cumulative before this thread was even opened and this thread has provoked even more confusion for me.

Someone please help me get straight on a few points.
1. If one does not use bitlocker, this update does not have to be applied to WinRE...correct? Any recovery media created by one's backup program gets created as usual without this vulnerability being patched in the recovery media.

2. If one does not use bitlocker and and does not apply this update to WinRE and one resets his PC, the PC will reset as usual with no ill results...correct? If this update is NOT part of WinRe, will the resulting live environment have the patch applied?

What troubles me the most is Joe Blow user does not read release notes nor are they a member of this forum. For many their only method of recovery is WinRE. They have bitlocked their drives and sit fat and happy thinking their data is protected. Not! Maybe I'm too simple minded here, but if the folks at MS are smart enough to write these updates, one would think they would also be smart enough to mirror the update into WinRE.

Yeah, I know I am dense.

hsehestedt · Jan 14, 2023

glasskuter said:
Nor do I, and I never will, but I still want to understand it and I do not. I had read the gobbly-gook MS instructions in the release notes on the cumulative before this thread was even opened and this thread has provoked even more confusion for me.

Someone please help me get straight on a few points.
1. If one does not use bitlocker, this update does not have to be applied to WinRE...correct? Any recovery media created by one's backup program gets created as usual without this vulnerability being patched in the recovery media.

2. If one does not use bitlocker and and does not apply this update to WinRE and one resets his PC, the PC will reset as usual with no ill results...correct? If this update is NOT part of WinRe, will the resulting live environment have the patch applied?

What troubles me the most is Joe Blow user does not read release notes nor are they a member of this forum. For many their only method of recovery is WinRE. They have bitlocked their drives and sit fat and happy thinking their data is protected. Not! Maybe I'm too simple minded here, but if the folks at MS are smart enough to write these updates, one would think they would also be smart enough to mirror the update into WinRE.

Yeah, I know I am dense.

1 - You are dead on correct. No need for any of this if you are not using BitLocker. The whole issue is that the Recovery Environment can be exploited so that someone with physical access to the machine could potentially gain access to the BitLocker encrypted data.

2 - As for a PC reset, I'm making some assumptions here. I don't think that a reset affects the recovery partition at all. If that's true, then an unpatched recovery partition would remain unpatched, while a patched recovery partition would stay patched. I guess I should test this to be sure. Maybe I'll try that this evening.

JustRebootit · Jan 14, 2023

Maybe someone can shed some light for me. As a test, I mounted a Windows 10 22H2 ISO and ran the DISM commands to grab the WIM's info. Before updating the WIM, the Version show 10.0.19041 and the Service Pack Build 1. After updating the WIM, the Version is still 10.019041 and the Service Pack Build is now 2251. Why is the version 10.0.19041 when I am using a 22H2 ISO? I thought 22H2 build number is 19045 and 2004 is 19041. Would this just be WinPE and the version just does not update with new Windows builds?

The VM used when running this test was a fresh imaged Win 10 22H2 as well. Also getting information from the following site.

Add an update to Windows RE

Add an update package to Windows RE.

learn.microsoft.com

wingers · Jan 14, 2023

JustRebootit said:
Maybe someone can shed some light for me. As a test, I mounted a Windows 10 22H2 ISO and ran the DISM commands to grab the WIM's info. Before updating the WIM, the Version show 10.0.19041 and the Service Pack Build 1. After updating the WIM, the Version is still 10.019041 and the Service Pack Build is now 2251. Why is the version 10.0.19041 when I am using a 22H2 ISO? I thought 22H2 build number is 19045 and 2004 is 19041. Would this just be WinPE and the version just does not update with new Windows builds?

I think that is spot on - it is simply that Microsoft don't always update WinRE everytime they release a new build / ISO of Windows

wingers · Jan 14, 2023

Useful links for scripts to check if machine has updated WinRE.wim on recovery partition and also to deploy a patched WIM - thought might be useful as script also does check to ensure partition big enough to hold the WIM

Deployment Code for Patching Winre.wim for CVE-2022-41099

Deployment Code for Patching Winre.wim for CVE-2022-41099 - Deploy_Winre.ps1

gist.github.com

Detect Compliance for CVE-2022-41099

Detect Compliance for CVE-2022-41099. GitHub Gist: instantly share code, notes, and snippets.

gist.github.com

Bree · Jan 14, 2023

JustRebootit said:
I thought 22H2 build number is 19045 and 2004 is 19041.

2004 and all versions up to 22H2 share a common set of system files. From 2004 up to 22H2 all new features have been delivered in the cumulative updates, but in a dormant state. Each Feature Update was done by means of installing an Enablement Package that turned on the new features and bumps up the major build number by 1, the 22H2 update taking it to 19045.

The ISO for 19045 contains the 19041 system files, plus the 22H2 Enablement Package which it will install at the same time.