IMPORTANT Issue to be aware of if you use BitLocker on your OS drive


I am totally confused by this thread - I see statements on the internet that imply MS have updated Windows now and it is only an issue for older installations. Then I see others that imply they have not.

Does anybody actually know?
 

In a nutshell, the update MS rolls out only updates the files within Windows itself; to update the files on the recovery partition you have to manually follow the procedures as outlined on the MS website and in this forum thread.
 

Yeah - I get that but my point is some sites say you do not need to do that as MS have already updated the files on recovery partition. Maybe that is garbage.
 

I haven't seen any sites that say that, and the official information on the MS site still says you have to update the recovery partition manually. Can't see how they can do it automatically to be honest, especially going on how many different issues I hit when trying to do it manually; they were enough of a problem without MS trying some automated method, which is more likely to cause more problems to be honest.
 

I've got a support call logged with Microsoft to see if they have any suggestions on how to roll a fix out to a couple thousand machines. Given the complexity of the script on this thread and the issues it randomly throws up, I don't expect them to have a magic fix, but I'm asking the question.

Even deploying with Intune or GPO is going to be problematic.
 

If all of your machines are running the same build of Windows then just follow the steps on the first machine to create an updated winre.wim and then deploy that wim file to the remaining machines. You don't need to follow all the steps on all the machines, which saves a lot of time; that is what I did to roll it out to 350+ machines quite quickly.

Just created an updated winre.wim, then with a script connected to each machine using Enter-PSSession, ran reagentc /disable, copied my updated winre.wim to c:\windows\system32\recovery overwriting the existing file, and then ran reagentc /enable.
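The rollout described in the post above, written out as an added example that is not the poster's script: it takes one already-updated winre.wim and applies the same disable/copy/enable sequence over PowerShell Remoting, with a build check so an image made on one Windows build is never pushed to a machine running another. `$ComputerName`, `$WimPath`, and the use of `Invoke-Command`/`Copy-Item -ToSession` instead of an interactive `Enter-PSSession` are my choices, not the thread's; the script assumes WinRM is enabled on the targets, local administrator rights on each, and the DISM PowerShell module on the machine you run it from.

```powershell
<#
  Added example, not code from the thread: push one already-updated winre.wim
  to remote machines that run the same Windows build, using the
  reagentc /disable -> copy -> reagentc /enable sequence described above.
  Assumptions: PowerShell Remoting is enabled on the targets, you are a local
  administrator on each, the DISM PowerShell module is available locally, and
  $WimPath points at the winre.wim you already updated on the first machine.
#>
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [Parameter(Mandatory)] [string]   $WimPath
)

# Read the OS build the updated image was built for, e.g. 10.0.22621 -> 22621.
$wim      = Get-WindowsImage -ImagePath $WimPath -Index 1
$wimBuild = ([version]$wim.Version).Build
Write-Host "Source image: version $($wim.Version), SPBuild $($wim.SPBuild)"

# Where reagentc /disable stages winre.wim once it is taken off the recovery partition.
$staged = 'C:\Windows\System32\Recovery\winre.wim'

foreach ($pc in $ComputerName) {
    $session = New-PSSession -ComputerName $pc -ErrorAction Stop
    try {
        # The post's precondition: same build everywhere. Refuse a mismatch rather
        # than leave a machine with a WinRE image built for a different OS build.
        $targetBuild = Invoke-Command -Session $session {
            [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
        }
        if ($targetBuild -ne $wimBuild) {
            Write-Warning "$pc runs build $targetBuild but the image is build $wimBuild; skipping"
            continue
        }

        # 1. Disable WinRE; this moves winre.wim off the recovery partition into $staged.
        Invoke-Command -Session $session { reagentc.exe /disable | Out-Null }

        # 2. Keep the old image next to the new one, then overwrite it (-Force handles the hidden attribute).
        Invoke-Command -Session $session -ArgumentList $staged {
            param($p)
            if (Test-Path $p) { Copy-Item -Path $p -Destination "$p.bak" -Force }
        }
        Copy-Item -Path $WimPath -Destination $staged -ToSession $session -Force

        # 3. Re-enable WinRE; reagentc moves the new image back onto the recovery partition.
        Invoke-Command -Session $session { reagentc.exe /enable | Out-Null }

        # 4. Report the resulting status line so a failure is visible per machine.
        $statusLine = Invoke-Command -Session $session { (reagentc.exe /info) -match 'Windows RE status' }
        Write-Host "$pc : $statusLine"
    }
    finally {
        Remove-PSSession -Session $session
    }
}
```

Each machine ends with its `reagentc /info` status line printed; anything other than "Enabled" after step 3 is the point to stop and look at that machine before moving on, which is the kind of per-machine failure the thread reports hitting.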
 

Ahh - OK, so yeah that certainly helps, thank you.

I think someone else mentioned this earlier in the thread, but it makes you wonder what stops someone wanting to exploit the vulnerability just overwriting the WIM again with an older version when they have physical access.
 

No probs

Yes, that is a separate issue, but if they have physical access then they potentially have access to your data anyway, so the problem is more than just this vulnerability, e.g. if they have physical access and the workstation is left unlocked etc.
 

I work extensively with DISM and have always made it a habit to first install the ADK to be certain that I am running the latest version. Still, I rather doubt that this is the problem, but it's worth a shot.

A couple of tips if you decide to do this:

1) When installing the ADK, you get the option to select from a whole bunch of different components to install. The only option that you need to select is the deployment tools.

2) After installing the ADK, one of the installed items will be Windows Kits > Deployment and Imaging Tools Environment. Use that to run DISM. This is basically a modified command prompt with the correct paths to the ADK version of tools such as DISM.
I continue to get the same error message about the path not being found, even on a new computer that I just turned BitLocker on for testing. This is so frustrating. Do you think I could send you my dism.log to see if you can spot something I am missing? Thanks for all your help with this.
 

Sure, that would be fine.
 

Ahh - OK, so yeah that certainly helps, thank you.

I think someone else mentioned this earlier in the thread, but it makes you wonder what stops someone wanting to exploit the vulnerability just overwriting the WIM again with an older version when they have physical access.
Yes, and @wingers comment is not correct, when he writes "if they have physical access then they have access to your data anyway potentially".

The encryption is helping against people with physical access, that's why it's done in the first place. "Potentially accessible" until now meant "it's potentially possible to break the encryption key", but from now on, it means "just give me a machine that is turned on (but locked) or that is startable without preboot authentication and I can defeat BitLocker (after I have undone the patch) as soon as the undisclosed details of how to do it become available".

So while most here worry about how to apply the patch, you should just disable WinRE completely to be on the safe side again. No one needs WinRE. All its options are available from a bootable USB-based Windows setup as well, so you don't lose a thing doing so.
reagentc.exe /disable
This line, deployed as an immediate scheduled task (executor: system), would save your day in the office.
 

You have only quoted part of what I said - I clearly said "...e.g. if they have physical access AND workstation left unlocked etc".
 

I didn't need to quote that, since it is not what we have here. This is no exploit that needs an unlocked ("etc") machine. It is an exploit that still works against Bitlocker in standard config on a machine that is turned off.
 

I was answering somebody else's point about the vulnerability, just meaning if unlocked and they have access then it is too easy to replace the patched winre.wim with an unpatched one etc. I fully understand how the exploit works and what we have here thanks; been part of the discussion since the start, and have spent enough years working in IT, and enough time fixing this issue on hundreds of computers. Thankfully we use pre-boot authentication with BitLocker so it makes everything much more secure - until the next vulnerability.....
 

Ok... I didn't mean to step on your toes. Just saying, don't patch but disable if you care for your data. You have not won a thing if you patch if your opponent has physical access, while your opponent has truly won a thing with this exploit if you patch WinRE but leave it enabled.
 

Fair enough, but even if you do disable it, what is stopping someone if they gain access somehow (e.g. like I said via a machine which has been left unlocked for example) enabling it again, and copying an unpatched winre.wim - and then you are back to square one - a vulnerable machine. The whole thing is a mess and Microsoft don't seem to know what to do about it.
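The concern above (WinRE quietly re-enabled and an older winre.wim dropped back in) is something a fleet can at least detect, even where it cannot prevent it against someone who already holds local administrator rights. The following audit script is an added example, not code from the thread or from Microsoft: it parses `reagentc /info`, reads the version and SPBuild of whichever winre.wim is actually in place, and reports one of the two end states argued for in this thread (WinRE disabled, or WinRE enabled with an image at or above a minimum build). `$MinimumSpBuild` is a placeholder for the SPBuild of the patched image you deployed, since the thread gives no number, and `Get-WinReAudit` is my own function name; the script also assumes DISM will open the `\\?\GLOBALROOT...` path that `reagentc /info` reports for an enabled WinRE.

```powershell
<#
  Added example, not code from the thread: audit one machine's WinRE state so
  that "WinRE re-enabled with an older winre.wim" shows up in reporting instead
  of going unnoticed. Run elevated. Assumptions: $MinimumSpBuild is a placeholder
  for the SPBuild of the patched image you deployed (the thread gives no number),
  and DISM can open the \\?\GLOBALROOT path that reagentc /info reports for an
  enabled WinRE (behaviour observed in practice, not taken from the thread).
#>
param([int] $MinimumSpBuild = 0)

function Get-WinReAudit {
    param([int] $MinimumSpBuild)

    # reagentc /info prints lines such as "Windows RE status: Enabled" and
    # "Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE".
    $info     = reagentc.exe /info
    $status   = ''
    $location = ''
    if ($m = $info | Select-String 'Windows RE status:\s*(\S+)')         { $status   = $m.Matches[0].Groups[1].Value }
    if ($m = $info | Select-String 'Windows RE location:\s*(\S.*?)\s*$') { $location = $m.Matches[0].Groups[1].Value }

    $result = [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $status
        Location  = $location
        Version   = $null
        SPBuild   = $null
        Compliant = $false
        Note      = ''
    }

    # Enabled: the image sits on the recovery partition at the reported location.
    # Disabled: reagentc leaves the staged copy under System32\Recovery.
    $wimPath = if ($status -eq 'Enabled' -and $location) { "$location\winre.wim" } else { 'C:\Windows\System32\Recovery\winre.wim' }
    try {
        $img = Get-WindowsImage -ImagePath $wimPath -Index 1 -ErrorAction Stop
        $result.Version = $img.Version
        $result.SPBuild = [int]$img.SPBuild
    }
    catch {
        $result.Note = "cannot read $wimPath ($($_.Exception.Message))"
        return $result
    }

    # The two acceptable end states argued in the thread: WinRE disabled, or
    # WinRE enabled with an image at or above the patched build.
    if ($status -eq 'Disabled') {
        $result.Compliant = $true
        $result.Note = 'WinRE disabled'
    }
    elseif ($result.SPBuild -ge $MinimumSpBuild) {
        $result.Compliant = $true
        $result.Note = 'patched image in place'
    }
    else {
        $result.Note = "WinRE enabled with SPBuild $($result.SPBuild) below minimum $MinimumSpBuild"
    }
    return $result
}

Get-WinReAudit -MinimumSpBuild $MinimumSpBuild | Format-List
```

Run it elevated on each machine (for instance through the same remoting session used for deployment) and collect the returned objects centrally; `Compliant = $false` with the note "WinRE enabled with SPBuild ... below minimum ..." is the drift case this thread is worried about, and a `cannot read` note means the image is not where reagentc says it is, which is worth a look on its own.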
 

If someone gains access to my unlocked machine, I am an idiot, who should not worry about security - I think anyone should agree.
For all other cases hiding behind "somehow": to modify WinRE.wim (or to re-enable WinRE) when the machine is online, you need to gain administrative permissions first. If you gain those, you have passed the BitLocker hurdle already, since you may read the recovery key now or add protectors or decrypt.
 

The number of times I walk around a workplace and see users leaving machines unlocked. And we all know of tools that can be run on an unlocked machine, whether you have admin rights or not, that will allow you to raise privileges or gain access to the file system etc, so re-enabling the recovery partition and copying over an unpatched winre.wim isn't exactly difficult. But whatever we do in IT we can't control users' behaviour or stupidity, and whenever we fix one vulnerability another one will soon open up; all we can do is protect ourselves as much as possible.
 

If you had exploits to elevate your privs from user to admin handy at any time, you would be winning Pwn2Own over and over. There's no arsenal of Windows-internal unpatched exploits commonly available. But this one here allows you to tear down the main barrier. "all we can do is protect ourselves as much as possible" - Yes! So let's not downplay this one and discuss scripted patching. Disable it. That's how you protect as much as possible.
 

With it disabled you do lose some useful functionality, e.g. startup repair I believe, and with lots of my workforce still working remotely, spread over hundreds of miles, things like that have often proved useful when a computer fails to boot and fixes itself etc. Without it, that would mean several hours' drive and hours of lost work etc to get a laptop fixed, so it is not always as simple as disabling it for all organizations, hence why we chose to patch it and not lose functionality that has proved useful in the past. This thread was to discuss the threat and how to fix it. If you want to disable it then fine, but we are all free to discuss and make our own decisions, hence why we are on a discussion forum. One solution doesn't always work for everyone. So we chose to patch, and make sure all computers using BitLocker use pre-boot. For now that is our choice.
 
