Microsoft PowerShell scripts to fix WinRE bypass on Windows 10 and 11

Staff

KB5025175: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2022-41099
Windows 10 Windows 11

Introduction
Microsoft has developed a sample PowerShell script that can help you automate updating the Windows Recovery Environment (WinRE) on deployed devices to address the security vulnerabilities in CVE-2022-41099.

Sample PowerShell script
The sample PowerShell script was developed by the Microsoft product team to help automate the updating of WinRE images on Windows 10 and Windows 11 devices. Run the script with Administrator credentials in PowerShell on the affected devices. There are two scripts available—which script you should use depends on the version of Windows you are running. Please use the appropriate version for your environment.

PatchWinREScript_2004plus.ps1 (Recommended)
This script is for Windows 10, version 2004 and later versions, including Windows 11. We recommend that you use this version of the script, because it is more robust but uses features available only on Windows 10, version 2004 and later versions.

PatchWinREScript_General.ps1
This script is for Windows 10, version 1909 and earlier versions, but executes on all versions of Windows 10 and Windows 11.

More information
With the device started up into the running version of Windows installed on the device, the script will perform the following steps:

Mount the existing WinRE image (WINRE.WIM).

Update the WinRE image with the specified Safe OS Dynamic Update (Compatibility Update) package available from the Windows Update Catalog. We recommend that you use the latest Safe OS Dynamic Update available for the version of Windows installed on the device.

Unmount the WinRE image.

If the BitLocker TPM protector is present, reconfigures WinRE for BitLocker service.
Important This step is not present in most third-party scripts for applying updates to the WinRE image.

Usage
The following parameters can be passed to the script:

Parameter Description
workDir <Optional> Specifies the scratch space used to patch WinRE. If not specified, the script will use the default temp folder for the device.
packagePath <Required> Specifies the path and name of the OS-version-specific and processor architecture-specific Safe OS Dynamic update package to be used to update the WinRE image.

Note This can be a local path or a remote UNC path but the Safe OS Dynamic Update must be downloaded and available for the script to use.
Example:
.\PatchWinREScript_2004plus.ps1 -packagePath "\\server\share\windows10.0-kb5021043-x64_efa19d2d431c5e782a59daaf2d.cab

Parameter	Description
workDir	<Optional> Specifies the scratch space used to patch WinRE. If not specified, the script will use the default temp folder for the device.
packagePath	<Required> Specifies the path and name of the OS-version-specific and processor architecture-specific Safe OS Dynamic update package to be used to update the WinRE image. Note This can be a local path or a remote UNC path but the Safe OS Dynamic Update must be downloaded and available for the script to use. Example: .\PatchWinREScript_2004plus.ps1 -packagePath "\\server\share\windows10.0-kb5021043-x64_efa19d2d431c5e782a59daaf2d.cab

Read more:

KB5025175: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2022-41099 - Microsoft Support

support.microsoft.com

Last edited: Mar 17, 2023

Click to expand...

ThrashZone

Minor Threat

Power User

VIP

Mar 17, 2023

#2

Hi,
Does this mess with winpe ?
I do not use re at all.
And by the way this all updates the system reserved partition ?

My Computer

System One

OS

Win-7-10-11Pro's

Computer type

PC/Desktop

Manufacturer/Model

Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x

CPU

10900k & 9940x & 5930k

Motherboard

z490-Apex & x299-Apex & x99-Sabertooth

Memory

Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb

Graphics Card(s)

Titan Xp & 1080ti FTW3 & evga 980ti gaming

Sound Card

Onboard Realtek x3

Monitor(s) Displays

1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series

Screen Resolution

1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly

Hard Drives

2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.

PSU

1000p2 & 1200p2 & 850p2

Case

D450 x2 & 1 Test bench in cherry Entertainment center

Cooling

Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled

Keyboard

G710+x3

Mouse

Redragon x3

Internet Speed

xfinity gigabyte

Browser

Firefox

Antivirus

mbam pro

You must log in or register to reply here.

Similar threads

Article

Win Update KB5034440 Security Update for Windows 11 (21H2) - Jan. 9

Replies: 0

Views: 729

Jan 10, 2024

Brink

Article

Configuring weather and more on the lock screen in Windows 10 and 11

Replies: 5

Views: 1K

Mar 30, 2024

cute two

C

Article

Microsoft Copilot in Windows starts to roll out to more Windows 11 and 10 devices

Replies: 2

Views: 800

Apr 11, 2024

Ghot

Article

Microsoft Expanding invitations to move to Windows 11 to more people

Replies: 2

Views: 751

Feb 28, 2024

PerpetualCycle

Article

Microsoft will automatically update Windows 11 22H2/21H2 to 23H2

Replies: 2

Views: 1K

Feb 21, 2024

Ghot

Completely Disable and Remove Copilot in Windows 11

This tutorial will show you how to completely disable the Windows Copilot feature and remove Copilot from the taskbar, Windows Search, and Microsoft Edge...
Brink

Mar 7, 2024
Enable or Disable Sudo Command in Windows 11

This tutorial will show you how to enable or disable the Sudo command for all users in Windows 11. Starting with Windows 11 build 26052 (Canary and Dev)...
Brink

Feb 8, 2024
Enable or Disable Feeds on Widgets Board in Windows 11

This tutorial will show you how to enable or disable news feeds on the widgets board for your account in Windows 11. Widgets are small windows that display...
Brink

Dec 4, 2023
Use ViVeTool to Enable or Disable Hidden Features in Windows 11

This tutorial will show you how to use ViVeTool to enable or disable hidden features in Windows 10 and Windows 11. ViVeTool is an open source tool that can...
Brink

Dec 1, 2023
Always or Never Combine Taskbar buttons and Hide Labels in Windows 11

This tutorial will show you how to always, when the taskbar is full, or never combine taskbar buttons and hide labels for your account, specific users, or...
Brink

May 24, 2023
Disable Modern Standby in Windows 10 and Windows 11

This tutorial will show you how to disable Modern Standby (S0 Low Power Idle) to enable S3 support on a Windows 10 and Windows 11 device. In Windows 10 and...
Brink

Jan 11, 2022
Disable "Show more options" context menu in Windows 11

This tutorial will show you how to enable or disable having to click on "Show more options" to see the full context menu for your account or all users in...
Brink

Oct 4, 2021
Download Official Windows 11 ISO file from Microsoft

This tutorial will show you how to download an official Windows 11 ISO file from Microsoft. Microsoft provides ISO files for Windows 11 to download. You...
Brink

Aug 19, 2021
Restore Classic File Explorer with Ribbon in Windows 11

This tutorial will show you how to restore the classic File Explorer with Ribbon for your account or all users in Windows 11. File Explorer in Windows 10...
Brink

Jul 19, 2021
Repair Install Windows 11 with an In-place Upgrade

This tutorial will show you how to do a repair install of Windows 11 by performing an in-place upgrade without losing anything. If you need to repair or...
Brink

Jul 5, 2021
Enable or Disable Windows Sandbox in Windows 11

This tutorial will show you how to enable or disable the Windows Sandbox feature for all users in Windows 11 Pro, Enterprise, or Education. Windows Sandbox...
Brink

Jun 30, 2021
Clean Install Windows 11

This tutorial will show you step by step on how to clean install Windows 11 at boot on your PC with or without an Internet connection and setup with a local...
Brink

Jun 22, 2021