Microsoft PowerShell scripts to fix WinRE bypass on Windows 10 and 11


KB5025175: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2022-41099​

Applies to: Windows 10, Windows 11


Microsoft has developed a sample PowerShell script that can help you automate updating the Windows Recovery Environment (WinRE) on deployed devices to address the security vulnerabilities in CVE-2022-41099.

Sample PowerShell script

The sample PowerShell script was developed by the Microsoft product team to help automate the updating of WinRE images on Windows 10 and Windows 11 devices. Run the script with Administrator credentials in PowerShell on the affected devices. There are two scripts available—which script you should use depends on the version of Windows you are running. Please use the appropriate version for your environment.

PatchWinREScript_2004plus.ps1 (Recommended)

This script is for Windows 10, version 2004 and later versions, including Windows 11. We recommend that you use this version of the script, because it is more robust but uses features available only on Windows 10, version 2004 and later versions.


The second script is for Windows 10, version 1909 and earlier versions, but it executes on all versions of Windows 10 and Windows 11.

More information

With the device started up into the running version of Windows installed on the device, the script will perform the following steps:
  1. Mount the existing WinRE image (WINRE.WIM).
  2. Update the WinRE image with the specified Safe OS Dynamic Update (Compatibility Update) package available from the Windows Update Catalog. We recommend that you use the latest Safe OS Dynamic Update available for the version of Windows installed on the device.
  3. Unmount the WinRE image.
  4. If the BitLocker TPM protector is present, reconfigures WinRE for BitLocker service.
    Important: This step is not present in most third-party scripts for applying updates to the WinRE image.


The following parameters can be passed to the script:

  • workDir <Optional>: Specifies the scratch space used to patch WinRE. If not specified, the script will use the default temp folder for the device.
  • packagePath <Required>: Specifies the path and name of the OS-version-specific and processor-architecture-specific Safe OS Dynamic Update package to be used to update the WinRE image.

Note: This can be a local path or a remote UNC path, but the Safe OS Dynamic Update must be downloaded and available for the script to use.
.\PatchWinREScript_2004plus.ps1 -packagePath "\\server\share\
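The four steps and two parameters above, written out as an added PowerShell example; this is not Microsoft's PatchWinREScript_2004plus.ps1 or its general-purpose sibling, and it makes the following assumptions: it runs in an elevated PowerShell on the affected device, -packagePath points to an already downloaded Safe OS Dynamic Update .cab for that device's OS version and architecture (the package file name in the usage comment is a placeholder), and the reagentc /info output is parsed by its English labels. The point it adds beyond the text is the failure handling: the image is committed only when the package is confirmed present, so an apply error discards the mount instead of leaving a half-patched WINRE.WIM on the recovery partition, and the BitLocker re-registration (step 4) is keyed on an actual TPM protector check.

```powershell
<#
  Added example (not Microsoft's PatchWinREScript_*.ps1). Implements the four
  steps from KB5025175: mount WINRE.WIM, apply the Safe OS Dynamic Update,
  unmount, then re-register WinRE when a BitLocker TPM protector is present.
  Assumptions: elevated PowerShell; -packagePath is the Safe OS DU .cab matching
  this OS version/architecture; reagentc /info labels are English (the label
  strings below must be adjusted on a localized Windows).
#>
param(
    [Parameter(Mandatory = $true)][string]$packagePath,
    [string]$workDir = (Join-Path $env:TEMP 'WinREPatch')
)
$ErrorActionPreference = 'Stop'

function Get-ReagentcField([string[]]$lines, [string]$label) {
    # reagentc /info prints lines such as
    #   Windows RE location:  \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    $m = $lines | Select-String -Pattern "^\s*$label\s*:\s*(.+?)\s*$" | Select-Object -First 1
    if (-not $m) { throw "Field '$label' not found in reagentc /info output (English labels assumed)" }
    return $m.Matches[0].Groups[1].Value
}

function Get-WinREImagePath {
    $info = & reagentc.exe /info
    if ($LASTEXITCODE -ne 0) { throw "reagentc /info failed (exit code $LASTEXITCODE)" }
    $status = Get-ReagentcField $info 'Windows RE status'
    if ($status -ne 'Enabled') { throw "WinRE status is '$status'; run 'reagentc /enable' first" }
    # DISM accepts the \\?\GLOBALROOT form, so the recovery partition needs no drive letter.
    $location = (Get-ReagentcField $info 'Windows RE location').TrimEnd('\')
    return "$location\winre.wim"
}

function Test-BitLockerTpmProtector {
    # True when the OS volume has any TPM-based protector (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey).
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return $false }
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol) { return $false }
    return [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -match '^Tpm' })
}

if (-not (Test-Path -LiteralPath $packagePath)) { throw "Safe OS Dynamic Update not found: $packagePath" }
$mountDir = Join-Path $workDir 'mount'
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null

$wim = Get-WinREImagePath
Write-Host "Step 1: mounting $wim"
Mount-WindowsImage -ImagePath $wim -Index 1 -Path $mountDir | Out-Null
$applied = $false
try {
    Write-Host "Step 2: applying $packagePath"
    Add-WindowsPackage -Path $mountDir -PackagePath $packagePath | Out-Null
    # Confirm the package is actually in the image before committing it.
    $state = (Get-WindowsPackage -Path $mountDir -PackagePath $packagePath).PackageState
    if ($state -notin 'Installed', 'InstallPending') { throw "Unexpected package state '$state'" }
    Write-Host "Package state in mounted WinRE: $state"
    $applied = $true
}
catch {
    Write-Warning "Update failed, discarding changes: $_"
}
finally {
    # Step 3: commit only on success so a failed apply never leaves a half-patched WinRE on disk.
    if ($applied) { Dismount-WindowsImage -Path $mountDir -Save | Out-Null }
    else          { Dismount-WindowsImage -Path $mountDir -Discard | Out-Null }
}
if (-not $applied) { throw 'WinRE was not updated; the original WINRE.WIM is unchanged' }

# Step 4: disable/enable re-registers the patched image with BitLocker when a TPM protector exists.
if (Test-BitLockerTpmProtector) {
    Write-Host 'Step 4: BitLocker TPM protector found, re-registering WinRE'
    & reagentc.exe /disable
    if ($LASTEXITCODE -ne 0) { throw "reagentc /disable failed (exit code $LASTEXITCODE)" }
    & reagentc.exe /enable
    if ($LASTEXITCODE -ne 0) { throw "reagentc /enable failed (exit code $LASTEXITCODE)" }
}
else {
    Write-Host 'Step 4 skipped: no BitLocker TPM protector on the OS volume'
}
& reagentc.exe /info   # final WinRE state, useful for the change record

# Usage (the package file name is a placeholder):
#   .\Update-WinRE.ps1 -packagePath 'C:\Updates\SafeOS-DU-placeholder.cab'
```

Two checks worth keeping in a fleet rollout: run Get-WindowsImage -Mounted before starting, because a mount left behind by an interrupted earlier run makes Mount-WindowsImage fail, and compare the reagentc /info output before and after, since reagentc /enable will not report success if the recovery partition is too small for the larger patched image.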



Minor Threat
Does this mess with WinPE?
I do not use RE at all.
And by the way, this all updates the System Reserved partition?

