MHimken / WinRE-Customization

WinRE Customization to apply patches, drivers and soon™ language packs
https://manima.de/2023/01/modify-winre-patches-drivers-and-cve-2022-41099/
MIT License

WinRE-Customization

Customizes WinRE; recent updates are listed in the changelog. The script applies patches and drivers, and resizes or creates the recovery partition if required.

This script was initially created to automate remediation of CVE-2022-41099; it can also be used to patch WinRE monthly in an automated fashion. The script verifies the size of your recovery partition and resizes it if required.

Please read https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-update-to-winre to learn which patches you should apply. GDR-DU and LCU packages should only be applied to fix major issues; they take about 8-10 minutes. SOS and DU packages are extremely small and take seconds to apply (less than a minute).

Applies to

As of 15.08.24 this script can be used to remediate issues around the following KBs, which otherwise require manual interaction:

Prerequisites

The script generally tries to detect states it cannot handle. Please consult the log (CMTrace compatible). If you encounter a scenario that needs fixing, please contact me or open an issue so I can investigate.

Attention: this can only be done in an automated fashion if the disk:

A description of each parameter comes with the script.

Addressing the script offered by Microsoft

Microsoft released their own script officially on https://support.microsoft.com/en-us/topic/kb5025175-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2022-41099-ba6621fa-5a9f-48f1-9ca3-e13eb56fb589.

In it, the following information is given:

If the BitLocker TPM protector is present, reconfigures WinRE for BitLocker service. Important This step is not present in most third-party scripts for applying updates to the WinRE image.

This most likely refers to the following snippet from their code (empty lines trimmed):

    if (IsTPMBasedProtector)
    {
        # Disable WinRE and re-enable it to let new WinRE be trusted by BitLocker
        LogMessage("Disable WinRE")
        reagentc /disable
        LogMessage("Re-enable WinRE")
        reagentc /enable
        reagentc /info
    }

The order for this script is (because it made the most sense to me):

  1. Backup WinRE - the script does this even if you specify to delete the backup later.
    • This disables the Recovery Agent so that the .wim file can be backed up elsewhere.
    • This also verifies that the Recovery Agent can be safely disabled and that the .wim is accessible.
  2. Mount the WinRE using the new method that was provided here https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-update-to-winre?view=windows-11#apply-the-update-to-a-running-pc
  3. Apply whatever you provided to the script (as of writing drivers or patches)
  4. Dismount the image and try to commit the changes
  5. Enable the Recovery Agent
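The five steps above, written out as an added PowerShell example (this is not the project's script and not Microsoft's code). It assumes the DISM PowerShell cmdlets are available, that the work folder, package folder and driver folder under C:\WinRE-Work are the locations you choose, and that after `reagentc /disable` the image sits at %SystemRoot%\System32\Recovery\Winre.wim. The BitLocker TPM-protector check mirrors the condition in Microsoft's snippet; the log writer emits the CMTrace line format mentioned under Prerequisites. On any failure during steps 3-4 the image is discarded, the backup is restored and the Recovery Agent is re-enabled, so the machine never ends up without a registered WinRE.

```powershell
#Requires -RunAsAdministrator
# Added example, not the project's own script. All paths below are assumptions.
param(
    [string]$Work       = 'C:\WinRE-Work',     # assumption: scratch root
    [string]$PackageDir = 'C:\WinRE-Work\Packages',  # assumption: .msu/.cab files to apply
    [string]$DriverDir  = 'C:\WinRE-Work\Drivers',   # assumption: INF driver folders
    [switch]$KeepBackup
)
$ErrorActionPreference = 'Stop'
$Log    = Join-Path $Work 'WinRE-Customization.log'
$Mount  = Join-Path $Work 'Mount'
# reagentc /disable moves the image out of the recovery partition to this path.
$Wim    = Join-Path $env:SystemRoot 'System32\Recovery\Winre.wim'
$Backup = Join-Path $Work 'Winre.wim.bak'

function Write-CMTraceLog {
    # CMTrace-compatible line; type 1 = info, 2 = warning, 3 = error
    param([string]$Message, [ValidateSet(1, 2, 3)][int]$Type = 1)
    $now  = Get-Date
    $line = '<![LOG[{0}]LOG]!><time="{1}" date="{2}" component="WinRE" context="" type="{3}" thread="{4}" file="">' -f
            $Message, $now.ToString('HH:mm:ss.fff+000'), $now.ToString('MM-dd-yyyy'), $Type, $PID
    Add-Content -Path $Log -Value $line
}

function Invoke-ReagentC {
    # Runs reagentc.exe and turns a non-zero exit code into a terminating error
    param([string[]]$Arguments)
    $out = & "$env:SystemRoot\System32\reagentc.exe" @Arguments
    if ($LASTEXITCODE -ne 0) { throw "reagentc $Arguments failed with exit code $LASTEXITCODE" }
    $out
}

function Test-TpmProtector {
    # True when the OS volume has any TPM-based BitLocker key protector
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
}

New-Item -ItemType Directory -Path $Work, $Mount -Force | Out-Null
Write-CMTraceLog "TPM-based BitLocker protector present: $(Test-TpmProtector)"

# 1. Backup: disabling the Recovery Agent makes the .wim accessible at a known path
#    and proves the agent can be disabled at all.
Invoke-ReagentC '/disable' | Out-Null
if (-not (Test-Path $Wim)) { throw "Winre.wim not found at $Wim after reagentc /disable" }
Copy-Item -Path $Wim -Destination $Backup -Force
Write-CMTraceLog "Backed up $Wim to $Backup"

try {
    # 2. Mount the image
    Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null

    # 3. Apply whatever was provided: packages first, then drivers
    Get-ChildItem -Path $PackageDir -Include *.msu, *.cab -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-CMTraceLog "Adding package $($_.Name)"
            Add-WindowsPackage -Path $Mount -PackagePath $_.FullName | Out-Null
        }
    if (Test-Path $DriverDir) {
        Write-CMTraceLog "Adding drivers from $DriverDir"
        Add-WindowsDriver -Path $Mount -Driver $DriverDir -Recurse | Out-Null
    }

    # 4. Dismount and commit
    Dismount-WindowsImage -Path $Mount -Save | Out-Null
    Write-CMTraceLog 'Changes committed to Winre.wim'
    if (-not $KeepBackup) { Remove-Item -Path $Backup -Force }
}
catch {
    # Never leave a half-patched image behind: discard and put the backup back.
    Write-CMTraceLog "Customization failed, restoring backup: $_" 3
    Dismount-WindowsImage -Path $Mount -Discard -ErrorAction SilentlyContinue | Out-Null
    Copy-Item -Path $Backup -Destination $Wim -Force
    throw
}
finally {
    # 5. Re-enable the Recovery Agent. This registers the (new) image again, which is
    #    the same disable/enable cycle Microsoft's snippet relies on for BitLocker trust.
    Invoke-ReagentC '/enable' | Out-Null
    Invoke-ReagentC '/info' | ForEach-Object { Write-CMTraceLog $_ }
}
```

The backup is taken unconditionally and only removed after a successful commit, matching the note under step 1; a failed run therefore always leaves Winre.wim.bak in the work folder for inspection. Open the log in CMTrace to see the type 3 entry if the catch block fired.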

All in all, the script does exactly the same thing, although by accident: disabling and re-enabling the Recovery Agent appears to re-sign (re-register) the partition or the .wim so that Secure Boot/BitLocker can still trust the recovery partition. If you think about it, this makes sense, because otherwise an attacker could simply replace the .wim in the unprotected partition.

So far, I haven't received any reports of Secure Boot or BitLocker itself acting up (unless the script never fully ran!). If you used this script to apply your patches, you should be fine. The obvious caveat is that I'm not an MS employee and cannot vouch for the accuracy of what I have just described. You still use this script at your own risk!

Noteworthy content

Relevant CVEs: CVE-2022-41099 CVE-2024-20666

Relevant patches:

Thanks to everyone that helped build this, especially https://homotechsual.dev/