Issues running GetWinREversion.ps1 for (CVE-2022-41099) on endpoints

Has anyone been able to get the Microsoft-provided PowerShell GetWinREversion.ps1 fix for the WinPE vulnerability (CVE-2022-41099) to run via BigFix on endpoints?
If I run it as SYSTEM it does not run at all; if I run it as the current user, it partially runs.
If I run it manually, it runs fine.

I don’t see that script, do you have a reference link?

At https://support.microsoft.com/en-us/topic/kb5025175-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2022-41099-ba6621fa-5a9f-48f1-9ca3-e13eb56fb589 I do see two other scripts, PatchWinREScript_2004plus.ps1 and PatchWinREScript_General.ps1, are you trying to run one of those?

Yes, that is the link; it is the general one.
Here are the contents of the PowerShell script:

```powershell
################################################################################################
#
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
#
# THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
################################################################################################
Param (
    [Parameter(HelpMessage = "Work Directory for patch WinRE")][string]$workDir = ""
)
# ------------------------------------
# Help functions
# ------------------------------------
# Log message (timestamped, written to the console and therefore to the transcript)
function LogMessage([string]$message) {
    $message = "$([DateTime]::Now) - $message"
    Write-Host $message
}

# Inspect bootmenuux.dll inside the mounted WinRE image and decide whether the
# image already carries the fixed build. NOTE: despite its name, $needsUpdate is
# $True when the image is ALREADY patched (the caller logs it as "already patched").
function TargetfileVersionExam([string]$mountDir) {
    # Exam target binary
    $targetBinary = $mountDir + "\Windows\System32\bootmenuux.dll"
    LogMessage("TargetFile: " + $targetBinary)
    $realNTVersion = [Diagnostics.FileVersionInfo]::GetVersionInfo($targetBinary).ProductVersion
    $versionString = "$($realNTVersion.Split('.')[0]).$($realNTVersion.Split('.')[1])"
    $fileVersion = $realNTVersion.Split('.')[2]
    # Cast to [int]: with a string on the left, "-ge" does a lexical comparison
    # ("815" -ge 19567 is $True), which would misreport the patch state.
    $fileRevision = [int]($realNTVersion.Split('.')[3])
    LogMessage("Target file version: " + $realNTVersion)
    if (!($versionString -eq "10.0")) {
        LogMessage("Not Windows 10 or later")
        return $False
    }
    $needsUpdate = $False
    # Minimum fixed revisions per build:
    #Windows 10, version 1507 10240.19567
    #Windows 10, version 1607 14393.5499
    #Windows 10, version 1809 17763.3646
    #Windows 10, version 2004 1904X.2247
    #Windows 11, version 21H2 22000.1215
    #Windows 11, version 22H2 22621.815
    switch ($fileVersion) {
        "10240" {
            LogMessage("Windows 10, version 1507")
            if ($fileRevision -ge 19567) {
                LogMessage("Windows 10, version 1507 with revision " + $fileRevision + " >= 19567, updates have been applied")
                $needsUpdate = $True
            }
            break
        }
        "14393" {
            LogMessage("Windows 10, version 1607")
            if ($fileRevision -ge 5499) {
                LogMessage("Windows 10, version 1607 with revision " + $fileRevision + " >= 5499, updates have been applied")
                $needsUpdate = $True
            }
            break
        }
        "17763" {
            LogMessage("Windows 10, version 1809")
            if ($fileRevision -ge 3646) {
                LogMessage("Windows 10, version 1809 with revision " + $fileRevision + " >= 3646, updates have been applied")
                $needsUpdate = $True
            }
            break
        }
        # 19041 through 19045 share the 2004 servicing branch (the "1904X" line above);
        # matching only "19041" would send the later builds to the default branch.
        { $_ -match '^1904\d$' } {
            LogMessage("Windows 10, version 2004 or later (build " + $fileVersion + ")")
            if ($fileRevision -ge 2247) {
                LogMessage("Windows 10, version 2004 with revision " + $fileRevision + " >= 2247, updates have been applied")
                $needsUpdate = $True
            }
            break
        }
        "22000" {
            LogMessage("Windows 11, version 21H2")
            if ($fileRevision -ge 1215) {
                LogMessage("Windows 11, version 21H2 with revision " + $fileRevision + " >= 1215, updates have been applied")
                $needsUpdate = $True
            }
            break
        }
        "22621" {
            LogMessage("Windows 11, version 22H2")
            if ($fileRevision -ge 815) {
                LogMessage("Windows 11, version 22H2 with revision " + $fileRevision + " >= 815, updates have been applied")
                $needsUpdate = $True
            }
            break
        }
        default {
            LogMessage("Warning: unsupported OS version")
        }
    }
    return $needsUpdate, $fileVersion, $fileRevision
}

# ------------------------------------
# Execution starts
# ------------------------------------
# Log directory and transcript (-Force so an existing directory does not raise an error)
New-Item "C:\Users\Public\company\Logs" -ItemType Directory -Force | Out-Null
Start-Transcript -Path "C:\Users\Public\company\Logs\WinREversion.log" -Append

# Check breadcrumb left by a previous successful run
if (Test-Path HKLM:\Software\Microsoft\PushButtonReset) {
    $values = Get-ItemProperty -Path HKLM:\Software\Microsoft\PushButtonReset
    if ($values) {
        if (Get-Member -InputObject $values -Name WinREPathScriptSucceed) {
            $value = Get-ItemProperty -Path HKLM:\Software\Microsoft\PushButtonReset -Name WinREPathScriptSucceed
            if ($value.WinREPathScriptSucceed -eq 1) {
                LogMessage("This script was previously run successfully")
                Stop-Transcript
                exit 1
            }
        }
    }
}
if ([string]::IsNullOrEmpty($workDir)) {
    LogMessage("No input for mount directory")
    LogMessage("Use default path from temporary directory")
    $workDir = [System.IO.Path]::GetTempPath()
}
LogMessage("Working Dir: " + $workDir)
$name = "CA551926-299B-27A55276EC22_Mount"
$mountDir = Join-Path $workDir $name
LogMessage("MountDir: " + $mountDir)
# Delete existing mount directory
if (Test-Path $mountDir) {
    LogMessage("Mount directory: " + $mountDir + " already exists")
    LogMessage("Try to unmount it")
    Dism /unmount-image /mountDir:$mountDir /discard
    if (!($LASTEXITCODE -eq 0)) {
        LogMessage("Warning: unmount failed: " + $LASTEXITCODE)
    }
    LogMessage("Delete existing mount directory " + $mountDir)
    Remove-Item $mountDir -Recurse
}
# Create mount directory
LogMessage("Create mount directory " + $mountDir)
New-Item -Path $mountDir -ItemType Directory | Out-Null
# Set ACL for mount directory: drop inheritance, allow only SYSTEM and Administrators
LogMessage("Set ACL for mount directory")
icacls $mountDir /inheritance:r
icacls $mountDir /grant:r SYSTEM:"(OI)(CI)(F)"
icacls $mountDir /grant:r *S-1-5-32-544:"(OI)(CI)(F)"
# Mount WinRE (requires elevation; reagentc fails in a non-elevated context)
LogMessage("Mount WinRE:")
reagentc /mountre /path $mountDir
if ($LASTEXITCODE -eq 0) {
    # Check WinRE version and if it needs to be updated

    # ----------------------------------------------------
    # 3 OUTPUTS: $needsUpdate, $fileVersion, $fileRevision
    # ----------------------------------------------------
    $needsUpdate, $fileVersion, $fileRevision = TargetfileVersionExam($mountDir)

    LogMessage("File version: $fileVersion.$fileRevision" + ", already patched: " + $needsUpdate)

    Dism /unmount-image /mountDir:$mountDir /discard
    if (!($LASTEXITCODE -eq 0)) {
        LogMessage("Unmount failed: " + $LASTEXITCODE)
        Stop-Transcript
        exit 1
    }
}
else {
    LogMessage("Mount failed: " + $LASTEXITCODE)
}
# Cleanup Mount directory in the end
LogMessage("Delete mount directory")
Remove-Item $mountDir -Recurse

Stop-Transcript
```
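As an added example (not part of the forum post or of Microsoft's script): a stand-alone version check using the same minimum revisions as the posted script, but driven by a lookup table, accepting the whole 1904X build family, and comparing revisions as integers. It goes beyond the page by showing, on constructed version strings, how a string-typed revision comparison misreports the patch state. The function name and sample versions are assumptions.

```powershell
# Added example, not the forum's or Microsoft's code. Minimum fixed revisions
# are the ones listed in the posted script; version strings below are constructed.
$MinRevision = @{
    '10240' = 19567   # Windows 10, version 1507
    '14393' = 5499    # Windows 10, version 1607
    '17763' = 3646    # Windows 10, version 1809
    '1904X' = 2247    # Windows 10, version 2004 and the later 19041-19045 builds
    '22000' = 1215    # Windows 11, version 21H2
    '22621' = 815     # Windows 11, version 22H2
}

function Test-WinREBuildPatched {
    # $ProductVersion is the ProductVersion of bootmenuux.dll, e.g. "10.0.19041.2247"
    param([Parameter(Mandatory)][string]$ProductVersion)
    $parts = $ProductVersion.Split('.')
    if ($parts.Count -ne 4 -or "$($parts[0]).$($parts[1])" -ne '10.0') {
        return [pscustomobject]@{ Version = $ProductVersion; Supported = $false; Patched = $false }
    }
    $build    = $parts[2]
    $revision = [int]$parts[3]   # cast first: with a string on the left, -ge compares text
    # Collapse 19041..19045 onto the single "1904X" table entry
    $key = if ($build -match '^1904\d$') { '1904X' } else { $build }
    if (-not $MinRevision.ContainsKey($key)) {
        return [pscustomobject]@{ Version = $ProductVersion; Supported = $false; Patched = $false }
    }
    [pscustomobject]@{
        Version   = $ProductVersion
        Supported = $true
        Patched   = ($revision -ge $MinRevision[$key])
    }
}

# Constructed samples: 19045.2486 -> Patched True, 19041.2193 -> False,
# 22621.815 -> True, 22621.674 -> False, 10240.9999 -> False
'10.0.19045.2486', '10.0.19041.2193', '10.0.22621.815', '10.0.22621.674', '10.0.10240.9999' |
    ForEach-Object { Test-WinREBuildPatched $_ } | Format-Table -AutoSize

# The same revision compared the way an uncast Split() result would be (string on the left):
'string compare 9999 -ge 19567: ' + ('9999' -ge 19567)        # True  (lexical: "9" > "1")
'int compare    9999 -ge 19567: ' + ([int]'9999' -ge 19567)   # False (the correct answer)
```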

I don’t see this script at that link. The scripts at the site I linked require downloading the correct Windows Update and referencing the update path as part of the command line execution.

The PowerShell script that you’ve pasted here appears to run OK manually on my test machine, but if I run it repeatedly it shows `already patched: False` each time I run it. Do you have a usage page on this script?

My vulnerability management team tells me installing the latest cumulative patch resolves this. It may be an easier option.

They got that from Rapid7.