Part 2: Applying the mitigation

Microsoft provides a guide for applying the mitigation here. Note: Once applied, the computer will only work with USB boot media using Bootx64.efi signed by Windows UEFI 2023 CA.

GaryTown.com has detailed the remediation and produced a Task Sequence zip here so you don't have to start from scratch. I recommend downloading this Task Sequence and testing it (I will produce a follow-up entry breaking this Task Sequence down). After implementation, your computer will be protected from CVE-2023-24932.

However, with Secure Boot enabled, you'll need USB boot media with Bootx64.efi signed by Windows UEFI 2023 CA, otherwise it will fail to boot. Once applied, the mitigation Task Sequence cannot be undone.

I created a script using David Segura's OSD Module to quickly generate a ConfigMgr ready Boot.wim and supported USB files.

Using the Create_WinPE_WindowsUEFI2023CA signed.ps1 script, the New-OSDCloudWorkspace function will create a working directory C:\WinPE_x64_OSDWorkSpace and place all the necessary files including the new Bootx64.efi signed by Windows UEFI 2023 CA.

#Requires -Modules OSD
#The OSD PowerShell module is a pre-req: Install-Module -Name OSD

#Update these to suit your needs
$WinPE_x64WorkSpace = "C:\WinPE_x64_OSDWorkSpace"
$MountDir = "C:\WinPE_x64_MountDir"
#remove-item $WinPE_x64WorkSpace -Force

#Default ADK Paths
$ADKPath = "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit"
$ADKPathPE = "$ADKPath\Windows Preinstallation Environment"

if (Test-Path -Path $ADKPathPE){
    Write-Host "Found ADK PE: $ADKPathPE" -ForegroundColor Green
    $ADKImage = Get-WindowsImage -ImagePath "$ADKPathPE\amd64\en-us\winpe.wim" -Index 1
}
else {
    Write-Host "Did not detect ADK in path $ADKPathPE"
    throw "ADK WinPE add-on not found at $ADKPathPE"
}
if (!(test-path -path "$WinPE_x64WorkSpace")){New-Item -Path $WinPE_x64WorkSpace -ItemType Directory | Out-Null}
if (!(test-path -path "$MountDir")){New-Item -Path $MountDir -ItemType Directory | Out-Null}

#Create OSDCloud Template - This will build the x64 template
#remove-item C:\ProgramData\OSDCloud\Templates -force
$OSDCloudTemplateName = 'x64'
if ((Get-OSDCloudTemplateNames) -notcontains "$OSDCloudTemplateName"){
    New-OSDCloudTemplate -Name $OSDCloudTemplateName
}

#Create the OSDCloud WorkSpace - This will be created based on the template
#This command will mount the winpe.wim file to programdata and apply component cabs. When finished it will copy to directory $WinPE_x64WorkSpace called boot.wim
New-OSDCloudWorkspace -WorkspacePath $WinPE_x64WorkSpace
#Update-OSDCloudWorkspace -WorkspacePath $WinPE_x64WorkSpace

#Create the USBStick - First time
#This will copy the contents of $WinPE_x64WorkSpace to the USB stick.  If you followed the UpdateADK.ps1 script the boot stick will be Windows UEFI 2023 CA signed
New-OSDCloudUSB -WorkspacePath $WinPE_x64WorkSpace

#If you need to boot with Windows UEFI 2011 CA signed  (before applying the Remediation) change the bootx64.efi file back to the 2011 signed file. The UpdateADK.ps1 backed this file up. 
#Assumes D: is your USB drive letter
Copy-Item "$ADKPathPE\amd64\Media\bootmgr.efi.2011" "D:\bootmgr.efi" -Force -Verbose
Copy-Item "$ADKPathPE\amd64\Media\EFI\Boot\bootx64.efi.2011" "D:\EFI\Boot\bootx64.efi" -Force -Verbose

If you need to produce a USB boot image to support a system that has not run the mitigation, see lines 40 and 41 of the script (the two Copy-Item commands at the end). These copy back the Windows UEFI 2011 CA signed bootx64.efi and bootmgr.efi. Those lines assume your USB stick has been allocated the drive letter D:.
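Before swapping boot files around it helps to know which CA the machine trusts and which CA signed the media you are about to boot. The helper below is an added example, not part of the original script, David Segura's OSD module, or GaryTown's Task Sequence. It assumes the mitigation adds the "Windows UEFI CA 2023" certificate to the Secure Boot DB and adds "Microsoft Windows Production PCA 2011" to DBX (the same substring checks Microsoft documents for this mitigation), and that a 2023-signed bootx64.efi has an Authenticode issuer string containing "Windows UEFI CA 2023". The drive letter D: is only a default matching the script above.

```powershell
# Added verification helper (assumption-labelled; not the page's or the OSD module's code).
# Run from an elevated PowerShell session on a UEFI machine with Secure Boot enabled.

function Get-SecureBootCAState {
    # Read the Secure Boot DB and DBX variables and look for the CA names as ASCII substrings.
    # Assumption: these are the strings the mitigation places in DB and DBX.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    [pscustomobject]@{
        SecureBootEnabled = Confirm-SecureBootUEFI
        Has2023CAInDB     = [bool]($db  -match 'Windows UEFI CA 2023')
        PCA2011InDBX      = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    }
}

function Get-BootFileSigner {
    # Report which CA issued the Authenticode signer certificate on a boot file.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status
        Subject  = $subject
        Issuer   = $issuer
        # Assumption: 2023-signed media carries this issuer string.
        Is2023CA = [bool]($issuer -match 'Windows UEFI CA 2023')
    }
}

function Test-UsbBootCompatibility {
    # Combine machine trust state with media signing to predict whether the stick will boot.
    param([string]$UsbDrive = 'D:')
    $state = Get-SecureBootCAState
    $media = Get-BootFileSigner -Path (Join-Path $UsbDrive 'EFI\Boot\bootx64.efi')

    # 2023-signed media needs the 2023 CA in DB; 2011-signed media fails once PCA 2011 is in DBX.
    $compatible = ($media.Is2023CA -and $state.Has2023CAInDB) -or
                  ((-not $media.Is2023CA) -and (-not $state.PCA2011InDBX))

    [pscustomobject]@{
        SecureBootEnabled   = $state.SecureBootEnabled
        MitigationApplied   = $state.Has2023CAInDB -and $state.PCA2011InDBX
        MediaSignedBy2023CA = $media.Is2023CA
        MediaSignatureState = $media.Status
        ExpectedToBoot      = $compatible
    }
}

# Usage: run after New-OSDCloudUSB (or after copying the 2011 files back) to confirm the
# stick matches the state of the machine you intend to boot it on.
Test-UsbBootCompatibility -UsbDrive 'D:' | Format-List
```

Run this on a machine that has already had the mitigation applied and on one that has not; the ExpectedToBoot value tells you in advance whether you need the 2023-signed or the 2011-signed bootx64.efi on the stick, rather than finding out at the firmware prompt.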
