Part 2: Applying the mitigation

Microsoft provides a guide for applying the mitigation here. Note: Once applied, the computer will only work with USB boot media using Bootx64.efi signed by Windows UEFI 2023 CA.

GaryTown.com has detailed the remediation and produced a Task Sequence zip here so you dont have to start from scratch. I recommend downloading this Task Sequence and testing it ( will produce a follow up entry breaking this Task Sequence down). After implementation, your computer will be protected from CVE-2023-24932.

However, with Secure Boot enabled, you'll need USB boot media with Bootx64.efi signed by Windows UEFI 2023 CA otherwise it will fail. The mitigation Task Sequence once applied cannot be undone.

I created a script using David Segura's OSD Module to quickly generate a ConfigMgr ready Boot.wim and supported USB files.

Using the Create_WinPE_WindowsUEFI2023CA signed.ps1 script, the New-OSDCloudWorkspace function will create a working directory C:\WinPE_x64_OSDWorkSpace and place all the necessary files including the new Bootx64.efi signed by Windows UEFI 2023 CA.

#Requires PS Module OSD as pre-req
#install-module -Name OSD

#Update these to suit your needs
$WinPE_x64WorkSpace = "C:\WinPE_x64_OSDWorkSpace"
$MountDir = "C:\WinPE_x64_MountDir"
#remove-item $WinPE_x64WorkSpace -Force

#Default ADK Paths
$ADKPath = "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit"
$ADKPathPE = "$ADKPath\Windows Preinstallation Environment"

if (Test-Path -Path $ADKPathPE){
    Write-Host "Found ADK PE: $ADKPathPE" -ForegroundColor Green
    $ADKImage = Get-WindowsImage -ImagePath "$ADKPathPE\amd64\en-us\winpe.wim" -Index 1
}
else {
    Write-Host "Did not detect ADK in path $ADKPathPE"
    throw
}
if (!(test-path -path "$WinPE_x64WorkSpace")){New-Item -Path $WinPE_x64WorkSpace -ItemType Directory | Out-Null}
if (!(test-path -path "$MountDir")){New-Item -Path $MountDir -ItemType Directory | Out-Null}

#Create OSDCloud Template - This will build x64 template
#remove-item C:\ProgramData\OSDCloud\Templates -force
$OSDCloudTemplateName = 'x64'
if ((Get-OSDCloudTemplateNames) -notcontains "$OSDCloudTemplateName"){
    New-OSDCloudTemplate -Name x64 
    
}

#Create the OSDCloud WorkSpace - This will be created based on the template
#This command will mount the winpe.wim file to programdata and apply component cabs. When finished it will copy to directory $WinPE_x64WorkSpace called boot.wim
New-OSDCloudWorkspace -WorkspacePath $WinPE_x64WorkSpace
#Update-OSDCloudWorkspace -WorkspacePath $WinPE_x64WorkSpace

#Create the USBStick - First time
#This will copy the contents of $WinPE_x64WorkSpace to the USB stick.  If you followed the UpdateADK.ps1 script the boot stick will be Windows UEFI 2023 CA signed
New-OSDCloudUSB -WorkspacePath $WinPE_x64WorkSpace

#If you need to boot with Windows UEFI 2011 CA signed  (before applying the Remediation) change the bootx64.efi file back to the 2011 signed file. The UpdateADK.ps1 backed this file up. 
#Assumes D: is your USB drive letter
Copy-Item "$ADKPathPE\amd64\Media\bootmgr.efi.2011" "D:\bootmgr.efi" -Force -Verbose
Copy-Item "$ADKPathPE\amd64\Media\EFI\Boot\bootx64.efi.2011" "D:\EFI\Boot\bootx64.efi" -Force -Verbose

If you need to produce a USB boot image to support a system that has not ran the mitigation see line 40 and 41. This will copy back the bootx64.efi Windows UEFI 2011 CA signed. This line assumes your USB has been allocated the drive letter D:.

https://github.com/systemcenterblog/Blog/blob/master/ConfigMgr/Baselines/CVE-2023-24932/Create_WinPE_WindowsUEFI2023CA%20signed.ps1

#Ensure you have you have updated your ADK directory; https://github.com/systemcenterblog/Blog/blob/master/ConfigMgr/Baselines/CVE-2023-24932/UpdateADK.ps1

#Update these to suit your needs
$WinPE_x64WorkSpace = "C:\WinPE_x64_OSDWorkSpace"
$MountDir = "C:\WinPE_x64_MountDir"
#remove-item $WinPE_x64WorkSpace -Force

#Default ADK Paths
$ADKPath = "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit"
$ADKPathPE = "$ADKPath\Windows Preinstallation Environment"

if (Test-Path -Path $ADKPathPE){
    Write-Host "Found ADK PE: $ADKPathPE" -ForegroundColor Green
    $ADKImage = Get-WindowsImage -ImagePath "$ADKPathPE\amd64\en-us\winpe.wim" -Index 1
}
else {
    Write-Host "Did not detect ADK in path $ADKPathPE"
    throw
}
if (!(test-path -path "$WinPE_x64WorkSpace")){New-Item -Path $WinPE_x64WorkSpace -ItemType Directory | Out-Null}
if (!(test-path -path "$MountDir")){New-Item -Path $MountDir -ItemType Directory | Out-Null}

#Create OSDCloud Template - This will build x64 template
#remove-item C:\ProgramData\OSDCloud\Templates -force
$OSDCloudTemplateName = 'x64'
if ((Get-OSDCloudTemplateNames) -notcontains "$OSDCloudTemplateName"){
    New-OSDCloudTemplate -Name x64 
    
}

#Create the OSDCloud WorkSpace - This will be created based on the template
#This command will mount the winpe.wim file to programdata and apply component cabs. When finished it will copy to directory $WinPE_x64WorkSpace called boot.wim
New-OSDCloudWorkspace -WorkspacePath $WinPE_x64WorkSpace
#Update-OSDCloudWorkspace -WorkspacePath $WinPE_x64WorkSpace

#Create the USBStick - First time
#This will copy the contents of $WinPE_x64WorkSpace to the USB stick.  If you followed the UpdateADK.ps1 script the boot stick will be Windows UEFI 2023 CA signed
New-OSDCloudUSB -WorkspacePath $WinPE_x64WorkSpace

#If you need to boot with Windows UEFI 2011 CA signed  (before applying the Remediation) change the bootx64.efi file back to the 2011 signed file. The UpdateADK.ps1 backed this file up. 
#Assumes D: is your USB drive letter
Copy-Item "$ADKPathPE\amd64\Media\bootmgr.efi.2011" "D:\bootmgr.efi" -Force -Verbose
Copy-Item "$ADKPathPE\amd64\Media\EFI\Boot\bootx64.efi.2011" "D:\EFI\Boot\bootx64.efi" -Force -Verbose


#Add Modules to the finished OSDCloudWorkspace boot.wim if required.
<#
#Mount-WindowsImage -Path $MountDir -ImagePath "$WinPE_ARM64WorkSpace\media\sources\boot.wim" -Index 1 | out-null
Add PS Modules to the Boot Image
write-host "Saving PowerShell Modules to boot.wim" -ForegroundColor Green
Save-Module -Name PowerShellGet -Path "$MountDir\Program Files\WindowsPowerShell\Modules"
Save-Module -Name PackageManagement -Path "$MountDir\Program Files\WindowsPowerShell\Modules"
Save-Module -Name DellBIOSProvider -Path "$MountDir\Program Files\WindowsPowerShell\Modules" -AcceptLicense
Save-Module -name OSD -Path "$MountDir\Program Files\WindowsPowerShell\Modules"
#

#Add Drivers 
# Add-WindowsDriver -Path "c:\offline" -Driver "c:\test\drivers" -Recurse
if (Test-Path "$WinPE_x64WorkSpace\Drivers"){
    write-host "Adding Drivers from $WinPE_x64WorkSpace\Drivers to boot image" -ForegroundColor Green
    Mount-WindowsImage -Path $MountDir -ImagePath "$WinPE_x64WorkSpace\media\sources\boot.wim" -Index 1 | out-null
    Add-WindowsDriver -Path $MountDir -Driver "$WinPE_x64WorkSpace\Drivers" -Recurse | out-null #This will be a folder of drivers you collect to add to your WinPE... good luck
    Dismount-WindowsImage -Path $MountDir -Save | out-null
    write-host "Adding Drivers Complete" -ForegroundColor Green
}


#>

#Update (for if you add drivers or modify your boot.wim file, which you'll do when you want to update the PS Modules)
Update-OSDCloudUSB


#MakeWinPEMedia /UFD C:\WinPE_arm64 P:
#MakeWinPEMedia /UFD C:\WinPe P:
#>

PreviousPart 1: Bootx64.efi: Windows UEFI 2023 CA signed NextMicrosoft 365 App Authentication

Last updated 1 year ago