Microsoft has developed a PowerShell script that automates updating the Windows Recovery Environment (WinRE) on the devices where it is deployed, in order to address the security vulnerability tracked as CVE-2022-41099.
PowerShell script to fix WinRE vulnerability released
The Microsoft product team developed the PowerShell script to automate the updating of WinRE images on Windows 11 and Windows 10 devices. You will have to run the script from an elevated (Administrator) PowerShell session on the affected device, and from what we have gathered, two scripts are available.
Which script you should use depends on the version of Windows currently installed on your computer, so make sure to use the one designed for your environment.
What are the two scripts?
The recommended script is PatchWinREScript_2004plus.ps1. It was created for Windows 10 version 2004 and later, including Windows 11. Microsoft says everyone who can should use this version of the script in preference to the other.
This script is more robust but takes advantage of features only found in Windows version 2004 or later.
The second script is PatchWinREScript_General.ps1. It was created with Windows 10 version 1909 and earlier in mind. However, it will execute on all versions of Windows 10 and Windows 11 without problems.
The script performs the following steps, according to Microsoft:
- Mount the existing WinRE image (WINRE.WIM).
- Update the WinRE image with the specified Safe OS Dynamic Update (Compatibility Update) package available from the Windows Update Catalog. We recommend that you use the latest Safe OS Dynamic Update available for the version of Windows installed on the device.
- Unmount the WinRE image.
- If the BitLocker TPM protector is present, reconfigure WinRE for BitLocker service.
An important thing to note: this step is not present in most third-party scripts for applying updates to the WinRE image.
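As an added illustration of the four steps listed above (this is example code, not Microsoft's PatchWinREScript_*.ps1), the following PowerShell services the on-disk WinRE image with a Safe OS Dynamic Update and records the image version before and after so the result can be verified. The `$SafeOsDuPath` and `$MountDir` values are placeholders you choose, and the handling of step 4 is an assumption stated in the comments rather than a description of how Microsoft's script does it.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script. $SafeOsDuPath is a placeholder: point it at the
# Safe OS Dynamic Update .cab downloaded from the Microsoft Update Catalog for your build.
param(
    [string]$SafeOsDuPath = 'C:\Temp\SafeOS-DynamicUpdate-PLACEHOLDER.cab',
    [string]$MountDir     = 'C:\Temp\WinREMount'
)
if (-not (Test-Path $SafeOsDuPath)) { throw "Safe OS Dynamic Update not found: $SafeOsDuPath" }

# Disabling WinRE moves Winre.wim back under System32\Recovery, where it can be serviced offline.
reagentc /disable | Out-Null
$WinReWim = Join-Path $env:SystemRoot 'System32\Recovery\Winre.wim'
if (-not (Test-Path $WinReWim)) { throw "Winre.wim not found at $WinReWim after reagentc /disable" }
$before = (Get-WindowsImage -ImagePath $WinReWim -Index 1).Version

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
try {
    # Step 1: mount the existing WinRE image.
    Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null
    # Step 2: apply the Safe OS Dynamic Update package to the mounted image.
    Add-WindowsPackage -Path $MountDir -PackagePath $SafeOsDuPath | Out-Null
    # Step 3: commit the changes and unmount.
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Leave no half-patched image behind: discard the mount and re-enable the original WinRE.
    Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
    reagentc /enable | Out-Null
    throw
}

# Read the version while the image is still on the OS volume; reagentc /enable moves it away.
$after = (Get-WindowsImage -ImagePath $WinReWim -Index 1).Version
Write-Host "WinRE image version: $before -> $after"

# Re-register the serviced image as the device's recovery environment.
reagentc /enable | Out-Null

# Step 4: the OS volume has a TPM-based protector, so WinRE must be reconfigured for BitLocker.
# Assumption of this example: re-enabling WinRE with reagentc after the patch performs that
# reconfiguration. Verify with 'reagentc /info' and BitLocker status rather than trusting it.
$osVolume     = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$tpmProtector = $osVolume.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
if ($tpmProtector) {
    Write-Host "TPM protector present on $env:SystemDrive; confirm WinRE status with 'reagentc /info'."
}
```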
For full details, visit KB5025175.