Microsoft has released a script to help fix a BitLocker bypass security vulnerability in Windows Recovery Environment (WinRE).
This PowerShell script simplifies the process of securing WinRE images against attempts to exploit CVE-2022-41099, a flaw that allows attackers to bypass the BitLocker Device Encryption feature on system storage devices.
Successful exploitation allows threat actors with physical access to the device to reach encrypted data in low-complexity attacks.
According to Microsoft, the vulnerability cannot be exploited if the user has enabled BitLocker TPM+PIN protection.
“The sample PowerShell script was developed by Microsoft’s product team to help automate updating WinRE images on Windows 10 and Windows 11 devices,” Microsoft says in a support document released Thursday.
“Run the script with administrator credentials in PowerShell on the affected devices. Two scripts are available. Which script to use depends on the version of Windows you are running.”
The recommended script version is PatchWinREScript_2004plus.ps1, which is used to apply security updates on systems running Windows 10 2004 and later (including Windows 11).
The other PowerShell script (PatchWinREScript_General.ps1) is less robust and should be used on Windows 10 1909 and earlier (although it will work on all Windows 10 and Windows 11 systems).
How to use the WinRE patch script
The CVE-2022-41099 patch scripts can be run from Windows PowerShell and allow administrators to specify the path and name of the Safe OS Dynamic Update package that should be used to update the WinRE image.
These update packages are specific to the operating system version and processor architecture and should be downloaded from the Microsoft Update Catalog beforehand.
The scripts also allow passing a workDir parameter to select the workspace to use during the remediation process (if not specified, the script will use the default Windows temporary folder).
Once launched, the script will go through the following steps:
- Mount the existing WinRE image (WINRE.WIM).
- Update the WinRE image with the specified Safe OS Dynamic Update (compatibility update) package downloaded from the Microsoft Update Catalog (the latest update available for the version of Windows installed on the device is recommended).
- Unmount the WinRE image.
- If the BitLocker TPM protector is present, it reconfigures WinRE for the BitLocker service.
After running the script, you will not need to reboot the system to complete the WinRE image patching process.
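As an added illustration (not Microsoft's PatchWinREScript and not part of the original article), the following PowerShell first checks whether the OS volume already uses the TPM+PIN protector that Microsoft says blocks exploitation, then carries out the same mount, update, unmount and re-register sequence by hand with the built-in DISM cmdlets and reagentc. It assumes an elevated session, that the Safe OS Dynamic Update .cab was already downloaded from the Microsoft Update Catalog to the path passed in $SafeOsPackage, and that reagentc /disable stages the image at C:\Windows\System32\Recovery\winre.wim.

```powershell
# Added example, not Microsoft's script. Run elevated on the affected device.
param(
    [Parameter(Mandatory)] [string] $SafeOsPackage,            # assumed: path to the Safe OS DU .cab
    [string] $WorkDir = (Join-Path $env:TEMP 'WinREPatch')       # workspace, like the script's workDir
)

# 1. Exposure check: per Microsoft, CVE-2022-41099 is not exploitable when a
#    TPM+PIN protector is in use. A TPM-only protector means the device is exposed
#    until WinRE is updated.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
if (@($types | Where-Object { $_ -like 'TpmPin*' }).Count -gt 0) {
    Write-Host 'TPM+PIN protector present: not exploitable, but updating WinRE is still advised.'
} elseif ($types -contains 'Tpm') {
    Write-Warning 'TPM-only protector: device is exposed until WinRE is patched.'
}

# 2. Stage the image. reagentc /disable copies winre.wim out of the recovery
#    partition into the System32\Recovery folder (assumed staged location).
reagentc /disable | Out-Null
$wim = Join-Path $env:SystemRoot 'System32\Recovery\winre.wim'
if (-not (Test-Path $wim)) { throw "WinRE image not found at $wim" }

# 3. Mount WINRE.WIM, apply the Safe OS Dynamic Update, unmount and save.
#    These are the steps PatchWinREScript automates.
$mount = Join-Path $WorkDir 'mount'
New-Item -ItemType Directory -Path $mount -Force | Out-Null
Mount-WindowsImage -ImagePath $wim -Index 1 -Path $mount | Out-Null
try {
    Add-WindowsPackage -Path $mount -PackagePath $SafeOsPackage | Out-Null
    Dismount-WindowsImage -Path $mount -Save | Out-Null
} catch {
    # Discard the half-updated mount so the staged image stays intact.
    Dismount-WindowsImage -Path $mount -Discard | Out-Null
    throw
}

# 4. Re-register the updated image. Re-enabling WinRE after BitLocker is
#    configured is what lets the recovery environment work with the protected
#    volume (assumed equivalent of the script's reconfigure step).
reagentc /enable | Out-Null
reagentc /info
```

Verify with reagentc /info that Windows RE status reads Enabled before treating the device as remediated; no reboot is required, matching the behaviour described for Microsoft's script.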