How to manage the Windows Boot Manager revocations for Secure Boot changes associated with...


IanM
Junior Member
Group: Forum Members
Posts: 24, Visits: 62
MS posted this security advisory on 9 May 2023, which will impact the creation of MR rescue media.
When creating MR rescue media, I use the following options -

What steps are MR planning to take to mitigate this issue?
MR     Home v 8.1.7469
OS     Windows 11 Pro v 22H2 (Build 22621.1776)

jphughan
Macrium Evangelist
Group: Forum Members
Posts: 14K, Visits: 82K
If your system has the May update installed, you could try performing a WinRE-based build, since your system's WinRE partition might now contain that update. Microsoft's documentation isn't clear on whether the WinRE partition gets updated when installing the May update, but if it does, then WinRE-based Rescue Media built by your system should work even after you've applied revocations. If that doesn't work or you specifically want to avoid WinRE, then Rescue Media Builder uses WinPE content downloaded straight from Microsoft, which means Microsoft will have to release updated WinPE ADK packages. The article doesn't specifically address availability of ADK packages, but the closest thing they reference is Windows installation media (which uses WinPE), and as of this writing the article still says that updated versions of those "will soon be available". So if you want to stick to WinPE in the meantime, you'd probably have to perform the "DISM offline package installation" steps linked in the "Updating bootable media > Enterprise" section to install the May cumulative update into the boot.wim file on your Rescue Media after it gets built by Rescue Media Builder.

Edited 17 May 2023 11:17 AM by jphughan
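The "DISM offline package installation" route jphughan describes above, carried out against the boot.wim on rescue media that Rescue Media Builder has already written to a USB stick. This is an added example written for this page; it is not code from the thread, from Macrium or from Microsoft. It assumes the stick is E:, that the WinPE image sits at E:\sources\boot.wim, and that $Package points at the cumulative update .msu you downloaded (the file name shown is a placeholder). One caveat a practitioner will want: the revocations concern the boot manager, and on a UEFI USB stick the firmware loads that from \EFI\Boot\bootx64.efi on the stick itself, outside boot.wim, so the script also copies the serviced image's boot manager out to the media; whether Rescue Media Builder's layout matches the paths used here is an assumption. Run it from an elevated PowerShell session.

```powershell
# Added example (editor's; not code from the thread, Macrium or Microsoft).
# Offline-services a Rescue Media boot.wim with a cumulative update via the DISM cmdlets that
# ship with Windows, then copies the serviced boot manager out to the media's EFI boot path.
# Assumptions (adjust to your setup): rescue USB is E:, boot.wim is at E:\sources\boot.wim,
# $Package is the .msu you downloaded from the Update Catalog. Run elevated.
$ErrorActionPreference = 'Stop'

$Media    = 'E:\'                                        # assumed drive letter of the rescue USB
$BootWim  = Join-Path $Media 'sources\boot.wim'          # assumed location of the WinPE image
$Package  = 'C:\Updates\windows11.0-kbNNNNNNN-x64.msu'   # assumed placeholder; use the LCU you downloaded
$MountDir = 'C:\Mount\RescuePE'                          # must be an empty directory
$Index    = 1                                            # a WinPE boot.wim normally holds one image

function Get-MountedKernelVersion {
    # File version of the kernel inside a mounted image; the last field is the update revision.
    param([string]$Root)
    (Get-Item (Join-Path $Root 'Windows\System32\ntoskrnl.exe')).VersionInfo.FileVersion
}

New-Item -ItemType Directory -Force -Path $MountDir | Out-Null
Mount-WindowsImage -ImagePath $BootWim -Index $Index -Path $MountDir | Out-Null
try {
    Write-Host "Kernel before servicing: $(Get-MountedKernelVersion $MountDir)"

    # Inject the cumulative update. -PreventPending aborts if the image already has pending
    # servicing actions, which would otherwise leave the WinPE image half-updated.
    Add-WindowsPackage -Path $MountDir -PackagePath $Package -PreventPending | Out-Null

    Write-Host "Kernel after servicing:  $(Get-MountedKernelVersion $MountDir)"

    # The revocations target the boot manager. UEFI firmware boots removable media from
    # \EFI\Boot\bootx64.efi on the stick itself, so the updated copy the package placed inside
    # the image has to be carried out to the media as well (assumed media layout).
    $newBootMgr = Join-Path $MountDir 'Windows\Boot\EFI\bootmgfw.efi'
    if (Test-Path $newBootMgr) {
        foreach ($rel in 'EFI\Boot\bootx64.efi', 'EFI\Microsoft\Boot\bootmgfw.efi') {
            $target = Join-Path $Media $rel
            if (Test-Path $target) {
                Copy-Item $newBootMgr $target -Force
                Write-Host "Replaced $target"
            }
        }
    } else {
        Write-Warning "No boot manager found in the serviced image at $newBootMgr; media boot files left unchanged."
    }

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
} catch {
    # Discard so that a failed Add-WindowsPackage is never committed into boot.wim.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}

# Report which certificate signs the boot manager the firmware will actually load from the stick.
$sig = Get-AuthenticodeSignature (Join-Path $Media 'EFI\Boot\bootx64.efi')
'{0,-10} {1}' -f $sig.Status, $sig.SignerCertificate.Subject
```

The kernel version printed before and after the Add-WindowsPackage call is the quickest way to confirm the package really landed in the image (the last field should change to the update's revision). The signer line at the end does not decide anything for you; it only tells you which Microsoft CA signed the boot manager now on the media, which is the thing the revocations act on.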
IanM
Junior Member
Group: Forum Members
Posts: 24, Visits: 62
IanM - 17 May 2023 4:46 AM (quoting the opening post above)

Thanks for the response.
I've already installed the Windows 11 Cumulative Update, which installs Build 22621.1702. Build 22621.1776 is the latest for the Windows 11 Release Preview Channel.
My peers on another forum are exploring this issue - ref "Additional guidance for devices using Secure Boot to address CVE-2023-24932" - which has left me totally confused.
I would appreciate your views on same.

jphughan
Macrium Evangelist
Group: Forum Members
Posts: 14K, Visits: 82K
I understand you’ve already installed the latest update, but WinRE exists on a separate hidden partition and is a completely independent environment, so the build of the main OS will not necessarily correspond to the build of the WinRE instance. In fact the norm is that WinRE instances do NOT get updated as a result of installing monthly updates. In this specific case, it would seem that it would be prudent to do that, since a WinRE instance that isn’t bootable isn’t useful for its express purpose of helping to recover from an unbootable main OS environment. But again, I haven’t found any express confirmation that WinRE gets updated as part of installing the May update in the main OS environment, nor have I had a chance to delve into it on my personal system.
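A check for the point jphughan says he has not been able to confirm: whether the WinRE instance on the hidden partition carries the same update level as the running OS. This is an added example written for this page, not code from the thread or from Macrium. It reads the WinRE location from reagentc, asks DISM for the image's version metadata, and compares that with the OS build recorded in the registry. It assumes an elevated session and English-language reagentc output (the line it parses is "Windows RE location:"). Note that on a system running a Release Preview build such as 22621.1776 an exact match is not expected; the revision DISM reports for the image is what tells you whether the cumulative update reached WinRE.

```powershell
# Added example (editor's; not code from the thread or from Macrium).
# Compares the build of the registered WinRE image with the running OS build. Run elevated;
# parsing of reagentc output assumes English text.
$ErrorActionPreference = 'Stop'

function Get-RunningOsBuild {
    # CurrentBuild plus UBR gives the familiar form, e.g. 22621.1702.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
}

function Get-WinReImagePath {
    # reagentc /info prints a line such as:
    #   Windows RE location:  \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    # DISM accepts that GLOBALROOT form directly, so the partition needs no drive letter.
    $line = (reagentc /info) |
        Where-Object { $_ -like '*Windows RE location:*' } |
        Select-Object -First 1
    if ($line -and $line -match 'location:\s*(\S.*)$') {
        return ($Matches[1].Trim() + '\winre.wim')
    }
    throw 'reagentc /info did not report a WinRE location (WinRE disabled, or non-English output).'
}

function Get-WinReBuild {
    param([string]$WimPath)
    # Version is the base build (e.g. 10.0.22621); SPBuild is the update revision DISM recorded
    # the last time the image was serviced and saved.
    $img = Get-WindowsImage -ImagePath $WimPath -Index 1
    '{0}.{1}' -f $img.Version.Split('.')[2], $img.SPBuild
}

$osBuild    = Get-RunningOsBuild
$wimPath    = Get-WinReImagePath
$winreBuild = Get-WinReBuild $wimPath

"Running OS build : $osBuild"
"WinRE image build: $winreBuild  ($wimPath)"
if ($winreBuild -eq $osBuild) {
    'WinRE matches the running OS build; the update reached the recovery image.'
} else {
    'WinRE is on a different build than the OS (normal when monthly updates leave WinRE alone, or when the OS runs a newer preview build).'
}
```

If the WinRE revision is older than the cumulative update you installed, the recovery image was not serviced along with the OS, which is the situation jphughan describes as the norm.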
Froggie
Macrium Hero
Group: Forum Members
Posts: 1.6K, Visits: 16K
FWIW, my Win10 WinRE was changed between 23 April and 30 April, and not by anything I had done. It grew by 46.9 MB. I can't say which date exactly as my Incremental merge has already removed any dailies made during that time frame.

hanness
Junior Member
Group: Forum Members
Posts: 30, Visits: 100
I have some comments to add to this discussion but also a question.

First, for the Windows ADK Win PE add-on, Microsoft is currently expecting that you patch that installation yourself. If you go to the Windows ADK download page, you will note that there is a note about this issue posted there. The date on the page has not been updated to reflect that there is new information, but it is there. The note provides links explaining how to perform the updates. It's not super clear, but fortunately, this is something that I am already very familiar with, so I've performed the patching and tested my own Win PE images and they work fine on systems with revocations applied.

However, that leads me to my question:
When I create a Macrium Reflect recovery disk or ISO image specifically using Windows PE (not RE), I notice that Reflect does not appear to use the Windows PE already installed on my system. Instead, it seems to insist on downloading a copy of Windows PE from Microsoft, even though it is already installed on my system.

Could you tell me where Reflect saves that copy of Windows PE that it downloads so that I can target it for updates?
Edited 17 May 2023 3:41 PM by hanness
jphughan
Macrium Evangelist
Group: Forum Members
Posts: 14K, Visits: 82K
WinPE files are cached at C:\ProgramData\Macrium\Reflect\Windows Kits
hanness
Junior Member
Group: Forum Members
Posts: 30, Visits: 100
Thank you. One follow-up question:

Is there a way that I can force an update of those files to the latest version, for example, the Win 11 22H2 version, patched to mitigate BlackLotus UEFI Bootkit issue?

I'm a little bit surprised that Macrium insists on downloading Win PE even when the Win PE add-on is already installed on my system.

Drac144
Master
Group: Forum Members
Posts: 1.1K, Visits: 3.8K
I have been monitoring posts on this issue.  I am surprised that Macrium has not posted anything regarding this issue. If there is no reliable rescue media, then making backups is a big waste of time and disk space.  

I would expect that Reflect would have some included or standalone program that would verify rescue media is compliant with the new requirements.  If not compliant, such software would provide at least rudimentary comments on what needs to be done to make a compliant rescue media.  Or, failing that, at least provide a knowledgebase article (maybe they already have) with details on how we can verify that our boot options and rescue disks are compliant. This would seem to be a serious matter!

Am I correct in believing that a worst case solution is going into my bios and turning off secure boot?  And that will let me boot a rescue disk and then do a restore?

Also, I am assuming this is JUST a windows thing.  Do I have to do any kind of change to flash drives with Linux distros?
