BitLocker Security Feature Bypass Vulnerability CVE-2022-41099 and KB5025175

Anonymous
2023-04-06T15:47:44+00:00

Hello,

This is about CVE-2022-41099 and KB5025175.

Firstly, the KB5025175 page provides PatchWinREScript_2004plus.ps1 and PatchWinREScript_General.ps1 as "Sample" scripts, presumably expecting us to read and understand them before running them.

  • Could we have a "download" option, instead of having to copy/paste/save?
  • Also, is there any chance Microsoft could make them readable by formatting and indenting them properly?

Secondly, the link in KB5025175 says "We recommend that you use the latest Safe OS Dynamic Update available for the version of Windows installed on the device." The Windows Update Catalog link is basically a search for "Safe OS", but "Safe OS" comes in different places. Also, it seems that some of the Windows 11 Safe OS updates are applicable to "Windows 10 and later".

Concretely: which one should be used for Windows 10 22H2 (for example)?

In addition, is there a way to check whether a machine has been correctly patched and which version of WinRE is in use?

Thank you


5 answers

  1. Anonymous
    2023-04-06T17:16:49+00:00

    Hi Bruno,

    My name is Cindy. I am sorry you are having this problem. I know it is really frustrating. I will do my best to help you with this problem.

    Please note: This is a user-to-user community forum. We are users just like you who help others. We are not employees of Microsoft.

    Thank you for writing. It is possible to review the updates that have been added to your computer. I have enclosed the directions below.

    Please type the word update in the search on the taskbar and open the page.

    Then click on update history.

    On this page, you will see the complete update history.

    To find out which version you need, you will need to check the build version of Windows 10 on your computer. This can be done by typing the word about in the search and opening the page.

    Once you have the build number of Windows you have, you will be able to click on each of the Windows 10 updates to see which one is for your computer.

    Windows does automatically update your computer with the updates for your computer so you do not need to worry about having to update the computer.

    It is possible for you to leave feedback for Microsoft. Just click on the Windows key and the f key at the same time. This will take you to the feedback page.

    Please let me know if you have any questions.

    Best Wishes,

    Cindy

  2. Anonymous
    2023-04-06T17:42:20+00:00

    Hi Cindy,

    Thank you for your suggestions. The problem with update KB5025175 is that it has to be run explicitly (at least via a script) and it doesn't show up in the Windows Updates list (even if you've executed the script).

    As far as I understand, if you have BitLocker-enabled devices protected only via TPM (generally the default option if you've enabled system disk encryption) then they're vulnerable and no automatic update will fix it.

    In this case, you unfortunately do have to worry about it, even with automatic updates enabled.

    Regarding the build number, my problem is that the entry with Title "Windows 11 22H2" also says "Windows 10 and later" in the Product column on the same row: this is ambiguous.

    Considering the seriousness of this vulnerability, some clarity from Microsoft employees would indeed be welcome.

    Best wishes,

    Bruno.

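The two checks this thread asks for, the WinRE image version on the machine (the original question) and whether the OS volume is protected by a TPM-only protector (the configuration Bruno's reply describes as exposed), as one added PowerShell example. This is not the KB5025175 sample script and not Microsoft's code. It assumes English `reagentc /info` output, the Storage and DISM PowerShell modules that ship with Windows 10 and 11, an elevated prompt, and a `winre.wim` under the path reagentc reports; `$MinimumSPBuild` is a placeholder for the build of the Safe OS Dynamic Update you actually applied, not a value taken from this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of KB5025175 or its sample scripts.

function Get-WinREImageVersion {
    # reagentc reports whether WinRE is enabled and where the image lives.
    $info = & reagentc.exe /info 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reagentc /info failed: $info" }

    $status = $null; $location = $null
    foreach ($line in $info) {                       # assumes English output
        if ($line -match 'Windows RE status:\s*(\S+)')   { $status   = $Matches[1] }
        if ($line -match 'Windows RE location:\s*(\S+)') { $location = $Matches[1] }
    }
    if ($status -ne 'Enabled') {
        return [pscustomobject]@{ Status = $status; Location = $location; WimPath = $null; Version = $null; SPBuild = $null }
    }

    # Location looks like \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    if ($location -notmatch '(?i)harddisk(\d+)\\partition(\d+)(\\.*)$') {
        throw "Unexpected WinRE location: $location"
    }
    $disk = [int]$Matches[1]; $part = [int]$Matches[2]; $subPath = $Matches[3].TrimStart('\')

    # The recovery partition normally has no drive letter; borrow one temporarily.
    $letterPattern = '^[A-Za-z]:\\$'
    $root = (Get-Partition -DiskNumber $disk -PartitionNumber $part).AccessPaths |
            Where-Object { $_ -match $letterPattern } | Select-Object -First 1
    $tempRoot = $null
    if (-not $root) {
        Add-PartitionAccessPath -DiskNumber $disk -PartitionNumber $part -AssignDriveLetter
        $root = (Get-Partition -DiskNumber $disk -PartitionNumber $part).AccessPaths |
                Where-Object { $_ -match $letterPattern } | Select-Object -First 1
        $tempRoot = $root
    }
    try {
        $wim = Join-Path (Join-Path $root $subPath) 'winre.wim'
        $img = Get-WindowsImage -ImagePath $wim -Index 1      # DISM module
        [pscustomobject]@{
            Status   = $status
            Location = $location
            WimPath  = $wim
            Version  = $img.Version      # e.g. 10.0.19041 on Windows 10 2004 and later
            SPBuild  = $img.SPBuild      # the build the Safe OS DU raises this to
        }
    }
    finally {
        if ($tempRoot) {
            Remove-PartitionAccessPath -DiskNumber $disk -PartitionNumber $part -AccessPath $tempRoot
        }
    }
}

function Get-BitLockerTpmOnlyStatus {
    # Flags volumes whose only TPM-based protector is plain TPM (no PIN, no startup key).
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } | ForEach-Object {
        $types = @($_.KeyProtector.KeyProtectorType)
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            Protectors = ($types -join ',')
            TpmOnly    = ($types -contains 'Tpm') -and
                         -not ($types -contains 'TpmPin' -or
                               $types -contains 'TpmStartupKey' -or
                               $types -contains 'TpmPinStartupKey')
        }
    }
}

# Placeholder: set this to the build number of the Safe OS Dynamic Update you
# applied (from that update's KB article). Not a value from this thread.
$MinimumSPBuild = 0

$winre = Get-WinREImageVersion
$winre | Format-List
if ($winre.Status -eq 'Enabled') {
    if ([int]$winre.SPBuild -ge $MinimumSPBuild) {
        "WinRE image is $($winre.Version).$($winre.SPBuild): at or above the expected build."
    } else {
        "WinRE image is $($winre.Version).$($winre.SPBuild): below $MinimumSPBuild, the Safe OS DU is not in the image."
    }
} else {
    "WinRE is not enabled (status: $($winre.Status)); there is no active image to check."
}
Get-BitLockerTpmOnlyStatus | Format-Table -AutoSize
```

Run it elevated. The version it reports is the one inside the WinRE image on the recovery partition, which is what the Safe OS Dynamic Update modifies and why this never shows up in the Windows Update history list; the drive letter it assigns is removed again in the `finally` block even if `Get-WindowsImage` fails. A `TpmOnly` of `True` on the OS volume, combined with an image build below the DU you applied, is the combination the thread is concerned about.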
  3. Anonymous
    2023-04-06T17:50:51+00:00

    Bitlocker is only available on Windows 10-11 Pro devices. Do you have Windows pro on the computer?

    Best Wishes,

    Cindy

  4. Anonymous
    2023-04-06T18:54:02+00:00

    Bitlocker is only available on Windows 10-11 Pro devices. Do you have Windows pro on the computer?

    Yes, for clarification, my question relates to computers where the problem is applicable: with BitLocker enabled using TPM (hence with Windows Pro indeed).

    Best wishes,

    Bruno.

  5. Anonymous
    2023-04-06T21:08:51+00:00

    So I may find the correct download for you, can you send over a screenshot of the About screen? This will give the information on the version of Windows you have on the computer.

    This can be accessed by typing the word about in the search on the taskbar and opening the page.

    Cindy
