CVE-2023-24932-PR-Detection_v2_July.ps1
74 lines (55 loc) · 4.03 KB
<# GARY BLOK | GARYTOWN.COM | @gwblok
#https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
This script checks Event Viewer for the status of the fix based on the information in the link above.
If the event is found, then the fix has been applied successfully.
Checks for the status of the SKUSiPolicy.P7b file, which is added to the device with the May CU KB.
Checks the EFI partition for that file; if not found, copies it into the correct location.
Sets the registry value based on the link information (Hex 0x10 or Decimal 16), which gets reset to 0 after restart.
- This changed for the July release - went from Hex 0x10 (16) to Hex 0x30 (48)
Once it sets the registry value, it triggers a restart to make sure everything gets applied.
- I commented out the Restart line; if you want it to trigger a restart, go ahead and uncomment that line.
23.05.10 - Initial Release
23.05.11 - Added File Hash Compare for SKUSiPolicy.P7b
23.05.15 - Added check that if HASH of SKUSiPolicy.P7b matches in both locations, set compliance to compliant. This prevents running remediation again when the system event log rolls over.
23.05.16 - Huge Change for Intune Proactive Remediations
- Removed CM Code
- Added "Get-FirstFreeDriveLetter" Function
- Added logic to set Drive Letter on Windows 11 devices for the System Volume
- Win10 still uses Literal path, skipping adding of Drive letter... considering just making everything use a drive letter...
23.05.24 - Added Access Path of c:\windows\temp\sysvol instead of drive letter, as I was getting a drive popup and an error.
- Removed Get-FirstFreeDriveLetter Function
23.07.17 - Updated for July 2023 patch cycle... removed a lot of things no longer needed that were required with the May Update.
- Updated Registry value of AvailableUpdates from 16 from the May instructions to 48 (0x30) from the July instructions
#>
$Remediate = $false #True = Remediation Script | False = Detection/Discovery Script
$Compliance = "Non-Compliant"
$SKUSiPolicyPath = "$env:windir\System32\SecureBootUpdates\SKUSiPolicy.P7b"

#Test if the event log has the ID for having applied the remediation. This only works for so long after remediation has run, as the event log will roll over and the data will go missing.
$DBXUpdateSuccess = Get-EventLog -LogName System -Source "Microsoft-Windows-TPM-WMI" -InstanceId 1035 -ErrorAction SilentlyContinue
if ($DBXUpdateSuccess){
    #Write-Output "Patch has been Applied Successfully"
    $Compliance = "Compliant"
}

if ($Remediate -eq $true -and $Compliance -ne "Compliant"){
    Write-Output "Patch has not been completely applied according to Event Logs"
    if (Test-Path -Path $SKUSiPolicyPath){
        #If the AvailableUpdates value does not exist yet, treat it as unset ($null) instead of throwing
        $AvailableUpdateStatus = Get-ItemPropertyValue -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot -Name AvailableUpdates -ErrorAction SilentlyContinue
        if ($AvailableUpdateStatus -ne 48){
            #This will trigger the system to know to apply the update. I've done this multiple times and have not seen an issue running it more than once.
            #If the log in the event viewer rolls over and the entry for success is gone, triggering this will have the event viewer recreate the entry after the next reboot.
            Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot -Name AvailableUpdates -Type DWord -Value 48 -Force | Out-Null
            #Restart to Trigger Remediation
            $Process = "C:\windows\system32\shutdown.exe"
            $ShutdownArgs = '/r /f /t 28800 /c "Apply fix for CVE-2023-24932"'
            #Start-Process $Process -ArgumentList $ShutdownArgs -NoNewWindow
        }
    }
    else {
        Write-Output "SKUSiPolicy Patch Not available, make sure you've updated Windows to latest CU"
    }
}

#If Intune and Non-Compliant, for Detection Script, exit 1 to trigger Remediation
if ($Remediate -eq $false -and $Compliance -ne "Compliant"){
    exit 1
}
Write-Output $Compliance
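The changelog entries for 23.05.11 and 23.05.24 describe a hash compare between the staged SKUSiPolicy.P7b and the copy on the EFI system partition, mounted at c:\windows\temp\sysvol instead of a drive letter. The following is an added example of that check written for this page, not the author's own code: it assumes the EFI copy lives at \EFI\Microsoft\Boot\SKUSiPolicy.P7b and that mountvol /S can mount the system partition to an empty directory, and it needs an elevated Windows PowerShell session.

```powershell
# Added example, not part of the original script: compare the SHA-256 hash of
# the staged SKUSiPolicy.P7b with the copy on the EFI system partition.
# Assumptions: EFI copy at \EFI\Microsoft\Boot\SKUSiPolicy.P7b (not stated on the page),
# mountvol /S accepts a directory access path, elevated session.

$StagedPath = "$env:windir\System32\SecureBootUpdates\SKUSiPolicy.P7b"
$MountPath  = "$env:windir\Temp\sysvol"            # access path used instead of a drive letter
$EfiRelPath = 'EFI\Microsoft\Boot\SKUSiPolicy.P7b' # assumed location on the EFI partition

function Compare-SKUSiPolicy {
    if (-not (Test-Path -Path $StagedPath)) {
        # Nothing staged yet: the CU that ships the file has not been installed
        return [pscustomobject]@{ Status = 'Missing-Staged'; StagedHash = $null; EfiHash = $null }
    }
    if (-not (Test-Path -Path $MountPath)) {
        New-Item -Path $MountPath -ItemType Directory -Force | Out-Null
    }
    # Mount the EFI system partition at the directory (mountvol <path> /S)
    & "$env:windir\System32\mountvol.exe" $MountPath /S | Out-Null
    try {
        $EfiFile    = Join-Path -Path $MountPath -ChildPath $EfiRelPath
        $StagedHash = (Get-FileHash -Path $StagedPath -Algorithm SHA256).Hash
        if (-not (Test-Path -Path $EfiFile)) {
            return [pscustomobject]@{ Status = 'Missing-EFI'; StagedHash = $StagedHash; EfiHash = $null }
        }
        $EfiHash = (Get-FileHash -Path $EfiFile -Algorithm SHA256).Hash
        $Status  = if ($StagedHash -eq $EfiHash) { 'Match' } else { 'Mismatch' }
        return [pscustomobject]@{ Status = $Status; StagedHash = $StagedHash; EfiHash = $EfiHash }
    }
    finally {
        # Always dismount so the access path does not linger after the check
        & "$env:windir\System32\mountvol.exe" $MountPath /D | Out-Null
    }
}

$Result = Compare-SKUSiPolicy
Write-Output $Result
# Intune detection convention: a non-zero exit code triggers the remediation script
if ($Result.Status -ne 'Match') { exit 1 }
```

Because the hash compare does not depend on the System event log, it stays reliable after event 1035 has rolled out of the log, which is the gap the 23.05.15 changelog entry describes.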