Patch Tuesday for October 2020 brought the usual updates, but also blessed us with a security update that addresses a vulnerability found in the setup of Windows 10.
- Everything about the vulnerability is explained in detail here: CVE-2020-16908 | Windows Setup Elevation of Privilege Vulnerability
The article tells us to download the latest refreshed media from VLSC or MSDN, or download the latest applicable Setup Dynamic Update (DU) package and patch the media ourselves.
Now, as of writing, the official downloads have not been refreshed yet, so I wanted to get rid of the vulnerability and patch my existing media manually. The process I went through became this post.
Update 28 October: Official and affected Windows 10 downloads are still not refreshed.
Download Setup DU packages
There are multiple downloads available, depending on what version of Windows 10 you are looking to patch.
- Windows 10 version 1803
- Windows 10 version 1809
- Windows 10 version 1903
- Windows 10 version 1909
- Windows 10 version 2004
Head into the Microsoft Update Catalog and search for and download the relevant update (KB-number).
In my scenario, I was looking to patch my Windows 10 version 2004 media, as I’m about to begin a broad In-Place Upgrade process.
The result of the download will be a .cab file similar to the illustration below:
Applying the Setup DU package
To apply the Setup Dynamic Update package to your existing Windows 10 media, start by storing the path to the downloaded .cab file in a variable in a PowerShell console, as shown below.
$SETUP_DU_PATH = "C:\Users\adminmab\Desktop\DU-Package\all-windows10.0-kb4579308-x64_94d5ca59e4741d786e71156be11cd62e2f6cb417.cab"
Next, expand the content of the .cab file into the \sources folder of the Windows 10 media (this is the extracted content of the downloaded .ISO, which is used as an Upgrade Package in ConfigMgr).
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* "D:\Pkgsource\OSPackages\SW_DVD9_Win_Pro_10_2004.4_64BIT_English_Pro_Ent_EDU_N_MLF_-2_X22-36939\sources"
And once the process is complete, you will see a completion notice similar to the one below:
Distribute the changes to your distribution points, or, if you did like me and redownloaded the latest .ISO (which was updated in September), go ahead and add that as a new Operating System Upgrade Package in the Configuration Manager console.
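Because the expanded files overwrite setup binaries that later run elevated during the upgrade, it is worth verifying the .cab before it touches the media. The script below is an added example, not part of the original procedure. It checks the package hash and signature, expands to a staging folder, and lists which files in \sources would be replaced. It assumes that the 40-character hex suffix in the Update Catalog file name is the SHA-1 of the file and that the signer's organization is Microsoft Corporation; `$MEDIA_SOURCES` and `$STAGING` are names introduced here.

```powershell
# Added example; the paths are the ones used in this post, adjust them to your environment.
$SETUP_DU_PATH = "C:\Users\adminmab\Desktop\DU-Package\all-windows10.0-kb4579308-x64_94d5ca59e4741d786e71156be11cd62e2f6cb417.cab"
$MEDIA_SOURCES = "D:\Pkgsource\OSPackages\SW_DVD9_Win_Pro_10_2004.4_64BIT_English_Pro_Ent_EDU_N_MLF_-2_X22-36939\sources"
$STAGING       = Join-Path $env:TEMP "SetupDU-Staging"   # hypothetical scratch folder

# 1. Integrity: compare the SHA-1 embedded in the file name with the file's actual hash.
#    Assumption: the 40-hex suffix is the SHA-1 of the package (Update Catalog naming).
$name = [IO.Path]::GetFileNameWithoutExtension($SETUP_DU_PATH)
if ($name -notmatch '_([0-9a-fA-F]{40})$') { throw "No SHA-1 suffix found in file name: $name" }
$expected = $Matches[1]
$actual   = (Get-FileHash -LiteralPath $SETUP_DU_PATH -Algorithm SHA1).Hash
if ($actual -ne $expected) { throw "Hash mismatch. Expected $expected, got $actual" }

# 2. Authenticity: the .cab must carry a valid Authenticode signature.
#    Assumption: the signer certificate subject contains O=Microsoft Corporation.
$sig = Get-AuthenticodeSignature -LiteralPath $SETUP_DU_PATH
if ($sig.Status -ne 'Valid') { throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)" }
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 3. Expand into a staging folder first, so only verified content reaches the media.
New-Item -ItemType Directory -Path $STAGING -Force | Out-Null
& "$env:SystemRoot\System32\expand.exe" $SETUP_DU_PATH "-F:*" $STAGING | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

# 4. Report which files in \sources would be replaced, with old and new file versions.
Get-ChildItem -LiteralPath $STAGING -File -Recurse | ForEach-Object {
    $relative = $_.FullName.Substring($STAGING.Length).TrimStart('\')
    $target   = Join-Path $MEDIA_SOURCES $relative
    [pscustomobject]@{
        File       = $relative
        NewVersion = $_.VersionInfo.FileVersion
        OldVersion = if (Test-Path -LiteralPath $target) {
            (Get-Item -LiteralPath $target).VersionInfo.FileVersion
        } else { '(new file)' }
    }
} | Format-Table -AutoSize
```

If every check passes, the expand command from the post can be run against the \sources folder as described, and the version table doubles as a record of what changed in the package source.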