GitHub: everest90909/YellowKey-WinRE-Remediation
# YellowKey WinRE Remediation
Intune Remediation package that applies the mitigation for the CVE-2026-45585 YellowKey BitLocker/WinRE bypass.
This package removes `autofstx.exe` from the offline WinRE image's `BootExecute` value and refreshes WinRE registration so BitLocker trust is reestablished.
## Contents
```text
YellowKey-WinRE-Remediation/
  scripts/
    Detect-YellowKeyWinRE.ps1
    Remediate-YellowKeyWinRE.ps1
  .editorconfig
  .gitattributes
  .gitignore
  README.md
```
## Intune Settings
Use these settings for the remediation package:
| Setting | Value |
| --- | --- |
| Detection script | `scripts/Detect-YellowKeyWinRE.ps1` |
| Remediation script | `scripts/Remediate-YellowKeyWinRE.ps1` |
| Run this script using the logged-on credentials | `No` |
| Enforce script signature check | `No`, unless you sign the scripts |
| Run script in 64-bit PowerShell | `Yes` |
## Behavior
Detection:
- Requires elevated local administrator or SYSTEM context.
- Requires 64-bit PowerShell.
- Mounts WinRE using `reagentc.exe /mountre`.
- Loads the offline WinRE `SYSTEM` hive under a temporary HKLM name.
- Checks every offline `ControlSet###\Control\Session Manager\BootExecute` value for `autofstx.exe`.
- Unloads the hive and discards the WinRE mount.
- Exits `1` when `autofstx.exe` is found or detection cannot safely complete.
- Exits `0` when no vulnerable entry is found.
Remediation:
- Performs the same environment guardrails as detection.
- Enables WinRE first if it is disabled and can be enabled.
- Mounts WinRE using `reagentc.exe /mountre`.
- Loads the offline WinRE `SYSTEM` hive.
- Removes any `BootExecute` entry containing `autofstx.exe` from every offline ControlSet.
- Uses explicit `RegistryValueKind.MultiString` when writing `BootExecute`.
- Refuses to write an empty `BootExecute`; if filtering would empty it, writes the Windows default `autocheck autochk *`.
- Unloads the hive before committing.
- Commits the WinRE image with `reagentc.exe /unmountre /commit`.
- Runs `reagentc.exe /disable` and `reagentc.exe /enable` to refresh WinRE registration and BitLocker trust.
- Cleans up loaded hives and mounted images on failure.
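The detection and remediation flow above, condensed into one script as an added example. This is not the project's `Detect-YellowKeyWinRE.ps1` or `Remediate-YellowKeyWinRE.ps1`; it assumes `reagentc.exe` and `reg.exe` are on the path, that it runs elevated in 64-bit PowerShell, and that a hypothetical `-Remediate` switch selects fix mode over report-only mode. The `Get-FilteredBootExecute` helper is the part worth lifting: it drops every entry that mentions the marker and never returns an empty list.

```powershell
# Added example, not the project's own scripts. Assumes elevated 64-bit
# PowerShell with reagentc.exe and reg.exe on PATH. The -Remediate switch is
# hypothetical: without it the script only reports (exit 1 = vulnerable).
[CmdletBinding()]
param([switch]$Remediate)

$ErrorActionPreference = 'Stop'          # any uncaught error -> non-zero exit
$Marker   = 'autofstx.exe'               # entry the YellowKey mitigation removes
$Default  = 'autocheck autochk *'        # Windows default BootExecute value
$Suffix   = [guid]::NewGuid().ToString('N').Substring(0, 8)
$MountDir = Join-Path $env:SystemRoot "Temp\WinRE_$Suffix"
$HiveName = "WinRE_SYSTEM_$Suffix"       # temporary hive name under HKLM

# Environment guardrails: 64-bit process and local administrator/SYSTEM.
if (-not [Environment]::Is64BitProcess) { throw '64-bit PowerShell is required.' }
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Elevated administrator or SYSTEM context is required.'
}

# Pure helper: remove every entry containing the marker; refuse to return an
# empty BootExecute and fall back to the Windows default instead.
function Get-FilteredBootExecute {
    param([string[]]$Entries, [string]$Marker, [string]$Default)
    $kept = @($Entries | Where-Object { $_ -notmatch [regex]::Escape($Marker) })
    if ($kept.Count -eq 0) { $kept = @($Default) }
    return ,[string[]]$kept
}

function Invoke-Reagentc {
    param([string[]]$Arguments)
    $out = & reagentc.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reagentc $($Arguments -join ' ') failed ($LASTEXITCODE): $out" }
    return $out
}

$mounted = $false; $loaded = $false; $changed = $false; $found = $false
try {
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Invoke-Reagentc @('/mountre', '/path', $MountDir) | Out-Null
    $mounted = $true

    # Load the offline WinRE SYSTEM hive under the temporary name.
    $hivePath = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
    & reg.exe load "HKLM\$HiveName" $hivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }
    $loaded = $true

    # Check every ControlSet### in the offline hive, not only the current one.
    $controlSets = Get-ChildItem "HKLM:\$HiveName" |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
    foreach ($cs in $controlSets) {
        $smKey = "HKLM:\$HiveName\$($cs.PSChildName)\Control\Session Manager"
        $current = [string[]](Get-ItemProperty -Path $smKey -Name BootExecute `
            -ErrorAction SilentlyContinue).BootExecute
        if (-not $current) { continue }
        if ($current -match [regex]::Escape($Marker)) {
            $found = $true
            Write-Output "$($cs.PSChildName): vulnerable BootExecute = $($current -join ' | ')"
            if ($Remediate) {
                $new = Get-FilteredBootExecute -Entries $current -Marker $Marker -Default $Default
                # Explicit MultiString so a single remaining entry stays REG_MULTI_SZ.
                Set-ItemProperty -Path $smKey -Name BootExecute -Value $new -Type MultiString
                $changed = $true
            }
        }
    }
}
finally {
    # Always unload the hive before unmounting; commit only if something changed.
    if ($loaded) { [gc]::Collect(); & reg.exe unload "HKLM\$HiveName" | Out-Null }
    if ($mounted) {
        $action = if ($changed) { '/commit' } else { '/discard' }
        & reagentc.exe /unmountre /path $MountDir $action | Out-Null
    }
    Remove-Item -Path $MountDir -Recurse -Force -ErrorAction SilentlyContinue
}

if ($changed) {
    # Re-register WinRE so BitLocker re-evaluates the updated recovery image.
    Invoke-Reagentc @('/disable') | Out-Null
    Invoke-Reagentc @('/enable')  | Out-Null
    exit 0
}
if ($Remediate) { exit 0 }   # nothing needed fixing
exit ([int]$found)           # detection: 1 = vulnerable, 0 = compliant
```

Run it without arguments to get the detection exit code, or with `-Remediate` to edit the offline image. Because `$ErrorActionPreference` is `Stop`, a failed mount, hive load or write surfaces as a terminating error and a non-zero exit, which matches the "cannot safely complete" behaviour described above; the `finally` block still unloads the hive and discards the mount on that path.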
## Guardrails
The scripts are intentionally conservative:
- No BitLocker protectors are suspended, removed, or changed directly.
- The remediation only edits the offline WinRE image, not the live OS `BootExecute` value.
- Temporary hive names and mount paths include random suffixes to avoid collisions.
- Failure cleanup unloads the temporary hive and discards the WinRE mount.
- Logs are written to `C:\ProgramData\IntuneRemediations\YellowKey`.
## Logs
Detection log: `C:\ProgramData\IntuneRemediations\YellowKey\Detect.log`
Remediation log: `C:\ProgramData\IntuneRemediations\YellowKey\Remediate.log`
## Local Validation
Run syntax validation without executing remediation:
```powershell
$paths = @(
    '.\scripts\Detect-YellowKeyWinRE.ps1',
    '.\scripts\Remediate-YellowKeyWinRE.ps1'
)
foreach ($path in $paths) {
    $tokens = $null
    $errors = $null
    [System.Management.Automation.Language.Parser]::ParseFile($path, [ref] $tokens, [ref] $errors) | Out-Null
    if ($errors.Count -gt 0) {
        $errors | Format-Table
        throw "Parse failed: $path"
    }
}
```
Run Script Analyzer if installed:
```powershell
Invoke-ScriptAnalyzer -Path .\scripts -Recurse
```
## Operational Notes
- Test on a small pilot ring before broad deployment.
- Confirm WinRE is healthy on representative devices with `reagentc.exe /info`.
- Devices with missing or unhealthy WinRE should be remediated separately.
- If your organization signs Intune scripts, sign both `.ps1` files and enable signature enforcement.
- Keep the remediation assigned only as long as needed, then rely on detection/reporting for compliance tracking.
## Exit Codes
| Script | Exit `0` | Exit `1` |
| --- | --- | --- |
| Detection | Compliant or WinRE disabled/not applicable | Vulnerable or detection could not safely complete |
| Remediation | Remediation completed successfully | Remediation failed or cleanup was required |