Enable the CVE-2023-32019 Windows Kernel Information Disclosure mitigation by writing the correct registry override per build
This Automox Worklet™ turns on the Windows Kernel Information Disclosure mitigation for CVE-2023-32019. Microsoft included the fix in the June 2023 cumulative updates but left it disabled by default, because enabling it can change how a small set of applications handle commit failures. The Worklet writes the registry override that activates the protection on every endpoint that already has the prerequisite cumulative installed.
The Worklet identifies the OS build at runtime and selects the registry path and value Microsoft documents for that exact build. For Windows 10 20H2 through 22H2, Windows 11 21H2 and 22H2, and Windows Server 2022, it writes a per-build DWORD under HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides. For Windows 10 1607 with Server 2016 and Windows 10 1809 with Server 2019, it writes LazyRetryOnCommitFailure = 0 under the relevant Session Manager subkey.
Before applying any change, the evaluation script confirms the per-build June 2023 cumulative is installed (KB5027215, KB5027219, KB5027222, KB5027225, or KB5027231 depending on build) and reports patch status to the Automox Activity Log on every run. The Worklet does not install the cumulative itself; pair it with a patch policy when an endpoint is missing the prerequisite. A revert parameter is exposed in the evaluation script for rollback: uncommenting $revert = $true removes the override and restores the disabled-by-default state.
CVE-2023-32019 lets a low-privileged local user read memory from a privileged process and recover sensitive material from kernel space. Exploitation requires existing local access, but information disclosure primitives are exactly what attackers chain after an initial foothold to escalate further. Microsoft delivered the fix in a disabled state so customers could test the behavior change on their own schedule, which means the patch alone does nothing until the per-build registry override is written.
The result is a fleetwide gap that lasts as long as the registry value stays unset, even though the binary fix is already on disk. Tracking the override state across Windows 10, Windows 11, and Server SKUs by hand is impractical: each supported build has its own registry path and value name. This Worklet closes that gap by detecting the build, writing the right value, and reporting the prerequisite KB status on every evaluation pass.
Evaluation phase: The script reads the OS build from [System.Environment]::OSVersion.Version.Build and matches it against the supported build table (14393, 17763, 19042 to 19045, 20348, 22000, and 22621). It enumerates installed updates via wmic qfe list and Get-HotFix to determine whether the per-build June 2023 cumulative is present. It then tests the relevant registry path and value with Test-Path and Get-ItemProperty and compares the current value to the build-specific expected value. When the override is missing or wrong, the build profile (path, name, property type, value, patch status) is base64-encoded and staged under HKCU:\Automox\WorkletConfig for remediation; endpoints outside the supported build range exit cleanly with no change.
Remediation phase: The remediation script reads the staged build profile from HKCU:\Automox\WorkletConfig, reports the prerequisite patch status to the Activity Log, creates the target registry key with New-Item if it does not already exist, and writes the DWORD with New-ItemProperty -Force. For Windows 10 20H2 through 22H2 the DWORD is named 4103588492; for Windows 11 21H2 it is 4204251788; for Windows 11 22H2 it is 4237806220; for Windows Server 2022 it is 4137142924. Each is set to 1 under HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides. For Windows 10 1607 and Server 2016, LazyRetryOnCommitFailure = 0 is written under HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager. For Windows 10 1809 and Server 2019, the same value is written under HKLM:\SYSTEM\CurrentControlSet\Control\Session. The script exits 0 on success.
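The evaluation and remediation logic above, condensed into an added PowerShell example (not the Worklet's own code): a build-to-profile lookup using the paths, value names and KB numbers listed on this page, a compliance check, and a remediation step with the revert behaviour. The function names are hypothetical, and the 1809/2019 path is taken exactly as the page gives it.

```powershell
# Added example, not the Automox Worklet's code. Function names are assumptions.
function Get-Cve32019Profile {
    param([int]$Build = [System.Environment]::OSVersion.Version.Build)
    $fm = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
    $cm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'
    # Path for 1809/2019 is reproduced as the page states it.
    $s1809 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session'
    switch ($Build) {
        14393 { return @{ Path = $cm;    Name = 'LazyRetryOnCommitFailure'; Value = 0; KB = 'KB5027219' } }
        17763 { return @{ Path = $s1809; Name = 'LazyRetryOnCommitFailure'; Value = 0; KB = 'KB5027222' } }
        { $_ -ge 19042 -and $_ -le 19045 } {
                return @{ Path = $fm; Name = '4103588492'; Value = 1; KB = 'KB5027215' } }
        20348 { return @{ Path = $fm; Name = '4137142924'; Value = 1; KB = 'KB5027225' } }
        22000 { return @{ Path = $fm; Name = '4204251788'; Value = 1; KB = 'KB5027231' } }
        22621 { return @{ Path = $fm; Name = '4237806220'; Value = 1; KB = 'KB5027231' } }
        default { return $null }   # unsupported build: caller exits with no change
    }
}

# Evaluation: is the prerequisite KB present, and does the override already match?
function Test-Cve32019Override {
    param([hashtable]$Profile)
    if (-not $Profile) { return [pscustomobject]@{ Supported = $false; Compliant = $true } }
    $kbPresent = [bool](Get-HotFix -Id $Profile.KB -ErrorAction SilentlyContinue)
    $current = $null
    if (Test-Path $Profile.Path) {
        $item = Get-ItemProperty -Path $Profile.Path -Name $Profile.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($Profile.Name) }
    }
    [pscustomobject]@{
        Supported = $true; KB = $Profile.KB; KBInstalled = $kbPresent
        Path = $Profile.Path; Name = $Profile.Name; Current = $current
        Compliant = ($current -eq $Profile.Value)
    }
}

# Remediation: create the key if needed and write the DWORD; -Revert inverts the value.
function Set-Cve32019Override {
    param([hashtable]$Profile, [switch]$Revert)
    $value = if ($Revert) { 1 - $Profile.Value } else { $Profile.Value }
    if (-not (Test-Path $Profile.Path)) { New-Item -Path $Profile.Path -Force | Out-Null }
    New-ItemProperty -Path $Profile.Path -Name $Profile.Name -PropertyType DWord `
        -Value $value -Force | Out-Null
    Write-Output "Wrote $($Profile.Name)=$value under $($Profile.Path) (prereq $($Profile.KB))"
}

$profile = Get-Cve32019Profile
$state = Test-Cve32019Override -Profile $profile
if ($state.Supported -and -not $state.Compliant) { Set-Cve32019Override -Profile $profile }
```

Run elevated; the check only reports KB presence and does not install the cumulative, matching the Worklet's division of responsibility with a patch policy.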
Supported builds only: Windows 10 1607 (14393), 1809 (17763), 20H2/21H2/22H2 (19042 to 19045); Windows 11 21H2 (22000) or 22H2 (22621); Windows Server 2016 (14393), 2019 (17763), or 2022 (20348). Endpoints outside these builds exit with no change.
Per-build June 2023 cumulative installed: KB5027219 (Server 2016, Win10 1607), KB5027222 (Server 2019, Win10 1809), KB5027225 (Server 2022), KB5027215 (Win10 20H2 to 22H2), or KB5027231 (Win11 21H2 and 22H2).
Administrative privileges to write under HKLM. The Automox agent runs as SYSTEM and meets this by default.
Scheduled-policy mode is required. Evaluation stages the build profile in HKCU:\Automox\WorkletConfig and remediation reads it back; running evaluation and remediation as separate manual steps will not pass state.
Pilot group validation. Microsoft documents that enabling the override can change commit-failure handling for some applications, so qualify the change on a representative subset of endpoints before fleetwide rollout.
Optional rollback. Uncomment $revert = $true in the evaluation script to invert the override value and return the endpoint to the default disabled state.
On Windows 10 20H2 through 22H2, Windows 11 21H2 and 22H2, and Windows Server 2022, the build-specific DWORD (4103588492, 4204251788, 4237806220, or 4137142924) is present and set to 1 under HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides. On Windows 10 1607 and Server 2016, LazyRetryOnCommitFailure = 0 is set under HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager. On Windows 10 1809 and Server 2019, the same value is set under HKLM:\SYSTEM\CurrentControlSet\Control\Session. The Activity Log records which path and value were written and confirms the per-build prerequisite KB.
Subsequent evaluation runs find the override already in place and report the endpoint as compliant with no further change. Endpoints outside the supported build range log a no-action message. To validate by hand on a Windows 11 22H2 endpoint, run Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Name '4237806220' and confirm the value is 1, then watch for application compatibility regressions during the pilot window before fleetwide rollout.