Update-WindowsRE.ps1

$packagePath = "C:\temp\update.msu"
function PatchPackage([string]$mountDir, [string]$packagePath) {
    # Add package
    Write-Output("Apply package:" + $packagePath)
    Dism /Add-Package /Image:$mountDir /PackagePath:$packagePath
    if ($LASTEXITCODE -eq 0) {
        Write-Output("Successfully applied the package")
    }
    else {
        Write-Output("Applying the package failed with exit code: " + $LASTEXITCODE)
        return $False
    }
    # Cleanup recovery image
    Write-Output("Cleanup image")
    Dism /image:$mountDir /cleanup-image /StartComponentCleanup /ResetBase
    if ($LASTEXITCODE -eq 0) {
        Write-Output("Cleanup image succeed")
    }
    else {
        Write-Output("Cleanup image failed: " + $LASTEXITCODE)
        return $False
    }
    return $True
}
$WinREInfo = Reagentc /info
$findLocation = $False
foreach ($line in $WinREInfo) {
    $params = $line.Split(':')
    if ($params.count -le 1) {
        continue
    }
    if ($params[1].Lenght -eq 0) {
        continue
    }
    $content = $params[1].Trim()
    if ($content.Lenght -eq 0) {
        continue
    }
    $index = $content.IndexOf("\\?\")
    if ($index -ge 0) {
        Write-Output("Find \\?\ at " + $index + " for [" + $content + "]")
        $WinRELocation = $content
        $findLocation = $True
    }
}
if (!$findLocation) {
    Write-Output("WinRE Disabled")
    exit 1
}
Write-Output("WinRE Enabled. WinRE location:" + $WinRELocation)
$WinREFile = $WinRELocation + "\winre.wim"
if ([string]::IsNullorEmpty($workDir)) {
    Write-Output("No input for mount directory")
    Write-Output("Use default path from temporary directory")
    $workDir = [System.IO.Path]::GetTempPath()
}
Write-Output("Working Dir: " + $workDir)
$name = "CA551926-299B-27A55276EC22_Mount"
$mountDir = Join-Path $workDir $name
Write-Output("MountDir: " + $mountdir)
# Delete existing mount directory
if (Test-Path $mountDir) {
    Write-Output("Mount directory: " + $mountDir + " already exists")
    Write-Output("Try to unmount it")
    Dism /unmount-image /mountDir:$mountDir /discard
    if (!($LASTEXITCODE -eq 0)) {
        Write-Output("Warning: unmount failed: " + $LASTEXITCODE)
    }
    Write-Output("Delete existing mount direcotry " + $mountDir)
    Remove-Item $mountDir -Recurse
}
# Create mount directory
Write-Output("Create mount directory " + $mountDir)
New-Item -Path $mountDir -ItemType Directory
# Set ACL for mount directory
Write-Output("Set ACL for mount directory")
icacls $mountDir /inheritance:r
icacls $mountDir /grant:r SYSTEM:"(OI)(CI)(F)"
icacls $mountDir /grant:r *S-1-5-32-544:"(OI)(CI)(F)"
# Mount WinRE
Write-Output("Mount WinRE:")
Dism /mount-image /imagefile:$WinREFile /index:1 /mountdir:$mountDir
if ($LASTEXITCODE -eq 0) {
    # Patch WinRE
    if (PatchPackage -mountDir $mountDir -packagePath $packagePath) {
        # Disable WinRE and re-enable it to let new WinRE be trusted by BitLocker
        Write-Output("Disable WinRE")
        reagentc /disable
        Write-Output("Re-enable WinRE")
        reagentc /enable
        reagentc /info
    }
    else {
        Write-Output("Patch failed or is not applicable, discard unmount")
        Dism /unmount-image /mountDir:$mountDir /discard
        if (!($LASTEXITCODE -eq 0)) {
            Write-Output("Unmount failed: " + $LASTEXITCODE)
            exit 1
        }
    }
}
else {
    Write-Output("Mount failed: " + $LASTEXITCODE)
}
# Cleanup Mount directory in the end
Write-Output("Delete mount direcotry")
Remove-Item $mountDir -Recurse