EDIT: Updated May 3, 2024. Please refer to the following from now onward. This is a greatly improved article over this post, and it is in that article that I will post any new updates as they become available.
www.elevenforum.com
Performing Mitigations for BlackLotus UEFI Bootkit
Please note that this is my first attempt at an article with all the BBcode formatting. Any constructive criticism is welcome. At the same time, I would appreciate it if you could bear in mind that this is a first attempt! This is the initial release of this document, released on May 3, 2024...

EDIT: Updated May 2, 2024. Along with the April 9, 2024 Windows updates, Microsoft has completely revised the procedures for the BlackLotus UEFI Bootkit mitigations. The new procedures no longer work on my primary desktop. You will find the new procedures in the article for KB5025885 linked to below. I am currently looking into this and if my procedures are in any way affected, I'll post further updates. However, for now, the procedures on updating your Windows PE installation and Windows PE based bootable media seem to remain the same. Please note that I have some references below such as "PHASE 3 (the final phase), is currently expected in the first quarter of 2024" that need to be updated. I am aware of this and will update when I make further changes in the coming days.
EDIT: Batch files have been tweaked and updated on Jul 27, 2023. Please also note that this was tested with the US English version of Windows. It's possible that some adjustments may be needed for other locales but I have not looked into that. Use this information as a reference.
There was a lot of discussion on these forums regarding the May 2023 Windows updates and the included mitigations for the BlackLotus bootkit.
Below are some batch files and instructions to assist with addressing the BlackLotus bootkit issue.
NOTE: These instructions are based upon the July 2023 Patch Tuesday security updates. I will assume that you have the July updates installed before proceeding. Please also note that I am testing this on Windows 11 22H2 and the instructions are geared toward that version.
To summarize:
Microsoft is addressing this issue in three phases. The May 2023 Security Updates included PHASE 1 of the mitigations but also required user action. Please see this article for the details:
Yesterday's updates (the July 2023 Security Updates), include PHASE 2 of these mitigations. More on that below.
PHASE 3 (the final phase), is currently expected in the first quarter of 2024. This will be the "Enforcement" phase where Microsoft enforces the mitigations for this issue.
End Summary
I had already created a few batch files to aid in addressing these issues, but I held off posting them because phase 2 mitigations were imminent, and I wanted to see if I had to change or amend my procedures as a result. Below are my updated batch files to assist you with the mitigations, updated to include the changes with phase 2.
There are four parts to this:
1) Make certain that you first apply all the Windows updates up to and including the July 2023 Windows updates.
2) Prepare for further steps by manually downloading a copy of the July 2023 Latest Cumulative Update (LCU) for Windows from the Microsoft Update Catalog. To do so, follow these steps:
Go to the Microsoft Update Catalog, located here: https://www.catalog.update.microsoft.com/Home.aspx
In the search box, type the following (WITH the quotes), then click on Search or press ENTER:
"Windows 11" version 22H2 2023-07
As an alternative, you can search for "KB5028185" to find the July 2023 cumulative update. Make sure to grab the x64 version and the version NOT described as a dynamic update.
NOTE: After July 2023, for example, when the August 2023 updates are released, you can use that latest update rather than the July LCU.
Put aside this update for now. When you run the batch files later, it will ask you for that update file.
3) If you have any bootable media based upon Windows PE you should update it FIRST. Example: Macrium Reflect bootable media based upon Windows PE (NOT Windows RE). Why? In a little while, in step 4, we will apply "revocations" to Windows. Once that is done, any bootable media based upon Windows PE that has not been patched will not be allowed to boot if Secure Boot is enabled. As a result, it's best to perform this step now.
If you do not have any such Windows PE based bootable media, just skip to step 4. You can also skip to step 4 if you prefer to do this later, just be aware that if this is your only computer, you can be vulnerable if your bootable media doesn't work and you get into a situation where you cannot boot from the HDD / SSD.
To proceed, run the batch file called "UpdateWinPECustomMedia.bat". NOTE: I would suggest opening the batch file in Notepad first. Look at the "Explanation of User Customizable Settings" right near the top and determine if you want / need to change any settings.
When you run the batch file, it will tell you that you should place the LCU that you downloaded in a specific location. Do this when you are prompted to do so and then continue.
Follow the remaining instructions.
4) The next step is to apply the mitigations to your system. To do this, simply open an elevated command prompt (open it as Administrator) and then run this command:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f
After applying the above registry change, reboot the system. After the first reboot, wait a minimum of five minutes and then reboot a second time.
5) If you have Windows PE installed on your system, run the "UpdateWinPEAddOn.bat" and follow the instructions. As before, you may want to open this file in Notepad first and read the "Explanation of User Customizable Settings" section to see if you need to modify anything. Since Win PE is an add-on to the Windows ADK, we assume that you do have the ADK installed as well.
END PROCEDURE, START OF BATCH FILES
NOTE: In the batch files I reference a path that includes en-us. If you are not running the US English version of Windows, you may need to alter this path.
Batch File 1: The purpose of this batch file is to apply updates to Windows PE on your custom boot media. For example, if you have a Macrium Reflect Recovery Disk based upon Windows PE (not Windows RE), then you will want to update it. Save this to a file called "UpdateWinPECustomMedia.bat".
Code:
@echo off
setlocal enabledelayedexpansion
setlocal enableextensions
cd /d %~dp0
:: Version: July 27, 2023
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Explanation of User Customizable Settings :: ::
::::::::::::::::::::::::::::::::::::::::::::::: ::
:: Set the variables below to customize the behavior of the batch file. ::
:: ::
:: ADK_Is_Installed - Set this to Y if the ADK installed. Set to N if not installed. ::
:: Note: Having the ADK installed is not necessary, but if it is installed, we can ensure that we run the most ::
:: current version of DISM that is included with the ADK. ::
:: ::
:: ADK_Location - This should contain the path to the Windows ADK Deployment Tools. By default this will be: ::
:: C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools ::
:: You should not normally need to change this. It is ok to leave this here even if the ADK is not installed. ::
:: ::
:: ProjectLocation - The batch file will need a location where it can place the files needed for this project. ::
:: Specify a location to use for this purpose. By default the batch file is configured to use C:\Project. ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: IMPORTANT: For any variable to which a path is assigned, please DO NOT end the path with a trailing backslash (\).
:: Note that if a path contains parentheses, you should precede both the opening and closing parens with a ^ character.
:: Example: C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools
set ADK_Is_Installed=N
set ADK_Location=C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools
set ProjectLocation=C:\Project
:start
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Check to see if this batch file is being run as Administrator. If it is not, then rerun the batch file ::
:: automatically as admin and terminate the initial instance of the batch file. ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
(Fsutil Dirty Query %SystemDrive%>Nul)||(PowerShell start """%~f0""" -verb RunAs & Exit /B)
::::::::::::::::::::::::::::::::::::::::::::::::
:: End Routine to check if being run as Admin ::
::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: We reach this point once the batch file is run as admin ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Change the console mode to 120 columns wide by 25 lines high ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
mode con: cols=120 lines=25
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Save the current location where this batch file is being run, then run the "DandISetEnv.bat" file ::
:: which sets environment variables for the ADK. This also changes the current directory, which we do NOT ::
:: want, so we will change it back to the current directory. ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
if /I "%ADK_Is_Installed%"=="N" goto After_ADK_Env_Set
pushd %~dp0
call "%ADK_Location%\DandISetEnv.bat"
popd
:After_ADK_Env_set
:: Make the folders for this project
md %ProjectLocation% >nul 2>&1
md %ProjectLocation%\Mount >nul 2>&1
md %ProjectLocation%\LCU >nul 2>&1
md %ProjectLocation%\SSU >nul 2>&1
md %ProjectLocation%\temp >nul 2>&1
md %ProjectLocation%\WinPE >nul 2>&1
md %ProjectLocation%\WinPE_NEW >nul 2>&1
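:: Disable AV scanning for the project location. We will remove this exclusion when we are done.
:: NOTE: If the batch file is interrupted before it reaches :END, the exclusion stays in place until removed manually.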
powershell.exe -command Add-MpPreference -ExclusionPath "%ProjectLocation%"
cls
echo *******************
echo * Action Required *
echo *******************
echo.
echo 1) From the Microsoft Update Catalog, download the Latest Cumulative Update (LCU). Here is a sample search term to find
echo the LCU for Windows 11 22H2 as of July 2023. Include the quotes as shown: "Windows 11" version 22H2 2023-07
echo.
echo Make sure to download the x64 version of the update and NOT the arm64-based update. Also, download the version that
echo is NOT listed as being a dynamic update.
echo.
echo After downloading, right-click the update file, select properties, check the "Unblock" box and then click on OK.
echo.
echo Move the file to the %ProjectLocation%\LCU folder.
echo.
echo The Microsoft Update Catalog is located here: https://www.catalog.update.microsoft.com/Home.aspx
echo.
echo 2) Copy the boot.wim file from your custom media to the following location:
echo.
echo %ProjectLocation%\WinPE
echo.
echo Proceed only after you have performed the above tasks. If you indicate that you are not ready to proceed, we will exit
echo from this batch file. You can then rerun the batch file when you are ready to proceed. Please note that the folders
echo noted above have already been created and are ready for you to place the LCU and boot.wim files into.
echo.
CHOICE /M "Are you ready to proceed now? "
goto option-%errorlevel%
:option-2
:: This option indicates that the user is not ready to proceed. Terminate the batch file now.
goto END
:option-1
:: This option indicates that the user is ready to proceed. Continue with the code below.
:: Mount Windows PE
echo.
echo **********************
echo * Mounting the Image *
echo **********************
echo.
DISM /Mount-Image /ImageFile:"%ProjectLocation%\WinPE\boot.wim" /index:1 /MountDir:"%ProjectLocation%\Mount"
:: The Latest Cumulative Update (LCU) may possibly also contain an SSU (Servicing Stack Update). Run the following to
:: extract the SSU if one is present. If an SSU is not present, no worries, this won't harm anything.
echo.
echo *****************************
echo * Extracting SSU if Present *
echo *****************************
echo.
expand "%ProjectLocation%\LCU\*.MSU" /f:"SSU*.cab" "%ProjectLocation%\SSU"
:: Apply SSU if a file is present. If no file is present, an error may be shown.
echo.
echo ***************************************************
echo * Applying SSU, if present. An error may be shown *
echo * if no SSU is present or if it does not apply to *
echo * this image. *
echo ***************************************************
echo.
DISM /Add-Package /Image:"%ProjectLocation%\Mount" /PackagePath="%ProjectLocation%\SSU"
:: Apply The LCU
echo.
echo ********************
echo * Applying the LCU *
echo ********************
echo.
DISM /Add-Package /Image:"%ProjectLocation%\Mount" /PackagePath="%ProjectLocation%\LCU"
:: Lock in the updates
echo.
echo **********************
echo * Locking in Updates *
echo **********************
echo.
DISM /Cleanup-Image /Image:"%ProjectLocation%\Mount" /StartComponentCleanup /Resetbase /ScratchDir:%ProjectLocation%\temp
:: Unmount the Win PE image and commit the changes
echo.
echo **********************
echo * Committing Changes *
echo **********************
echo.
DISM /Unmount-Image /MountDir:"%ProjectLocation%\Mount" /Commit
echo.
echo *******************************
echo * Exporting the Updated Image *
echo *******************************
echo.
DISM /Export-Image /Bootable /SourceImageFile:"%ProjectLocation%\WinPE\boot.wim" /SourceIndex:1 /DestinationImageFile:"%ProjectLocation%\WinPE_New\boot.wim"
:: This concludes the process.
:END
powershell.exe -command Remove-MpPreference -ExclusionPath "%ProjectLocation%"
cls
echo The updated boot.wim file can now be found in the following location:
echo.
echo %ProjectLocation%\WinPE_NEW
echo.
echo Copy this file to your customized media, overwriting the original boot.wim file located there.
echo.
echo TIP: You may want to backup your original boot.wim until you test this updated file to make sure it works properly.
echo.
pause
cls
echo The batch file will now end. If you are done, you may want to consider deleting the project folder.
echo The project is located here:
echo.
echo %ProjectLocation%
echo.
pause
Batch File 2: This batch file will update a locally installed copy of Windows PE. Since Windows PE is considered an add-on to the Windows ADK, this batch file assumes that you have the ADK installed as well. If not, please install the ADK. When presented with the available options, you need only choose to install the Deployment Tools. Save this batch file to "UpdateWinPEAddOn.bat".
Code:
@echo off
setlocal enabledelayedexpansion
setlocal enableextensions
cd /d %~dp0
:: Version: July 27, 2023
:: Note: This batch file is tested with the US English version of Windows. There are paths that reference
:: en-us in the batch file that may need to be modified for other locales.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Explanation of User Customizable Settings :: ::
::::::::::::::::::::::::::::::::::::::::::::::: ::
:: Set the variables below to customize the behavior of the batch file. ::
:: ::
:: ADK_Location - This should contain the path to the Windows ADK Deployment Tools. By default this will be: ::
:: C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools ::
:: You should not normally need to change this. ::
:: ::
:: ProjectLocation - The batch file will need a location where it can place the files needed for this project. ::
:: Specify a location to use for this purpose. By default the batch file is configured to use C:\Project ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: IMPORTANT: For any variable to which a path is assigned, please DO NOT end the path with a trailing backslash (\).
:: Note that if a path contains parentheses, you should precede both the opening and closing parens with a ^ character.
:: Example: C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools
set ADK_Location=C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools
set ProjectLocation=C:\Project
:start
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Check to see if this batch file is being run as Administrator. If it is not, then rerun the batch file ::
:: automatically as admin and terminate the initial instance of the batch file. ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
(Fsutil Dirty Query %SystemDrive%>Nul)||(PowerShell start """%~f0""" -verb RunAs & Exit /B)
::::::::::::::::::::::::::::::::::::::::::::::::
:: End Routine to check if being run as Admin ::
::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: We reach this point once the batch file is run as admin ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Change the console mode to 120 columns wide by 25 lines high ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
mode con: cols=120 lines=25
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Save the current location where this batch file is being run, then run the "DandISetEnv.bat" file ::
:: which sets environment variables for the ADK. This also changes the current directory, which we do NOT ::
:: want, so we will change it back to the current directory. ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
pushd %~dp0
call "%ADK_Location%\DandISetEnv.bat"
popd
:: Make the folders for this project
md %ProjectLocation% >nul 2>&1
md %ProjectLocation%\Mount >nul 2>&1
md %ProjectLocation%\LCU >nul 2>&1
md %ProjectLocation%\SSU >nul 2>&1
md %ProjectLocation%\temp >nul 2>&1
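:: Disable AV scanning for the project location. We will remove this exclusion when we are done.
:: NOTE: If the batch file is interrupted before it reaches :END, the exclusion stays in place until removed manually.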
powershell.exe -command Add-MpPreference -ExclusionPath "%ProjectLocation%"
cls
echo *******************
echo * Action Required *
echo *******************
echo.
echo From the Microsoft Update Catalog, download the Latest Cumulative Update (LCU). Here is a sample search term to find the
echo LCU for Windows 11 22H2 as of July 2023. Include the quotes as shown:
echo.
echo. "Windows 11" version 22H2 2023-07
echo.
echo Make sure to download the x64 version of the update and NOT the arm64-based update. In addition, make certain that
echo the version you download is NOT listed as being a dynamic update.
echo.
echo After downloading, right-click the update file, select properties, check the "Unblock" box and then click on OK.
echo.
echo Move the file to the %ProjectLocation%\LCU folder.
echo.
echo The Microsoft Update Catalog is located here: https://www.catalog.update.microsoft.com/Home.aspx
echo.
echo Proceed only after you have downloaded the update and placed it in the above noted location. If you indicate that
echo you are not ready to proceed, we will exit from this batch file. You can then rerun the batch file when you are
echo ready to proceed. Please note that the folder %ProjectLocation%\LCU has already been created and is ready for you
echo to place the LCU file.
echo.
CHOICE /M "Are you ready to proceed now? "
goto option-%errorlevel%
:option-2
:: This option indicates that the user is not ready to proceed. Terminate the batch file now.
goto END
:option-1
:: This option indicates that the user is ready to proceed. Continue with the code below.
cls
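:: Switch to the Windows PE add-on folder. /d also changes the drive if the ADK is not installed on C:.
cd /d "%ADK_Location%\..\Windows Preinstallation Environment\amd64"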
:: Make a backup copy of winpe.wim.
xcopy "en-us\winpe.wim" "en-us\winpe.wim.orig" /Y /-I
:: Mount Windows PE
echo.
echo **********************
echo * Mounting the Image *
echo **********************
echo.
DISM /Mount-Image /ImageFile:"en-us\winpe.wim" /index:1 /MountDir:"%ProjectLocation%\Mount"
:: The Latest Cumulative Update (LCU) may possibly also contain an SSU (Servicing Stack Update). Run the following to
:: extract the SSU if one is present. If an SSU is not present, no worries, this won't harm anything.
echo.
echo *****************************
echo * Extracting SSU if Present *
echo *****************************
echo.
expand "%ProjectLocation%\LCU\*.MSU" /f:"SSU*.cab" "%ProjectLocation%\SSU"
:: Apply SSU if a file is present. If no file is present, an error may be shown.
echo.
echo ***************************************************
echo * Applying SSU, if present. An error may be shown *
echo * if no SSU is present or if it does not apply to *
echo * this image. *
echo ***************************************************
echo.
DISM /Add-Package /Image:"%ProjectLocation%\Mount" /PackagePath="%ProjectLocation%\SSU"
:: Apply The LCU
echo.
echo ********************
echo * Applying the LCU *
echo ********************
echo.
DISM /Add-Package /Image:"%ProjectLocation%\Mount" /PackagePath="%ProjectLocation%\LCU"
:: Lock in the updates
echo.
echo **********************
echo * Locking in Updates *
echo **********************
echo.
DISM /Cleanup-Image /Image:"%ProjectLocation%\Mount" /StartComponentCleanup /Resetbase /ScratchDir:%ProjectLocation%\temp
:: Copy boot files back to the Win PE add-on installation
echo.
echo **********************
echo * Copying Boot Files *
echo **********************
echo.
Xcopy "%ProjectLocation%\Mount\Windows\Boot\EFI\bootmgr.efi" "Media\bootmgr.efi" /Y /-I
Xcopy "%ProjectLocation%\Mount\Windows\Boot\EFI\bootmgfw.efi" "Media\EFI\Boot\bootx64.efi" /Y /-I
:: Unmount the Win PE image and commit the changes
echo.
echo **********************
echo * Committing Changes *
echo **********************
echo.
DISM /Unmount-Image /MountDir:"%ProjectLocation%\Mount" /Commit
:: Performing an export can make the file smaller because the old version of files that were
:: updated do not get deleted until the export is performed.
DISM /Export-Image /Bootable /SourceImageFile:"%ADK_Location%\..\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /SourceIndex:1 /DestinationImageFile:"%ADK_Location%\..\Windows Preinstallation Environment\amd64\en-us\winpe.wim.new"
DEL "%ADK_Location%\..\Windows Preinstallation Environment\amd64\en-us\winpe.wim"
REN "%ADK_Location%\..\Windows Preinstallation Environment\amd64\en-us\winpe.wim.new" winpe.wim
:: This concludes the process. Any images or media that you now create that uses the Windows PE add-on will now have
:: updated Windows PE files.
:END
powershell.exe -command Remove-MpPreference -ExclusionPath "%ProjectLocation%"
cls
echo The batch file will now end. If you are done, you may want to consider deleting the project folder.
echo The project is located here:
echo.
echo %ProjectLocation%
echo.
pause
If anything is not clear or I can help any further with this, please do let me know.
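The following PowerShell script is an added example, not part of the original post or the author's batch files. It runs read-only checks after the five steps: Secure Boot state, the AvailableUpdates value, a leftover Defender exclusion or stale DISM mount from an interrupted run, and the boot manager inside the updated boot.wim. The parameter names, the function name, and the rule that the Windows PE boot manager should not be older than the installed system's are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only checks to run after the procedure. Not the post author's code.
param(
    [string]$ProjectLocation = 'C:\Project',                                   # default used by both batch files
    [string]$UpdatedWim = (Join-Path $ProjectLocation 'WinPE_NEW\boot.wim'),   # output of UpdateWinPECustomMedia.bat
    [string]$MediaWim                                                          # optional: boot.wim on your boot media
)

function Get-BootManagerInfo {
    # Hypothetical helper: file version and Authenticode status of one boot manager binary.
    param([string]$Path)
    $v = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Version   = [version]::new($v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
        Signature = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
}

$report = [ordered]@{}

# 1. The revocations only matter with Secure Boot on. The cmdlet throws on non-UEFI systems.
$report['SecureBootEnabled'] = try { Confirm-SecureBootUEFI } catch { "unknown ($($_.Exception.Message))" }

# 2. Report the value written in step 4. The page does not say what Windows does to it
#    after the reboots, so it is only displayed here, not interpreted.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$au  = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
$report['AvailableUpdates'] = if ($null -eq $au) { 'not set' } else { '0x{0:X}' -f $au }

# 3. Both batch files exclude the project folder from Defender scanning and remove the
#    exclusion at :END. If a run was interrupted, the exclusion is still present.
$exclusions = @((Get-MpPreference).ExclusionPath)
$report['DefenderExclusionLeftBehind'] = $exclusions -contains $ProjectLocation

# 4. An interrupted run can also leave an image mounted under the project folder.
$stale = @(Get-WindowsImage -Mounted | Where-Object { $_.Path -like "$ProjectLocation\*" })
$report['StaleMounts'] = if ($stale.Count) { ($stale.Path -join '; ') } else { 'none' }

# 5. Mount the updated image read-only and compare its boot manager with the one
#    serviced on the installed system (assumption: it should not be older).
if (Test-Path -LiteralPath $UpdatedWim) {
    $mount = Join-Path $env:TEMP ('wimcheck_' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $mount | Out-Null
    try {
        Mount-WindowsImage -ImagePath $UpdatedWim -Index 1 -Path $mount -ReadOnly | Out-Null
        $pe  = Get-BootManagerInfo (Join-Path $mount 'Windows\Boot\EFI\bootmgfw.efi')
        $sys = Get-BootManagerInfo (Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi')
        $report['WinPEBootMgrVersion']         = $pe.Version
        $report['SystemBootMgrVersion']        = $sys.Version
        $report['WinPEBootMgrSignature']       = $pe.Signature
        $report['WinPEBootMgrNotOlderThanSys'] = $pe.Version -ge $sys.Version
    }
    finally {
        # Discard: nothing is written back to the image.
        Dismount-WindowsImage -Path $mount -Discard -ErrorAction SilentlyContinue | Out-Null
        Remove-Item -LiteralPath $mount -Recurse -Force -ErrorAction SilentlyContinue
    }
}
else {
    $report['WinPEBootMgrVersion'] = "skipped: $UpdatedWim not found"
}

# 6. Confirm that the boot.wim on the media is the updated one (SHA256 comparison).
if ($MediaWim -and (Test-Path -LiteralPath $MediaWim) -and (Test-Path -LiteralPath $UpdatedWim)) {
    $report['MediaMatchesUpdatedWim'] =
        (Get-FileHash -LiteralPath $MediaWim).Hash -eq (Get-FileHash -LiteralPath $UpdatedWim).Hash
}

[pscustomobject]$report | Format-List
```

Run it from an elevated PowerShell prompt after the second reboot in step 4, and before deleting the project folder if you want the boot.wim checks to run.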