Latest on the BlackLotus Bootkit Mitigations - Includes Instructions and Batch Files

hsehestedt · Jul 12, 2023

EDIT: Batch files have been tweaked and updated on Jul 27, 2023. Please also note that this was tested with the US English version of Windows. It's possible that some adjustments may be needed for other locales but I have not looked into that. Use this information as a reference.

There was a lot of discussion on these forums regarding the May 2023 Windows updates and the included mitigations for the BlackLotus bootkit.

Below are some batch files and instructions to assist with addressing the BlackLotus bootkit issue.

NOTE: These instructions based upon the July 2023 Patch Tuesday security updates. I will assume that you have the July updates installed before proceeding. Please also note that I am testing this on Windows 11 22H2 and the instructions are geared toward that version.

To summarize:

Microsoft is addressing this issue in three phases. The May 2023 Security Updates included PHASE 1 of the mitigations but also required user action. Please see this article for the details:

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

Yesterday's updates (the July 2023 Security Updates), include PHASE 2 of these mitigations. More on that below.

PHASE 3 (the final phase), is currently expected in the first quarter of 2024. This will be the "Enforcement" phase where Microsoft enforces the mitigations for this issue.

End Summary

I had already created a few batch files to aid in addressing these issues, but I held off posting them because phase 2 mitigations were imminent, and I wanted to see if I had to change or amend my procedures as a result. Below are my updated batch files to assist you with the mitigations, updated to include the changes with phase 2.

There are four parts to this:

1) Make certain that you first apply all the Windows updates up to and including the July 2023 Windows updates.

2) Prepare for further steps by manually downloading a copy of the July 2023 Latest Cumulative Update (LCU) for Windows from the Microsoft Update Catalog. To do so, follow these steps:

Go to the Microsoft Update Catalog, located here:

Microsoft Update Catalog

In the search box, type the following (WITH the quotes), then click on Search or press ENTER:

"Windows 11" version 22H2 2023-07

As an alternative, you can search for "KB5028185" to find the July 2023 cumulative update. Make sure to grab the x64 version and the version NOT described as a dynamic update.

NOTE: After July 2023, for example, when the August 2023 updates are released, you can use that latest update rather than the July LCU.

Put aside this update for now. When you run the batch files later, it will ask you for that update file.

3) If you have any bootable media based upon Windows PE you should update it FIRST. Example: Macrium Reflect bootable media based upon Windows PE (NOT Windows RE). Why? In a little while, in step 4, we will apply "revocations" to Windows. Once that is done, any bootable media based upon Windows PE that has not been patched will not be allowed to boot if Secure Boot is enabled. As a result, it's best to perform this step now.

If you do not have any such Windows PE based bootable media, just skip to step 4. You can also skip to step 4 if you prefer to do this later, just be aware that if this is your only computer, you can be vulnerable if your bootable media doesn't work and you get into a situation where you cannot boot from the HDD / SSD.

To proceed, run the batch file called "UpdateWinPECustomMedia.bat". NOTE: I would suggest opening the batch file in Notepad first. Look at the "Explanation of User Customizable Settings" right near the top and determine if you want / need to change any settings.

When you run the batch file, it will tell you that you should place the LCU that you downloaded in a specific location. Do this when you are prompted to do so and then continue.

Follow the remaining instructions.

4) The next step is to apply the mitigations to your system. To do this, simply open an elevated command prompt (open it as Administrator) and then run this command:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f

After applying the above registry change, reboot the system. After the first reboot, wait a minimum of five minutes and then reboot a second time.

5) If you have Windows PE installed on your system, run the "UpdateWinPEAddOn.bat" and follow the instructions. As before, you may want to open this file in Notepad first and read the "Explanation of User Customizable Settings" section to see if you need to modify anything. Since Win PE is an add-on to the Windows ADK, we assume that you do have the ADK installed as well.

END PROCEDURE, START OF BATCH FILES

NOTE: In the batch files I reference a path that includes en-us. If you are not running the US English version of Windows, you may need to alter this path.

Batch File 1: The purpose of this batch file is to apply updates to Windows PE on your custom boot media. For example, if you have a Macrium Reflect Recovery Disk based upon Windows PE (not Windows RE), then you will want to update it. save this to a file called "UpdateWinPECustomMedia.bat".

Code:

@echo off
setlocal enabledelayedexpansion
setlocal enableextensions
cd /d %~dp0

:: Version: July 27, 2023

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Explanation of User Customizable Settings ::                                                                   ::
:::::::::::::::::::::::::::::::::::::::::::::::                                                                   ::
:: Set the variables below to customize the behavior of the batch file.                                           ::
::                                                                                                                ::
:: ADK_Is_Installed - Set this to Y if the ADK installed. Set to N if not installed.                              ::
::    Note: Having the ADK installed is not necessary, but if it is installed, we can ensure that we run the most ::
::    current version of DISM that is included with the ADK.                                                      ::
::                                                                                                                ::
:: ADK_Location - This should contain the path to the Windows ADK Deployment Tools. By default this will be:      ::
::    C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools                     ::
::    You should not normally need to change this. It is ok to leave this here even if the ADK is not installed.  ::
::                                                                                                                ::
:: ProjectLocation - The batch file will need a location where it can place the files needed for this project.    ::
::    Specify a location to use for this purpose. By default the batch file is configured to use C:\Project.      ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


:: IMPORTANT: For any variable to which a path is assigned, please  DO NOT end the path with a trailing backslash (\).
:: Note that if a path contains parenthesis You should preceed both the opening and closing parens with a ^ character.
:: Example: C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools

set ADK_Is_Installed=N
set ADK_Location=C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools
set ProjectLocation=C:\Project


:start

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Check to see if this batch file is being run as Administrator. If it is not, then rerun the batch file ::
:: automatically as admin and terminate the intial instance of the batch file.                            ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

(Fsutil Dirty Query %SystemDrive%>Nul)||(PowerShell start """%~f0""" -verb RunAs & Exit /B)

::::::::::::::::::::::::::::::::::::::::::::::::
:: End Routine to check if being run as Admin ::
::::::::::::::::::::::::::::::::::::::::::::::::

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: We reach this point once the batch file is run as admin ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Change the console mode to 120 columns wide by 25 lines high ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

mode con: cols=120 lines=25

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Save the current location where this batch file is being run, then run the the "DandISetEnv.bat" file  ::
:: which sets environment variables for the ADK. This also changes the current directory, which we do NOT ::
:: want, so we will change it back to the current directory.                                              ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

if ADK_Is_Installed==N goto After_ADK_Env_Set

pushd %~dp0
call "%ADK_Location%\DandISetEnv.bat"
popd

:After_ADK_Env_set

:: Make the folders for this project

md %ProjectLocation% >nul 2>&1
md %ProjectLocation%\Mount >nul 2>&1
md %ProjectLocation%\LCU >nul 2>&1
md %ProjectLocation%\SSU >nul 2>&1
md %ProjectLocation%\temp >nul 2>&1
md %ProjectLocation%\WinPE >nul 2>&1
md %ProjectLocation%\WinPE_NEW >nul 2>&1

:: Disable AV scanning for the project location. We will remove this exclusion when we are done.

powershell.exe -command Add-MpPreference -ExclusionPath "%ProjectLocation%"

cls
echo *******************
echo * Action Required *
echo *******************
echo.
echo 1) From the Microsoft Update Catalog, download the Latest Cumulative Update (LCU). Here is a sample search term to find
echo the LCU for Windows 11 22H2 as of July 2023. Include the quotes as shown: "Windows 11" version 22H2 2023-07
echo.
echo Make sure to download the x64 version of the update and NOT the arm64-based update. Also, download the version that
echo is NOT listed as being a dynamic update.
echo.
echo After downloading, right-click the update file, select properties, check the "Unblock" box and then click on OK.
echo.
echo Move the file to the %ProjectLocation%\LCU folder.
echo.
echo The Microsoft Update Catalog is located here: https://www.catalog.update.microsoft.com/Home.aspx
echo.
echo 2) Copy the boot.wim file from your custom media to the following location:
echo.
echo %ProjectLocation%\WinPE
echo.
echo Proceed only after you have performed the above tasks. If you indicate that you are not ready to proceed, we will exit
echo from this batch file. You can then rerun the batch file when you are ready to proceed. Please note that the folders
echo noted above have already been created and and ready for youo to place the LCU and boot.wim files into.
echo.

CHOICE /M "Are you ready to proceed now? "
goto option-%errorlevel%

:option-2
:: This option indicates that the user is not ready to proceed. Terminate the batch file now.
goto END

:option-1
:: This option indicates that the user is ready to proceed. Continue with the code below.

:: Mount Windows PE

echo.
echo **********************
echo * Mounting the Image *
echo **********************
echo.

DISM /Mount-Image /ImageFile:"%ProjectLocation%\WinPE\boot.wim" /index:1 /MountDir:"%ProjectLocation%\Mount"

:: The Latest Cumulative Update (LCU) may possibly also contain an SSU (Servicing Stack Update). Run the following to
:: extract the SSU if one is present. If an SSU is not present, no worries, this won't harm anything.

echo.
echo *****************************
echo * Extracting SSU if Present *
echo *****************************
echo.

expand "%ProjectLocation%\LCU\*.MSU" /f:"SSU*.cab" "%ProjectLocation%\SSU"

:: Apply SSU if a file is present. If no file is present, an error may be shown.

echo.
echo ***************************************************
echo * Applying SSU, if present. An error may be shown *
echo * if no SSU is present or if it does not apply to *
echo * this image.                                     *
echo ***************************************************
echo.

DISM /Add-Package /Image:"%ProjectLocation%\Mount" /PackagePath="%ProjectLocation%\SSU"

:: Apply The LCU

echo.
echo ********************
echo * Applying the LCU *
echo ********************
echo.

DISM /Add-Package /Image:"%ProjectLocation%\Mount" /PackagePath="%ProjectLocation%\LCU"

:: Lock in the updates

echo.
echo **********************
echo * Locking in Updates *
echo **********************
echo.

DISM /Cleanup-Image /Image:"%ProjectLocation%\Mount" /StartComponentCleanup /Resetbase /ScratchDir:%ProjectLocation%\temp

:: Unmount the Win PE image and commit the changes

echo.
echo *********************
echo * Commiting Changes *
echo *********************
echo.

DISM /Unmount-Image /MountDir:"%ProjectLocation%\Mount" /Commit

echo.
echo *******************************
echo * Exporting the Updated Image *
echo *******************************
echo.

DISM /Export-Image /Bootable /SourceImageFile:"%ProjectLocation%\WinPE\boot.wim" /SourceIndex:1 /DestinationImageFile:"%ProjectLocation%\WinPE_New\boot.wim"

:: This concludes the process.


:END

powershell.exe -command Remove-MpPreference -ExclusionPath "%ProjectLocation%"

cls
echo The updated boot.wim file can now be found in the following location:
echo.
echo %ProjectLocation%\WinPE_NEW
echo.
echo Copy this file to your customized media, overwriting the original boot.wim file located there.
echo.
echo TIP: You may want to backup your original boot.wim until you test this updated file to make sure it works properly.
echo.
pause
cls
echo The batch file will now end. If you are done, you may want to consider deleting the project folder.
echo The project is located here:
echo.
echo %ProjectLocation%
echo.
pause

Batch File 2: This batch file will update a locally installed copy of Windows PE. Since Windows PE is considered an add-on to the Windows ADK, this batch file assumes that you have the ADK installed as well. If not, [please install the ADK. When presented the available options, you need only chose to install the Deployment Tools. Save this batch file to "UpdateWinPEAddOn.bat".

Code:

@echo off
setlocal enabledelayedexpansion
setlocal enableextensions
cd /d %~dp0

:: Version: July 27, 2023

:: Note: This batch file is tested with the US English version of Windows. There are paths that reference
::       en-us in the batch file that may need to be modified for other locales.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Explanation of User Customizable Settings ::                                                                   ::
:::::::::::::::::::::::::::::::::::::::::::::::                                                                   ::
:: Set the variables below to customize the behavior of the batch file.                                           ::
::                                                                                                                ::
:: ADK_Location - This should contain the path to the Windows ADK Deployment Tools. By default this will be:      ::
::    C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools                     ::
::    You should not normally need to change this.                                                                ::
::                                                                                                                ::
:: ProjectLocation - The batch file will need a location where it can place the files needed for this project.    ::
::    Specify a location to use for this purpose. By default the batch file is configured to use C:\Project       ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


:: IMPORTANT: For any variable to which a path is assigned, please  DO NOT end the path with a trailing backslash (\).
:: Note that if a path contains parenthesis You should preceed both the opening and closing parens with a ^ character.
:: Example: C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools

set ADK_Location=C:\Program Files ^(x86^)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools
set ProjectLocation=C:\Project


:start

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Check to see if this batch file is being run as Administrator. If it is not, then rerun the batch file ::
:: automatically as admin and terminate the intial instance of the batch file.                            ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

(Fsutil Dirty Query %SystemDrive%>Nul)||(PowerShell start """%~f0""" -verb RunAs & Exit /B)

::::::::::::::::::::::::::::::::::::::::::::::::
:: End Routine to check if being run as Admin ::
::::::::::::::::::::::::::::::::::::::::::::::::

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: We reach this point once the batch file is run as admin ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Change the console mode to 120 columns wide by 25 lines high ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

mode con: cols=120 lines=25

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Save the current location where this batch file is being run, then run the the "DandISetEnv.bat" file  ::
:: which sets environment variables for the ADK. This also changes the current directory, which we do NOT ::
:: want, so we will change it back to the current directory.                                              ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

pushd %~dp0
call "%ADK_Location%\DandISetEnv.bat"
popd

:: Make the folders for this project

md %ProjectLocation% >nul 2>&1
md %ProjectLocation%\Mount >nul 2>&1
md %ProjectLocation%\LCU >nul 2>&1
md %ProjectLocation%\SSU >nul 2>&1
md %ProjectLocation%\temp >nul 2>&1

:: Disable AV scanning for the project location. We will remove this exclusion when we are done.

powershell.exe -command Add-MpPreference -ExclusionPath "%ProjectLocation%"

cls
echo *******************
echo * Action Required *
echo *******************
echo.
echo From the Microsoft Update Catalog, download the Latest Cumulative Update (LCU). Here is a sample search term to find the
echo LCU for Windows 11 22H2 as of July 2023. Include the quotes as shown:
echo.
echo. "Windows 11" version 22H2 2023-07
echo.
echo Make sure to download the x64 version of the update and NOT the arm64-based update. In addition, make certain that
echo the version you download is NOT listed as being a dynamic update.
echo.
echo After downloading, right-click the update file, select properties, check the "Unblock" box and then click on OK.
echo.
echo Move the file to the %ProjectLocation%\LCU folder.
echo.
echo The Microsoft Update Catalog is located here: https://www.catalog.update.microsoft.com/Home.aspx
echo.
echo Proceed only after you have downloaded the update and placed it in the above noted location. If you indicate that
echo you are not ready to proceed, we will exit from this batch file. You can then rerun the batch file when you are
echo ready to proceed. Please note that the folder %ProjectLocation%\LCU has already been created and is ready for you
echo to place the LCU file.
echo.

CHOICE /M "Are you ready to proceed now? "
goto option-%errorlevel%

:option-2
:: This option indicates that the user is not ready to proceed. Terminate the batch file now.
goto END

:option-1
:: This option indicates that the user is ready to proceed. Continue with the code below.

cls
c:
cd %ADK_Location%\..\Windows Preinstallation Environment\amd64

:: Make a backup copy of winpe.wim.

xcopy "en-us\winpe.wim" "en-us\winpe.wim.orig" /Y /-I

:: Mount Windows PE

echo.
echo **********************
echo * Mounting the Image *
echo **********************
echo.

DISM /Mount-Image /ImageFile:"en-us\winpe.wim" /index:1 /MountDir:"%ProjectLocation%\Mount"

:: The Latest Cumulative Update (LCU) may possibly also contain an SSU (Servicing Stack Update). Run the following to
:: extract the SSU if one is present. If an SSU is not present, no worries, this won't harm anything.

echo.
echo *****************************
echo * Extracting SSU if Present *
echo *****************************
echo.

expand "%ProjectLocation%\LCU\*.MSU" /f:"SSU*.cab" "%ProjectLocation%\SSU"

:: Apply SSU if a file is present. If no file is present, an error may be shown.

echo.
echo ***************************************************
echo * Applying SSU, if present. An error may be shown *
echo * if no SSU is present or if it does not apply to *
echo * this image.                                     *
echo ***************************************************
echo.

DISM /Add-Package /Image:"%ProjectLocation%\Mount" /PackagePath="%ProjectLocation%\SSU"

:: Apply The LCU

echo.
echo ********************
echo * Applying the LCU *
echo ********************
echo.

DISM /Add-Package /Image:"%ProjectLocation%\Mount" /PackagePath="%ProjectLocation%\LCU"

:: Lock in the updates

echo.
echo **********************
echo * Locking in Updates *
echo **********************
echo.

DISM /Cleanup-Image /Image:"%ProjectLocation%\Mount" /StartComponentCleanup /Resetbase /ScratchDir:%ProjectLocation%\temp

:: Copy boot files back to the Win PE add-on installation

echo.
echo **********************
echo * Copying Boot Files *
echo **********************
echo.

Xcopy "%ProjectLocation%\Mount\Windows\Boot\EFI\bootmgr.efi" "Media\bootmgr.efi" /Y /-I
Xcopy "%ProjectLocation%\Mount\Windows\Boot\EFI\bootmgfw.efi" "Media\EFI\Boot\bootx64.efi" /Y /-I

:: Unmount the Win PE image and commit the changes

echo.
echo *********************
echo * Commiting Changes *
echo *********************
echo.

DISM /Unmount-Image /MountDir:"%ProjectLocation%\Mount" /Commit

:: Performing an export can make the file smaller because the old version of files that were
:: updated do not get deleted until the export is performed.

DISM /Export-Image /Bootable /SourceImageFile:"%ADK_Location%\..\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /SourceIndex:1 /DestinationImageFile:"%ADK_Location%\..\Windows Preinstallation Environment\amd64\en-us\winpe.wim.new"

DEL "%ADK_Location%\..\Windows Preinstallation Environment\amd64\en-us\winpe.wim"

REN "%ADK_Location%\..\Windows Preinstallation Environment\amd64\en-us\winpe.wim.new" winpe.wim

:: This concludes the process. Any images or media that you now create that uses the Windows PE add-on will now have
:: updated Windows PE files.

:END

powershell.exe -command Remove-MpPreference -ExclusionPath "%ProjectLocation%"

cls
echo The batch file will now end. If you are done, you may want to consider deleting the project folder.
echo The project is located here:
echo.
echo %ProjectLocation%
echo.
pause

If anything is not clear or I can help any further with this, please do let me know.

JagoWu · Sep 18, 2023

Hi hsehestedt,
I am testing out the batch scripts now. Using the Windows 11 22H2 Sept LCU instead of July. So far it patched the SCCM Custom Boot image fine. I then uploaded it back to SCCM to test later. I will next try to patch the ADK WinPE that is installed (backups of course first). On my client, I am installing the same Sept LCU and will try the apply the rev fix. Will let you know how it turns out. Thank You

garlin · Sep 18, 2023

So the punch line, is replace two revoked EFI boot files in both boot & install.wim.

JagoWu · Sep 18, 2023

Essentially Yes. I use the latest VL, patch to the latest for the Win11 22H2 Client OS. For the PXE-Boot, I'm just updating the custom boot.wim and the latest ADK11 WinPE. Funny thing is I want to do this in such an order that the VM fails to boot from the unpatched boot image then tell it to boot from the patched boot image to see it work.

So currently I have the patched (new one from this script) and the unpatched boot wims in SCCM. The Win11 22H2 client has the same LCU (sept) patch installed. Now I want to install the Reg key mentioned in this post into the client Win11 22H2 OS then reboot then wait 10 mins then reboot again. From my understanding, at that point, if i then try to PXE-Boot or ISO from the unpatched Boot.wim, it should fail because the secure boot in the VM will have the remediation but the unpatched boot.wim will not? Then I want to reboot the client and tell it to boot from the patched boot.wim and watch it work.

garlin · Sep 18, 2023

You can't test that inside a VM. The mitigation steps for a physical machine involve updating the UEFI to revoke the existing trust keys so the old EFI bootcode is no longer trusted. A VM doesn't replicate any of that. You need a physical machine you're willing to update, and for the most part, you can't revert the UEFI to a pre-mitigated state for comparison.

JagoWu · Sep 18, 2023

Here goes nothing:

C:\Windows\System32>reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f
The operation completed successfully.

My VM has a virtual TPM. Will this not work?

garlin · Sep 18, 2023

TPM is for storing security keys created by the system. We're talking about the UEFI keys which validate if your boot loader is in compliance with SecureBoot.

JagoWu · Sep 19, 2023

Opps Sorry. No idea why I was thinking TPM on that one. I do have an HP laptop that I can use for a client. I need to give it a static ip, join my domain, then patch it as it has Windows 11 22H2 with the same LCU, install the reg key, reboot, wait 10 mins, reboot again. At that point, if i try the unpatched boot.wim from SCCM, it should fail right? Then the patched boot.wim should work? This is a learning XP for me. Thanks for your help.

garlin · Sep 19, 2023

That's the idea if you've applied the reg key to turn on enforcement. At this point, the MS instructions are terrible -- they say wait 10 min. and look for some selected EventID's in the event logs. Not sure why there's isn't a simple tool to validate this, especially if you have to do mass deployments and check for which PC's failed to update.

JagoWu · Sep 19, 2023

Not sure why there's isn't a simple tool to validate this <-- like a POP UP since MS is known for that. :)
Thank The Good Lord for people like you to explain it down for people like me. Also, the simply DISM batch file! I was very weary of using the Powershell scripts others made. This .bat file is very explanatory so I can see what is happening if I wanted to perform each step manually.

If I am not mistaken, in the last quarter of 2024 is when MS will enforce this UEFI Secure Boot change on physical machines? If that is the case, surely everyone would have the CU installed for it by then I suppose.

Update: So my VM fails to boot from the old unpatched boot.wim in SCCM. The VM looks the ISO (boot.wim from sccm) and just echos back to the VM BIOS.

So I am now making the new patched boot wim (ISO) from SCCM. This is known as task sequence media.

Ok. The new ISO is made and what do you know. It works! Booted right on up! :) Thank you for your help and guidance on this! Now I just need to test updating WinPE in ADK on the SCCM/MDT Server in the lab. Yog Mas!

I would like to point out that the old boot.wim was 722mb in size and the patched boot.wim is 1.7 gig in size and the version number of the patched boot.wim is now 10.0.2261.2283. I will test this on the HP Wednesday night and post any results. Thank you

hsehestedt · Sep 19, 2023

JagoWu said:
Hi hsehestedt,
I am testing out the batch scripts now. Using the Windows 11 22H2 Sept LCU instead of July. So far it patched the SCCM Custom Boot image fine. I then uploaded it back to SCCM to test later. I will next try to patch the ADK WinPE that is installed (backups of course first). On my client, I am installing the same Sept LCU and will try the apply the rev fix. Will let you know how it turns out. Thank You

Thanks for the feedback!

JagoWu · Sep 19, 2023

You are welcome hsehestedt. I am about to update my HP laptop to Win11 Enterprise to 22H2 and full patch. Then i'll be ready to join the Lab domain and then test the unpatched boot.wim (which should work) then install the reg key on the HP laptop and reboot, wait 10 mins, reboot, then test the unpatched boot.wim (should fail) then try patched boot.wim (should work). I'll have to add some HP nic and storage drivers to both boot wims though :)

JagoWu · Sep 23, 2023

I am curios on how to handle domain joined machines with this CVE. Once MS enforces the changes, from that moment on, any boot media has to be patched in order for the client machine to load it but is there anything to do with the all the existing, everyday, windows users whether it be at home / work or was MS enforcing this meant to be seamless?

hsehestedt · Sep 23, 2023

JagoWu said:
I am curios on how to handle domain joined machines with this CVE. Once MS enforces the changes, from that moment on, any boot media has to be patched in order for the client machine to load it but is there anything to do with the all the existing, everyday, windows users whether it be at home / work or was MS enforcing this meant to be seamless?

I'm not really sure that this would be so different for domain joined systems.

At least now we have the new ADK and Windows PE add-on which seems to have been patched. I created a custom Win PE disk using the new Win PE that was released a few days ago and I have not had to patch it. It just seems to work right out of the box.

JagoWu · Sep 23, 2023

thank you for the info. So this means if I just upgrade ADK to this latest patched version then update boot images in CM, should be nothing left to do on the "patch boot images" side right?

garlin · Sep 23, 2023

Domains have nothing to do with the UEFI revocation list. If you can't boot locally, there is no domain to join.
If you're PXE booting, then your boot image needs to be correctly signed.

I would imagine for something this impactful, MS will roll out a best practices guide for domain-managed environments. This isn't something you want a less experienced admin to play around with. If you mess up, many clients will end up being offline until IT physically arrives.

hsehestedt · Sep 23, 2023

JagoWu said:
thank you for the info. So this means if I just upgrade ADK to this latest patched version then update boot images in CM, should be nothing left to do on the "patch boot images" side right?

First, it's the Win PE add-on for the ADK that needs to be updated. As for Windows PE based media, it all depends upon what they are using as their source. If they use the installed WinPE add-on, you are good to go. On the other hand, if they pull down a copy of WinPE from elsewhere, it all depends upon what version they are retreiving.