Latest on the BlackLotus Bootkit Mitigations - Includes Instructions and Batch Files

As promised, the update can be found here:


A few things to bear in mind:

There will be further updates provided by Microsoft in the future. I will update the article as appropriate.

Since Windows installation media is affected by this issue as well (unpatched media may not boot on a patched PC), I will publish a separate article with instructions for patching Windows installation media. This article will be updated with a link to that article once this is available. I would expect no more than 2 days at the outside for this.
 

So my understanding is that if I have an unattended installer I made a few months ago it will now refuse to boot? As long as Secure Boot is enabled with Windows already installed? I guess I could just wipe the drive in the BIOS and then it would still work...
 
So my understanding is that if I have an unattended installer I made a few months ago it will now refuse to boot? As long as Secure Boot is enabled with Windows already installed? I guess I could just wipe the drive in the BIOS and then it would still work...
Unfortunately no - even wiping the hard disk will not reverse these mitigations once applied. My suggestion would be to CAREFULLY review the Microsoft article regarding this issue as it points out this as well as other issues that you need to be aware of.

However, this is easy to remedy. In my new article, I reference the fact that I will be posting a separate article within the next day or two that includes instructions and a batch file to allow you to patch Windows bootable installation media.

I want to put that article into a clear format, but since I know that you have been waiting for this, here is a preliminary copy of the information in a slightly "rough" format. Please feel free to ask any questions!

----------------------
First, please note that the batch file contains instructions for use near the start of the file in comments. Please open it in a text editor such as Notepad, or simply view it in the window below and read the instructions. Especially important are the instructions on how to download and organize the Windows updates and the user defined variables that you should set.

It is also important to note that this batch file will update ONE edition of Windows from your bootable media. As an example, suppose that you used the Microsoft Media Creation Tool to create your bootable and that media contains multiple editions of Windows such as Home, Pro, etc. You will need to select which edition the batch file will extract and update. I do have solutions for updating multiple, or even all editions in one shot, but that is something that we can discuss if you are interested.

Please also be aware that the latest version of the Microsoft article regarding these mitigations references a couple of minor additional updates that I have not yet implemented in this batch file. My goal is to test that either tonight or tomorrow and then update the below batch file before I publish the new article.

In the meantime, I will simply say this: I have now applied these mitigations to several machines and all of my patched boot disks are working fine on those machines.

NOTE: I am literally still up since yesterday. I was going to try and get some sleep at some point in the night, but that never happened. I have been at this non-stop. I am finally going to try to catch a few winks right now so if I am unresponsive for the next few hours, it is not because I am ignoring you :-)


Batch:
@echo off
cd /d %~dp0
cls


:::::::::::::::::::::::::::::::::::::::
:: Windows Image Updater             ::
::                                   ::
:: Version 6.0.1                     ::
::                                   ::
:: Jan 21, 2024 by Hannes Sehestedt  ::
:::::::::::::::::::::::::::::::::::::::


:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::                                                                                                     ::
:: PURPOSE OF THIS SCRIPT                                                                              ::
::                                                                                                     ::
:: This script will take one Windows edition in a Windows ISO image and inject Windows                 ::
:: updates into it. The updated edition of Windows will be saved to a new file containing              ::
:: just that one edition of Windows. As an example, assume that you have a retail Windows              ::
:: ISO image. This ISO image has multiple editions of Windows such as Win 11 Home, Pro, etc.           ::
:: Each edition of Windows has an index number associated with it.                                     ::
::                                                                                                     ::
:: For example, on the US English consumer edition ISO images from Microsoft, Windows 11 Pro is index  ::
:: number 6. To get a list of Windows editions and the index number associated with each edition, you  ::
:: can run this command:                                                                               ::
::                                                                                                     ::
:: dism /Get-WimInfo /WimFile:C:\Project\ISO_Files\Sources\install.wim                                 ::
::                                                                                                     ::
:: If located elsewhere, substitute the correct location of the install.wim file in the above command. ::
::                                                                                                     ::
:: This utility will perform the updates THE RIGHT WAY by updating all elements of the image           ::
:: including not only the cumulative update, but also the SSU (Servicing Stack Update), Safe           ::
:: OS Dynamic Update, Setup Dynamic Update, other updates such as .NET updates and Microcode           ::
:: updates, and will even allow you to add custom scripts to the Windows PE image. However,            ::
:: if you want to update only one item, such as the cumulative update, you can do that as well.        ::
::                                                                                                     ::
:: IMPORTANT: As noted, this script will only update one edition of Windows from an image. If          ::
:: you want to update multiple editions and combine them all into a single image, please               ::
:: message me as noted above. I can provide to you a tool that will allow you to update many           ::
:: Windows editions and combine them into a single image. That same tool also has many other           ::
:: features such as being able to inject drivers into an image, create bootable media, and many        ::
:: other tasks related to Windows Image Management.                                                    ::
::                                                                                                     ::
:: Please note that it is possible to also add updates such as language packs and other language       ::
:: related components to Windows images. This batch file does not apply those updates, however         ::
:: I can provide information regarding how to update those components if you need to do so.            ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::                                                                                                                 ::
:: SUMMARY OF INSTRUCTIONS                                                                                         ::
::                                                                                                                 ::
::                                                                                                                 ::
:: 1) Read the instructions below to learn how to organize the folders that this project needs.                    ::
::                                                                                                                 ::
:: 2) Review the "User defined variables" section below and modify as needed.                                      ::
::                                                                                                                 ::
:: 3) Make sure that you have the Windows ADK installed. Only the Deployment Tools from the                        ::
::    ADK need to be installed.                                                                                    ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::                                                                                                                 ::
:: DETAILED INSTRUCTIONS                                                                                           ::
::                                                                                                                 ::
:: Create the following folders before you run this batch file.                                                    ::
::                                                                                                                 ::
:: NOTE: The paths below assume the default settings of user defined variables. If you change those variables,     ::
:: please alter the below paths accordingly.                                                                       ::
::                                                                                                                 ::
:: Do either one of the following:                                                                                 ::
::                                                                                                                 ::
:: 1) Create a folder and copy the contents of your Windows ISO image that you want to update to it.               ::
::                                                                                                                 ::
:: OR                                                                                                              ::
::                                                                                                                 ::
:: 2) Mount the ISO image by double-clicking it.                                                                   ::
::                                                                                                                 ::
:: For whichever of the above options you choose, note the location as the batch file will ask you for that        ::
:: location when you run it.                                                                                       ::
::                                                                                                                 ::
:: Create a folder under which you will place the Windows updates to be installed.                                 ::
::                                                                                                                 ::
:: NOTE: This location can be changed using the user defined variables below. In this example, we assume that      ::
:: location will be "C:\WinUpdates". Beneath that folder, create all of the following folders and place the        ::
:: updates described into that folder. All of these updates can be downloaded from the "Microsoft Update Catalog". ::
::                                                                                                                 ::
:: NOTE: All items are optional. For example, if you do not have a Safe OS Dynamic Update, simply leave that       ::
:: folder empty.                                                                                                   ::
::                                                                                                                 ::
:: The "PE_Files" folder can be used to place files that you want to copy to Windows setup. For example, I have a  ::
:: couple of scripts that I want to be available to Windows setup. Any files that you place here will be available ::
:: on drive X: during windows setup. Note that X: is the RAM Drive that Windows creates during setup. Since this   ::
:: is just about the first thing setup does, these files will be available very early in setup. IT IS EXTREMELY    ::
:: UNLIKELY that you will ever put anything in this folder unless you have a very specific reason for doing so. As ::
:: a result, you will typically leave this folder empty.                                                           ::
::                                                                                                                 ::
:: If you wish to DELETE files from Windows PE, for example, scripts that you previously added as described in the ::
:: above paragraph, please search this batch file for the text "delete files from WinPE" and follow the            ::
:: instructions found there. Once again, IT IS EXTREMELY UNLIKELY that you will need to do this.                   ::
::                                                                                                                 ::
:: When downloading updates from the Microsoft Update Catalog, please note that the "Safe OS Dynamic Update"       ::
:: will include "Windows Safe OS Dynamic Update" in the "Products" column. The "Setup Dynamic Update" will         ::
:: simply be called a "Dynamic Update" in this same column.                                                        ::
::                                                                                                                 ::
:: Once again, note that the "C:\WinUpdates" portion of the paths below can be changed using the user defined      ::
:: variables that are described below.                                                                             ::
::                                                                                                                 ::
:: C:\WinUpdates\LCU       <--- Place Latest Cumulative Update in this folder. DON'T use a DYNAMIC version.        ::
:: C:\WinUpdates\SSU       <--- Place a Standalone SSU in this folder if one is available. These are not common.   ::
:: C:\WinUpdates\Other     <--- Place other updates (for example .NET and OOBE ZDP Updates) in this folder.        ::
:: C:\WinUpdates\SafeOS_DU <--- Place the latest Safe OS Dynamic Update in this folder.                            ::
:: C:\WinUpdates\Setup_DU  <--- Place the latest Setup Dynamic Update in this folder.                              ::
:: C:\WinUpdates\PE_Files  <--- Place any files such as scripts that you want copied to WinPE here.                ::
::                                                                                                                 ::
:: IMPORTANT: Please note that for each type of update, you should only download the latest update of that type    ::
:: because updates are cumulative. However, there is one exception to this rule: The OOBE ZDP updates are NOT      ::
:: cumulative, so you should download ALL available updates of that type and place them in the Other folder. Also, ::
:: be aware that there may sometimes be no update of a certain type available. As an example, Safe OS updates do   ::
:: not get released every month, so it is possible that there is no update of that type available, especially soon ::
:: after the release of a new version of Windows.                                                                  ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::                                                                                                                     ::
:: USER DEFINED VARIABLES                                                                                              ::
::                                                                                                                     ::
:: Below you will find a description of variables that you can set. You should check each one to make sure that it     ::
:: fits your needs. The actual variables are found below the description section. Please note that spaces in path      ::
:: names or file names are perfectly fine. You should NOT use quotes to enclose file names or paths even if there      ::
:: are spaces in the names.                                                                                            ::
::                                                                                                                     ::
:: IndexNum - Set "IndexNum" to the index number corresponding to the Windows edition you want to update. By default   ::
::    we have this set to "6" which corresponds to Windows 10 or 11 Pro when using the standard retail edition ISO     ::
::    image from Microsoft. To get a list of Windows editions and the index number associated with each edition, you   ::
::    can run this command:                                                                                            ::
::                                                                                                                     ::
::       dism /Get-WimInfo /WimFile:C:\Project\ISO_Files\Sources\install.wim                                           ::
::                                                                                                                     ::
::    If located elsewhere, substitute the correct location of the install.wim file in the above command.              ::
::                                                                                                                     ::
:: ProjectFolder - Set "ProjectFolder" to the location where the project will be created. The batch file will create   ::
::    a number of folders under the project folder. Many of the files here are temporary files. Be aware that there    ::
::    will be a lot of files. You can easily need 20GB or more of space in this location.                              ::
::                                                                                                                     ::
:: WinUpdates - Set "WinUpdates" to the location of the Windows update files. Under this folder, you should create the ::
::    folder structure that is described above in the "DETAILED INSTRUCTIONS" section.                                 ::
::                                                                                                                     ::
:: EnableLogs - If you want logging to show what updates actually got installed into your WinRE.WIM, BOOT.WIM, and     ::
::    INSTALL.WIM files, set "EnableLogs" to "1". Otherwise, set it "0". This will cause two text files for each WIM   ::
::    to be created. The first is created after updates are applied, but before the cleanup of the image is performed. ::
::    The second is created after cleanup. As an example, after a combined LCU / SSU package is applied, you may see   ::
::    more than one SSU package in the log prior to the cleanup, however, after the cleanup, the older SSU should have ::
::    been removed. Note that for WinPE four files are created because a pair is created for each of the two indices   ::
::    that get updated. The files are created in the same folder from which the batch file is run. You can normally    ::
::    leave this set to "0".                                                                                           ::
::                                                                                                                     ::
:: NewImageFileName - Set "NewImageFileName" to the name you want to use for the final ISO image to be created. Make   ::
::    sure to include the .ISO file extension. Spaces in the file name are okay.                                       ::
::                                                                                                                     ::
:: ADK_Location - Set this variable to the location of the "Deployment Tools" folder within the Windows ADK. You       ::
::    should only need to change this if you did not install to the default location.                                  ::
::                                                                                                                     ::
:: SaveWinRE - Set this to "1" if you wish to save a copy of the WinRE.wim file after it is updated. This can be       ::
::    helpful if you need to replace the WinRE.wim file in your Recovery Partition. This file could otherwise be       ::
::    difficult to obtain because it is located within another WIM file (the install.wim) so saving a copy after       ::
::    updating can be helpful. Setting this to "0" (or anything other than "1") will cause a copy of the file to       ::
::    not be saved.                                                                                                    ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


set IndexNum=6
set ProjectFolder=C:\Project
set WinUpdates=C:\WinUpdates\x64
set EnableLogs=0
set NewImageFileName=Windows.ISO
set ADK_Location=C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools
set SaveWinRE=1


:::::::::::::::::::::::::::::::::::
:: End of user defined variables ::
:::::::::::::::::::::::::::::::::::


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Check to see if this batch file is being run as Administrator. If it is not, then rerun the batch file ::
:: automatically as admin and terminate the initial instance of the batch file.                           ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


(Fsutil Dirty Query %SystemDrive%>Nul)||(PowerShell start """%~f0""" -verb RunAs & Exit /B) > NUL 2>&1


::::::::::::::::::::::::::::::::::::::::::::::::
:: End Routine to check if being run as Admin ::
::::::::::::::::::::::::::::::::::::::::::::::::


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Change the console mode to 120 columns wide by 25 lines high ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


mode con: cols=120 lines=25


:::::::::::::::::::::::::::::::::::
:: Display introductory comments ::
:::::::::::::::::::::::::::::::::::


echo It is VERY IMPORTANT that prior to running this batch file, you open it in an editor such as notepad and read the
echo following sections: PURPOSE OF THIS SCRIPT, SUMMARY OF INSTRUCTIONS, DETAILED INSTRUCTIONS. Make certain to set the
echo user defined variables as instructed.
echo.
echo If you have not done so, please press CTRL + C to terminate this batch file, and then run it again after you perform
echo the above steps.
echo.
pause


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Save the current location where this batch file is being run, then run the "DandISetEnv.bat" file      ::
:: which sets environment variables for the ADK. This also changes the current directory, which we do NOT ::
:: want, so we will change it back to the current directory.                                              ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


pushd %~dp0
call "%ADK_Location%\DandISetEnv.bat"
popd


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Ask user for location of mounted ISO image or the directory containing the Windows files ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


:GetSourcePath

cls
echo Enter the path to the SOURCE where your Windows files are located below.
echo.
echo Note that these files can be located in a folder on your HDD, SSD, flash drive, etc. or they can be located on an ISO
echo image that you have mounted.
echo.
echo Tip: The path can end with or without a backslash (\). D:, D:\, D:\ISO_Files, D:\ISO_Files\ are all valid paths.
echo.
set /p SourcePath="Enter source path: "

:: Add a trailing backslash (\) if one does not exist

IF NOT "%SourcePath:~-1%"=="\" (
set SourcePath=%SourcePath%\
)


:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Any valid Windows boot media will have a file called "boot\bootfix.bin" on the drive. This is true for both ::
:: single architecture images (x64 or x86) or for images with dual architectures. We will do a simple check to ::
:: see if such a file exists as a basic test for a valid source image location.                                ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


if NOT EXIST "%SourcePath%boot\bootfix.bin" (
cls
echo The location that you specified does not contain a valid Windows image. Please try another location. If you are
echo specifying a location on disk, please be sure to specify the location to the root of the Windows image. If you
echo are using an ISO image, you should double-click the ISO image to mount it and note the drive letter to which it
echo was mounted.
echo.
pause
goto GetSourcePath
)

:: Finally, all preparation is done. We can now begin the update process.

cls
echo ***************************************************************
echo ***************************************************************
echo **                                                           **
echo ** PLEASE BE PATIENT! Applying updates is a lengthy process. **
echo **                                                           **
echo ***************************************************************
echo ***************************************************************
echo.

:: Create the initial directory structure for this project

md "%ProjectFolder%\Mount" > NUL 2>&1
md "%ProjectFolder%\WinRE" > NUL 2>&1
md "%ProjectFolder%\WinRE_Mount" > NUL 2>&1
md "%ProjectFolder%\WinPE" > NUL 2>&1
md "%ProjectFolder%\WinPE_Mount" > NUL 2>&1
md "%ProjectFolder%\Assets" > NUL 2>&1
md "%ProjectFolder%\Temp" > NUL 2>&1
md "%ProjectFolder%\Base" > NUL 2>&1
md "%ProjectFolder%\SSU" > NUL 2>&1

:: Copy the ISO image files to base folder

echo ****************************************
echo * Copy Windows files to working folder *
echo ****************************************
echo.


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Note: Because the source path ends with a backslash, and this is seen as an escape   ::
:: when followed by the double quotes, we have to add a space before the double quotes. ::
:: Also, we need to make sure that the files we are working with are accessible, so     ::
:: we are stripping the read-only, hidden, and system attributes from the files.        ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


robocopy "%SourcePath% " "%ProjectFolder%\Base" /mir /a-:HSR > NUL

:: Mount the install.wim file

echo ****************************************
echo * Mounting main OS image (install.wim) *
echo ****************************************
echo.

DISM /mount-image /imagefile:"%ProjectFolder%\Base\sources\install.wim" /index:%IndexNum% /mountdir:"%ProjectFolder%\Mount" > NUL

:: Update Win RE

echo ******************************
echo * Updating WinRE (winre.wim) *
echo ******************************
echo.
echo    ***************************
echo    * Applying Standalone SSU *
echo    ***************************
echo.

copy /B "%ProjectFolder%\Mount\Windows\System32\Recovery\WinRE.wim" "%ProjectFolder%\WinRE" > NUL
DISM /mount-image /imagefile:"%ProjectFolder%\WinRE\WinRE.wim" /index:1 /mountdir:"%ProjectFolder%\WinRE_Mount" > NUL

DISM /Add-Package /Image:"%ProjectFolder%\WinRE_Mount" /PackagePath="%WinUpdates%\SSU" > NUL

echo    ****************
echo    * Applying SSU *
echo    ****************
echo.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: We are now applying the SSU from the combined SSU / LCU package. Note that since the SSU is contained within ::
:: the combined SSU / LCU package, we first need to extract the SSU from that package. Once we have extracted   ::
:: the SSU package, we can use it here and later when we also apply the SSU to WinPE (boot.wim) and the main    ::
:: Windows image (install.wim). We will not need to extract the SSU again since we are already doing so here.   ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

expand "%WinUpdates%\LCU\*.msu" /f:SSU*.cab "%ProjectFolder%\SSU" > NUL
DISM /Add-Package /Image:"%ProjectFolder%\WinRE_Mount" /PackagePath="%ProjectFolder%\SSU" > NUL

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Microsoft documentation indicates that the LCU package does NOT get applied to the WinRE.wim. However,   ::
:: testing related to a Windows vulnerability in Jan of 2023 reveals that it is necessary to apply the LCU. ::
:: As a result, this batch file has been updated as of Jan 2023 to apply the SSU, LCU, and Safe OS Dynamic  ::
:: Updates.                                                                                                 ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

echo    ***********************************
echo    * Applying Safe OS Dynamic Update *
echo    ***********************************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\WinRE_Mount" /PackagePath="%WinUpdates%\SafeOS_DU" > NUL

if %EnableLogs%==1 (
DISM /Get-Packages /image:"%ProjectFolder%\WinRE_Mount" > WinRE_Before_Cleanup.txt
)

echo    ************************************
echo    * Cleaning up old files from image *
echo    ************************************
echo.

DISM /Cleanup-Image /Image:"%ProjectFolder%\WinRE_Mount" /StartComponentCleanup > NUL

if %EnableLogs%==1 (
DISM /Get-Packages /image:"%ProjectFolder%\WinRE_Mount" > WinRE_After_Cleanup.txt
)

echo    ********************
echo    * Unmounting image *
echo    ********************
echo.

DISM /Unmount-Image /MountDir:"%ProjectFolder%\WinRE_Mount" /Commit > NUL

echo    *************************
echo    * Exporting WinRE image *
echo    *************************
echo.

DISM /Export-Image /SourceImageFile:"%ProjectFolder%\WinRE\WinRE.wim" /SourceIndex:1 /DestinationImageFile:"%ProjectFolder%\Assets\WinRE.wim" > NUL


:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: It is possible that the user may wish to save a copy of the WinRE.wim file. As an example, in Jan 2023 a vulnerability required ::
:: that the WinRE on a running system be updated to avoid an exploit that could allow access to a BitLocker encrypted OS volume    ::
:: from the Recovery Environment. Unfortunately, there may not be enough room on the Recovery volume to update this file in place. ::
:: If the user chooses to save the WinRE.wim, we will save a copy to the same place where the final ISO image is saved.            ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


if %SaveWinRE%==1 (
copy /B /Y "%ProjectFolder%\Assets\WinRE.wim" "%ProjectFolder%" > NUL
)

echo **********************************
echo * Updating main OS (install.wim) *
echo **********************************
echo.

echo    ***************************
echo    * Applying Standalone SSU *
echo    ***************************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\Mount" /PackagePath="%WinUpdates%\SSU" > NUL

echo    ****************
echo    * Applying SSU *
echo    ****************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\Mount" /PackagePath="%ProjectFolder%\SSU" > NUL

echo    ****************
echo    * Applying LCU *
echo    ****************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\Mount" /PackagePath="%WinUpdates%\LCU" > NUL

echo    ********************************************************
echo    * Move updated winre.wim back into mounted install.wim *
echo    ********************************************************
echo.

move /Y "%ProjectFolder%\Assets\WinRE.wim" "%ProjectFolder%\Mount\Windows\System32\Recovery" > NUL

if %EnableLogs%==1 (
DISM /Get-Packages /image:"%ProjectFolder%\Mount" > MainOS_Before_Cleanup.txt
)

echo    ************************************
echo    * Cleaning up old files from image *
echo    ************************************
echo.

DISM /Cleanup-Image /Image:"%ProjectFolder%\Mount" /StartComponentCleanup /ResetBase /ScratchDir:"%ProjectFolder%\Temp" > NUL

if %EnableLogs%==1 (
DISM /Get-Packages /image:"%ProjectFolder%\Mount" > MainOS_After_Cleanup.txt
)

echo    *************************************************************************************************
echo    * Install "Other" updates such as .NET and OOBE ZDP updates to the main OS image (install.wim). *
echo    *************************************************************************************************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\Mount" /PackagePath="%WinUpdates%\Other" > NUL


:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: We could copy files from the mounted install.wim now but just as with the boot.wim we will delay doing so ::
:: until after the Setup Dynamic Update has been applied.                                                    ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


echo **************************************
echo * Updating WinPE (boot.wim), index 1 *
echo **************************************
echo.

copy /B "%ProjectFolder%\Base\sources\boot.wim" "%ProjectFolder%\WinPE" > NUL
DISM /mount-image /imagefile:"%ProjectFolder%\WinPE\boot.wim" /index:1 /mountdir:"%ProjectFolder%\WinPE_Mount" > NUL

echo    ***************************
echo    * Applying Standalone SSU *
echo    ***************************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\WinPE_Mount" /PackagePath="%WinUpdates%\SSU" > NUL

echo    ****************
echo    * Applying SSU *
echo    ****************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\WinPE_Mount" /PackagePath="%ProjectFolder%\SSU" > NUL

echo    ****************
echo    * Applying LCU *
echo    ****************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\WinPE_Mount" /PackagePath="%WinUpdates%\LCU" > NUL

if %EnableLogs%==1 (
DISM /Get-Packages /image:"%ProjectFolder%\WinPE_Mount" > WinPE_Index1_Before_Cleanup.txt
)

echo    ************************************
echo    * Cleaning up old files from image *
echo    ************************************
echo.

DISM /Cleanup-Image /Image:"%ProjectFolder%\WinPE_Mount" /StartComponentCleanup > NUL

if %EnableLogs%==1 (
DISM /Get-Packages /image:"%ProjectFolder%\WinPE_Mount" > WinPE_Index1_After_Cleanup.txt
)

echo    ********************
echo    * Unmounting image *
echo    ********************
echo.

DISM /Unmount-Image /MountDir:"%ProjectFolder%\WinPE_Mount" /Commit > NUL

echo    **********************************
echo    * Exporting WinPE image, index 1 *
echo    **********************************
echo.

DISM /Export-Image /SourceImageFile:"%ProjectFolder%\WinPE\boot.wim" /SourceIndex:1 /DestinationImageFile:"%ProjectFolder%\Assets\boot.wim" > NUL

echo **************************************
echo * Updating WinPE (boot.wim), index 2 *
echo **************************************
echo.

DISM /mount-image /imagefile:"%ProjectFolder%\WinPE\boot.wim" /index:2 /mountdir:"%ProjectFolder%\WinPE_Mount" > NUL

echo    ***************************
echo    * Applying Standalone SSU *
echo    ***************************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\WinPE_Mount" /PackagePath="%WinUpdates%\SSU" > NUL

echo    ****************
echo    * Applying SSU *
echo    ****************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\WinPE_Mount" /PackagePath="%ProjectFolder%\SSU" > NUL

echo    ****************
echo    * Applying LCU *
echo    ****************
echo.

DISM /Add-Package /Image:"%ProjectFolder%\WinPE_Mount" /PackagePath="%WinUpdates%\LCU" > NUL

echo    **************************************
echo    * Copy any user files to WinPE image *
echo    **************************************
echo.

robocopy "%ProjectFolder%\PE_Files" "%ProjectFolder%\WinPE_Mount" *.* /E > NUL

:: If you want to delete files from WinPE, such as scripts you may have added previously, uncomment the
:: line below and change the filename to the name of the file you want to delete. Add additional lines using
:: the same format if needed.

:: del "%ProjectFolder%\WinPE_Mount\MyScript.bat" /Q > NUL

if %EnableLogs%==1 (
DISM /Get-Packages /image:"%ProjectFolder%\WinPE_Mount" > WinPE_Index2_Before_Cleanup.txt
)

echo    ************************************
echo    * Cleaning up old files from image *
echo    ************************************
echo.

DISM /Cleanup-Image /Image:"%ProjectFolder%\WinPE_Mount" /StartComponentCleanup > NUL

if %EnableLogs%==1 (
DISM /Get-Packages /image:"%ProjectFolder%\WinPE_Mount" > WinPE_Index2_After_Cleanup.txt
)


:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: We are going to delay exporting of the boot.wim index 2 until later so that we can copy files while ::
:: it is still mounted to the main media. We could do this right now, but by delaying it until after   ::
:: the Setup Dynamic Update is applied, we can demonstrate that there are files that are out of sync   ::
:: after all updates, including the Setup Dynamic Update, have been applied.                           ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


echo ******************************
echo * Apply Setup Dynamic Update *
echo ******************************
echo.

Expand "%WinUpdates%\Setup_DU\*" -F:* "%ProjectFolder%\Base\Sources" > NUL

echo **************************************************
echo * Copy mismatched files to appropriate locations *
echo **************************************************
echo.


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: The section below syncs files between Windows PE and the base media. It is ::
:: possible that some files which should be the same are not synced properly. ::
:: This section will correct that situation.                                  ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: These are the items that should be synced (In x64 Images):                                                            ::
::                                                                                                                       ::
:: From WinPE, Index 2, \Sources\Setup.exe > \Sources folder on base media.                                              ::
:: From WinPE, Index 2, \Windows\boot\efi\bootmgfw.efi > base media \efi\boot\bootx64.efi (replace the file bootx64.efi) ::
:: From WinPE, Index 2, \Windows\boot\efi\bootmgr.efi > base media \bootmgr.efi (replace the file bootmgr.efi)           ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


copy /b /y "%ProjectFolder%\winpe_mount\sources\setup.exe" "%ProjectFolder%\Base\sources\setup.exe" > NUL
copy /b /y "%ProjectFolder%\winpe_mount\windows\boot\efi\bootmgfw.efi" "%ProjectFolder%\Base\efi\boot\bootx64.efi" > NUL
copy /b /y "%ProjectFolder%\winpe_mount\windows\boot\efi\bootmgr.efi" "%ProjectFolder%\Base\bootmgr.efi" > NUL

echo ******************************************
echo * Unmounting index 2 of WinPE (boot.wim) *
echo ******************************************
echo.

DISM /Unmount-Image /MountDir:"%ProjectFolder%\WinPE_Mount" /Commit > NUL

echo    **********************************
echo    * Exporting WinPE Image, Index 2 *
echo    **********************************
echo.

DISM /Export-Image /Bootable /SourceImageFile:"%ProjectFolder%\WinPE\boot.wim" /SourceIndex:2 /DestinationImageFile:"%ProjectFolder%\Assets\boot.wim" > NUL

echo ****************************************
echo * Unmounting the Main OS (install.wim) *
echo ****************************************
echo.

DISM /Unmount-Image /MountDir:"%ProjectFolder%\Mount" /Commit > NUL

echo ***************************************
echo * Exporting the Main OS (install.wim) *
echo ***************************************
echo.

DISM /Export-Image /SourceImageFile:"%ProjectFolder%\Base\sources\install.wim" /SourceIndex:%IndexNum% /DestinationImageFile:"%ProjectFolder%\Assets\install.wim" > NUL

echo ******************************************************
echo * Move updated boot.wim and install.wim image folder *
echo * to replace the original files                      *
echo ******************************************************
echo.

move /Y "%ProjectFolder%\Assets\boot.wim" "%ProjectFolder%\Base\Sources" > NUL
move /Y "%ProjectFolder%\Assets\install.wim" "%ProjectFolder%\Base\Sources" > NUL

echo ******************************
echo * Create the final ISO image *
echo ******************************
echo.

oscdimg.exe -m -o -u2 -udfver102 -bootdata:2#p0,e,b"%ProjectFolder%\Base\boot\etfsboot.com"#pEF,e,b"%ProjectFolder%\Base\efi\microsoft\boot\efisys.bin" "%ProjectFolder%\Base" "%ProjectFolder%\%NewImageFileName%" > NUL 2>&1

:: Cleanup the temporary folders.

rd "%ProjectFolder%\Mount" /s /q > NUL
rd "%ProjectFolder%\winre" /s /q > NUL
rd "%ProjectFolder%\winre_mount" /s /q > NUL
rd "%ProjectFolder%\winpe" /s /q > NUL
rd "%ProjectFolder%\winpe_mount" /s /q > NUL
rd "%ProjectFolder%\assets" /s /q > NUL
rd "%ProjectFolder%\temp" /s /q > NUL
rd "%ProjectFolder%\Base" /s /q > NUL
rd "%ProjectFolder%\SSU" /s /q > NUL

echo Done! The ISO image has been saved as "%ProjectFolder%\%NewImageFileName%"
echo.
pause
 

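A post-build check for the ISO the batch file above produces, as an added example that is not part of that batch file or its author's work: it mounts the ISO, reports which CA signed the two EFI boot manager files the script copies out of boot.wim index 2, confirms setup.exe still carries a valid signature, and lists the build of every image inside boot.wim and install.wim. The ISO path is something you supply; the certificate names are the ones Microsoft uses for this Secure Boot revocation (KB5025885), with the updated boot manager chaining to "Windows UEFI CA 2023" and the legacy one to "Microsoft Windows Production PCA 2011". Everything else is this example's own code.

```powershell
#Requires -RunAsAdministrator
# Added example; not part of the batch file above or its author's work.
# Post-build check for the ISO the script writes: mount it, report which CA
# signed the two EFI boot manager files the script synced out of boot.wim
# index 2 (efi\boot\bootx64.efi and bootmgr.efi), confirm sources\setup.exe
# still verifies, and list the build of every image in boot.wim/install.wim.
# Assumptions: $IsoPath is the finished ISO; the CA names are the ones
# Microsoft uses for the Secure Boot revocation (KB5025885): the updated boot
# manager chains to 'Windows UEFI CA 2023', the legacy one to 'Microsoft
# Windows Production PCA 2011'. setup.exe is never loaded by the firmware and
# keeps the ordinary Windows code-signing chain, so it is only checked for a
# valid signature, not for the UEFI CA.
param(
    [Parameter(Mandatory)] [string] $IsoPath,
    [string] $UpdatedCA = 'Windows UEFI CA 2023',
    [string] $LegacyCA  = 'Microsoft Windows Production PCA 2011'
)

function Get-SignerReport {
    param([string] $Root, [string] $Relative)
    $sig  = Get-AuthenticodeSignature -FilePath (Join-Path $Root $Relative)
    $cert = $sig.SignerCertificate
    # The CA name normally appears as the issuer of the leaf signing cert;
    # the subject is checked too in case a file is signed by the CA directly.
    $names = if ($cert) { "$($cert.Subject) | $($cert.Issuer)" } else { '<unsigned>' }
    [pscustomobject]@{
        File      = $Relative
        Status    = $sig.Status
        Issuer    = if ($cert) { $cert.Issuer } else { '<unsigned>' }
        UpdatedCA = $names -like "*$UpdatedCA*"
        LegacyCA  = $names -like "*$LegacyCA*"
    }
}

$IsoPath = (Resolve-Path -LiteralPath $IsoPath).Path
Mount-DiskImage -ImagePath $IsoPath | Out-Null
try {
    $root = "$((Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter):\"

    $efi   = @('efi\boot\bootx64.efi', 'bootmgr.efi' | ForEach-Object { Get-SignerReport -Root $root -Relative $_ })
    $setup = Get-SignerReport -Root $root -Relative 'sources\setup.exe'
    Write-Host '== Boot file signatures =='
    ($efi + $setup) | Format-Table -AutoSize | Out-Host

    Write-Host '== Image builds =='
    $builds = foreach ($wim in 'sources\boot.wim', 'sources\install.wim') {
        $path = Join-Path $root $wim
        foreach ($idx in (Get-WindowsImage -ImagePath $path).ImageIndex) {
            $info = Get-WindowsImage -ImagePath $path -Index $idx
            [pscustomobject]@{ Wim = $wim; Index = $idx; Name = $info.ImageName; Build = "$($info.Version).$($info.SPBuild)" }
        }
    }
    $builds | Format-Table -AutoSize | Out-Host

    # Verdict: both EFI files must verify and chain to the updated CA. A row
    # with LegacyCA = True is media that firmware with the revocation applied
    # (and Secure Boot on) will refuse to start.
    $bad = @($efi | Where-Object { $_.Status -ne 'Valid' -or -not $_.UpdatedCA }) +
           @($setup | Where-Object { $_.Status -ne 'Valid' })
    if ($bad.Count) {
        Write-Warning ("Media is not ready: " + (($bad | ForEach-Object File) -join ', '))
    } else {
        Write-Host "All EFI boot files chain to '$UpdatedCA' and setup.exe verifies."
    }
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
```

Run it from an elevated PowerShell as `.\Check-Media.ps1 -IsoPath D:\Win11_updated.iso` (script name assumed). A LegacyCA = True row on bootx64.efi or bootmgr.efi means the boot manager that was synced out of boot.wim is still the 2011-signed one, which is exactly the file a firmware with the DBX revocation applied will reject; the build column lets you confirm that boot.wim and install.wim actually took the LCU rather than silently failing inside a `> NUL` DISM call.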
I am literally still up since yesterday. I was going to try and get some sleep at some point in the night, but that never happened. I have been at this non-stop. I am finally going to try to catch a few winks right now so if I am unresponsive for the next few hours, it is not because I am ignoring you :-)
Thanks for the information. I will definitely review this. Please sleep :)

I am still confused how a simple windows update and a blank drive could prevent an unattended windows install from booting on a clean disk on what was already created. I doubt every bios as well in the world is being updated. But perhaps I am confused. I will read further and investigate.
 

Thanks for the information. I will definitely review this. Please sleep :)

I am still confused how a simple windows update and a blank drive could prevent an unattended windows install from booting on a clean disk on what was already created. I doubt every bios as well in the world is being updated. But perhaps I am confused. I will read further and investigate.
This isn't an issue with Unattended mode. The problem is any image that contains the legacy boot manager will fail on UEFI BIOSes which have Secure Boot enabled, and the latest UEFI DBX updates, which permanently revoke trust in the digital certificates which signed the old boot manager. If your BIOS has revoked trust, then the bootable image needs a boot manager which passes the test. All Linux distros are going through the same steps in parallel; they're also replacing their boot loaders in anticipation of the DBX cutover.

The new boot manager is required regardless of how the image is served. Booting from an installed Windows system, booting from USB, or booting off the network.

Your old PC's BIOS might not care, or doesn't enable Secure Boot -- but the goal is to make your images universal for all supported HW platforms. To your old PC, it gets a boot manager with a revised signing certificate that is just as acceptable as the old boot manager.
 

Thank you very much @garlin, I think I understand now. Every single piece of bootable media, be it ISO, USB, boot managers, GRUB, etc., that exists now needs to be updated once this goes through. I just finished reading the Microsoft paper. This is a huge change.

I found these older articles on it


and


It looks like this is an optional enablement though?
 

Right now, enforcement is optional. Mandatory enforcement (via future Windows Updates) is coming, but the deadline keeps getting pushed back.
 


Not going to lie, I am really glad microsoft is making things more secure, but this is going to SUCK in my organization. I have so many unattended installs and custom boot stuff for production equipment......

Either way, major thanks @hsehestedt

This is going to save me time. But I am going to wait until it's enforced.
 

I would say if you have so many things to deal with, it would be better to start planning and updating now. Do it like Johnny Cash's Cadillac.
 

garlin (7:43am my time) wrote:

The problem is any image that contains the legacy boot manager will fail on UEFI BIOSes which have Secure Boot enabled, and the latest UEFI DBX updates, which permanently revoke trust in the digital certificates which signed the old boot manager

The clearest statement I've seen to date. Thanks for that.

Remaining question: will Secure Boot ON be enforced for booting both the PC and external USB booters? That is, if Secure Boot is turned OFF and left OFF, will an unrevoked PC or USB boot?
 

Secure Boot is enforced on all boot manager files, regardless of their location.

When Secure Boot is disabled, there is no need for digital signatures, and thus your UEFI doesn't care if your boot manager's signing Cert Authority is no longer recognized. No Secure Boot = everything boots.
 

@garlin

Thanks for that reply. You've helped clarify the situation.

I knew Secure Boot OFF would bypass Cert Authorities of course, but my question really went to whether later versions of 24H2 (or later still) would baulk at booting if Secure Boot was noted as OFF by that OS version. Too early to know yet ?

As noted on another thread, I've tested 24H2 26100.268 on one of my laptops (completely unrevoked, untouched) with SB ON then OFF. The PC re-booted without issue in both cases so at least to 26100.268 using the older "untrusted" Cert Authorities made no difference. The older USB boot disks worked of course since nothing had changed for them.
 

Secure Boot is enforced on all boot manager files, regardless of their location.

When Secure Boot is disabled, there is no need for digital signatures, and thus your UEFI doesn't care if your boot manager's signing Cert Authority is no longer recognized. No Secure Boot = everything boots.
That's true... and that was part of my confusion. So perhaps I could simply turn off Secure Boot in the BIOS, install whatever, and then turn it on, getting rid of the headaches. I have done that in the past by accident, forgetting to turn on TPM and Secure Boot on some machines and turning them on afterwards without issues.
 

So perhaps I could simply turn off Secure Boot in the BIOS, install whatever, and then turn it on, getting rid of the headaches.
That will work until the certificate is revoked later on.
 

pseymour:

That will work until the certificate is revoked later on.

Sometimes I'm so slow!! It has finally occurred to me that the question of Secure Boot ON or OFF (thus allowing older "untrusted" Boot Managers to still work) could likely be resolved by MS and manufacturers in the end by removing the choice of OFF in UEFI BIOS menus.
 

Let's step back and understand how Windows security has evolved, based on the changing threats from bad actors.

In the beginning, Windows just booted from BIOS and kept on running until an out-of-bounds memory reference caused by a bad driver or serious kernel bug crashed it. All it did was to simply run code, as long as it was a valid execution sequence. One day, someone invented the rootkit, a persistent way of burying a modified file into the Windows boot process so you could exploit it later. The first line of defense was to enable digital signatures and hashes (checksums) which could identify tampered files. Each step of the boot process would check if the next layer was compromised or not. Security is maintained by sequential checks ("chaining"), from BIOS boot and all the way until Windows is running.

A chain is as strong as the weakest link. Now that we have locked down boot files with signatures and hashes, the next exploit was to bury the rootkit into UEFI BIOS. The original legacy BIOSes were mostly hard-coded programs. You had a few extra bytes for settings, but everything was burned in at the factory, or could be reflashed using a BIOS updater. This method was fairly secure, but not extensible. Programmers love extensibility.

UEFI offers dynamic flash storage which can be populated with a collection of mini-apps, which help manage and configure your PC. It's like a miniature operating system, which can be updated by UEFI BIOS tools. If you bury a rootkit into the UEFI, it's possible to substitute your own boot functions (as long as it continues to do the normal boot loader's work), or modify the legitimate boot manager as it's loaded. Again the solution is to enable digital signatures and hashes. But who watches the watchers? Every digital signature is checked against a signing authority, which your OEM has listed as trustworthy. Most security rules can follow one of two actions: 1) allow a list of trusted authorities, or 2) disallow a list of untrusted authorities.

BlackLotus has the ability to get around the old Windows boot manager's security. MS realized it needed to perform two actions: 1) Replace the vulnerable boot manager with a new version, 2) Invalidate the old version in the wild so it can't be used.

MS has made agreements with the UEFI standards group, major OEM partners, and most of the larger Linux distros to create a unified approach to cutting off UEFI rootkits of this nature. Major OEMs should be releasing (or have released) UEFI BIOS updates which revoke the CA with which the original Windows boot manager was registered. This has the collateral effect of breaking some Linux distros, unless they also adapt and re-release signed boot managers.

Not all OEMs will be releasing UEFI updates, because some PCs are considered obsolete by the vendor. In this case, it's up to MS (and Windows) to try updating the BIOS through Windows when it finds an unpatched BIOS.

The first step is to check whether your Windows has the latest CUs (which contain the new boot manager files and the DBX updates for the BIOS). Right now, this is still an optional step. If you enable the proper reg keys and reboot Windows, it will attempt to update the DBX list in the BIOS and revoke the old boot loader. All this step does is ban any files signed by the revoked CAs, if Secure Boot is used for booting.

For maximum protection, all the steps must be taken together. But some of the steps can be done piecemeal, in ANTICIPATION of later steps.

We can have several different combinations:

     Secure Boot state   Boot Manager type   DBX list version   Bootable?
  1. Disabled            Legacy              Not revoked        Yes
  2. Disabled            Updated             Not revoked        Yes
  3. Disabled            Legacy              Revoked            Yes
  4. Disabled            Updated             Revoked            Yes
  5. Enabled             Legacy              Not revoked        Yes
  6. Enabled             Updated             Not revoked        Yes
  7. Enabled             Legacy              Revoked            No
  8. Enabled             Updated             Revoked            Yes

Note: it's entirely possible the new boot manager will be defeated, requiring yet ANOTHER replacement. After which, we can repeat this entire process all over again. :poop:
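An added example, not part of garlin's post or of any Microsoft tooling: a read-only PowerShell check that works out which row of the combinations table above a PC is currently in, and whether applying the DBX revocation would leave it bootable (i.e. whether you would land in row 8 or row 7). It has to run from an elevated PowerShell on a UEFI machine, because reading the Secure Boot variables and mounting the EFI System Partition need admin rights. The certificate names ("Windows UEFI CA 2023", "Microsoft Windows Production PCA 2011"), the AvailableUpdates registry value and the Secure-Boot-Update task are the ones Microsoft documents in KB5025885; the drive letter S:, the function names, and the row-numbering arithmetic are this example's own assumptions.

```powershell
# Added example: classify this PC against the Secure Boot / boot manager / DBX table.
# Read-only. Requires an elevated PowerShell on a UEFI system.
$ErrorActionPreference = 'Stop'

# db/dbx hold DER-encoded certificates and SHA-256 hashes. Certificate subject names are
# stored as printable ASCII inside the DER, so a plain text search is enough to tell which
# CAs are present (this is the same check Microsoft's KB5025885 guidance uses).
function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    try {
        [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes)
    } catch {
        ''   # variable absent, e.g. firmware with no dbx provisioned at all
    }
}

# Authenticode issuer of the boot manager the firmware will actually load: the copy on
# the EFI System Partition, not the staged copy under C:\Windows\Boot.
function Get-EspBootManagerIssuer {
    param([string]$Drive = 'S:')   # assumption: S: is a free drive letter on this machine
    $mountedHere = $false
    if (-not (Test-Path $Drive)) {
        mountvol $Drive /S | Out-Null   # mount the ESP
        $mountedHere = $true
    }
    try {
        $bootMgr = Join-Path $Drive 'EFI\Microsoft\Boot\bootmgfw.efi'
        (Get-AuthenticodeSignature -FilePath $bootMgr).SignerCertificate.Issuer
    } finally {
        if ($mountedHere) { mountvol $Drive /D | Out-Null }   # unmount again
    }
}

function Get-BlackLotusMitigationState {
    $secureBootOn = $false
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS

    $db     = Get-SecureBootVariableText -Name 'db'
    $dbx    = Get-SecureBootVariableText -Name 'dbx'
    $issuer = [string](Get-EspBootManagerIssuer)

    $state = [ordered]@{
        SecureBootEnabled      = [bool]$secureBootOn
        DbHasWindowsUefiCa2023 = [bool]($db  -match 'Windows UEFI CA 2023')
        DbxRevokesPca2011      = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
        BootManagerUpdated     = [bool]($issuer -match 'Windows UEFI CA 2023')
        BootManagerIssuer      = $issuer
    }

    # Row numbering follows the table in the post (this example's own arithmetic):
    # +4 Secure Boot enabled, +2 DBX revoked, +1 updated boot manager, starting at row 1.
    $state['TableRow'] = 1 + 4 * [int]$state.SecureBootEnabled `
                           + 2 * [int]$state.DbxRevokesPca2011 `
                           + [int]$state.BootManagerUpdated

    # Revoking PCA 2011 is only safe once the firmware trusts the 2023 CA (db) AND the
    # boot manager on the ESP is signed by it; otherwise Secure Boot lands you in row 7.
    $state['SafeToApplyDbxRevocation'] = $state.DbHasWindowsUefiCa2023 -and $state.BootManagerUpdated

    # Pending-step flags that the \Microsoft\Windows\PI\Secure-Boot-Update task consumes.
    # Bit meanings per KB5025885 (verify against the current revision of that article):
    # 0x40 add 2023 CA to db, 0x100 install 2023-signed boot manager, 0x80 put PCA 2011 in dbx.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot' `
                            -Name 'AvailableUpdates' -ErrorAction SilentlyContinue
    $state['AvailableUpdates'] = if ($reg) { '0x{0:X}' -f $reg.AvailableUpdates } else { 'not set' }

    [pscustomobject]$state
}

$s = Get-BlackLotusMitigationState
$s | Format-List

if ($s.SecureBootEnabled -and $s.DbxRevokesPca2011 -and -not $s.BootManagerUpdated) {
    Write-Warning 'Row 7: Secure Boot on, PCA 2011 revoked, old boot manager on the ESP. Next boot will fail.'
} elseif (-not $s.SafeToApplyDbxRevocation) {
    Write-Warning 'Do not apply the DBX revocation yet: the 2023 CA in db and/or the 2023-signed boot manager is missing.'
}
```

Two caveats when reading the result. First, the text search only looks for the certificate entries; the 2022/2023 DBX updates also add hash entries for specific vulnerable binaries, which this check does not enumerate. Second, "SafeToApplyDbxRevocation" is about this disk only: any Windows install or recovery USB whose boot manager is still signed under PCA 2011 will stop booting on this PC once Secure Boot is on and the revocation is in dbx, so rebuild that media before you move to row 8.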
👆🏻 That’s a pretty good summary of where we are. It’s also, basically, how HTTPS trust works.
Thanks garlin. A useful summary.

... if Secure Boot is used for booting

Perhaps if sufficient numbers of people choose not to use SB (i.e. choose to keep SB turned OFF), this might damage the overall integrity of change. So that suggests a possible forced UEFI BIOS upgrade to remove that choice. (I've already experienced a forced UEFI BIOS upgrade from HP, when it occurred on a routine reboot with no warning or opt-out option.)

This is a very useful thread for clarity. As it stands, my current choice is to do nothing, just wait and keep the powder dry. But it's become clear what we are waiting for.