For those who might still be following this, I tested out some steps for upgrading Windows PE after revocations are put in place.
Before you read any further, I'm just going to point out that this is for the real geeks out there and for completeness in this thread. Most people may not care about this stuff.
For those that don't care, I will just appeal to you to test any Win PE based media once you get to the point where you have applied revocations. You want to make sure that any such media works properly (that it can be booted successfully) after the revocations are applied to your system.
The procedure below has two options:
1) How to Update the Windows PE Add-on to Address the BlackLotus UEFI Bootkit Mitigation
This option applies if you installed Win PE onto your system. After you update Windows PE, any programs that create Windows PE based boot media will have all of the updates, assuming that they are pulling the Windows PE files from your installed copy of Windows PE.
In my testing, when I tried to create a Macrium Reflect boot disk, it did NOT pull files from my installed copy of Windows PE. Instead, it downloaded Windows PE from Microsoft and then built the media from that download. That is where Option 2 comes into play:
2) Apply Updates to Existing Windows PE Media (Macrium Reflect, Acronis software, etc.)
This will update existing media that was created from Windows PE and has not already been patched.
Enough intro. Here is the procedure that I worked out that is working for me:
--------------------------
This document contains 2 procedures:
OPTION 1: How to Update the Windows PE Add-on to Address the BlackLotus UEFI Bootkit Mitigation
OPTION 2: Apply Updates to Existing Windows PE Media
OPTION 1: How to Update the Windows PE Add-on to Address the BlackLotus UEFI Bootkit Mitigation
IMPORTANT: Before you perform this procedure, make sure that you first have the May 9, 2023 Patch Tuesday updates (or newer) applied to Windows.
Since the goal of this procedure is to update the Windows PE add-on, it is assumed that you already have Windows PE installed. If not, please install the Windows ADK and the Windows PE add-on. When installing the ADK, you will have the option to install a number of components. The only item needed is the Deployment Tools option.
After installing the ADK, install the Windows PE add-on.
On your Windows drive (assumed to be C:), create folders for this project using these commands:
md c:\Project
md c:\Project\Mount
md c:\Project\LCU
md c:\Project\SSU
md c:\Project\temp
IMPORTANT: The DISM command will often fail when dismounting an image if antivirus software interferes with it. I strongly suggest doing one of the following:
1) Disable real-time antivirus scanning until you have finished this procedure.
2) Create an antivirus exception for c:\Project and all files and folders contained therein until you have finished this procedure.
From the Microsoft Update Catalog, download the Latest Cumulative Update. Here is a sample search term to find the LCU for Windows 11 22H2 as of May 2023. Include the quotes as shown:
"Windows 11" version 22H2 2023-05
Make sure to download the x64 version of the update and not the arm64-based update.
After downloading, right-click the update file, select Properties, check the Unblock box and then click OK.
Place that file in the c:\Project\LCU folder.
Start the Deployment and Imaging Tools Environment as an administrator. You can find this by going to Start > All apps > Windows Kits. Run all of the following commands from that command prompt.
You will get a command prompt with a very long path shown. Run the command below (include the quotes):
cd "..\Windows Preinstallation Environment\amd64"
Mount Windows PE with this command:
DISM /Mount-Image /ImageFile:"en-us\winpe.wim" /index:1 /MountDir:"C:\Project\Mount"
The Latest Cumulative Update (LCU) may also contain an SSU (Servicing Stack Update). Run the following to extract the SSU if one is present. If an SSU is not present, no worries, this won't harm anything:
expand "C:\Project\LCU\*.MSU" /f:"SSU*.cab" "C:\Project\SSU"
Check the SSU folder to see if a file is present. If a file is present, run the following command. If no file is present, skip that command. This command will apply the SSU:
DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\SSU"
Apply The LCU with this command:
DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\LCU"
Make the updates permanent and shrink the image (note that after /ResetBase the superseded packages can no longer be uninstalled from the image):
DISM /Cleanup-Image /Image:"C:\Project\Mount" /StartComponentCleanup /Resetbase /ScratchDir:C:\Project\temp
Copy boot files back to the Win PE add-on installation with these two commands:
Xcopy "C:\Project\Mount\Windows\Boot\EFI\bootmgr.efi" "Media\bootmgr.efi" /Y
Xcopy "C:\Project\Mount\Windows\Boot\EFI\bootmgfw.efi" "Media\EFI\Boot\bootx64.efi" /Y
Unmount the Win PE image and commit the changes:
DISM /Unmount-Image /MountDir:"C:\Project\Mount" /Commit
This concludes the process. Any images or media that you create from now on using the Windows PE add-on will contain the updated Windows PE files.
OPTION 2: Apply Updates to Existing Windows PE Media
IMPORTANT: Before you perform this procedure, make sure that you first have the May 9, 2023 Patch Tuesday updates (or newer) applied to Windows.
IMPORTANT: The copy of Windows PE that you are updating should be of the same version as the updates being applied. My suggestion is that you regenerate the Windows PE based media using your current version of Windows before you proceed.
This procedure requires tools from the Windows ADK. If you do not already have the ADK installed, please install it now. When installing the ADK, you will have the option to install a number of components. The only item needed is the Deployment Tools option.
On your Windows drive (assumed to be C:), create folders for this project using these commands:
md c:\Project
md c:\Project\Mount
md c:\Project\LCU
md c:\Project\SSU
md c:\Project\temp
md c:\Project\WinPE
md c:\Project\WinPE_NEW
Start by copying boot.wim from your media to C:\Project\WinPE. This file should be in a \Sources folder on the media.
IMPORTANT: The DISM command will often fail when dismounting an image if antivirus software interferes with it. I strongly suggest doing one of the following:
1) Disable real-time antivirus scanning until you have finished this procedure.
2) Create an antivirus exception for c:\Project and all files and folders contained therein until you have finished this procedure.
From the Microsoft Update Catalog, download the Latest Cumulative Update. Here is a sample search term to find the LCU for Windows 11 22H2 as of May 2023. Include the quotes as shown:
"Windows 11" version 22H2 2023-05
Make sure to download the x64 version of the update and not the arm64-based update.
After downloading, right-click the update file, select Properties, check the Unblock box and then click OK.
Place that file in the c:\Project\LCU folder.
Start the Deployment and Imaging Tools Environment as an administrator. You can find this by going to Start > All apps > Windows Kits. Run all of the following commands from that command prompt.
You will get a command prompt with a very long path shown. Run the command below. This will shorten that annoyingly long path and make it easier to see what you are doing:
CD\
Mount Windows PE:
DISM /Mount-Image /ImageFile:"c:\Project\WinPE\boot.wim" /index:1 /MountDir:"C:\Project\Mount"
The Latest Cumulative Update (LCU) may also contain an SSU (Servicing Stack Update). Run the following to extract the SSU if one is present. If an SSU is not present, no worries, this won't harm anything:
expand "C:\Project\LCU\*.MSU" /f:"SSU*.cab" "C:\Project\SSU"
Check the SSU folder to see if a file is present. If a file is present, run the following command to apply the SSU, if not, skip that command:
DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\SSU"
Apply the LCU:
DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\LCU"
Clean up the superseded components:
DISM /Cleanup-Image /Image:"C:\Project\Mount" /StartComponentCleanup
Unmount the image and commit the changes:
DISM /Unmount-Image /MountDir:"C:\Project\Mount" /Commit
Export the image to a new file so that the cleaned-up space is actually reclaimed:
DISM /Export-Image /SourceImageFile:"C:\Project\WinPE\boot.wim" /SourceIndex:1 /DestinationImageFile:"C:\Project\WinPE_New\boot.wim"
Copy the boot.wim from c:\Project\WinPE_New to your media, replacing the boot.wim in the \Sources folder. If you like, you can first make a backup of the original boot.wim file by copying it to another location, just in case there is a problem with the newly updated file.
This concludes the process of updating Windows PE on existing media.
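Added example (my script, not the original poster's; the poster's own commands are the ones above): a PowerShell script that runs the DISM steps of both options from an elevated prompt, stops on the first failed DISM call instead of continuing with a half-serviced image, and finishes with a check a practitioner will want before the boot test: the file version and Authenticode signer of the boot manager inside the serviced image next to the one on the media. It assumes the C:\Project layout from the post and the default ADK install path; the `-MediaRoot` parameter is my addition and goes one step beyond the post's Option 2: since the firmware loads \EFI\Boot\bootx64.efi from the media rather than the copy inside boot.wim, it refreshes that file from the serviced image the same way Option 1 refreshes the add-on's Media folder.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original poster's script. Drives Option 1 (-Mode AddOn) and
# Option 2 (-Mode Media) with dism.exe and reports the boot manager version/signer afterwards.
# All paths are assumptions (default ADK location, C:\Project layout from the post); adjust them.
[CmdletBinding()]
param(
    [ValidateSet('AddOn', 'Media')] [string]$Mode = 'Media',
    [string]$Project = 'C:\Project',
    # Option 2: boot.wim copied from the media's \Sources folder
    [string]$BootWim = 'C:\Project\WinPE\boot.wim',
    # Option 2, optional (my addition): root of the media itself, so \EFI\Boot\bootx64.efi is refreshed too
    [string]$MediaRoot = '',
    # Option 1: the WinPE add-on's amd64 folder (assumed default ADK path)
    [string]$WinPEAddOn = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64',
    [switch]$ResetBase   # the post uses /ResetBase in Option 1 only
)
$ErrorActionPreference = 'Stop'
$Mount = "$Project\Mount"; $LCU = "$Project\LCU"; $SSU = "$Project\SSU"; $Temp = "$Project\temp"
foreach ($d in $Mount, $LCU, $SSU, $Temp, "$Project\WinPE_NEW") { New-Item -ItemType Directory -Force -Path $d | Out-Null }

# Run dism.exe and stop on a non-zero exit code instead of silently moving on to the next step.
function Invoke-Dism([string[]]$DismArgs) {
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) { throw "dism.exe $($DismArgs -join ' ') failed: exit code $LASTEXITCODE" }
}

# File version and Authenticode signer of a boot manager binary (the thing the post's boot test exercises).
function Get-BootMgrInfo([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File    = $Path
        Version = (Get-Item $Path).VersionInfo.FileVersion
        Signer  = $sig.SignerCertificate.Subject
        SigOk   = ($sig.Status -eq 'Valid')
    }
}

# Preflight: exactly one .msu in the LCU folder, x64 rather than ARM64, and unblocked (Properties > Unblock).
$msu = @(Get-ChildItem -Path $LCU -Filter '*.msu')
if ($msu.Count -ne 1) { throw "Expected one .msu in $LCU, found $($msu.Count)" }
$msu = $msu[0]
if ($msu.Name -match 'arm64') { throw "$($msu.Name) is an ARM64 package; download the x64 update" }
Unblock-File -Path $msu.FullName

$wim = if ($Mode -eq 'AddOn') { "$WinPEAddOn\en-us\winpe.wim" } else { $BootWim }
if ($Mode -eq 'Media') { Copy-Item -Path $BootWim -Destination "$BootWim.bak" -Force }  # keep the untouched original

Invoke-Dism @('/Mount-Image', "/ImageFile:$wim", '/Index:1', "/MountDir:$Mount")
try {
    # Extract the SSU bundled in the LCU, if there is one; expand.exe is harmless when there is none.
    & expand.exe $msu.FullName '/f:SSU*.cab' $SSU | Out-Null
    if (Get-ChildItem -Path $SSU -Filter '*.cab') {
        Invoke-Dism @('/Add-Package', "/Image:$Mount", "/PackagePath:$SSU")
    }
    Invoke-Dism @('/Add-Package', "/Image:$Mount", "/PackagePath:$LCU")
    $cleanup = @('/Cleanup-Image', "/Image:$Mount", '/StartComponentCleanup', "/ScratchDir:$Temp")
    if ($ResetBase) { $cleanup += '/ResetBase' }   # irreversible: superseded packages can no longer be uninstalled
    Invoke-Dism $cleanup

    # The boot manager the firmware loads is the one on the media (\EFI\Boot\bootx64.efi), not the copy
    # inside the WIM. Refresh it from the serviced image: the add-on's Media folder for Option 1, or the
    # media root for Option 2 when -MediaRoot was given.
    $target = if ($Mode -eq 'AddOn') { "$WinPEAddOn\Media" } else { $MediaRoot.TrimEnd('\') }
    if ($target) {
        Copy-Item "$Mount\Windows\Boot\EFI\bootmgr.efi"   "$target\bootmgr.efi" -Force
        Copy-Item "$Mount\Windows\Boot\EFI\bootmgfw.efi" "$target\EFI\Boot\bootx64.efi" -Force
    }
    $inside = Get-BootMgrInfo "$Mount\Windows\Boot\EFI\bootmgfw.efi"
    Invoke-Dism @('/Unmount-Image', "/MountDir:$Mount", '/Commit')
} catch {
    Invoke-Dism @('/Unmount-Image', "/MountDir:$Mount", '/Discard')   # never leave a half-serviced mount behind
    throw
}

if ($Mode -eq 'Media') {
    # Export drops the superseded payload; the exported boot.wim is what replaces the one in \Sources.
    Invoke-Dism @('/Export-Image', "/SourceImageFile:$BootWim", '/SourceIndex:1', "/DestinationImageFile:$Project\WinPE_NEW\boot.wim")
}

# Check: boot manager now inside the image versus the one the media will actually load.
$report = @($inside)
if ($target -and (Test-Path "$target\EFI\Boot\bootx64.efi")) { $report += Get-BootMgrInfo "$target\EFI\Boot\bootx64.efi" }
$report | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt, for example `.\Update-WinPE.ps1 -Mode AddOn -ResetBase` for Option 1, or `.\Update-WinPE.ps1 -Mode Media -BootWim C:\Project\WinPE\boot.wim -MediaRoot E:` for Option 2 with the media mounted as E:. The antivirus note from the post still applies to the mount folder, and the final table only tells you that the two boot managers match; the actual test remains the one the post asks for, booting the media on a machine that already has the revocations applied.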