I'm just looking into the media now. I have done the revocations on my two laptops back in May. As you say, if I need to deal with them I can turn off Secure Boot for the small period when installing or restoring. I haven't done my desktop yet. I'm waiting until I have got updated media. I just downloaded some ISOs (W10 and W11) and also built a couple of USB keys a couple of days back. I'm trying to work out if they have been updated yet.
@BobD, if it helps at all, I posted batch files that you can use to update your Windows PE based boot disks. You can find those batch files here:
EDIT: Updated May 3, 2024. Please refer to the following from now on. This is a greatly improved article over this post, and it is in that article that I will post any new updates as they become available. https://www.elevenforum.com/t/performing-mitigations-for-blacklotus-uefi-bootkit.24892/...
If you prefer to do this manually so that you have full control over the process, here is a manual procedure. Please note that I tested these steps using the US English version of Windows 11.
Revised July 27, 2023
Please see Microsoft KB5025885
This document contains 3 procedures:
OPTION 1: How to Update the Windows PE Add-on to Address the BlackLotus UEFI Bootkit Mitigation
OPTION 2: Apply Updates to Existing WinPE Media
OPTION 3: Apply revocations to the local machine
NOTE: Microsoft suggests updating your Windows PE based media first before you apply the revocations on your machine to ensure that your media is ready to go before you update your PC. For this reason I have listed the procedure for updating the local machine last as option #3.
OPTION 1: How to Update the Windows PE Add-on to Address the BlackLotus UEFI Bootkit Mitigation
==================================================================
Just to clarify, this option is for updating a local Windows PE installation on your PC. In other words, if you have installed the Windows ADK and the Windows PE add-on for the ADK, this option will update that Windows PE installation. If you want to update bootable media that uses Windows PE, for example, a Macrium Reflect boot disk using Windows PE and NOT Windows RE, then follow the steps for Option 2 instead.
IMPORTANT: Before you perform this procedure, you should make sure that you first have the July 11, 2023 Patch Tuesday updates (or newer) applied to Windows.
Since the goal of this procedure is to update the Windows PE add-on, it is assumed that you already have Win PE installed. If not, please install the Windows ADK and the WinPE add-on. When installing the ADK, you will have the option to install a number of components. The only item needed is the "Deployment tools" option.
After installing the ADK, install the Win PE add-on.
On your Windows drive (assumed to be C:), create folders for this project using these commands:
md c:\Project
md c:\Project\Mount
md c:\Project\LCU
md c:\Project\SSU
md c:\Project\temp
IMPORTANT: The DISM command will often fail when dismounting an image if antivirus software interferes with it. I strongly suggest doing one of the following:
1) Disable real time antivirus scanning until you have finished this procedure.
2) Create an antivirus exception for c:\Project and all files and folders contained therein until you have finished this procedure.
From the Microsoft Update Catalog, download the Latest Cumulative Update. Here is a sample search term to find the LCU for Windows 11 22H2 as of July 2023. Include the quotes as shown:
"Windows 11" version 22H2 2023-07
Make sure to download the x64 version of the update and not the arm64-based update. In addition, you should download the version of the update that is NOT described as a dynamic update. It's possible that the dynamic update may work, but I did not test with it.
After downloading, right-click the update file, select properties, check the "Unblock" box and then click on OK.
Place that file in the c:\Project\LCU folder.
Start the "Deployment and Imaging Tools Environment" as an administrator. You can find this by going to Start > All apps > Windows Kits.
Run all of the following commands from that command prompt.
You will get a command prompt with a very long path shown. Run the command below (include the quotes):
cd "..\Windows Preinstallation Environment\amd64"
Mount Windows PE with this command:
DISM /Mount-Image /ImageFile:"en-us\winpe.wim" /index:1 /MountDir:"C:\Project\Mount"
The Latest Cumulative Update (LCU) may possibly also contain an SSU (Servicing Stack Update). Run the following to extract the SSU if one is present. If an SSU is not present, no worries, this won't harm anything:
expand "C:\Project\LCU\*.MSU" /f:"SSU*.cab" "C:\Project\SSU"
Check the SSU folder to see if a file is present. If a file is present, run the following command. If no file is present, skip that command and move on to the next item. This command will apply the SSU:
DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\SSU"
Apply The LCU with this command:
DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\LCU"
Lock the updates:
DISM /Cleanup-Image /Image:"C:\Project\Mount" /StartComponentCleanup /Resetbase /ScratchDir:C:\Project\temp
Copy boot files back to the Win PE add-on installation with these two commands:
Xcopy "C:\Project\Mount\Windows\Boot\EFI\bootmgr.efi" "Media\bootmgr.efi" /Y /-I
Xcopy "C:\Project\Mount\Windows\Boot\EFI\bootmgfw.efi" "Media\EFI\Boot\bootx64.efi" /Y /-I
Unmount the Win PE image and commit the changes:
DISM /Unmount-Image /MountDir:"C:\Project\Mount" /Commit
Export the image from the winpe.wim file. Exporting will shrink the file because the old versions of files within that WIM that were updated will not be exported. To export, run this command:
DISM /Export-Image /Bootable /SourceImageFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /SourceIndex:1 /DestinationImageFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim.new"
DEL "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim"
REN "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim.new" winpe.wim
This concludes the process. Any images or media that you now create using the Windows PE add-on will have updated Windows PE files.
Option 2: Apply Updates to Existing WinPE Media
================================
IMPORTANT: Before you perform this procedure, you should make sure that you first have the July 11, 2023 Patch Tuesday updates (or newer) applied to Windows.
IMPORTANT: The copy of Windows PE that you are updating should be of the same version as the updates being applied. My suggestion is that you regenerate the Windows PE based media using your current version of Windows before you proceed.
This procedure requires tools from the Windows ADK. If you do not already have the ADK installed, please install it now. When installing the ADK, you will have the option to install a number of components. The only item needed is the "Deployment tools" option.
On your Windows drive (assumed to be C:), create folders for this project using these commands:
md c:\Project
md c:\Project\Mount
md c:\Project\LCU
md c:\Project\SSU
md c:\Project\temp
md c:\Project\WinPE
md c:\Project\WinPE_NEW
Start by copying boot.wim from your media to C:\Project\WinPE. This file should be in a \Sources folder.
IMPORTANT: The DISM command will often fail when dismounting an image if antivirus software interferes with it. I strongly suggest doing one of the following:
1) Disable real time antivirus scanning until you have finished this procedure.
2) Create an antivirus exception for c:\Project and all files and folders contained therein until you have finished this procedure.
From the Microsoft Update Catalog, download the Latest Cumulative Update. Here is a sample search term to find the LCU for Windows 11 22H2 as of May 2023. Include the quotes as shown:
"Windows 11" version 22H2 2023-05
Make sure to download the x64 version of the update and not the arm64-based update.
After downloading, right-click the update file, select properties, check the "Unblock" box and then click on OK.
Place that file in the c:\Project\LCU folder.
Start the "Deployment and Imaging Tools Environment" as an administrator. You can find this by going to Start > All apps > Windows Kits. Run all of the following commands from that command prompt.
You will get a command prompt with a very long path shown. Run the command below. This will shorten that annoyingly long path and make it easier to see what you are doing:
CD\
Mount Windows PE:
DISM /Mount-Image /ImageFile:"c:\Project\WinPE\boot.wim" /index:1 /MountDir:"C:\Project\Mount"
The Latest Cumulative Update (LCU) may possibly also contain an SSU (Servicing Stack Update). Run the following to extract the SSU if one is present. If an SSU is not present, no worries, this won't harm anything:
expand "C:\Project\LCU\*.MSU" /f:"SSU*.cab" "C:\Project\SSU"
Check the SSU folder to see if a file is present. If a file is present, run the following command to apply the SSU, if not, skip that command:
DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\SSU"
Apply The LCU:
DISM /Add-Package /Image:"C:\Project\Mount" /PackagePath="C:\Project\LCU"
DISM /Cleanup-Image /Image:"C:\Project\Mount" /StartComponentCleanup
DISM /Unmount-Image /MountDir:"C:\Project\Mount" /Commit
DISM /Export-Image /Bootable /SourceImageFile:"C:\Project\WinPE\boot.wim" /SourceIndex:1 /DestinationImageFile:"C:\Project\WinPE_New\boot.wim"
Copy the boot.wim from c:\Project\WinPE_New to your media, replacing the boot.wim in the \Sources folder. If you like, you can first make a backup of the original boot.wim file by copying it to another location just in case there is a problem with the newly updated file.
This concludes the process of updating the boot.wim (Windows PE) on existing media.
OPTION 3: Apply Revocation to the Local Machine
=================================
Note that this option only needs to be performed one single time. Once this is applied to the computer, it will be permanent. We list this option last for the following reasons:
A) Options 1 and 2 may need to be run multiple times, for example, when new Windows PE based media is created or if Windows PE is reinstalled before Microsoft releases a new version with fixes built in.
B) You really want to update your Windows PE based bootable media FIRST since performing this step will render Windows PE media that is not patched unbootable if you run secure boot and this step has already been performed.
This procedure is very simple:
1) Make sure that the July 2023 or later Windows updates have been installed and the system has been rebooted.
2) Run this command from an elevated command prompt:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f
After applying the above registry change, reboot the system. After the first reboot, wait a minimum of five minutes and then reboot a second time.
After the second reboot, check your System Event Log. You should find an event 1035 with the text "Secure Boot DBX update applied successfully".
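The post above stresses two things about OPTION 3: it is permanent, so your WinPE media must already be patched before you run the reg add, and after the two reboots you should see event 1035 in the System log. The script below is an added example, not part of the original post and not Microsoft's KB5025885 tooling; it is read-only and wraps those two checks so you can run the preflight before applying the revocation and the verification after the second reboot. It assumes an elevated PowerShell session on a UEFI machine, that each boot USB stick you pass in $MediaRoots carries its boot manager at \EFI\Boot\bootx64.efi with a PE version resource, and that you supply -MinimumBuild yourself with the UBR of the July 2023 (or later) cumulative update listed in KB5025885 (the value is deliberately not hard-coded here). The registry key, the 0x30 value, and event 1035 are taken from the post.

```powershell
<#
  Added example (not from the original post). Read-only checks around OPTION 3.
  Assumptions: elevated PowerShell on a UEFI system; media boot manager lives at
  <media>\EFI\Boot\bootx64.efi; -MinimumBuild is the UBR of the July 2023 or later LCU
  you installed (look it up in KB5025885; a placeholder 0 disables that check).
#>
param(
    [string[]] $MediaRoots   = @(),   # e.g. 'E:\'  (constructed placeholder, set to your USB drive)
    [int]      $MinimumBuild = 0      # e.g. the UBR of the LCU named in KB5025885
)

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'   # key used by the post's reg add
$DbxEventId    = 1035                                                   # event ID named in the post

function Get-PeFileVersion {
    param([string] $Path)
    # Use the numeric parts; the FileVersion string may carry a "(WinBuild...)" suffix that [version] rejects.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-MediaBootManager {
    # The post's rule: patch WinPE media BEFORE the revocation, or it will not boot under Secure Boot.
    # Compare the media's boot manager with the local bootmgfw.efi that the LCU already updated.
    param([string] $MediaRoot)
    $local     = Get-PeFileVersion -Path (Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi')
    $mediaFile = Join-Path $MediaRoot 'EFI\Boot\bootx64.efi'
    if (-not (Test-Path -LiteralPath $mediaFile)) {
        return [pscustomobject]@{ Media = $MediaRoot; Ready = $false; Detail = 'no EFI\Boot\bootx64.efi found' }
    }
    $media = Get-PeFileVersion -Path $mediaFile
    return [pscustomobject]@{
        Media  = $MediaRoot
        Ready  = ($media -ge $local)
        Detail = "media boot manager $media, local boot manager $local"
    }
}

function Test-Preflight {
    $issues = @()
    try {
        if (-not (Confirm-SecureBootUEFI)) { $issues += 'Secure Boot is off: the revocation would be staged but not enforced.' }
    } catch {
        $issues += 'Confirm-SecureBootUEFI failed: not a UEFI Secure Boot capable system.'
    }

    # UBR is the fourth part of the OS build (10.0.xxxxx.<UBR>); the installed LCU level is visible there.
    $ubr = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    if ($MinimumBuild -gt 0 -and $ubr -lt $MinimumBuild) {
        $issues += "OS UBR $ubr is below $MinimumBuild; install the July 2023 or later LCU and reboot first."
    }

    foreach ($root in $MediaRoots) {
        $r = Test-MediaBootManager -MediaRoot $root
        if (-not $r.Ready) { $issues += "Media $($r.Media) is not ready: $($r.Detail)" }
    }
    return $issues
}

function Test-RevocationApplied {
    # Run after the second reboot: look for the event the post names and report the registry value as-is.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $DbxEventId } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like '*DBX update applied successfully*' }
    $last   = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    $reg    = Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue
    $regText = '(not set)'
    if ($reg) { $regText = '0x{0:X}' -f [int]$reg.AvailableUpdates }
    return [pscustomobject]@{
        DbxEventSeen     = [bool]$events
        LastDbxEvent     = $last.TimeCreated
        AvailableUpdates = $regText
    }
}

# ---- main: preflight first, then the post-reboot status ----
$issues = Test-Preflight
if ($issues) {
    Write-Host 'Do NOT apply the revocation yet:'
    $issues | ForEach-Object { Write-Host "  - $_" }
} else {
    Write-Host 'Preflight passed: prerequisites and listed media look ready for OPTION 3.'
}
Test-RevocationApplied | Format-List
```

Run it once before the reg add with your USB sticks listed (for example `.\Check-Revocation.ps1 -MediaRoots 'E:\' -MinimumBuild <UBR>`), and again after the second reboot; DbxEventSeen should then be True. The media check only covers the boot manager file on the stick, so media updated with OPTION 2 (which replaces boot.wim) should still be test-booted on a machine that already has the revocation applied before you rely on it.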