KB5025885 (Black Lotus) – Making Everything Work After It Breaks

The rumours about Microsoft’s enforcement of the Black Lotus boot kit mitigations have been around since May 2023 but so far Microsoft have (sensibly) held back enforcement. And with good reason – the mitigations, once applied, are known to cause all sorts of problems with booting, PXE boot, USB boot, CD, even SecureBoot. As you can imagine, this could become a support headache, especially when applied at enterprise level customers.

I have recently had the dubious pleasure of investigating this and assessing what impact this might have when it’s forcibly imposed in some future KB (incidentally, no concrete date set from what I have heard so far, but possibly Q1 2025 although this date keeps getting shunted forward).

In any case, I thought I’d share the benefit of my knowledge for those struggling to get stuff working, particularly PXE booting via WDS. In all likelihood, any machines you’re preparing for have already got the ‘payload’ in place – that is, it’s already present on your machines but just needs activation. This is achieved via several registry updates and reboots, the process of which can take the best part of half an hour. Quite a pain, but as I say, I would expect this to be taken care of in a more streamlined way in a future KB. Once the mitigations have been applied, there shouldn’t be any immediately noticeable issues with the machine, although there are reports by some of being unable to boot into the OS. If this happens, you may wish to temporarily disable SecureBoot or alternatively, apply a workaround in the linked article above. However I wouldn’t expect this to happen and I haven’t personally come across it yet.

However, you will start to notice problems when you attempt to PXE boot or boot off some other media. The reason is that the Secure Boot certificates in the UEFI firmware have now been updated from the 2011 CA to the 2023 CA, so boot binaries signed only with the old certificate fail the Secure Boot signature check. There are three areas we have to update:

  • The Boot Image
  • The WDS/Native SCCM PXE Binaries
  • The OS Media
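Before touching the boot infrastructure it helps to know whether a client actually has the mitigation in place. The PowerShell below is an added example, not part of the original post; it assumes the 2023 CA shows up in the Secure Boot DB under the subject name "Windows UEFI CA 2023", that the old CA is listed as "Microsoft Windows Production PCA 2011", and that the staged 2023-signed boot managers live under C:\Windows\Boot\EFI_EX and C:\Windows\Boot\PXE_EX (the paths used later in this post).

```powershell
# Added example (not from the original post): read-only check of whether a
# client already has the KB5025885 pieces in place. Run from an elevated
# PowerShell session on a UEFI machine.
# Assumptions: DB subject names and the EFI_EX/PXE_EX staging paths as above.

function Test-SecureBootMitigation {
    [CmdletBinding()]
    param(
        [string]$BootRoot = "$env:SystemRoot\Boot"
    )
    $result = [ordered]@{}

    # 1. Secure Boot must be on for any of this to matter.
    $result.SecureBootEnabled = Confirm-SecureBootUEFI

    # 2. Has the "Windows UEFI CA 2023" certificate been added to the DB?
    #    The DB is a raw byte blob; the subject CN is plain ASCII inside the
    #    DER-encoded certificate, so a string match answers the question.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.Ca2023InDb = $db -match 'Windows UEFI CA 2023'

    # 3. Is the old 2011 CA still present? (It normally stays until revoked.)
    $result.Pca2011InDb = $db -match 'Microsoft Windows Production PCA 2011'

    # 4. Are the _EX (2023-signed) boot managers staged, and who issued their
    #    signing certificate? Issuer is reported rather than Status, because
    #    Status depends on the local trust store, not on what UEFI will accept.
    foreach ($rel in 'EFI_EX\bootmgfw_EX.efi', 'PXE_EX\wdsmgfw_EX.efi') {
        $path = Join-Path $BootRoot $rel
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $result[$rel] = 'present; signer issued by: ' + $sig.SignerCertificate.Issuer
        } else {
            $result[$rel] = 'missing'
        }
    }
    [pscustomobject]$result
}

Test-SecureBootMitigation | Format-List
```

A machine that reports Ca2023InDb as False still boots old media happily; it is the ones reporting True that will hit the PXE/USB failures described below.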

Boot Image

This should be the first port of call. When creating the image, make sure you have installed the ADK 10.1.26100.1 (May 2024) and in particular, the WinPE Add-On. This version contains all the latest certificates within the winpe.wim file and will ensure compatibility/bootability(!).

Windows Deployment Server

  1. Ensure the server has a recent (at least June 2024) KB update. This ensures it has a copy of the PXE boot binaries containing the new certs available.
  2. Copy C:\Windows\System32\RemInst\boot_EX\x64\wdsmgfw_EX.efi E:\RemoteInstall\Boot\x64\wdsmgfw.efi
  3. Copy C:\Windows\System32\RemInst\boot_EX\x64\en-US\wdsmgfw_EX.efi.mui E:\RemoteInstall\Boot\x64\en-US\wdsmgfw.efi.mui
  4. Copy C:\Windows\System32\RemInst\boot_EX\x64\en-US\bootmgfw_EX.efi.mui E:\RemoteInstall\Boot\x64\en-US\bootmgfw.efi.mui
  5. Copy C:\Windows\System32\RemInst\boot_EX\x64\bootmgfw_EX.efi E:\RemoteInstall\Boot\x64\bootmgfw.efi

Strictly speaking, the mui’s aren’t necessary but…belt and braces. What we’re doing here is replacing the old binaries with the new 2023 binaries which were supplied in the latest KB. If you have more than one WDS server, obviously ensure all are updated appropriately. In our environment, we also had one or two hard-coded boot paths which caused further confusion but I wouldn’t expect that normally.
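The four copies above as a script, with a backup of the files being replaced and a post-copy check of who signed the new binaries. This is an added example, not part of the original post; paths follow the post (E:\RemoteInstall and the boot_EX\x64 folder under RemInst) and the check assumes the 2023-signed files carry a signing certificate issued by "Windows UEFI CA 2023".

```powershell
# Added example (not part of the original post): scripted WDS update.
# Run elevated on the WDS server; adjust $RemoteInstall for your layout.
param(
    [string]$RemoteInstall = 'E:\RemoteInstall',
    [string]$RemInst       = "$env:SystemRoot\System32\RemInst\boot_EX\x64"
)

# source (relative to boot_EX\x64) -> destination (relative to RemoteInstall\Boot\x64)
$files = @{
    'wdsmgfw_EX.efi'            = 'wdsmgfw.efi'
    'bootmgfw_EX.efi'           = 'bootmgfw.efi'
    'en-US\wdsmgfw_EX.efi.mui'  = 'en-US\wdsmgfw.efi.mui'
    'en-US\bootmgfw_EX.efi.mui' = 'en-US\bootmgfw.efi.mui'
}

$bootDir = Join-Path $RemoteInstall 'Boot\x64'
$backup  = Join-Path $RemoteInstall ('Boot\x64.bak-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path (Join-Path $backup 'en-US') -Force | Out-Null

foreach ($src in $files.Keys) {
    $from = Join-Path $RemInst $src
    $to   = Join-Path $bootDir $files[$src]
    if (-not (Test-Path $from)) { throw "Missing $from - is the June 2024 (or later) KB installed?" }

    # Keep the old 2011-signed file so PXE can be rolled back if clients that
    # have NOT yet had the mitigation applied turn out to need it.
    if (Test-Path $to) { Copy-Item $to (Join-Path $backup $files[$src]) -Force }
    Copy-Item $from $to -Force
}

# Verify the two EFI binaries (the .mui files are resource-only).
# Issuer is checked rather than Status: Status reflects the local trust store,
# which is not what the firmware consults at boot.
foreach ($efi in 'wdsmgfw.efi', 'bootmgfw.efi') {
    $sig   = Get-AuthenticodeSignature -FilePath (Join-Path $bootDir $efi)
    $ok    = $sig.SignerCertificate.Issuer -match 'UEFI CA 2023'   # assumed issuer name
    $state = if ($ok) { 'OK' } else { 'CHECK' }
    '{0}: {1} ({2})' -f $efi, $state, $sig.SignerCertificate.Issuer
}
```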

PXE via Native SCCM

If you use the native PXE responder in SCCM rather than WDS, follow the steps below:

  1. Download the Windows 11 24H2 Enterprise ISO and mount it. This contains the new binaries we need.
  2. Browse to <MOUNTPOINT>\sources and copy boot.wim to a new folder (D:\Updates).
  3. Mount the boot image, eg Dism /mount-wim /wimfile:D:\Updates\boot.wim /index:1 /mountdir:D:\Updates\MOUNT
  4. Copy the following files to your update directory: D:\Updates\MOUNT\Windows\Boot\EFI_EX\bootmgfw_EX.efi and D:\Updates\MOUNT\Windows\Boot\PXE_EX\wdsmgfw_EX.efi
  5. Rename bootmgfw_EX.efi to bootmgfw.efi and wdsmgfw_EX.efi to wdsmgfw.efi
  6. Copy the renamed files to D:\SMS_DP$\sms\bin\SMSBoot\<PkgID>\x64 on your PXE server (substitute C: if necessary)
  7. You should be able to boot an updated machine now.

NOTE: wdsmgfw_EX.efi and bootmgfw_EX.efi can also be found on the boot image in the May 24 ADK. I had no luck trying to get the versions included there working correctly even though the certificates stated 2023, so it’s recommended you stick with the versions in the latest 24H2 ISO.
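Steps 2 to 6 of the native SCCM PXE procedure as one script, using the Dism PowerShell module instead of Dism.exe. This is an added example, not part of the original post; it assumes the 24H2 ISO is mounted on the drive letter you pass in, D:\Updates is free to use as scratch space, and the SMSBoot folder is the one the post names, with $PkgID being your boot image package ID.

```powershell
# Added example (not part of the original post): extract the 2023-signed boot
# managers from the 24H2 boot.wim and drop them into the SMSBoot package folder.
# Run elevated on the PXE-enabled distribution point.
param(
    [Parameter(Mandatory)] [string]$PkgID,
    [string]$IsoDrive = 'G:',           # assumption: where the 24H2 ISO is mounted
    [string]$Scratch  = 'D:\Updates',
    [string]$DpRoot   = 'D:\SMS_DP$'    # substitute C: if that is where SMS_DP$ lives
)

$wim   = Join-Path $Scratch 'boot.wim'
$mount = Join-Path $Scratch 'MOUNT'
$dest  = Join-Path $DpRoot "sms\bin\SMSBoot\$PkgID\x64"
New-Item -ItemType Directory -Path $mount -Force | Out-Null
if (-not (Test-Path $dest)) { throw "SMSBoot folder not found: $dest (check PkgID)" }

# Work on a copy of boot.wim, never on the ISO itself.
Copy-Item (Join-Path $IsoDrive 'sources\boot.wim') $wim -Force

# Read-only mount: we only need to pull two files out of index 1.
Mount-WindowsImage -ImagePath $wim -Index 1 -Path $mount -ReadOnly | Out-Null
try {
    $pairs = @{
        'Windows\Boot\EFI_EX\bootmgfw_EX.efi' = 'bootmgfw.efi'
        'Windows\Boot\PXE_EX\wdsmgfw_EX.efi'  = 'wdsmgfw.efi'
    }
    foreach ($rel in $pairs.Keys) {
        $from = Join-Path $mount $rel
        $to   = Join-Path $dest $pairs[$rel]
        # keep a rollback copy of the current (2011-signed) file in scratch
        if (Test-Path $to) { Copy-Item $to (Join-Path $scratch ($pairs[$rel] + '.bak')) -Force }
        Copy-Item $from $to -Force
        # report who issued the signing cert of what is now in SMSBoot
        $iss = (Get-AuthenticodeSignature -FilePath $to).SignerCertificate.Issuer
        '{0} -> {1} (issuer: {2})' -f $rel, $to, $iss
    }
}
finally {
    # always unmount, even if a copy failed, or the next run cannot mount
    Dismount-WindowsImage -Path $mount -Discard | Out-Null
}
```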

OS Media (Task Sequence)

So….we should now be working, right? Not so fast. You should now be in a position to be able to boot from WDS. However, if your OS media is out of date you will also be in trouble. If this is the case, you’ll find your task sequence failing once the OS has been laid down with bcdboot.exe failing to find the appropriate files it needs. From an OS media perspective you will need a minimum of the following:

  1. Windows 11 23H2 OS 22621.3737
  2. Windows 10 22H2 OS 19044.4529

If you ensure these or later versions are part of your task sequence, everything should be rosy.

OS Media (ISO Image)

Sometimes we need an ISO image to boot off. The instructions below should help when updating an ISO with the mitigations:

On SCCM – Upgrade to latest ADK and create a bootable ISO

Pre-requisites on the client machine (eg Windows 11):

  1. Install the latest Windows ADK (ADK 10.1.26100.1 (May 2024)) on your system, ensuring you include Deployment Tools.
  2. Obtain the most recent Windows 11 23H2/24H2 installation media through your preferred distribution channel, such as the Volume Licensing portal. This latest installation media contains the UEFI 2023 CA signed boot managers within the boot.wim file.

Once you have installed the ADK, open the Deployment and Imaging Tools Environment with administrative privileges and create the following directories:

mkdir C:\UpdateWinMedia\DVD
mkdir C:\UpdateWinMedia\Boot
mkdir C:\UpdateWinMedia\Mount

Mount the Windows installation ISO on your system. In this example, the drive letter is F:

Copy the contents of the Windows installation media (F:) to C:\UpdateWinMedia\DVD:

xcopy /s /h F:\ C:\UpdateWinMedia\DVD

Mount the boot.wim file to extract the updated boot files, copy them out, then discard the mount (nothing in the wim is changed):

Dism /mount-wim /wimfile:C:\UpdateWinMedia\DVD\sources\boot.wim /index:1 /mountdir:C:\UpdateWinMedia\Mount
xcopy /s /h C:\UpdateWinMedia\Mount\Windows\Boot C:\UpdateWinMedia\Boot
Dism /unmount-wim /discard /mountdir:C:\UpdateWinMedia\Mount

Create the bootable ISO using the oscdimg tool with the UEFI 2023 CA signed efisys_EX.bin (note the straight quotes around the -b path; smart quotes will make oscdimg fail to find the file):

oscdimg -m -o -u2 -udfver102 -pEF -b"C:\UpdateWinMedia\Boot\DVD_EX\EFI\en-US\efisys_EX.bin" C:\UpdateWinMedia\DVD C:\UpdateWinMedia\Windows11_UEFI2023.iso

Boot using the updated ISO and install Windows 11.

Hope the above is useful to someone, certainly cost me a good few hours of my life!

Simple Configurable Front End SCCM

The business of adding a front end for a PXE-driven SCCM OS build is generally a pretty important consideration if you want to specify some basic information prior to deployment. It’s also something that I’ve felt has never been properly addressed by the SCCM development team. To be fair you could argue it’s not their job to do this, but with more functionality being added to every single aspect of SCCM in every new release, it does feel like something that probably should be looked at in the future.

For now, there are plenty of examples of great front ends on the internet – look up ‘Pretty Good FrontEnd’ by Johan Arwidmark or ‘Pretty Good Front End Clone’ by Maik Koster. These two have been around donkey’s years. One of my favourites is Nicolaj Andersen’s very neat ConfigMgr Front End which offers a whole world of features. Additional infrastructure is necessary to accommodate this however, in the form of web services.

So why create another? Well I’m certainly not pretending to set the world alight with some kind of ingenious new approach, but I always felt there was just a little too much fiddling about with most of the solutions I saw elsewhere. What I wanted was something I could ideally just drop straight into my WinPE image which would just work. There are certainly features I could add (and may indeed do so if enough people ask) such as the ability to remove certain sections, eg domain, OS, etc. However, in an effort to keep things simple I have left this for now.

The Front End

This is a typical illustration of what it looks like in my lab. Most aspects are configurable via a small ini file (yes I know it’s a bit 90’s, but let’s face it, it’s a damn sight easier to use than an xml file for this kind of thing). The ini file below is configurable for the OUs in your environment, the domain (or domains) and even colour and font size. One area I went a little off the beaten track is the ability to select different images you want to use in your task sequence. This is great in my lab as I often want to test stuff out on different OS’s and will routinely add a new image when necessary to my tried and trusted task sequence. As such I’ll detail this a little more.

If you want to use the same task sequence but have different images available in that sequence, you can enter them in the ini file. Just be sure to enter the appropriate option/filter in the appropriate task sequence step. For example, in the image above we have a number of different OS’s which relate to separate images. Under the INSTALL section of your task sequence you might have one or more separate steps to Install Windows 10, Install Server 2016, etc. On each of these steps, click Options and add a Task Sequence Variable condition, eg:

TS VARIABLE: OSDImage Equals <Windows 10 1803>

It is important that the text in the OS box above equals the OSDImage value of your condition. 

Of course, you can just add a description in the Config.ini file instead and have one image step in your task sequence with no condition set and all will be well. I suspect this is what most people will want. The option to do it this way is just there if you want it.

CONFIG.INI

Typical Config.ini settings below. This file must always exist in the exact same folder as the NewFrontEnd.exe executable.

:: [ORG_UNIT] - Enter all OUs you want displayed in format OU=Dept, OU=Org, DC=domain, DC=suffix one after the other.
:: [DOMAIN] - In most cases, this is more for show but can be used to build a workgroup machine too if WORKGROUP is specified underneath the primary domain.
:: [OS] - If your task sequence can build more than one image, add it here, eg Windows 10 1607 LTSB. Then add a task sequence variable condition called OSDIMAGE and set it equal to the image name in your TS.

:: [MISC]
:: LOGO, recommended max size is approx W:120, H:120 for a font size of 8-10
:: BACKGROUND, Enter standard OS colour names, eg Red, DarkRed, Maroon, MidnightBlue, etc
:: FONTSIZE, recommended 8-10 but it will go bigger. Seems to jump in 2s, eg 8,10,12, etc. This has a bearing on the size of the form.
:: FONTCOLOR (American spelling, sorry) see BACKGROUND, above.
:: SMSTSPREFERREDADVERTID, If specified, enter the Deployment ID of the task sequence you want to run. This will override any other advertised task sequence either 'available' or 'required' and the wizard won't show.

:: HIRESDISPLAY, If HIRESDISPLAY=True the size of the form is increased so it doesn't get 'scrunched up' on the display. This has been tested against a Surface Pro 4.

:: NOTE - [ORG_UNIT], [DOMAIN] and [OS] should all have at least one value (ideally) so the interface has something to show. Settings under [MISC] can be removed or ignored by adding a semicolon before the setting.

[ORG_UNIT]
OU=Workstations,OU=Bondynet,DC=BONDYNET,DC=org
OU=Servers,OU=Bondynet,DC=BONDYNET,DC=org
OU=Secure Workstations,OU=Bondynet,DC=BONDYNET,DC=org

[DOMAIN]
BONDYNET.org
WORKGROUP

[OS]
Windows 10 1803
Windows 10 1607
Windows Server 2016
Windows 2012 R2
Windows 10 1607 LTSB
Windows 7
Windows 8.1
Windows Server 2008

[MISC]
LOGO=logo-3.png
BACKGROUND=LightSteelBlue
FONTSIZE=8
FONTCOLOR=Black
SMSTSPREFERREDADVERTID=PR120019
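The Config.ini layout above is simple but has two conventions worth getting right: the [ORG_UNIT], [DOMAIN] and [OS] sections are bare lists (one value per line), only [MISC] is key=value, and a leading semicolon disables a line. The parser below is an added example, not code from the front end itself; it reads that layout, warns when a list section is empty (the front end then has nothing to show) and prints the exact OSDImage values your task sequence conditions must match. The sample content is constructed inline.

```powershell
# Added example (not part of the front end): parse Config.ini and report the
# OSDImage values the task sequence conditions must equal.
function Read-FrontEndConfig {
    param([string[]]$Lines)
    $cfg = [ordered]@{ ORG_UNIT = @(); DOMAIN = @(); OS = @(); MISC = [ordered]@{} }
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # blank lines, ';' comments and the '::' notes from the post are skipped
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('::')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToUpper(); continue }
        if (-not $section) { throw "Value '$line' appears before any [section]" }
        if ($section -eq 'MISC') {
            $k, $v = $line -split '=', 2              # KEY=value, value may be empty
            $cfg.MISC[$k.Trim().ToUpper()] = "$v".Trim()
        } else {
            if (-not $cfg.Contains($section)) { $cfg[$section] = @() }
            $cfg[$section] += $line                   # list sections: one value per line
        }
    }
    foreach ($s in 'ORG_UNIT', 'DOMAIN', 'OS') {
        if ($cfg[$s].Count -eq 0) { Write-Warning "[$s] is empty - the front end will have nothing to show" }
    }
    [pscustomobject]$cfg
}

# constructed sample mirroring the post's Config.ini
$sample = @'
[ORG_UNIT]
OU=Workstations,OU=Bondynet,DC=BONDYNET,DC=org
[DOMAIN]
BONDYNET.org
WORKGROUP
[OS]
Windows 10 1803
Windows Server 2016
[MISC]
FONTSIZE=8
;SMSTSPREFERREDADVERTID=PR120019
'@ -split "`r?`n"

$c = Read-FrontEndConfig -Lines $sample
$c.OS | ForEach-Object { "Task sequence condition needed: OSDImage Equals '$_'" }
if ($c.MISC.Contains('SMSTSPREFERREDADVERTID')) {
    "Wizard will be bypassed for deployment $($c.MISC['SMSTSPREFERREDADVERTID'])"
}
```

The printed OSDImage strings are compared exactly by the task sequence condition, so a trailing space or different capitalisation in either place means the image step is silently skipped.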

WinPE Setup

So how do you get this working in WinPE?

  1. Create a share somewhere and drop NewFrontEnd.exe, Config.ini and your company logo png into it (and/or possibly RunFEUI.vbs – see end of post)
  2. In SCCM go to your chosen boot image, right-click | properties | Optional Components. Select Microsoft .NET (WinPE-NetFx). This is a C# application so it needs this option available in your boot image binaries.
  3. Select the Customisation tab. Under Prestart Command Settings enter “X:\sms\PKG\SMS10000\NewFrontEnd.exe”
  4. Select Include files for the prestart command
  5. Select the share you created above with the files in for the source directory.

If you want to, add a background, click OK  and you’re done. After the update distribution points wizard has completed, double check the Last Update information in the bottom section of the SCCM console to ensure the time matches the time you ran the wizard and everything has updated as it should. This is important as it hasn’t usually finished updating just because the wizard progress bar has completed.

For The Adventurous.

One of the neat things about using the above method is that there is no ugly command prompt in the background as it brings up the front end interface. However the downside of this is that all the files are inside your WinPE image so if you want to update them you have to go through the above process once again which is both time consuming and laborious. One solution though is to simply point to a script that will map a drive to a share that exists elsewhere on your network and execute the files from there instead. This facilitates updating the files on the fly.

In the zip file included below, there is a file called RunFEUI.vbs. Simply open it and edit it to fit your environment (ie edit line 4 with the appropriate drive mapping and account).

DOWNLOAD HERE:

NewFrontEnd_v1.2

Please ask any questions or suggestions for improvements in the comments below.

[*** UPDATE ***]

I have added a new variable, HIRESDISPLAY=True. If you have a Surface or another slate type device, it is common to see forms get squashed up. Set this if you need a larger form to display.