
Offline Servicing the Windows Image on Disk #276

Open
@CMTRACE

Description


Not a problem per se, but it would be quite nice to fetch or search for updates to add to the offline Windows image after Start-OSDCloud has applied the specified index to the local disk.

In addition, servicing of the WinRE.wim file in the Recovery partition would also come in handy to preserve Push Button Reset as we progress further along with the BlackLotus mitigations. Eventually it will be quite important to maintain all boot media, install media and WinRE media to at least a level where there isn't the chance of a bootmgr version downgrade as a machine proceeds from bare metal to fully functional (including PBR).

Describe the solution you'd like
Start-OSDCloud -Firmware -ZTI -OSName 'Windows 11 24H2 x64' -OSEdition Enterprise -OSLanguage en-us -OSActivation Volume -AndUpdate

  1. We check if the 2023 certificates are present in the UEFI DB.
  2. We check if the 2011 certificate is in the forbidden database.
  3. We assume anything but the latest boot manager version is revoked.
  4. We format the disk.
  5. Start-OSDCloud fetches the ESD.
  6. The OS index is applied to disk.
  7. We fetch the latest Windows 24H2 2025-05 CUs, the latest WinRE/SafeOS CABs and the latest .NET, and save them to C:\OSDCloud\updates, for example.
  8. We check our access to the system recovery partition.
  9. We mount WinRE.wim to C:\OSDCloud\WinRE\Mount.
  10. SafeOS CABs are applied to the above.
  11. We clean up the offline WinRE image.
  12. We dismount WinRE.wim.
  13. We apply the main Windows .NET and CUs as appropriate.
  14. Bonus points for checking that all bootmgr files (incl. WinRE) are consistent before we restart.

This can of course be scripted and called with a URL, which is what I'm building towards now (poorly), but it feels like a nice addition to the main process. This would help to ensure every deployment with OSDCloud is as up to date as possible and Push Button Reset doesn't complain when there is a bootmgrXX.efi version or certificate mismatch in the future. It also ensures we are trying to use the latest possible updates and that any new versions of bootmgr are consistent at build time.
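A PowerShell sketch of steps 1-2, 9-12 and 14 of the list above, added here as an example; it is not code from the issue or from OSDCloud. It assumes the WinRE, update-folder and ESP paths given in its param block, and a session where the DISM and SecureBoot modules load (a full Windows session, or WinPE with those optional components added).

```powershell
param(
    [string]$WinReWim   = 'C:\Windows\System32\Recovery\Winre.wim',  # assumption: WinRE as staged by the applied index
    [string]$SafeOsCabs = 'C:\OSDCloud\updates\SafeOS',               # assumption: folder of downloaded SafeOS .cab files
    [string]$MountDir   = 'C:\OSDCloud\WinRE\Mount',
    [string]$EspRoot    = 'S:'                                        # assumption: EFI system partition already has this letter
)
$ErrorActionPreference = 'Stop'

# Steps 1-2: db/dbx come back as raw signature lists; the CA subject names are embedded as ASCII,
# so a substring match is a coarse but workable presence check for the 2023 CA and the 2011 revocation.
function Test-SecureBootState {
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    [pscustomobject]@{
        Ca2023InDb   = $db  -match 'Windows UEFI CA 2023'
        Pca2011InDbx = $dbx -match 'Microsoft Windows Production PCA 2011'
    }
}

# Step 14: every boot manager copy this machine can end up running should report the same file version.
function Get-BootManagerVersions {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        [pscustomobject]@{ Path = $p; Version = $(if (Test-Path $p) { (Get-Item $p).VersionInfo.FileVersion } else { 'MISSING' }) }
    }
}

# Steps 9-12: mount WinRE, apply every SafeOS cab, clean up, record bootmgr versions, dismount with save.
function Update-WinRe {
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null
    try {
        Get-ChildItem -Path $SafeOsCabs -Filter '*.cab' | Sort-Object Name | ForEach-Object {
            Add-WindowsPackage -Path $MountDir -PackagePath $_.FullName | Out-Null
        }
        # ResetBase keeps WinRE small enough to still fit the recovery partition after repeated servicing.
        Repair-WindowsImage -Path $MountDir -StartComponentCleanup -ResetBase | Out-Null
        $versions = Get-BootManagerVersions -Paths @(
            "$EspRoot\EFI\Microsoft\Boot\bootmgfw.efi",
            'C:\Windows\Boot\EFI\bootmgfw.efi',
            "$MountDir\Windows\Boot\EFI\bootmgfw.efi")   # must be read while the image is still mounted
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    } catch {
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null   # never leave a half-patched WinRE behind
        throw
    }
    $versions
}

Test-SecureBootState
$bootmgr = Update-WinRe
if (($bootmgr.Version | Sort-Object -Unique).Count -ne 1) { Write-Warning 'bootmgfw.efi versions differ; do not restart yet.' }
```

Steps 7 and 13 (downloading the CUs and servicing the main OS image) are left out so the block stays focused on the WinRE and boot-manager consistency part of the request.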

Labels: question (Further information is requested)