Updating USB bootable media for DBX updates

[cjee21]

This issue documents the author's experience with updating USB bootable media for the new 2023 CA and revocation of 2011 cert as well as Bootmgr SVN 7.0 DBX update.

There are generally 2 types of bootable USB's that support Secure Boot:

1. Those that use Windows Boot Manager
   • Windows installer USB
   • Bootable tools/apps based on Windows PE
2. Those that do not use Windows Boot Manager
   • Example: PassMark's MemTest86 or non-Windows OS installers

The first type have to be updated to use Windows Boot Manager signed with cert issued by Windows UEFI CA 2023 or else they will not be bootable after revoking Windows Production PCA 2011. They may also need to be updated to ensure the SVN of the Boot Manager is not lower than the Bootmgr SVN in the DBX.

The second type contains boot loaders or EFI Applications that are signed by Microsoft Corporation UEFI CA 2011. There is no known plan to revoke this cert so they will continue to be bootable and there is no need for any action. Newer versions of this type should be signed by Microsoft UEFI CA 2023 when Microsoft Corporation UEFI CA 2011 expires. For Linux USBs, they only need to be updated to meet the following if the SBAT update is applied.

sbat,1,2024010900
shim,4
grub,3
grub.debian,4

Warning

Disabling Secure Boot should be avoided. If Windows is booted when Secure Boot is turned off, all the Secure Boot and UEFI-related configurations are reset. This may include UEFI variables for LSA protection, SkuSiPolicy.p7b and SbatLevel, requiring them to be set/updated again.

[cjee21]

Creating Windows installer USB that can be booted on all PCs

This documents the process of creating a Windows installer USB that can be used on both PCs with only 2011 CA in DB or with only 2023 CA allowed. It will also be bootable with Bootmgr SVN 7.0 DBX update. There are many methods to create Windows installer USB and this is just a method that the author uses.

For all commands below, D: and E: refers to the first and second partitions of the USB drive respectively while F: refers to the mounted ISO image. Make necessary changes if they are mounted with different letters.

1. Download Windows 11 25H2 or newer ISO from https://www.microsoft.com/en-us/software-download/windows11
2. Create two FAT32 partitions on a USB drive. The first partition should occupy most of the drive while the second partition only needs to be a few megabytes.
3. Mount the ISO and copy its entire contents to the first partition of the USB. install.wim should fail as it is greater than 4GB. Skip it as it will be handled in the next step.
4. Run the following in an elevated terminal to copy the split install image.

   Dism /Split-Image /ImageFile:F:\sources\install.wim /SWMFile:D:\sources\install.swm /FileSize:4000

5. Run the following commands in an elevated terminal to update the files to ones with a Boot Manager signed with cert issued by Windows UEFI CA 2023. This step must be performed on a PC running Windows 11 25H2 or newer.

   >copy D:\efi\microsoft\boot\bcd D:\efi\microsoft\boot\bcd.bak
           1 file(s) copied.
   
   >bcdboot C:\Windows /f UEFI /s D: /bootex
   Boot files successfully created.
   
   >copy /Y D:\efi\microsoft\boot\bcd.bak D:\efi\microsoft\boot\bcd
           1 file(s) copied.
   
   >del D:\efi\microsoft\boot\bcd.bak

6. Run the following commands to write the recovery EFI Application to the second partition.

   >md E:\efi\boot
   
   >copy C:\Windows\Boot\EFI\SecureBootRecovery.efi E:\efi\boot\bootx64.efi
           1 file(s) copied.

7. The following two commands can be used to obtain information about the Windows editions and version that are contained in the installer. The information can be used to label the USB drive.

   >Dism /Get-ImageInfo /imagefile:D:\sources\install.swm
   >Dism /Get-ImageInfo /imagefile:D:\sources\install.swm /Index:1

That is all that is required to make a bootable Windows 11 installer USB drive. There is no need for any additional action as Windows 11 is UEFI only and UEFI can boot from files that are in any normal FAT32 partition on USB drives.

Tip

A folder with a name not used by Windows installation files can be created at the root of the USB drive to store drivers, applications and other files. It will not affect the Windows installer.

Using the Windows installer USB

Use the UEFI boot menu (commonly F11) to boot the first partition of the USB drive. If it fails and a Secure Boot violation occurs, it is likely that that PC does not have Windows UEFI CA 2023 in the DB yet. In this case, boot the second partition of the USB drive which will add Windows UEFI CA 2023 to the DB. The first partition should then be bootable successfully. The Windows installation GUI should appear after booting the first partition of the USB drive.

[cjee21]

Creating USB applications based on Windows PE

This documents the process of creating a Macrium Reflect Free Rescue Media (based on Windows PE) that can be used on PCs with only 2023 CA allowed and Bootmgr SVN updated to 7.0 in DBX. It may be useful for creating other Windows PE USBs as well.

Prepare a FAT32 formatted USB drive and ensure sufficient space in C:\ drive before starting.

1. Install Windows ADK 10.1.26100.2454 (December 2024) and Windows PE add-on for the Windows ADK 10.1.26100.2454 (December 2024) from Microsoft.
2. Download the latest Windows 11 cumulative update 'msu's and save them in C:\Updates.
3. Update the WinPE image by running the following in an elevated 'Deployment and Imaging Tools Environment' terminal..

   cd "..\Windows Preinstallation Environment\amd64"
   md C:\WinPE_amd64\mount
   Dism /Mount-Image /ImageFile:"en-us\winpe.wim" /index:1 /MountDir:"C:\WinPE_amd64\mount"
   Dism /Add-Package /Image:"C:\WinPE_amd64\mount" /PackagePath:"C:\Updates"
   md C:\temp
   Dism /Cleanup-Image /Image:C:\WinPE_amd64\mount /Startcomponentcleanup /Resetbase /ScratchDir:C:\temp
   Dism /Unmount-Image /MountDir:"C:\WinPE_amd64\mount" /commit

4. Build Macrium ISO Rescue Media with Macrium set to use C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim as the custom base WIM.
5. Start the 'Deployment and Imaging Tools Environment' as an administrator.
6. Run

   copype amd64 C:\WinPE_amd64

7. Mount Macrium Rescue Media ISO that was generated.
8. Copy sources\boot.wim from the mounted ISO to C:\WinPE_amd64\media\sources\boot.wim
9. Copy PEVersion, RMBuilder.xml, Version and x64 from the mounted Macrium ISO to C:\WinPE_amd64\media.
10. Run

    MakeWinPEMedia /ISO C:\WinPE_amd64 C:\WinPE_amd64\WinPE_amd64.iso /bootex`.

11. Mount C:\WinPE_amd64\WinPE_amd64.iso and copy its entire contents to the USB drive.
12. Unmount all ISOs and delete C:\WinPE_amd64\, C:\temp\ and C:\Updates\ after saving a copy of WinPE_amd64.iso for future use.

Using the created USB

Use the UEFI boot menu (commonly F11) to boot the USB drive. It should boot even on systems with the Windows Production PCA 2011 revoked and the SVN updated to 7.0 in the DBX.