From 8082e3cf353b452b433e1df7fdf4ded612a11bef Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 25 Oct 2023 17:22:46 -0400 Subject: [PATCH 1/6] Minor updates --- windows/client-management/mdm/index.yml | 10 +++---- ...sed-root-of-trust-helps-protect-windows.md | 29 +++++++------------ 2 files changed, 15 insertions(+), 24 deletions(-) diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index c05832ef83..2e6a1b1f54 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing title: Configuration Service Provider # < 60 chars -summary: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # < 160 chars +summary: Learn more about the configuration service provider (CSP) policies available on Windows devices. # < 160 chars metadata: title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. + description: Learn more about the configuration service provider (CSP) policies available on Windows devices. # Required; article description that is displayed in search results. < 160 chars. ms.topic: landing-page ms.technology: itpro-manage ms.prod: windows-client @@ -15,7 +15,7 @@ metadata: author: vinaypamnani-msft ms.author: vinpa manager: aaroncz - ms.date: 08/04/2022 + ms.date: 10/25/2023 localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new 
@@ -35,8 +35,8 @@ landingContent: url: configuration-service-provider-ddf.md - text: BitLocker CSP url: bitlocker-csp.md - - text: DynamicManagement CSP - url: dynamicmanagement-csp.md + - text: Declared Configuration protocol + url: ../declared-configuration.md # Card (optional) diff --git a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md index 077e6473de..d5451404d1 100644 --- a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -1,8 +1,8 @@ --- -title: How a Windows Defender System Guard helps protect Windows -description: Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof. Learn how it works. +title: How Windows Defender System Guard helps protect Windows +description: Learn how Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof. ms.localizationpriority: medium -ms.date: 03/01/2019 +ms.date: 10/25/2023 ms.topic: conceptual --- 
@@ -19,15 +19,11 @@ Windows Defender System Guard reorganizes the existing Windows system integrity ### Static Root of Trust for Measurement (SRTM) -With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. -This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. +With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. -With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. -This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). -This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). +With Windows 10 running on modern hardware, a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). -As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. 
-Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist). +As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist). Each option has a drawback: 
@@ -37,9 +33,7 @@ Also, a bug fix for UEFI code can take a long time to design, build, retest, val ### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM) -[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). -DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. -This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. +[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. ![System Guard Secure Launch.](images/system-guard-secure-launch.png) 
@@ -47,9 +41,7 @@ Secure Launch simplifies management of SRTM measurements because the launch code ### System Management Mode (SMM) protection -System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. -Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. -SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. +System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. To defend against this, two techniques are used: 
@@ -60,14 +52,13 @@ Paging protection can be implemented to lock certain code tables to be read-only A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to. -SMM protection is built on top of the Secure Launch technology and requires it to function. -In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with. +SMM protection is built on top of the Secure Launch technology and requires it to function. In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with. ## Validating platform integrity after Windows is running (run time) While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can't just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device's integrity. -As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch won't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. 
From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, just to name a few. +As Windows boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch doesn't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, to name a few. ![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png) From 3a9a8672be771d922a9a7ea72681a4b0c1152d77 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:02:27 +0530 Subject: [PATCH 2/6] Update customize-boot-image.md replaced windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu with windows11.0-kb5029263-x64_4f5fe19bbec786f5e445d3e71bcdf234fe2cbbec.msu replaced SSU-19041.3205-x64.cab with SSU-22621.2061-x64 corrected grammatical errors --- windows/deployment/customize-boot-image.md | 54 +++++++++++----------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index 1e160b35dd..a35ba81cb1 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md 
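Review bot: In the SMM hunk of how-hardware-based-root-of-trust-helps-protect-windows.md (@@ -47,9 +41,7), the rewrapped line still reads "a special-purpose CPU mode in x86 microcontrollers" and "a non-maskable interrupt (SMI)"; since the line is being rewritten anyway, correct both: SMM is a mode of x86 processors, not microcontrollers, and SMI expands to System Management Interrupt, a signal distinct from the NMI, so the parenthetical misexpands the acronym. Suggested: "System Management Mode (SMM) is a special-purpose CPU mode in x86 processors ... a System Management Interrupt (SMI) is raised at runtime, which executes SMM code installed by the BIOS."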
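Review bot: The @@ -60,14 +52,13 hunk keeps "In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with" unchanged while the header hunk bumps ms.date from 03/01/2019 to 10/25/2023 and the later hunk in the same file generalizes "As Windows 10 boots" to "As Windows boots"; a 2019 forward-looking promise tied to Windows 10 shouldn't ship under a 2023 date as-is. Either confirm it is still planned and drop the version, or replace it with a statement of the current behavior.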
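Review bot: The SRTM hunk (@@ -19,15 +19,11) deletes "(that is, Windows 8-certified or greater)", which was the only definition of "modern hardware" in the article, so a reader can no longer tell which devices the Secure Boot root of trust applies to. Keep a concrete qualifier on that sentence, for example the certification level or the required platform features (UEFI Secure Boot and the TPM 2.0 the run-time section later requires), rather than the bare phrase "modern hardware".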
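Review bot: In windows/client-management/mdm/index.yml (@@ -35,8 +35,8), the "DynamicManagement CSP" card entry is replaced by "Declared Configuration protocol" pointing at `../declared-configuration.md`, a path one level above the mdm/ folder, and the diffstat shows only two files touched, so dynamicmanagement-csp.md is neither removed nor redirected here. Confirm the target exists at that relative path, and since the subject line is only "Minor updates", say in the commit message why a navigation entry for an existing CSP page is being dropped from the landing page.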
@@ -56,9 +56,9 @@ This walkthrough describes how to customize a Windows PE boot image including up For this walk-through, when the Windows ADK is installed, it's only necessary to install the **Deployment Tools**. Other products, such as Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT), may require additional features installed, such as the **User State Migration Tool (USMT)**. - One of the tools installed when installing the the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. + One of the tools installed when installing the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. - The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly. + The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed in a different location, then adjust the paths during the walk-through accordingly. 1. 
Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). The **Windows PE add-on for the Windows ADK** is a separate download and install from the **Windows Assessment and Deployment Kit (Windows ADK)**. Make sure to individually download and install both. 
@@ -70,13 +70,13 @@ This walkthrough describes how to customize a Windows PE boot image including up > > - Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. If using MDT, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT. > -> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images. +> - The latest versions of the **Windows PE add-on for the Windows ADK** only include 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images. ## Step 2: Download cumulative update (CU) 1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update. The Windows version of the cumulative update should match the version of the Windows PE boot image that is being updated. -1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). 
For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month. +1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four-digit current year, `` is the two-digit current month, and `` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for Windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search for the previous month. 1. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems** version of the update. 
@@ -249,7 +249,7 @@ The cumulative update installed later in this walkthrough doesn't affect drivers > [!TIP] > -> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provide basic functionality while in WinPE. In most cases, no drivers need to be added to an out of box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers. +> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provides basic functionality while in WinPE. In most cases, no drivers need to be added to an out-of-box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers. > [!IMPORTANT] 
> @@ -304,9 +304,9 @@ The cumulative update installed later in this walkthrough doesn't affect drivers --- -1. After adding an optional component to the boot image, make sure to also add the language specific component for that optional component. +1. After adding an optional component to the boot image, make sure to also add the language-specific component for that optional component. - Not all optional components have the language specific component. However, for optional components that do have a language specific component, make sure that the language specific component is installed. + Not all optional components have the language-specific component. However, for optional components that do have a language-specific component, make sure that the language-specific component is installed. To check if an optional component has a language component, check the `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\\` directory to see if there's a matching language component for that optional component. 
@@ -507,15 +507,15 @@ DISM Package Manager: PID= TID= Failed while processing command add-pa --- -The problem occurs when the WinPE boot image that is being serviced requires installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU). +The problem occurs when the WinPE boot image that is being serviced requires the installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU). For scenarios where older versions of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU). -The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. Once the servicing stack update (SSU) has been installed in the boot image, then the cumulative update (CU) should install to the boot image without error: +The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. 
Once the servicing stack update (SSU) has been installed in the boot image, then the cumulative update (CU) should be installed in the boot image without error: > [!IMPORTANT] > -> These steps are only necessary if error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path) +> These steps are only necessary if the error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path) 1. Create a folder to extract the servicing stack update (SSU) into. For example, `C:\Updates\Extract`: @@ -530,7 +530,7 @@ The following steps outline how to extract and then install the servicing stack **Example**: ```powershell - Start-Process "expand.exe" -ArgumentList " -f:* `"C:\Updates\windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu`" `"C:\Updates\Extract`"" -Wait -LoadUserProfile + Start-Process "expand.exe" -ArgumentList " -f:* `"C:\Updates\windows11.0-kb5029263-x64_4f5fe19bbec786f5e445d3e71bcdf234fe2cbbec.msu`" `"C:\Updates\Extract`"" -Wait -LoadUserProfile ``` For more information, see [Start-Process](/powershell/module/microsoft.powershell.management/start-process) and [expand](/windows-server/administration/windows-commands/expand). 
@@ -544,7 +544,7 @@ The following steps outline how to extract and then install the servicing stack **Example**: ```cmd - expand.exe -f:* "C:\Updates\windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu" "C:\Updates\Extract" + expand.exe -f:* "C:\Updates\windows11.0-kb5029263-x64_4f5fe19bbec786f5e445d3e71bcdf234fe2cbbec.msu" "C:\Updates\Extract" ``` For more information, see [expand](/windows-server/administration/windows-commands/expand). @@ -566,7 +566,7 @@ The following steps outline how to extract and then install the servicing stack **Example**: ```powershell - Add-WindowsPackage -PackagePath "C:\Updates\Extract\SSU-19041.3205-x64.cab" -Path "C:\Mount" -Verbose + Add-WindowsPackage -PackagePath "C:\Updates\Extract\SSU-22621.2061.cab" -Path "C:\Mount" -Verbose ``` For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). @@ -582,7 +582,7 @@ The following steps outline how to extract and then install the servicing stack **Example**: ```cmd - DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Updates\Extract\SSU-19041.3205-x64.cab" + DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Updates\Extract\SSU-22621.2061.cab" ``` For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). 
@@ -627,7 +627,7 @@ For more information, see [Copy-Item](/powershell/module/microsoft.powershell.ma ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files: +From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files it finds. When applicable, the commands need confirmation to overwrite any existing files: ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi" 
@@ -930,19 +930,19 @@ This process has the following advantages: 1. Keeps `boot.wim` pristine. -1. Makes sure that changes done to a boot image are being done to a pristine unmodified version of the boot image. This process helps avoid corruption when a boot image is updated multiple times. I can also correct issues with existing boot images. +1. Make sure that changes done to a boot image are being done to a pristine unmodified version of the boot image. This process helps avoid corruption when a boot image is updated multiple times. I can also correct issues with existing boot images. 1. Helps manage components in the boot image. The process doesn't need to know what components may need to be removed from the boot image each time the boot image is rebuilt. Instead, it just needs to know what components need to be added to the boot image. -1. It reduces the size of the boot image that can occur when components are repeatedly added to and removed from the boot image. +1. It reduces the size of the boot image which can occur when components are repeatedly added to and removed from the boot image. Configuration Manager updates the `boot.wim` boot image in two scenarios: -1. When Configuration Manager is upgraded between version or a hotfix roll ups (HFRUs) is applied, `boot.wim` may be updated as part of the upgrade process. +1. When Configuration Manager is upgraded between versions or hotfix roll-ups (HFRUs) is applied, `boot.wim` may be updated as part of the upgrade process. 1. When selecting the option **Reload this boot image with the current Windows PE version from the Windows ADK** in the **Update Distribution Points Wizard**. -In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK. 
+In these scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK. ### Which boot image should be updated with the cumulative update? @@ -954,7 +954,7 @@ The `winpe.wim` boot image from the Windows ADK should be updated because if `bo > > Never manually update the `boot..wim` boot image. In addition to facing the same issues when manually updating the `boot.wim` boot image, the `boot..wim` boot image will also face additional issues such as: > -> - Any time any changes are done to the boot image, such as adding drivers, enabling the command prompt. etc, any manual changes done to the boot image, including the cumulative update, will be lost. +> - Any time any changes are done to the boot image, such as adding drivers, and enabling the command prompt. etc, any manual changes done to the boot image, including the cumulative update, will be lost. > > - Manually changing the `boot..wim` boot image changes the hash value of the boot image. A change in the hash value of the boot image can lead to download failures when downloading the boot image from a distribution point. 
@@ -985,7 +985,7 @@ For Microsoft Configuration Manager boot images to function correctly, it requir | Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | Yes | | Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI | Yes | -When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. +When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above-required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). 
@@ -993,9 +993,9 @@ For a list of all available WinPE optional components including descriptions for After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager so that it contains the cumulative update. A new `boot.wim` boot image can be generated by using the following steps: -1. Open the Microsoft Configuration manager console. +1. Open the Microsoft Configuration Manager console. -1. In the Microsoft Configuration manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**. +1. In the Microsoft Configuration Manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**. 1. In the **Boot Images** pane, select the desired boot image. 
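Review bot: In the @@ -70,13 +70,13 hunk the example search term becomes `"2023-08 cumulative update for Windows 11"`, but the generic search-term template earlier in the same sentence keeps "windows" in lowercase, so the two now disagree within one paragraph; use one casing for both (the surrounding prose consistently writes "Windows", so capitalize the template as well).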
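Review bot: In the @@ -507,15 +507,15 hunk, rewording "the cumulative update (CU) should install to the boot image without error" to "should be installed in the boot image without error" turns a statement of the expected outcome into an instruction, and the instruction is already the next step of the walkthrough; keep the original sense, for example "Once the servicing stack update (SSU) has been installed in the boot image, the cumulative update (CU) installs to the boot image without error:".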
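Review bot: The @@ -530,7 +530,7 and @@ -544,7 +544,7 hunks swap the Windows 10 package `windows10.0-kb5028166-x64_...msu` for the Windows 11 package `windows11.0-kb5029263-x64_...msu` inside the SSU-extraction workaround, but the unchanged context at @@ -507 says this workaround is for older Windows ADK and Windows PE versions such as those MDT requires, and the note in the @@ -70 hunk says MDT doesn't support Windows or the ADK beyond Windows 10. A Windows 11 22H2 cumulative update is exactly the case this section is not for, so the Windows 10 example was the right one; revert these two hunks, or add a sentence explaining when a Windows 11 boot image would still hit error 0x800f0823.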
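Review bot: The @@ -566,7 +566,7 and @@ -582,7 +582,7 hunks write the servicing stack package as `SSU-22621.2061.cab`, but the commit message says it was replaced with `SSU-22621.2061-x64`, and the name being removed, `SSU-19041.3205-x64.cab`, carries the architecture suffix; the hunk and the commit message disagree, and whatever a reader copies into `Add-WindowsPackage -PackagePath` or `/PackagePath:` must match the file `expand.exe` actually produces. Verify the extracted filename and use the same spelling in both hunks.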
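Review bot: In the @@ -930,19 +930,19 hunk, changing "Makes sure that changes done to a boot image..." to "Make sure..." breaks the parallel structure of the advantages list (the sibling items are "Keeps `boot.wim` pristine", "Helps manage components", "It reduces the size"), turning an advantage into an imperative; keep "Makes sure". The same hunk leaves two real errors on those lines untouched: "I can also correct issues with existing boot images" should read "It can also correct issues", and "hotfix roll-ups (HFRUs) is applied" needs "are applied" (or "a hotfix roll-up (HFRU) is applied").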
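Review bot: In the @@ -954,7 +954,7 hunk, inserting "and" produces "such as adding drivers, and enabling the command prompt. etc," which now carries both a conjunction and the stray ". etc," from the original; suggest "such as adding drivers or enabling the command prompt," and drop "etc".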
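Review bot: In the @@ -985,7 +985,7 hunk, "above-required components" hyphenates the wrong pair: "above" says where the list is, it doesn't modify "required", so the hyphen changes the meaning; suggest "first add the required components listed above, in the order shown, to the boot image". The identical edit at @@ -1043 in PATCH 3/6 needs the same fix.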
@@ -1011,11 +1011,11 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new ` 1. Once the boot image finishes building, the **The task "Update Distribution Points Wizard" completed successfully**/**Completion** page appears. Select the **Close** button. -This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE enabled distribution points. +This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE-enabled distribution points. > [!IMPORTANT] > -> If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. This will ensure that the PXE enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable). +> If there are multiple boot images used in the environment for PXE-enabled distribution points, make sure to update all of the PXE-enabled boot images with the same cumulative update. This will ensure that the PXE-enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable). ### Updating Configuration Manager boot media @@ -1107,7 +1107,7 @@ For more information, see [wdsutil stop-server](/windows-server/administration/w --- -### WDS boot image is replaced with new updated boot image +### WDS boot image is replaced with the new updated boot image In the following boot image replacement scenario for WDS: @@ -1186,7 +1186,7 @@ then follow these steps to update the boot image in WDS: --- -### Add updated boot image as a new boot image in WDS +### Add the updated boot image as a new boot image in WDS In the following boot image scenario for WDS: From 87cd841d0b115b83c0c605ce43b1129859f20d53 Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:14:44 +0530 Subject: [PATCH 3/6] Update customize-boot-image.md --- windows/deployment/customize-boot-image.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index a35ba81cb1..490c8bc110 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md @@ -1043,7 +1043,7 @@ For Microsoft Deployment Toolkit (MDT) boot images to function correctly, it req | Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI | Yes | | HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI | Yes | -When adding optional components to any boot image used by MDT during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. +When adding optional components to any boot image used by MDT during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above-required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). 
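Review bot: "above-required components" in the new line of the @@ -1043 hunk is a mis-hyphenation that changes the meaning: "above" says where the components are listed, it does not modify "required", so the compound adjective reads as components that are "above-required". Suggest "make sure to first add the required components listed above, in the order shown" instead of reintroducing the hyphen.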
@@ -1107,7 +1107,7 @@ For more information, see [wdsutil stop-server](/windows-server/administration/w --- -### WDS boot image is replaced with the new updated boot image +### WDS boot image is replaced with new updated boot image In the following boot image replacement scenario for WDS: @@ -1186,7 +1186,7 @@ then follow these steps to update the boot image in WDS: --- -### Add the updated boot image as a new boot image in WDS +### Add updated boot image as a new boot image in WDS In the following boot image scenario for WDS: From 25bf695a0f09b04805b35989080f8da726ddbe6b Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 27 Oct 2023 15:37:25 -0400 Subject: [PATCH 4/6] Revert some changes Most of the changes were ok but there were some that were incorrect or not needed, so I reverted them back --- windows/deployment/customize-boot-image.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index 490c8bc110..81a6276297 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md 
@@ -70,7 +70,7 @@ This walkthrough describes how to customize a Windows PE boot image including up > > - Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. If using MDT, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT. > -> - The latest versions of the **Windows PE add-on for the Windows ADK** only include 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images. +> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes a 64-bit boot image. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images. ## Step 2: Download cumulative update (CU) 
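Review bot: the new line introduces a subject-verb disagreement: "The latest versions of the **Windows PE add-on for the Windows ADK** only includes a 64-bit boot image" has a plural subject ("versions"), so it must read "only include a 64-bit boot image". The change from "64-bit boot images" to "a 64-bit boot image" is itself a reasonable precision fix and should stay; only the verb needs correcting.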
@@ -511,7 +511,7 @@ The problem occurs when the WinPE boot image that is being serviced requires the For scenarios where older versions of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU). -The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. Once the servicing stack update (SSU) has been installed in the boot image, then the cumulative update (CU) should be installed in the boot image without error: +The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. Once the servicing stack update (SSU) has been installed in the boot image, then the cumulative update (CU) should install to the boot image without error: > [!IMPORTANT] > @@ -530,7 +530,7 @@ The following steps outline how to extract and then install the servicing stack **Example**: ```powershell - Start-Process "expand.exe" -ArgumentList " -f:* `"C:\Updates\windows11.0-kb5029263-x64_4f5fe19bbec786f5e445d3e71bcdf234fe2cbbec.msu`" `"C:\Updates\Extract`"" -Wait -LoadUserProfile + Start-Process "expand.exe" -ArgumentList " -f:* `"C:\Updates\windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu`" `"C:\Updates\Extract`"" -Wait -LoadUserProfile ``` For more information, see [Start-Process](/powershell/module/microsoft.powershell.management/start-process) and [expand](/windows-server/administration/windows-commands/expand). 
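Review bot: in the @@ -530 hunk the PowerShell example now uses a Windows 10 package ("windows10.0-kb5028166-x64_...msu"), which lines up with the page's recommendation to use the ADK for Windows 10, version 2004 in MDT scenarios, but the cmd example for the same step (the expand.exe line in the @@ -544 region, still "windows11.0-kb5029263-x64_...msu" until a later commit in this series) and the SSU package names that follow are not moved in the same commit. Change all three examples together so a reader following the PowerShell path and the cmd path sees one update for one procedure, and state in the text which Windows release the sample KB belongs to, since the SSU build in the later step (19041.3205) only makes sense for that release.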
@@ -566,7 +566,7 @@ The following steps outline how to extract and then install the servicing stack **Example**: ```powershell - Add-WindowsPackage -PackagePath "C:\Updates\Extract\SSU-22621.2061.cab" -Path "C:\Mount" -Verbose + Add-WindowsPackage -PackagePath "C:\Updates\Extract\SSU-19041.3205-x64" -Path "C:\Mount" -Verbose ``` For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). @@ -930,7 +930,7 @@ This process has the following advantages: 1. Keeps `boot.wim` pristine. -1. Make sure that changes done to a boot image are being done to a pristine unmodified version of the boot image. This process helps avoid corruption when a boot image is updated multiple times. I can also correct issues with existing boot images. +1. Makes sure that changes done to a boot image are being done to a pristine unmodified version of the boot image. This process helps avoid corruption when a boot image is updated multiple times. I can also correct issues with existing boot images. 1. Helps manage components in the boot image. The process doesn't need to know what components may need to be removed from the boot image each time the boot image is rebuilt. Instead, it just needs to know what components need to be added to the boot image. @@ -938,7 +938,7 @@ This process has the following advantages: Configuration Manager updates the `boot.wim` boot image in two scenarios: -1. When Configuration Manager is upgraded between versions or hotfix roll-ups (HFRUs) is applied, `boot.wim` may be updated as part of the upgrade process. +1. When Configuration Manager is upgraded between versions or a hotfix roll-up (HFRU) is applied, `boot.wim` may be updated as part of the upgrade process. 1. When selecting the option **Reload this boot image with the current Windows PE version from the Windows ADK** in the **Update Distribution Points Wizard**. 
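Review bot: the rewritten advantage in the @@ -930 hunk still carries a typo in the new line: "I can also correct issues with existing boot images." should be "It can also correct issues with existing boot images." ("It" referring to the process). The "Make sure" to "Makes sure" change correctly parallels "Keeps" in the preceding item; while in that sentence, "changes made to a boot image" reads better than "changes done to a boot image".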
@@ -954,7 +954,7 @@ The `winpe.wim` boot image from the Windows ADK should be updated because if `bo > > Never manually update the `boot..wim` boot image. In addition to facing the same issues when manually updating the `boot.wim` boot image, the `boot..wim` boot image will also face additional issues such as: > -> - Any time any changes are done to the boot image, such as adding drivers, and enabling the command prompt. etc, any manual changes done to the boot image, including the cumulative update, will be lost. +> - Any time any changes are done to the boot image (adding drivers, enabling the command prompt, etc.), any manual changes done to the boot image, including the cumulative update, will be lost. > > - Manually changing the `boot..wim` boot image changes the hash value of the boot image. A change in the hash value of the boot image can lead to download failures when downloading the boot image from a distribution point. 
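Review bot: the rewritten bullet is clearer but still double-counts "any": "Any time any changes are done to the boot image (...), any manual changes done to the boot image ... will be lost." Suggest "Any time the boot image is changed (adding drivers, enabling the command prompt, etc.), manual changes made to it, including the cumulative update, are lost." Separately, the surrounding context renders the image name as `boot..wim`; Configuration Manager names these images `boot.<PackageID>.wim`, so confirm the `<PackageID>` placeholder between the dots survives in the built page rather than being swallowed as markup.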
@@ -985,7 +985,7 @@ For Microsoft Configuration Manager boot images to function correctly, it requir | Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | Yes | | Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI | Yes | -When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above-required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. +When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). 
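Review bot: reverting "above-required" to "above required" in the @@ -985 hunk removes the wrong hyphen, but "the above required components in the above order" is still clumsy, with "above" doing double duty in one clause. Suggest "first add the required components listed above, in the order shown"; the MDT section carries the identical sentence (the @@ -1043 hunk of this same patch), so apply the same wording to both so the two sections don't drift apart.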
@@ -1043,7 +1043,7 @@ For Microsoft Deployment Toolkit (MDT) boot images to function correctly, it req | Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI | Yes | | HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI | Yes | -When adding optional components to any boot image used by MDT during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above-required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. +When adding optional components to any boot image used by MDT during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). From 424931311d5246441fabb21483a5a403db2b4f52 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 27 Oct 2023 15:45:38 -0400 Subject: [PATCH 5/6] Reverting more changes Reverting more changes --- windows/deployment/customize-boot-image.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index 81a6276297..3b52b209f3 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md 
@@ -544,7 +544,7 @@ The following steps outline how to extract and then install the servicing stack **Example**: ```cmd - expand.exe -f:* "C:\Updates\windows11.0-kb5029263-x64_4f5fe19bbec786f5e445d3e71bcdf234fe2cbbec.msu" "C:\Updates\Extract" + expand.exe -f:* "C:\Updates\windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu" "C:\Updates\Extract" ``` For more information, see [expand](/windows-server/administration/windows-commands/expand). @@ -566,7 +566,7 @@ The following steps outline how to extract and then install the servicing stack **Example**: ```powershell - Add-WindowsPackage -PackagePath "C:\Updates\Extract\SSU-19041.3205-x64" -Path "C:\Mount" -Verbose + Add-WindowsPackage -PackagePath "C:\Updates\Extract\SSU-19041.3205-x64.cab" -Path "C:\Mount" -Verbose ``` For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). @@ -582,7 +582,7 @@ The following steps outline how to extract and then install the servicing stack **Example**: ```cmd - DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Updates\Extract\SSU-22621.2061.cab" + DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Updates\Extract\SSU-19041.3205-x64.cab" ``` For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). From c509a2c67f6b22b66cbfab7b7d0290b5d97ac53e Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 30 Oct 2023 14:32:11 -0400 Subject: [PATCH 6/6] Review and update ms.date --- .../operating-system-security/system-security/trusted-boot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/operating-system-security/system-security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md index 364719eebb..431c65c17d 100644 --- a/windows/security/operating-system-security/system-security/trusted-boot.md +++ b/windows/security/operating-system-security/system-security/trusted-boot.md @@ -2,7 +2,7 @@ title: Secure Boot and Trusted Boot description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11 ms.topic: conceptual -ms.date: 09/21/2021 +ms.date: 10/30/2023 ms.reviewer: jsuther appliesto: - "✅ Windows 11"
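Review bot: PATCH 2/6, hunks @@ -1107 and @@ -1186 of windows/deployment/customize-boot-image.md: renaming the headings to "### WDS boot image is replaced with the new updated boot image" and "### Add the updated boot image as a new boot image in WDS" also changes the auto-generated section anchors, and this page links to its own sections by those anchors (for example "#step-6-add-optional-components-to-boot-image"), so any existing in-page or cross-page link to either heading would break; check for inbound links before renaming or keep the original headings. PATCH 3/6 in this same series reverts both headings, so the series flip-flops on one decision; squash the two commits so the final history carries only the outcome.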
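Review bot: PATCH 5/6, @@ -566 hunk: this restores the .cab extension that PATCH 4/6 dropped from the Add-WindowsPackage -PackagePath value; "C:\Updates\Extract\SSU-19041.3205-x64" names nothing that exists after expand.exe runs, whereas the DISM example in the @@ -582 hunk of this same patch correctly uses "SSU-19041.3205-x64.cab". Because this hunk and the @@ -544 and @@ -582 hunks only repair inconsistencies introduced one commit earlier, squash them into PATCH 4/6, and replace the commit message "Reverting more changes" with one that says what actually changed (sample KB aligned across the cmd and PowerShell examples; missing .cab extension added), since nothing in these hunks is a revert.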