From 6c0ee8abc5d0472c2f9cb68df1e0efd5a3ee21b0 Mon Sep 17 00:00:00 2001
From: rbalsleyMSFT <53497092+rbalsleyMSFT@users.noreply.github.com>
Date: Mon, 16 Mar 2026 11:19:08 -0700
Subject: [PATCH] Uses ADK BCDBoot to prevent issues with devices that have updated Secureboot certificates from using 2023 signed boot files
---
 FFUDevelopment/BuildFFUVM.ps1 | 22 +++++++++++++++----
 .../WinPEDeployFFUFiles/ApplyFFU.ps1 | 2 +-
 2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/FFUDevelopment/BuildFFUVM.ps1 b/FFUDevelopment/BuildFFUVM.ps1
index a312c76..6a197fb 100644
--- a/FFUDevelopment/BuildFFUVM.ps1
+++ b/FFUDevelopment/BuildFFUVM.ps1
@@ -464,7 +464,7 @@ param(
     [switch]$Cleanup
 )
 $ProgressPreference = 'SilentlyContinue'
-$version = '2603.1'
+$version = '2603.2'
 # Remove any existing modules to avoid conflicts
 if (Get-Module -Name 'FFU.Common.Core' -ErrorAction SilentlyContinue) {
@@ -2781,11 +2781,25 @@ function Add-BootFiles {
         [string]$OsPartitionDriveLetter,
         [Parameter(Mandatory = $true)]
         [string]$SystemPartitionDriveLetter,
+        [Parameter(Mandatory = $true)]
+        [string]$AdkPath,
+        [Parameter(Mandatory = $true)]
+        [ValidateSet('x86', 'x64', 'arm64')]
+        [string]$WindowsArch,
         [string]$FirmwareType = 'UEFI'
     )
-    WriteLog "Adding boot files for `"$($OsPartitionDriveLetter):\Windows`" to System partition `"$($SystemPartitionDriveLetter):`"..."
-    Invoke-Process bcdboot "$($OsPartitionDriveLetter):\Windows /S $($SystemPartitionDriveLetter): /F $FirmwareType" | Out-Null
+    # Use the ADK copy of BCDBoot so the boot binaries come from the validated ADK toolset
+    # instead of the local OS installation, which can differ based on Secure Boot servicing state.
+    $bcdBootArchitecture = if ($WindowsArch -ieq 'arm64') { 'arm64' } else { 'amd64' }
+    $bcdBootPath = Join-Path $AdkPath "Assessment and Deployment Kit\Deployment Tools\$bcdBootArchitecture\BCDBoot\bcdboot.exe"
+
+    if (-not (Test-Path -Path $bcdBootPath)) {
+        throw "ADK BCDBoot was not found at $bcdBootPath"
+    }
+
+    WriteLog "Adding boot files for `"$($OsPartitionDriveLetter):\Windows`" to System partition `"$($SystemPartitionDriveLetter):`" using ADK BCDBoot at `"$bcdBootPath`"..."
+    Invoke-Process $bcdBootPath "$($OsPartitionDriveLetter):\Windows /S $($SystemPartitionDriveLetter): /F $FirmwareType" | Out-Null
     WriteLog "Done."
 }
@@ -7025,7 +7039,7 @@ try {
     WriteLog 'All necessary partitions created.'
-    Add-BootFiles -OsPartitionDriveLetter $osPartitionDriveLetter -SystemPartitionDriveLetter $systemPartitionDriveLetter[1]
+    Add-BootFiles -OsPartitionDriveLetter $osPartitionDriveLetter -SystemPartitionDriveLetter $systemPartitionDriveLetter[1] -AdkPath $adkPath -WindowsArch $WindowsArch
     #Add Windows packages
     if ($UpdateLatestCU -or $UpdateLatestNet -or $UpdatePreviewCU ) {
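Review bot: The new `if (-not (Test-Path -Path $bcdBootPath))` guard only proves that something exists at the path built from `$AdkPath`; nothing confirms that what is then handed to `Invoke-Process` is the ADK's signed bcdboot.exe, even though this binary is what produces the boot files that Secure Boot later validates. Tightening the guard to `if (-not (Test-Path -Path $bcdBootPath -PathType Leaf)) { throw "ADK BCDBoot was not found at $bcdBootPath" }` and adding `if ((Get-AuthenticodeSignature -FilePath $bcdBootPath).Status -ne 'Valid') { throw "ADK BCDBoot at $bcdBootPath does not have a valid Authenticode signature" }` before the call would fail fast on a wrong or tampered ADK location with a clear log line instead of silently building boot media with the wrong tool. The architecture mapping also deserves a comment: `$WindowsArch` accepts 'x86' through ValidateSet, but the `if` maps everything other than 'arm64' to the amd64 tool, so a line such as `# x86 and x64 images are both serviced with the amd64 BCDBoot; only arm64 needs its own tool` would make that intentional rather than an oversight, and whether the arm64 tool can run on the build host when an arm64 image is produced on an x64 machine cannot be verified from this hunk. `-ieq` is redundant here since `-eq` is already case-insensitive in PowerShell. Add-BootFiles' param block begins before the hunk, and the caller in the second hunk passes `$adkPath`, which is defined outside the view.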
diff --git a/FFUDevelopment/WinPEDeployFFUFiles/ApplyFFU.ps1 b/FFUDevelopment/WinPEDeployFFUFiles/ApplyFFU.ps1
index 6e48255..77b5878 100644
--- a/FFUDevelopment/WinPEDeployFFUFiles/ApplyFFU.ps1
+++ b/FFUDevelopment/WinPEDeployFFUFiles/ApplyFFU.ps1
@@ -835,7 +835,7 @@ $LogFileName = 'ScriptLog.txt'
 $USBDrive = Get-USBDrive
 New-item -Path $USBDrive -Name $LogFileName -ItemType "file" -Force | Out-Null
 $LogFile = $USBDrive + $LogFilename
-$version = '2603.1'
+$version = '2603.2'
 WriteLog 'Begin Logging'
 WriteLog "Script version: $version"