PXE Windows PE under UEFI and Secure Boot Enabled

1. Download and install the Windows PE add-on for the Windows ADK for Windows 11, version 22H2.

In this example, %PEFOLDER% denotes the Windows PE folder of the ADK (by default C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment) and %TFTPROOT% denotes the TFTP server root.

2. Patch the BCD in %PEFOLDER%\amd64\Media\EFI\Microsoft\Boot\

  • Change the Boot Manager path to our file, \bootx64.efi
    > bcdedit /store BCD /set {bootmgr} path \bootx64.efi
  • Disable integrity checks and change bootmenupolicy to Legacy
    > bcdedit /store BCD /set {bootmgr} nointegritychecks Yes
    > bcdedit /store BCD /set {default} bootmenupolicy Legacy
  • Since a Linux file system treats file and directory names as case-sensitive, ramdisksdipath needs to be modified when PXE is served from a Linux server
    > bcdedit /store BCD /set {7619dcc8-fafe-11d9-b411-000476eba25f} ramdisksdipath \Boot\boot.sdi
  • The entries of the patched BCD should be identical to the following:
    > bcdedit /store BCD /enum all

    Windows Boot Manager
    identifier              {bootmgr}
    path                    \bootx64.efi
    description             Windows Boot Manager
    locale                  en-US
    inherit                 {globalsettings}
    nointegritychecks       Yes
    flightsigning           Yes
    default                 {default}
    displayorder            {default}
    toolsdisplayorder       {memdiag}
    timeout                 30

    Windows Boot Loader
    identifier              {default}
    device                  ramdisk=[boot]\sources\boot.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
    path                    \windows\system32\boot\winload.efi
    description             Windows Setup
    locale                  en-US
    inherit                 {bootloadersettings}
    isolatedcontext         Yes
    osdevice                ramdisk=[boot]\sources\boot.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
    systemroot              \windows
    bootmenupolicy          Legacy
    detecthal               Yes
    winpe                   Yes
    ems                     No

    Windows Memory Tester
    identifier              {memdiag}
    device                  boot
    path                    \efi\microsoft\boot\memtest.efi
    description             Windows Memory Diagnostic
    locale                  en-US
    inherit                 {globalsettings}

    EMS Settings
    identifier              {emssettings}
    bootems                 No

    Debugger Settings
    identifier              {dbgsettings}
    debugtype               Serial
    debugport               1
    baudrate                115200

    Global Settings
    identifier              {globalsettings}
    inherit                 {dbgsettings}

    Boot Loader Settings
    identifier              {bootloadersettings}
    inherit                 {globalsettings}

    Hypervisor Settings
    identifier              {hypervisorsettings}
    description             Hypervisor Settings
    hypervisordebugtype     Serial
    hypervisordebugport     1
    hypervisorbaudrate      115200

    Device options
    identifier              {7619dcc8-fafe-11d9-b411-000476eba25f}
    ramdisksdidevice        boot
    ramdisksdipath          \Boot\boot.sdi

3. Upload the required files to the TFTP server (on Linux servers, capitalization DOES matter)

  • %PEFOLDER%\amd64\Media\EFI\Boot\bootx64.efi to %TFTPROOT%\bootx64.efi
  • %PEFOLDER%\amd64\Media\Boot\boot.sdi to %TFTPROOT%\Boot\boot.sdi
  • %PEFOLDER%\amd64\en-us\winpe.wim to %TFTPROOT%\sources\boot.wim
    Alternatively, a customized Windows 11 based .wim file can be used, depending on the purpose
  • the patched BCD to %TFTPROOT%\Boot\BCD

PXE boot fails if the TFTP directory and file structure is not set up exactly as above (e.g. a capitalization mismatch on a Linux server).

4. Verify with Hyper-V.
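Before booting a client, the layout of the TFTP root from step 3 can be checked on the Linux server itself. The script below is an added example, not part of the original post: it verifies that the four files exist at exactly the case-sensitive paths the patched BCD references and distinguishes a wrong-case copy from a missing file. It assumes a POSIX sh with find(1) and a case-sensitive filesystem; the root directory path is passed as its argument.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of a Linux
# TFTP root for the PXE Windows PE setup described above. The four paths are
# the ones the patched BCD references: \bootx64.efi, \Boot\boot.sdi,
# \Boot\BCD and \sources\boot.wim. A wrong-case copy (e.g. boot/boot.sdi)
# is reported separately from a missing file, since that is the usual cause
# of a failed PXE boot from a Linux server.
# Assumes a POSIX sh with find(1); only meaningful on a case-sensitive filesystem.

REQUIRED_FILES="bootx64.efi Boot/boot.sdi Boot/BCD sources/boot.wim"

# check_tftp_root ROOT
# Prints one line per problem and returns the number of problems (0 = layout OK).
check_tftp_root() {
    root=$1
    problems=0
    for rel in $REQUIRED_FILES; do
        if [ -f "$root/$rel" ]; then
            continue
        fi
        # Exact path is absent: look for the same path with different capitalization.
        match=$(find "$root" -type f -ipath "$root/$rel" 2>/dev/null | head -n 1)
        if [ -n "$match" ]; then
            echo "case mismatch: expected $rel, found ${match#"$root/"}"
        else
            echo "missing: $rel"
        fi
        problems=$((problems + 1))
    done
    return "$problems"
}

# Usage: check_tftp_root /srv/tftp
```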

Windows Defender Credential Guard Prevents RDP from Using Saved Credentials

After a recent Windows update, Windows Defender Credential Guard blocks saved credentials when connecting to Remote Desktop.

AutomationId and ClassName of Fields

I modified my previous code, and it now works for both types of RDP credential window.

The CredentialAutoInput class can be used with the following simple code.

namespace UI
{
    internal class Uimain
    {
        static void Main(string[] args)
        {
            var u = new CredentialAutoInput();  // author's class, defined elsewhere
            switch (args[0])                    // account selected by the first argument (assumed)
            {
                case "myid1":
                    u.Connect("myid1", "mypass1");  // placeholder id/password
                    break;
                case "myid2":
                    u.Connect("myid2", "mypass2");
                    break;
            }
        }
    }
}

BitLocker with CMD

To lock the volume,
C:\>manage-bde -lock [volume]

To unlock the volume,
C:\>manage-bde -unlock -pw [volume]

Windows Equivalents for Chown and Chmod

TAKEOWN [/S system [/U username [/P [password]]]] /F filename [/A] [/R [/D prompt]]

This tool allows an administrator to recover access to a file that
was denied by re-assigning file ownership.

Parameter List:
/F – Specifies the filename or directory name pattern.
/A – Gives ownership to the administrators group instead of the current user.
/R – Recurse: instructs tool to operate on files in specified directory and all subdirectories.


ICACLS name [/grant[:r] Sid:perm[…]]

Sid:perm grants the specified user access rights. With :r, the permissions replace any previously granted explicit permissions; without :r, they are added to the previously granted explicit permissions.

Parameter List:
/T  – Recurse

Permission List:
N – no access
F – full access
M – modify access
RX – read and execute access
R – read-only access
W – write-only access
D – delete access

ICACLS * /grant "Administrators:(F)" /T