PXE Windows PE under UEFI and Secure Boot Enabled

1. Download the Windows PE add-on for the Windows ADK for Windows 11, version 22H2, and install it.

In this example, the Windows PE folder of the Windows ADK (default: C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment) is %PEFOLDER% and the TFTP server root is %TFTPROOT%.

2. Patch the BCD in %PEFOLDER%\amd64\Media\EFI\Microsoft\Boot\ (run the commands below from that directory, or pass the full path of the store to /store)

  • Change the path of the boot manager to the file we serve from the TFTP root, \bootx64.efi
    > bcdedit /store BCD /set {bootmgr} path \bootx64.efi
  • Disable integrity checks and change bootmenupolicy to Legacy (the firmware still verifies the Secure Boot signature of bootx64.efi itself, so the stock Microsoft-signed file must be served unmodified)
    > bcdedit /store BCD /set {bootmgr} nointegritychecks Yes
    > bcdedit /store BCD /set {default} bootmenupolicy Legacy
  • Since a Linux file system treats file and directory names as case-sensitive, ramdisksdipath must be modified to match the exact case of the path on the TFTP server when PXE is served from a Linux server
    > bcdedit /store BCD /set {7619dcc8-fafe-11d9-b411-000476eba25f} ramdisksdipath \Boot\boot.sdi
  • After patching, the entries of the BCD should be identical to:
    > bcdedit /store BCD /enum all
    
    Windows Boot Manager
    --------------------
    identifier              {bootmgr}
    path                    \bootx64.efi
    description             Windows Boot Manager
    locale                  en-US
    inherit                 {globalsettings}
    nointegritychecks       Yes
    flightsigning           Yes
    default                 {default}
    displayorder            {default}
    toolsdisplayorder       {memdiag}
    timeout                 30
    
    Windows Boot Loader
    -------------------
    identifier              {default}
    device                  ramdisk=[boot]\sources\boot.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
    path                    \windows\system32\boot\winload.efi
    description             Windows Setup
    locale                  en-US
    inherit                 {bootloadersettings}
    isolatedcontext         Yes
    osdevice                ramdisk=[boot]\sources\boot.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
    systemroot              \windows
    bootmenupolicy          Legacy
    detecthal               Yes
    winpe                   Yes
    ems                     No
    
    Windows Memory Tester
    ---------------------
    identifier              {memdiag}
    device                  boot
    path                    \efi\microsoft\boot\memtest.efi
    description             Windows Memory Diagnostic
    locale                  en-US
    inherit                 {globalsettings}
    
    EMS Settings
    ------------
    identifier              {emssettings}
    bootems                 No
    
    Debugger Settings
    -----------------
    identifier              {dbgsettings}
    debugtype               Serial
    debugport               1
    baudrate                115200
    
    Global Settings
    ---------------
    identifier              {globalsettings}
    inherit                 {dbgsettings}
                            {emssettings}
    
    Boot Loader Settings
    --------------------
    identifier              {bootloadersettings}
    inherit                 {globalsettings}
                            {hypervisorsettings}
    
    Hypervisor Settings
    -------------------
    identifier              {hypervisorsettings}
    description             Hypervisor Settings
    hypervisordebugtype     Serial
    hypervisordebugport     1
    hypervisorbaudrate      115200
    
    Device options
    --------------
    identifier              {7619dcc8-fafe-11d9-b411-000476eba25f}
    ramdisksdidevice        boot
    ramdisksdipath          \Boot\boot.sdi
    

3. Upload the required files to the TFTP server (on Linux servers, capitalization DOES matter)

  • %PEFOLDER%\amd64\Media\EFI\Boot\bootx64.efi to %TFTPROOT%\bootx64.efi
  • %PEFOLDER%\amd64\Media\Boot\boot.sdi to %TFTPROOT%\Boot\boot.sdi
  • %PEFOLDER%\amd64\en-us\winpe.wim to %TFTPROOT%\sources\boot.wim
    Alternatively, a customized Windows 11-based .wim can be used, depending on the purpose
  • the patched BCD to %TFTPROOT%\Boot\BCD


PXE boot fails if the TFTP directory and file structure does not match the paths in the BCD exactly (e.g. a capitalization mismatch such as boot\ vs Boot\ on a Linux server)

4. Verify with Hyper-V (a Generation 2 VM boots UEFI with Secure Boot enabled by default, so PXE-booting it from the same TFTP server exercises the same path as physical hardware)
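Steps 1 to 4 as one script. This is an added example, not code from the original post: it stages the tree in a local folder that is afterwards copied to the TFTP server with a case-preserving tool, patches the copy of the BCD rather than the ADK media file, checks the four patched values and the exact case of every path, and then creates a Secure Boot Generation 2 VM for the test. The staging folder, the VM name and the virtual switch name are assumptions.

```powershell
# Added example (not part of the original post): stage the Windows PE PXE
# tree for UEFI/Secure Boot clients as steps 1-4 describe, and check the
# result instead of eyeballing the bcdedit output.
# Assumptions (not in the original): elevated PowerShell on the machine with
# the ADK installed; $TftpRoot is a local staging folder that is afterwards
# copied to the TFTP server; the VM and switch names are placeholders.
$PEFolder = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment'
$TftpRoot = 'C:\PXE\tftproot'
$RamdiskOptions = '{7619dcc8-fafe-11d9-b411-000476eba25f}'

# Destination paths, relative to the TFTP root, in the exact case the patched
# BCD references. On a Linux TFTP server Boot\ and boot\ are different folders.
$Layout = [ordered]@{
    'bootx64.efi'      = Join-Path $PEFolder 'amd64\Media\EFI\Boot\bootx64.efi'
    'Boot\boot.sdi'    = Join-Path $PEFolder 'amd64\Media\Boot\boot.sdi'
    'sources\boot.wim' = Join-Path $PEFolder 'amd64\en-us\winpe.wim'
    'Boot\BCD'         = Join-Path $PEFolder 'amd64\Media\EFI\Microsoft\Boot\BCD'
}

# Step 3: copy the files. bootx64.efi is copied unmodified because the firmware
# verifies its Microsoft signature under Secure Boot.
foreach ($rel in $Layout.Keys) {
    $dest = Join-Path $TftpRoot $rel
    New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
    Copy-Item -LiteralPath $Layout[$rel] -Destination $dest -Force
}

# Step 2: patch the copy of the BCD (the ADK media file stays untouched).
$Bcd = Join-Path $TftpRoot 'Boot\BCD'
Set-ItemProperty -LiteralPath $Bcd -Name IsReadOnly -Value $false
& bcdedit /store $Bcd /set '{bootmgr}' path '\bootx64.efi'
& bcdedit /store $Bcd /set '{bootmgr}' nointegritychecks Yes
& bcdedit /store $Bcd /set '{default}' bootmenupolicy Legacy
& bcdedit /store $Bcd /set $RamdiskOptions ramdisksdipath '\Boot\boot.sdi'
if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }

# Confirm the four values actually landed in the store.
$enum = & bcdedit /store $Bcd /enum all
foreach ($re in 'path\s+\\bootx64\.efi',
                'nointegritychecks\s+Yes',
                'bootmenupolicy\s+Legacy',
                'ramdisksdipath\s+\\Boot\\boot\.sdi') {
    if (-not ($enum -match $re)) { throw "BCD check failed: expected '$re'" }
}

# Windows ignores case, so Test-Path cannot tell "boot\" from "Boot\"; walk the
# tree and compare each path component with the case-sensitive -ceq operator.
function Test-ExactCasePath([string]$Root, [string]$Relative) {
    $node = Get-Item -LiteralPath $Root
    foreach ($part in $Relative.Split('\')) {
        $node = Get-ChildItem -LiteralPath $node.FullName -Force |
                Where-Object { $_.Name -ceq $part }
        if (-not $node) { return $false }
    }
    return $true
}
foreach ($rel in $Layout.Keys) {
    if (-not (Test-ExactCasePath $TftpRoot $rel)) { throw "Case mismatch in TFTP tree: $rel" }
}

# Step 4: a Generation 2 VM boots UEFI with Secure Boot on; make the network
# adapter the first boot device so it PXE-boots from the server on $Switch.
$Switch = 'PXE-LAN'   # placeholder, not in the original
$vm = New-VM -Name 'WinPE-PXE-Test' -Generation 2 -MemoryStartupBytes 2GB -SwitchName $Switch
Set-VMFirmware -VM $vm -EnableSecureBoot On -SecureBootTemplate MicrosoftWindows `
    -FirstBootDevice (Get-VMNetworkAdapter -VM $vm)
Start-VM -VM $vm
```

The case check is the part worth keeping around: it is the only one of these checks that a Windows host cannot do by accident, and a `Boot\` vs `boot\` mismatch is the usual reason a tree that works from a Windows TFTP server fails from a Linux one.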

Windows Defender Credential Guard Prevents RDP from Using Saved Credentials

After a recent Windows update, Windows Defender Credential Guard blocks the use of saved credentials when connecting to a remote desktop, so the credential prompt comes back on every connection.

[Screenshots: the CredentialUIBroker prompt, and the AutomationId and ClassName of its fields]

I modified my previous code, and it now works for both types of RDP credential window.

The CredentialAutoInput class can be used as in the following simple code.

// CredentialAutoInput is defined elsewhere in the post's project (it drives the
// CredentialUIBroker prompt through UI Automation) and is not shown here.
namespace UI
{
    internal class Uimain
    {
        static void Main(string[] args)
        {
            var u = new CredentialAutoInput();

            // Inferred from its use here: GetId() returns the user name the prompt
            // is asking for, and Connect() fills in the password and submits.
            // The passwords are hard-coded only to keep the sample short; anything
            // that re-enters a password holds it in clear text, so read it from a
            // vault rather than from source in real use.
            switch (u.GetId())
            {
                case "myid1":
                    u.Connect("myid1", "mypass1");
                    break;

                case "myid2":
                    u.Connect("myid2", "mypass2");
                    break;
            }
        }
    }
}
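Before automating the prompt, it is worth confirming that Credential Guard really is what refuses the saved credentials and which saved entries are affected. The following is an added example, not code from the original post; it reads the virtualization-based-security state from the Win32_DeviceGuard WMI class and lists the TERMSRV/ entries that cmdkey reports for the current user. The function name is an assumption.

```powershell
# Added example (not from the original post): confirm that Credential Guard is
# running, and list the saved Remote Desktop credentials it will refuse.
# Assumptions: Windows 10/11, run as the user whose saved credentials are in
# question (cmdkey shows only the calling user's vault).
function Get-CredentialGuardRdpState {
    # Win32_DeviceGuard reports the VBS services as arrays of codes:
    # 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # cmdkey /list prints one "Target: Domain:target=TERMSRV/<host>" line per
    # saved Remote Desktop credential; keep just the host part.
    $saved = (& cmdkey /list) |
        ForEach-Object { if ($_ -match 'TERMSRV/(\S+)') { $Matches[1] } }

    [pscustomobject]@{
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        SavedRdpTargets           = @($saved)
    }
}

$state = Get-CredentialGuardRdpState
$state
if ($state.CredentialGuardRunning -and $state.SavedRdpTargets.Count -gt 0) {
    Write-Warning ('Credential Guard is running; mstsc will prompt for these targets ' +
                   'instead of using the saved password: ' + ($state.SavedRdpTargets -join ', '))
}
```

If CredentialGuardRunning is false the prompt has another cause and the UI automation above is not the right fix.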

BitLocker with CMD

To lock a data volume (the running OS volume cannot be locked; add -ForceDismount, or -fd, if open handles keep the lock from succeeding),
C:\>manage-bde -lock [volume]

To unlock the volume with its password protector (the password is prompted for, not passed on the command line),
C:\>manage-bde -unlock [volume] -pw
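The same lock and unlock steps with the state checks that manage-bde leaves to the operator, written against the BitLocker PowerShell module that ships with Windows 8 / Server 2012 and later. This is an added example, not from the original post; the function names and the D: drive are assumptions.

```powershell
# Added example (not from the original post): manage-bde -lock / -unlock -pw
# with the checks around them, using the built-in BitLocker module.
# Assumptions: D: is a BitLocker data volume with a password protector and
# the shell is elevated.
function Lock-DataVolume([string]$MountPoint) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -eq 'OperatingSystem') {
        throw "$MountPoint is the OS volume; only data volumes can be locked while Windows is running"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        throw "$MountPoint is not protected (status $($vol.ProtectionStatus)); nothing to lock"
    }
    # manage-bde -lock D: fails while anything holds a handle on the volume;
    # -ForceDismount is the equivalent of its -fd switch.
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    return (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus
}

function Unlock-DataVolume([string]$MountPoint) {
    # Prompt for the password as manage-bde -unlock D: -pw does, rather than
    # passing it as an argument where it ends up in shell history and logs.
    $pw = Read-Host -Prompt "BitLocker password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw | Out-Null
    return (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus
}

Lock-DataVolume 'D:'
Unlock-DataVolume 'D:'
```

Each function returns the LockStatus read back from the volume after the operation, so a script can assert on it instead of trusting the cmdlet's exit.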

Windows Equivalents for Chown and Chmod

takeown is the chown side (it changes only the owner; as owner you then implicitly have the right to change the DACL), and icacls is the chmod side.

TAKEOWN [/S system [/U username [/P [password]]]] /F filename [/A] [/R [/D prompt]]

Description:
This tool allows an administrator to recover access to a file that
was denied by re-assigning file ownership.

Parameter List:
/F – Specifies the filename or directory name pattern.
/A – Gives ownership to the administrators group instead of the current user.
/R – Recurse: instructs tool to operate on files in specified directory and all subdirectories.
/D prompt – Default answer (Y or N) used when the current user does not have list-folder permission on a subdirectory encountered during /R; without it the tool stops to ask.

Examples:
TAKEOWN /?
TAKEOWN /F * /R /A


ICACLS name [/grant[:r] Sid:perm[…]]

Description:
Sid:perm grants the specified user access rights. Without :r the rights are added to the existing DACL; with /grant:r they replace any explicit permissions previously granted to that Sid.

Parameter List:
/T  – Recurse: apply to all matching files and subdirectories below the name given.

Permission List:
N – no access
F – full access
M – modify access
RX – read and execute access
R – read-only access
W – write-only access
D – delete access

Examples:
ICACLS /?
ICACLS * /grant "Administrators:(F)" /T
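The two tools are normally used together: takeown to become owner, icacls to grant the rights, then a check that both took effect. The following is an added example, not from the original post; the function name and the path are assumptions, and it grants the local Administrators group (what takeown /A assigns) rather than the current user.

```powershell
# Added example (not from the original post): the chown + chmod recovery
# sequence with takeown and icacls, followed by verification of the result.
# Assumptions: elevated PowerShell; $Path is the tree to recover.
function Repair-TreeAccess([string]$Path) {
    # chown: ownership to Administrators (/A), recursing (/R). /D Y answers
    # "yes" when a subdirectory cannot even be listed, the case in which /R
    # would otherwise stop and prompt.
    & takeown /F $Path /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

    # chmod: Administrators full control, inherited by new files and folders
    # ((OI)(CI)), applied to every existing item (/T), continuing past errors
    # (/C). Plain /grant appends to the DACL; /grant:r would replace the
    # explicit ACE Administrators already had.
    & icacls $Path /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Verify: owner is Administrators and an explicit (non-inherited)
    # FullControl ACE for Administrators is present on the root.
    $acl = Get-Acl -LiteralPath $Path
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Administrators' -and
        $_.FileSystemRights -eq 'FullControl' -and
        -not $_.IsInherited
    }
    [pscustomobject]@{
        Path              = $Path
        Owner             = $acl.Owner
        AdminsFullControl = [bool]$ace
    }
}

Repair-TreeAccess 'C:\Recover\stuck-folder'
```

Granting to Administrators rather than the current user keeps the recovered tree's ACL tied to the group that is supposed to be able to administer it, which is the least-privilege choice when the only goal is to regain access.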