diff --git a/.mingw/Makefile.am b/.mingw/Makefile.am
index eb979f9f..cb131d61 100644
--- a/.mingw/Makefile.am
+++ b/.mingw/Makefile.am
@@ -19,7 +19,7 @@ TARGET := $(word 1,$(subst -, ,$(TUPLE)))
DEF_SUFFIX := $(if $(TARGET:x86_64=),.def,.def64)
.PHONY: all
-all: dwmapi-delaylib.lib wintrust-delaylib.lib
+all: dwmapi-delaylib.lib version-delaylib.lib wintrust-delaylib.lib
%.def64: %.def
$(AM_V_SED) "s/@.*//" $< >$@
diff --git a/.mingw/Makefile.in b/.mingw/Makefile.in
index 0af7e49c..0dda8fb1 100644
--- a/.mingw/Makefile.in
+++ b/.mingw/Makefile.in
@@ -367,7 +367,7 @@ uninstall-am:
.PHONY: all
-all: dwmapi-delaylib.lib wintrust-delaylib.lib
+all: dwmapi-delaylib.lib version-delaylib.lib wintrust-delaylib.lib
%.def64: %.def
$(AM_V_SED) "s/@.*//" $< >$@
diff --git a/.mingw/version.def b/.mingw/version.def
new file mode 100644
index 00000000..3ee9c727
--- /dev/null
+++ b/.mingw/version.def
@@ -0,0 +1,4 @@
+EXPORTS
+ GetFileVersionInfoSizeW@8
+ GetFileVersionInfoW@16
+ VerQueryValueA@16
diff --git a/.vs/rufus.vcxproj b/.vs/rufus.vcxproj
index 6693b2f2..7266623b 100644
--- a/.vs/rufus.vcxproj
+++ b/.vs/rufus.vcxproj
@@ -133,12 +133,12 @@
/utf-8 $(ExternalCompilerOptions) %(AdditionalOptions)
- advapi32.lib;comctl32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;wintrust.lib;%(AdditionalDependencies)
+ advapi32.lib;comctl32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;version.lib;wintrust.lib;%(AdditionalDependencies)
RequireAdministrator
true
Windows
MachineX86
- advapi32.dll;comctl32.dll;comdlg32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;wintrust.dll;%(DelayLoadDLLs)
+ advapi32.dll;comctl32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;version.dll;wintrust.dll;%(DelayLoadDLLs)
_UNICODE;UNICODE;%(PreprocessorDefinitions)
@@ -162,12 +162,12 @@
/utf-8 $(ExternalCompilerOptions) %(AdditionalOptions)
- advapi32.lib;comctl32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;wintrust.lib;ole32.lib;advapi32.lib;gdi32.lib;shell32.lib;comdlg32.lib;%(AdditionalDependencies)
+ advapi32.lib;comctl32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;version.lib;wintrust.lib;ole32.lib;advapi32.lib;gdi32.lib;shell32.lib;comdlg32.lib;%(AdditionalDependencies)
RequireAdministrator
true
Windows
C:\Program Files (x86)\Windows Kits\10\Lib\10.0.15063.0\um\arm
- advapi32.dll;comctl32.dll;comdlg32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;wintrust.dll;ole32.dll;advapi32.dll;gdi32.dll;shell32.dll;comdlg32.dll;%(DelayLoadDLLs)
+ advapi32.dll;comctl32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;version.dll;wintrust.dll;ole32.dll;advapi32.dll;gdi32.dll;shell32.dll;comdlg32.dll;%(DelayLoadDLLs)
_UNICODE;UNICODE;%(PreprocessorDefinitions)
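Review bot: comdlg32 is dropped only from the head of the list here; on the new side of this ARM hunk the duplicated tail still ends in `shell32.lib;comdlg32.lib;%(AdditionalDependencies)` and `shell32.dll;comdlg32.dll;%(DelayLoadDLLs)`. The ARM configuration therefore keeps linking and delay-loading comdlg32 while the x86 and x64 ones no longer do. The same holds for the hunks at -193, -292 and -326 (ARM64 and the two `/BREPRO` ARM/ARM64 configurations). If the removal is meant for every platform, the duplicated tail (`ole32;advapi32;gdi32;shell32;comdlg32`) should be cleaned up too, so the delay-loaded DLL set is identical across configurations and can be audited in one place.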
@@ -193,12 +193,12 @@
/utf-8 $(ExternalCompilerOptions) %(AdditionalOptions)
- advapi32.lib;comctl32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;wintrust.lib;ole32.lib;advapi32.lib;gdi32.lib;shell32.lib;comdlg32.lib;%(AdditionalDependencies)
+ advapi32.lib;comctl32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;version.lib;wintrust.lib;ole32.lib;advapi32.lib;gdi32.lib;shell32.lib;comdlg32.lib;%(AdditionalDependencies)
RequireAdministrator
true
Windows
C:\Program Files (x86)\Windows Kits\10\Lib\10.0.16299.0\um\arm64
- advapi32.dll;comctl32.dll;comdlg32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;wintrust.dll;ole32.dll;advapi32.dll;gdi32.dll;shell32.dll;comdlg32.dll;%(DelayLoadDLLs)
+ advapi32.dll;comctl32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;version.dll;wintrust.dll;ole32.dll;advapi32.dll;gdi32.dll;shell32.dll;comdlg32.dll;%(DelayLoadDLLs)
_UNICODE;UNICODE;%(PreprocessorDefinitions)
@@ -229,12 +229,12 @@
/utf-8 $(ExternalCompilerOptions) %(AdditionalOptions)
- advapi32.lib;comctl32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;wintrust.lib;%(AdditionalDependencies)
+ advapi32.lib;comctl32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;version.lib;wintrust.lib;%(AdditionalDependencies)
RequireAdministrator
true
Windows
MachineX64
- advapi32.dll;comctl32.dll;comdlg32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;wintrust.dll;%(DelayLoadDLLs)
+ advapi32.dll;comctl32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;version.dll;wintrust.dll;%(DelayLoadDLLs)
_UNICODE;UNICODE;%(PreprocessorDefinitions)
@@ -260,13 +260,13 @@
true
- advapi32.lib;comctl32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;wintrust.lib;%(AdditionalDependencies)
+ advapi32.lib;comctl32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;version.lib;wintrust.lib;%(AdditionalDependencies)
RequireAdministrator
false
Windows
MachineX86
/BREPRO %(AdditionalOptions)
- advapi32.dll;comctl32.dll;comdlg32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;wintrust.dll;%(DelayLoadDLLs)
+ advapi32.dll;comctl32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;version.dll;wintrust.dll;%(DelayLoadDLLs)
_UNICODE;UNICODE;%(PreprocessorDefinitions)
@@ -292,13 +292,13 @@
true
- advapi32.lib;comctl32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;wintrust.lib;ole32.lib;advapi32.lib;gdi32.lib;shell32.lib;comdlg32.lib;%(AdditionalDependencies)
+ advapi32.lib;comctl32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;version.lib;wintrust.lib;ole32.lib;advapi32.lib;gdi32.lib;shell32.lib;comdlg32.lib;%(AdditionalDependencies)
RequireAdministrator
false
Windows
C:\Program Files (x86)\Windows Kits\10\Lib\10.0.15063.0\um\arm
/BREPRO %(AdditionalOptions)
- advapi32.dll;comctl32.dll;comdlg32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;wintrust.dll;ole32.dll;advapi32.dll;gdi32.dll;shell32.dll;comdlg32.dll;%(DelayLoadDLLs)
+ advapi32.dll;comctl32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;version.dll;wintrust.dll;ole32.dll;advapi32.dll;gdi32.dll;shell32.dll;comdlg32.dll;%(DelayLoadDLLs)
_UNICODE;UNICODE;%(PreprocessorDefinitions)
@@ -326,13 +326,13 @@
true
- advapi32.lib;comctl32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;wintrust.lib;ole32.lib;advapi32.lib;gdi32.lib;shell32.lib;comdlg32.lib;%(AdditionalDependencies)
+ advapi32.lib;comctl32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;version.lib;wintrust.lib;ole32.lib;advapi32.lib;gdi32.lib;shell32.lib;comdlg32.lib;%(AdditionalDependencies)
RequireAdministrator
false
Windows
C:\Program Files (x86)\Windows Kits\10\Lib\10.0.16299.0\um\arm64
/BREPRO %(AdditionalOptions)
- advapi32.dll;comctl32.dll;comdlg32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;wintrust.dll;ole32.dll;advapi32.dll;gdi32.dll;shell32.dll;comdlg32.dll;%(DelayLoadDLLs)
+ advapi32.dll;comctl32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;version.dll;wintrust.dll;ole32.dll;advapi32.dll;gdi32.dll;shell32.dll;comdlg32.dll;%(DelayLoadDLLs)
_UNICODE;UNICODE;%(PreprocessorDefinitions)
@@ -363,13 +363,13 @@
true
- advapi32.lib;comctl32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;wintrust.lib;%(AdditionalDependencies)
+ advapi32.lib;comctl32.lib;crypt32.lib;gdi32.lib;ole32.lib;dwmapi.lib;setupapi.lib;shell32.lib;shlwapi.lib;version.lib;wintrust.lib;%(AdditionalDependencies)
RequireAdministrator
false
Windows
MachineX64
/BREPRO %(AdditionalOptions)
- advapi32.dll;comctl32.dll;comdlg32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;wintrust.dll;%(DelayLoadDLLs)
+ advapi32.dll;comctl32.dll;crypt32.dll;gdi32.dll;ole32.dll;dwmapi.dll;setupapi.dll;shell32.dll;shlwapi.dll;version.dll;wintrust.dll;%(DelayLoadDLLs)
_UNICODE;UNICODE;%(PreprocessorDefinitions)
diff --git a/src/Makefile.am b/src/Makefile.am
index 59dfabd3..ef0d0436 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,11 +1,11 @@
SUBDIRS = ../.mingw bled ext2fs ms-sys syslinux/libfat syslinux/libinstaller syslinux/win libcdio/iso9660 libcdio/udf libcdio/driver ../res/loc
# As far as I can tell, the following libraries are *not* vulnerable to side-loading, so we link using their regular version:
-NONVULNERABLE_LIBS = -lsetupapi -lole32 -lgdi32 -lshlwapi -lcrypt32 -lcomdlg32 -lcomctl32 -luuid
+NONVULNERABLE_LIBS = -lsetupapi -lole32 -lgdi32 -lshlwapi -lcrypt32 -lcomctl32 -luuid
# The following libraries are vulnerable (or have an unknown vulnerability status), so we link using our delay-loaded replacement:
# Ideally there would also be virtdisk and wininet as delaylib's below, but the MinGW folks haven't quite sorted out delay-loading
# for x86_32 so as soon as you try to call APIs from these, the application will crash!
# See https://github.com/pbatard/rufus/issues/1877#issuecomment-1109683039 as well as https://github.com/pbatard/rufus/issues/2272
-VULNERABLE_LIBS = -ldwmapi-delaylib -lwintrust-delaylib
+VULNERABLE_LIBS = -ldwmapi-delaylib -lversion-delaylib -lwintrust-delaylib
noinst_PROGRAMS = rufus
diff --git a/src/Makefile.in b/src/Makefile.in
index 0fe9fa5a..70d31a54 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -275,12 +275,12 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
SUBDIRS = ../.mingw bled ext2fs ms-sys syslinux/libfat syslinux/libinstaller syslinux/win libcdio/iso9660 libcdio/udf libcdio/driver ../res/loc
# As far as I can tell, the following libraries are *not* vulnerable to side-loading, so we link using their regular version:
-NONVULNERABLE_LIBS = -lsetupapi -lole32 -lgdi32 -lshlwapi -lcrypt32 -lcomdlg32 -lcomctl32 -luuid
+NONVULNERABLE_LIBS = -lsetupapi -lole32 -lgdi32 -lshlwapi -lcrypt32 -lcomctl32 -luuid
# The following libraries are vulnerable (or have an unknown vulnerability status), so we link using our delay-loaded replacement:
# Ideally there would also be virtdisk and wininet as delaylib's below, but the MinGW folks haven't quite sorted out delay-loading
# for x86_32 so as soon as you try to call APIs from these, the application will crash!
# See https://github.com/pbatard/rufus/issues/1877#issuecomment-1109683039 as well as https://github.com/pbatard/rufus/issues/2272
-VULNERABLE_LIBS = -ldwmapi-delaylib -lwintrust-delaylib
+VULNERABLE_LIBS = -ldwmapi-delaylib -lversion-delaylib -lwintrust-delaylib
AM_V_WINDRES_0 = @echo " RC $@";$(WINDRES)
AM_V_WINDRES_1 = $(WINDRES)
AM_V_WINDRES_ = $(AM_V_WINDRES_$(AM_DEFAULT_VERBOSITY))
diff --git a/src/hash.c b/src/hash.c
index 79d84316..3f2c0df6 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -2119,8 +2119,10 @@ BOOL IsFileInDB(const char* path)
int IsBootloaderRevoked(const char* path)
{
+ version_t* ver;
uint32_t i;
uint8_t hash[SHA256_HASHSIZE];
+
if (!PE256File(path, hash))
return -1;
for (i = 0; i < ARRAYSIZE(pe256dbx); i += SHA256_HASHSIZE)
@@ -2129,6 +2131,12 @@ int IsBootloaderRevoked(const char* path)
for (i = 0; i < pe256ssp_size * SHA256_HASHSIZE; i += SHA256_HASHSIZE)
if (memcmp(hash, &pe256ssp[i], SHA256_HASHSIZE) == 0)
return 2;
+ ver = GetExecutableVersion(path);
+ // Blanket filter for Windows 10 1607 (excluded) to Windows 10 20H1 (excluded)
+ // TODO: Revoke all bootloaders prior to 2023.05 once Microsoft does
+// uprintf("Found UEFI bootloader version: %d.%d.%d.%d", ver->Major, ver->Minor, ver->Micro, ver->Nano);
+ if (ver != NULL && ver->Major == 10 && ver->Minor == 0 && ver->Micro > 14393 && ver->Micro < 19041)
+ return 3;
return 0;
}
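Review bot: The commented-out `uprintf(...)` line dereferences `ver` ahead of the `ver != NULL` test, so re-enabling it for debugging would crash on a bootloader that has no version resource; delete it or move it inside the guarded branch. The new return value 3 is not documented in the visible code, and the call site in rufus.c only distinguishes `r == 1` from everything else, so 3 is reported with the same message as 2. A header comment such as `/* Returns -1 on hashing error, 0 if not revoked, 1 on a pe256dbx match, 2 on a pe256ssp match, 3 for the Windows 10 version-range filter */` would make that explicit (the `return 1` itself lies between the two hunks, so confirm it). The version is read from the file's own resource data, so this branch is a heuristic rather than an integrity check like the two hash lookups, which is worth stating next to the TODO.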
diff --git a/src/rufus.c b/src/rufus.c
index ef248a72..79ba301d 100755
--- a/src/rufus.c
+++ b/src/rufus.c
@@ -93,7 +93,7 @@ static unsigned int timer;
static char uppercase_select[2][64], uppercase_start[64], uppercase_close[64], uppercase_cancel[64];
extern HANDLE update_check_thread, wim_thread;
-extern BOOL enable_iso, enable_joliet, enable_rockridge, enable_extra_hashes;
+extern BOOL enable_iso, enable_joliet, enable_rockridge, enable_extra_hashes, is_bootloader_revoked;
extern BYTE* fido_script;
extern HWND hFidoDlg;
extern uint8_t* grub2_buf;
@@ -1432,6 +1432,7 @@ static DWORD WINAPI BootCheckThread(LPVOID param)
char tmp[MAX_PATH], tmp2[MAX_PATH], c;
syslinux_ldlinux_len[0] = 0; syslinux_ldlinux_len[1] = 0;
+ is_bootloader_revoked = FALSE;
safe_free(grub2_buf);
if (ComboBox_GetCurSel(hDeviceList) == CB_ERR)
@@ -1631,6 +1632,7 @@ static DWORD WINAPI BootCheckThread(LPVOID param)
}
r = IsBootloaderRevoked(tmp);
if (r > 0) {
+ is_bootloader_revoked = TRUE;
r = MessageBoxExU(hMainDialog, lmprintf(MSG_339,
(r == 1) ? lmprintf(MSG_340) : lmprintf(MSG_341, "Error code: 0xc0000428")),
lmprintf(MSG_338), MB_OKCANCEL | MB_ICONWARNING | MB_IS_RTL, selected_langid);
diff --git a/src/rufus.h b/src/rufus.h
index 4c485b92..012530a6 100644
--- a/src/rufus.h
+++ b/src/rufus.h
@@ -546,6 +546,13 @@ enum WindowsVersion {
WINDOWS_MAX = 0xFFFF,
};
+typedef struct {
+ DWORD Major;
+ DWORD Minor;
+ DWORD Micro;
+ DWORD Nano;
+} version_t;
+
typedef struct {
DWORD Version;
DWORD Major;
@@ -608,6 +615,7 @@ extern char sysnative_dir[MAX_PATH], app_data_dir[MAX_PATH], *image_path, *fido_
* Shared prototypes
*/
extern void GetWindowsVersion(windows_version_t* WindowsVersion);
+extern version_t* GetExecutableVersion(const char* path);
extern const char* WindowsErrorString(void);
extern void DumpBufferHex(void *buf, size_t size);
extern void PrintStatusInfo(BOOL info, BOOL debug, unsigned int duration, int msg_id, ...);
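Review bot: The new `GetExecutableVersion` prototype should state its ownership contract, because the implementation added in stdfn.c returns a pointer to a function-local `static version_t`. Suggested comment above it: `/* Returns a pointer to static storage (do not free, overwritten by the next call, not thread-safe), or NULL on failure */`. The new `version_t` typedef would also benefit from a one-line comment saying that the four fields are the 16-bit words of `dwFileVersionMS`/`dwFileVersionLS`, as the stdfn.c code shows.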
diff --git a/src/rufus.rc b/src/rufus.rc
index 1eb885ff..652ed4eb 100644
--- a/src/rufus.rc
+++ b/src/rufus.rc
@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
IDD_DIALOG DIALOGEX 12, 12, 232, 326
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.2.2071"
+CAPTION "Rufus 4.2.2072"
FONT 9, "Segoe UI Symbol", 400, 0, 0x0
BEGIN
LTEXT "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -392,8 +392,8 @@ END
//
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,2,2071,0
- PRODUCTVERSION 4,2,2071,0
+ FILEVERSION 4,2,2072,0
+ PRODUCTVERSION 4,2,2072,0
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@@ -411,13 +411,13 @@ BEGIN
VALUE "Comments", "https://rufus.ie"
VALUE "CompanyName", "Akeo Consulting"
VALUE "FileDescription", "Rufus"
- VALUE "FileVersion", "4.2.2071"
+ VALUE "FileVersion", "4.2.2072"
VALUE "InternalName", "Rufus"
VALUE "LegalCopyright", "© 2011-2023 Pete Batard (GPL v3)"
VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
VALUE "OriginalFilename", "rufus-4.2.exe"
VALUE "ProductName", "Rufus"
- VALUE "ProductVersion", "4.2.2071"
+ VALUE "ProductVersion", "4.2.2072"
END
END
BLOCK "VarFileInfo"
diff --git a/src/stdfn.c b/src/stdfn.c
index 20fd172f..6d4d148a 100644
--- a/src/stdfn.c
+++ b/src/stdfn.c
@@ -453,6 +453,46 @@ void GetWindowsVersion(windows_version_t* windows_version)
safe_sprintf(vptr, vlen, " (Build %lu)", windows_version->BuildNumber);
}
+/*
+ * Why oh why does Microsoft make it so convoluted to retrieve a measly executable's version number ?
+ */
+version_t* GetExecutableVersion(const char* path)
+{
+ static version_t version, *r = NULL;
+ uint8_t* buf = NULL;
+ UINT uLen;
+ DWORD dwSize, dwHandle;
+ VS_FIXEDFILEINFO* version_info;
+
+ memset(&version, 0, sizeof(version));
+
+ dwSize = GetFileVersionInfoSizeU(path, &dwHandle);
+ if (dwSize == 0)
+ goto out;
+
+ buf = malloc(dwSize);
+ if (buf == NULL)
+ goto out;;
+ if (!GetFileVersionInfoU(path, dwHandle, dwSize, buf))
+ goto out;
+
+ if (!VerQueryValueA(buf, "\\", (LPVOID*)&version_info, &uLen) || uLen == 0)
+ goto out;
+
+ if (version_info->dwSignature != 0xfeef04bd)
+ goto out;
+
+ version.Major = (version_info->dwFileVersionMS >> 16) & 0xffff;
+ version.Minor = (version_info->dwFileVersionMS >> 0) & 0xffff;
+ version.Micro = (version_info->dwFileVersionLS >> 16) & 0xffff;
+ version.Nano = (version_info->dwFileVersionLS >> 0) & 0xffff;
+ r = &version;
+
+out:
+ free(buf);
+ return r;
+}
+
/*
* String array manipulation
*/
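Review bot: `static version_t version, *r = NULL;` makes `r` static as well, so after one successful call it keeps pointing at `version`, and every later failure path (`goto out`) returns a non-NULL pointer to the zeroed struct instead of NULL. Declare them separately, `static version_t version;` and `version_t* r = NULL;`, so the result is reset on each call. The `VerQueryValueA` result is only rejected when `uLen == 0` before `version_info->dwSignature` is read; as the file presumably comes from a user-supplied image, `uLen < sizeof(VS_FIXEDFILEINFO)` is the safer test. Minor: `goto out;;` has a stray semicolon, and `0xfeef04bd` could be spelled `VS_FFI_SIGNATURE`.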
diff --git a/src/wue.c b/src/wue.c
index 62970dfa..5e76609b 100644
--- a/src/wue.c
+++ b/src/wue.c
@@ -44,6 +44,7 @@ const char* bypass_name[] = { "BypassTPMCheck", "BypassSecureBootCheck", "Bypass
int unattend_xml_flags = 0, wintogo_index = -1, wininst_index = 0;
int unattend_xml_mask = UNATTEND_DEFAULT_SELECTION_MASK;
char *unattend_xml_path = NULL, unattend_username[MAX_USERNAME_LENGTH];
+BOOL is_bootloader_revoked = FALSE;
extern uint32_t wim_nb_files, wim_proc_files, wim_extra_files;
@@ -481,7 +482,9 @@ BOOL CopySKUSiPolicy(const char* drive_name)
char src[MAX_PATH], dst[MAX_PATH];
struct __stat64 stat64 = { 0 };
- if ((target_type != TT_UEFI) || !IS_WINDOWS_1X(img_report) || pe256ssp_size == 0)
+ // Only copy SkuPolicy if we warned about the bootloader being revoked.
+ if ((target_type != TT_UEFI) || !IS_WINDOWS_1X(img_report) ||
+ (pe256ssp_size == 0) || !is_bootloader_revoked)
return r;
static_sprintf(src, "%s\\SecureBootUpdates\\SKUSiPolicy.p7b", system_dir);
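Review bot: `CopySKUSiPolicy` now depends on a global that is only written in `BootCheckThread` (rufus.c), so its outcome hinges on that thread having run for the current image. The flag is a plain `BOOL`, which matters if this function runs on a different thread (the caller is not visible here). When `IsBootloaderRevoked` returns -1 the flag stays FALSE and the policy is silently not copied; a log line or a comment saying this is intended would help. The added comment says `SkuPolicy` where the file is `SKUSiPolicy.p7b`; suggest `// Only copy SKUSiPolicy.p7b if BootCheckThread warned that the bootloader is revoked`. The function body continues past the hunk.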