Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement#361
Merged
Flickdm merged 2 commits intomicrosoft:mainfrom Mar 14, 2026
Conversation
…ng, boot.stl, NTFS enforcement - Add Download-Oscdimg function to download oscdimg.exe from the Microsoft public symbol server when not found locally, with architecture detection (AMD64/ARM64/x86) and user confirmation prompt. Previously downloaded copies in %TEMP% are reused automatically. Addresses microsoft#333. - Fix path handling: normalize ISOPath to absolute early via ConvertTo-AbsolutePath to prevent crash when bare filenames are passed. Replace fragile Substring/LastIndexOf with Split-Path in Create-ISOMedia. Replace unsafe Substring(0,1) drive letter extraction with Split-Path -Qualifier in Initialize-StagingDirectory and Validate-Parameters. Add null/empty input guard and use TrimEnd in ConvertTo-AbsolutePath. - Copy boot.stl from boot.wim (Windows\Boot\EFI\boot.stl) to staged media (EFI\Microsoft\Boot\boot.stl) when present and not already at destination. - Require NTFS for StagingDir and NewMediaPath since WIM mounting relies on reparse points not fully supported on ReFS. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Updates the Windows media update PowerShell script to be more robust in real-world usage by improving dependency handling (oscdimg), fixing path normalization edge cases, and ensuring media staging works reliably with newer Windows boot requirements and filesystem constraints.
Changes:
- Add
Download-Oscdimgand prompt-driven fallback to downloadoscdimg.exewhen missing. - Normalize and harden path handling (absolute ISOPath, safer
Split-Pathusage, drive qualifier parsing, null/empty guards). - Enforce NTFS for staging/LOCAL media paths and copy
boot.stlfromboot.wimwhen present.
Comments suppressed due to low confidence (1)
scripts/windows/Make2023BootableMedia.ps1:711
ConvertTo-AbsolutePathtrims trailing backslashes and then returns early for any^[a-zA-Z]:path. This turns a drive root likeC:\intoC:, which in PowerShell is drive-relative (current directory on that drive) and can cause staging/output paths to resolve unexpectedly. Handle drive roots explicitly (e.g., normalize^[A-Za-z]:\\?$toX:\) and avoid returning drive-relative paths likeC:foowithout expanding them to a fully qualified path.
$tmpPath = $Path.TrimEnd('\')
# If a root drive path (C:\), return as-is
if ($tmpPath -match "^[a-zA-Z]:") {
return $tmpPath
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
- Replace Authenticode signature checks with SHA256 hash validation for downloaded and cached oscdimg.exe (binary is not Authenticode-signed on the symbol server). Known hashes defined once in global variable. - Download to temp filename first, validate hash, then move into place to avoid partial/corrupt files at the final path. - Cached copies in %TEMP% are hash-validated before reuse; invalid copies are deleted and the download prompt is shown instead. - Change ADK URLs from http:// to https:// in user-facing messages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Flickdm
approved these changes
Mar 14, 2026
Javagedes
approved these changes
Mar 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add Download-Oscdimg function to download oscdimg.exe from the Microsoft public symbol server when not found locally, with architecture detection (AMD64/ARM64/x86) and user confirmation prompt. Previously downloaded copies in %TEMP% are reused automatically. Addresses [Feature]: Make2023BootableMedia should have an option to download oscdimg if not present #333.
Fix path handling errors found in testing: normalize ISOPath to absolute early via ConvertTo-AbsolutePath to prevent crash when bare filenames are passed. Replace fragile Substring/LastIndexOf with Split-Path in Create-ISOMedia. Replace unsafe Substring(0,1) drive letter extraction with Split-Path -Qualifier in Initialize-StagingDirectory and Validate-Parameters. Add null/empty input guard and use TrimEnd in ConvertTo-AbsolutePath.
Copy boot.stl from boot.wim (Windows\Boot\EFI\boot.stl) to staged media (EFI\Microsoft\Boot\boot.stl) when present and not already at destination. Recent OS servicing introduced a new dependency on boot.stl.
Require NTFS for StagingDir and NewMediaPath since WIM mounting relies on reparse points not fully supported on ReFS.
Impacts functionality?
Impacts security?
Breaking change?
Includes tests?
Includes documentation?
How This Was Tested
Tested on ISO, USB, and LOCAL media creation flows on both X64 and ARM64 systems.
Integration Instructions
N/A