

anyweb

Problems imaging a Surface Go 4 using Configuration Manager


Introduction

I got my hands on a test unit, a Microsoft Surface Go 4, and wanted to see if we could image it via SCCM as we currently are doing for Surface Go 3 models. However, the problems became apparent quickly.

Problem

The problems were lack of storage (no HDD detected) if using a Windows 10 ADK version 2004 that hasn’t been updated with the latest servicing stack and cumulative update to address CVE-2023-24932, or, if using an ADK based on Windows 11, the partitioning step hangs forever, along with the other issues that ADK 11 has (pre-provision BitLocker fails, no VBS support).

So how to fix this? The easiest choice was to grab the driver pack from Microsoft and inject the missing storufs.inf driver into the Windows 10 ADK version 2004 boot wim. So I went down what I thought was the path of least resistance.

Download the drivers (MSI)

You can download the MSI drivers for the Surface Go 4 from here, select the appropriate OS (Windows 10 or Windows 11).

Extracting the drivers

Once you’ve downloaded the MSI, you’ll want to extract the drivers from the pack. To do that, use the command line below: replace the MSI name with the one you want to extract and point TARGETDIR to the exact folder you want the drivers extracted to. Do not have any spaces between TARGETDIR and the = sign.

MSIEXEC /a SurfaceGo4_Win10_19045_23.072.25310.0.msi /qb TARGETDIR=C:\drivers\SG4

But guess what, those UFS storage drivers are not available in the downloadable MSI. You will need to rip the needed drivers from the factory image so keep that in mind before you blow it away. I found the needed files in the following folder on the factory install:

C:\Windows\Inf

The drivers were dated 2023/04/13 on my example unit, and the needed files are:

  • storufs.inf
  • storufs.sys

However even with those files it’s not enough, you cannot import them into the boot.wim image as they are not signed (missing the CAT file). And the necessary CAT file is nowhere to be found in the factory install image.

So we are back to square one. I asked Microsoft to provide me with this signed driver but for some reason was declined. Instead they advised me to patch the boot images.

The solution

To fix this you’ll need to patch your ADK 10 version 2004 boot wim to include the latest SSU and CU updates. In my testing that was the October CU.

Here’s the script used, yes it’s a batch file but it works just fine, there is a PowerShell script available from Microsoft (here) but you’ll need to modify it heavily before starting.

Copy the downloaded CU to the appropriate folder before starting

REM use this to patch ADK 2004 with latest CU/SSU/optional components 
REM to start with, copy the CU to C:\dev\patch_winpe\CU 
REM make sure to REMOVE any pre-existing C:\winpe_amd64 before starting!
REM thanks to Microsoft for the script, modified by Niall Brady, 2023/11/23

REM - > copy a fresh boot.wim without any component (you can use the boot.wim from your Configuration Manager Installation as well to start with) 
REM CLEANUP if needed!

DISM.exe /Unmount-Wim /MountDir:C:\winpe_amd64\mount /discard 
DISM.exe /Cleanup-Wim

call "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\copype.cmd" amd64 c:\winpe_amd64

REM - Create some temp folders... 
MD c:\winpe_amd64\SSU 
MD c:\winpe_amd64\CU 
MD c:\winpe_amd64\temp

REM - > expand SSU 
expand.exe C:\dev\patch_winpe\CU\windows10.0-kb5031356-x64_65d5bbc39ccb461472d9854f1a370fe018b79fcc.msu -f:*ssu*.cab c:\winpe_amd64\SSU

REM - > expand CU 
expand.exe C:\dev\patch_winpe\CU\windows10.0-kb5031356-x64_65d5bbc39ccb461472d9854f1a370fe018b79fcc.msu -f:*Windows*x64.cab c:\winpe_amd64\CU


REM - > mount the boot.wim file for servicing operations 
dism.exe /Mount-Wim /WimFile:C:\winpe_amd64\media\sources\boot.wim /index:1 /MountDir:C:\winpe_amd64\mount

REM - > Apply SSU 
dism.exe /image:C:\winpe_amd64\mount\ /Add-Package /PackagePath:c:\winpe_amd64\SSU\


REM - > adding the core components (bare minimum requirement by Configuration Manager)

REM Scripting (WinPE-WMI) 
dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab" 
dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab"

REM Scripting (WinPE-Scripting) 
dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab" 
dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab"

REM Network (WinPE-WDS-Tools) 
dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WDS-Tools.cab" 
dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-US\WinPE-WDS-Tools_en-us.cab"

REM Startup (WinPE-SecureStartup) 
dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab" 
dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureStartup_en-us.cab"

REM - > adding optional / additional components (do not forget to add them, if needed)


REM HTML (WinPE-HTA) 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-HTA.cab" 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-HTA_en-us.cab"

REM Database (WinPE-MDAC) 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-MDAC.cab" 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-MDAC_en-us.cab"

REM Storage (WinPE-EnhancedStorage) 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-EnhancedStorage.cab" 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-EnhancedStorage_en-us.cab"

REM Microsoft .NET (WinPE-NetFx) 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-NetFx.cab" 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-NetFx_en-us.cab"

REM Windows PowerShell (WinPE-PowerShell) - this requires WinPE-NetFx to be added first 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-PowerShell.cab" 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-PowerShell_en-us.cab"

REM Windows PowerShell (WinPE-DismCmdlets) - this requires WinPE-PowerShell to be added first 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-DismCmdlets.cab" 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-DismCmdlets_en-us.cab"

REM Windows PowerShell (WinPE-StorageWMI) - this requires WinPE-PowerShell to be added first 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-StorageWMI.cab" 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-StorageWMI_en-us.cab"

REM Windows Secure Boot Cmdlets (WinPE-SecureBootCmdlets) - this requires WinPE-PowerShell to be added first 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureBootCmdlets.cab" 
REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureBootCmdlets_en-us.cab"




REM - > Apply CU

dism.exe /image:C:\winpe_amd64\mount\ /Add-Package /PackagePath:c:\winpe_amd64\CU\




REM pause here to add any custom stuff
pause
REM - > final step unmount the boot.wim and commit the changes

dism.exe /unmount-Wim /MountDir:C:\winpe_amd64\mount /commit

After patching the boot.wim, import it back into SCCM, distribute it to your distribution points and attach it to your task sequence.

Note: Keep in mind that you’ll also need the Windows 10/Windows 11 operating system wim file patched to the same CU level, otherwise you’ll get a BSOD after applying the image.

I hope this helps someone

cheers

niall
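
Added example, not part of the original post or of Microsoft's script: a PowerShell pre-flight check for the patching procedure above, which verifies the downloaded update before it is injected into the boot image and then compares the CU level of the boot image and the OS image. It assumes the 40 hex characters at the end of the Update Catalog file name are the file's SHA-1, that both images take the same cumulative update (so their SPBuild values should match), and that `$OsWim` is a hypothetical path.

```powershell
# Added example. Run from an elevated PowerShell prompt (the DISM cmdlets require it).
# $Msu and $BootWim reuse the batch script's paths; $OsWim is a hypothetical placeholder.
$Msu     = 'C:\dev\patch_winpe\CU\windows10.0-kb5031356-x64_65d5bbc39ccb461472d9854f1a370fe018b79fcc.msu'
$BootWim = 'C:\winpe_amd64\media\sources\boot.wim'
$OsWim   = 'D:\Sources\OS\install.wim'   # hypothetical path, adjust to your environment

function Test-MsuIntegrity {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: the 40 hex characters before .msu are the SHA-1 of the file,
    # as in Microsoft Update Catalog download names.
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($name -match '_([0-9a-f]{40})$') { $expected = $Matches[1] }
    else { throw "No SHA-1 suffix in file name: $name" }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hashOk = $actual -eq $expected            # string -eq ignores case
    $sigOk  = $sig.Status -eq 'Valid' -and
              $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
    [pscustomobject]@{
        File = $name; HashMatches = $hashOk; SignatureStatus = $sig.Status
        Signer = $sig.SignerCertificate.Subject; Ok = ($hashOk -and $sigOk)
    }
}

function Get-WimServicingLevel {
    param([Parameter(Mandatory)][string]$ImagePath, [int]$Index = 1)
    # Reads WIM metadata only; the image does not need to be mounted.
    $img = Get-WindowsImage -ImagePath $ImagePath -Index $Index
    [pscustomobject]@{ Image = $ImagePath; Version = $img.Version; SPBuild = $img.SPBuild }
}

# 1. Before running the batch script: refuse to service with an altered package.
$msuCheck = Test-MsuIntegrity -Path $Msu
$msuCheck | Format-List
if (-not $msuCheck.Ok) { throw 'MSU failed hash or signature check; download it again.' }

# 2. After the final /commit: boot image and OS image should report the same
#    update revision (SPBuild) when both were patched with the same CU.
$boot = Get-WimServicingLevel -ImagePath $BootWim
$os   = Get-WimServicingLevel -ImagePath $OsWim
$boot, $os | Format-Table -AutoSize
if ($boot.SPBuild -ne $os.SPBuild) {
    Write-Warning "CU level differs: boot.wim $($boot.Version) vs OS image $($os.Version)"
}
```

A mismatch warning in step 2 is the condition the note above ties to a BSOD after the image is applied; step 2 only gives a meaningful result once the batch script has finished.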


It's easier to use the Windows 11 22H2 ADK/WinPE since Windows 10/11 versions older than 22H2 don't support UFS disks.  This works to image a Surface Go 4 and other UFS devices, without having to add any drivers to Windows PE.  Download and install the Windows ADK | Microsoft Learn.  The newer "ADK 10.1.25398.1" has a known issue with UFS documented on that page, in addition to the known VBS issue you mentioned.  Also, Surface Go 4 is only supported on 22H2 and newer versions of Windows according to this article Surface supported operating systems - Microsoft Support, so I don't think WinPE 2004 is expected to work.

Similar experience on Asus.  They also direct you to 22H2 as the solution, though they do it by telling you to reimage with a fresh image created with the Media Creation Tool or update Windows (so you end up on 22H2/23H2) [Notebook] Troubleshooting - Universal Flash Storage (UFS) Controller Exclamation Mark and Inability to Enter System | Official Support | ASUS USA

 

Edited by user39234234


But if your company uses Windows 10 currently and wants minimal impact to a working ConfigMgr infrastructure, then what? That is the purpose of this blog post.

Surface Go 4 currently supports both Windows 10 22H2 and Windows 11 from Microsoft, so the challenge here was to get it all to work with minimal impact to 'production'.

I did test with Windows 11 ADK and that has its own issues, including the inability to use BitLocker during imaging. See the known issues here https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/configs/support-for-windows-adk


Hello Niall,

thanks for this awesome post!
We thought / hoped that the update would help, as we have the same problem when imaging the Surface Go 4.

We first had the problem of an old version of Windows ADK and PE, so we updated that to the latest 2004er version.
So at the moment we have Windows 10 Version 22H2 with the CU of December, our boot image is also 22H2 with updates of December (we had the BSOD, because I thought it would be smart to directly apply the CU of January, but for Windows it was not yet available so boot.wim and windows.wim were on different levels).

So as far as we know we are at the level where it should work, but I still get the error message from before the ADK update that says, in general, that it does not find the storage.

What else can we do?
We don't want Windows 11 yet (maybe directly jump to Win12 if available).

I'm building a recovery USB for Surface right now to have a look if the signed driver is available by now (I guess not).


Thanks for any help!
Best regards,
Lin


Hi Lin,

Did you run the script I posted to patch your boot.wim exactly as I explained? If so, then storage will not be a problem when PXE booting using that boot image, so I think you've missed something. Please verify the steps I posted above again.


Hi Niall,

Well, I thought I did it correctly as I did it twice (for updates January and December).
I did it now a 3rd time and it is working finally. :)
Might be another problem, but I'm fine now!

Thank you very much and sorry. :(
Have a great weekend,
Lin


I ran the script and created a new boot.wim. Now where do I import that in MDT?

Not sure if I need to replace the boot.wim inside the source folder in the Operating System or somewhere else that I overlooked.
