Hello everybody,

a somewhat strange thing:
I have an image of a 1909 (18363.900) installation which I am restoring to the same device.
More specifically, only the Windows partition, the UEFI partitions (100MB system, 16MB MSR, recovery) come from a 2004 installation.

As soon as the device goes online, it only takes a few minutes until the acpi.sys is deleted, whereupon the system then of course no longer boot.
Furthermore it is also not longer possible to open the mmc (message: "This app has been blocked for your protection").

Conversely (C: from 2004, the rest from 1909 image) this behavior does not occur.

Of course it sounds like nasty malware or even third-party access, but according to Sysinternals Process Monitor, wuauserv (Windows Update) deletes the acpi.sys.
Which does not mean anything, after all, the service could also be misused, but the system appears to be clean.

The Windows eventlog is unremarkable at the time of deletion.
Have already tried a lot, disabled driver updates via WU and/or the device manager, and much more - all without success.
What helps is of course to deactivate the service wuauserv, but of course it is not a solution.

Strange thing... apart from the fact that it makes sense to restore the entire disk anyway, especially with a version step,
(so also to restore the UEFI partitions from the 1909 image), I wonder what the reason for this behavior is.

Has anyone happened to experience something similar or an explanation for it?

Thanks and greetings,
Martin