diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index cc8af28..0f3bde5 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh @@ -219,7 +219,7 @@ fi check_hooks hardening_ssh -#ciss_upgrades +ciss_upgrades lb_config_start if [[ "${VAR_SUITE}" == "bookworm" ]]; then diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot index 0deb97f..d1c69be 100644 --- a/config/hooks/live/0000_basic_chroot_setup.chroot +++ b/config/hooks/live/0000_basic_chroot_setup.chroot @@ -49,6 +49,9 @@ EOF return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f generate_ciss_xdg_profile ####################################### # Generates '/etc/profile.d/ciss-xdg.sh' @@ -124,6 +127,9 @@ EOF return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f generate_ciss_xdg_sh ####################################### # Generates '/root/ciss_xdg_tmp.sh' @@ -181,6 +187,9 @@ EOF return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f generate_ciss_xdg_tmp_sh generate_ciss_xdg_profile generate_ciss_xdg_sh diff --git a/config/package-lists/live.list.amd64.chroot b/config/package-lists/live.list.amd64.chroot index 310e55e..1f8664b 100644 --- a/config/package-lists/live.list.amd64.chroot +++ b/config/package-lists/live.list.amd64.chroot @@ -9,6 +9,8 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu +amd64-microcode grub-efi-amd64-signed +intel-microcode # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh index 015e909..7f6bac0 100644 --- a/lib/lib_lb_config_write_trixie.sh +++ b/lib/lib_lb_config_write_trixie.sh 
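Review bot: In config/hooks/live/0000_basic_chroot_setup.chroot the comment above each new `readonly -f` line (after generate_ciss_xdg_profile, generate_ciss_xdg_sh and generate_ciss_xdg_tmp_sh) documents only half of what the builtin does. It rejects redefinition of the function as well as `unset -f`, and only within the current shell process, so it guards against accidents in the hook rather than acting as a security boundary. I would word it as `### Lock the function: 'readonly -f' rejects both 'unset -f' and redefinition for the rest of this shell.` The `# shellcheck disable=SC2034` directive deserves a short reason on the same line, since SC2034 is the unused-variable check and its link to a function name is not obvious to a reader. The three function bodies start outside these hunks.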
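Review bot: The `amd64-microcode` and `intel-microcode` entries added to config/package-lists/live.list.amd64.chroot come from Debian's non-free-firmware archive area on bookworm and later, so the list only resolves if the build enables that area; the setting is not visible in this diff. It is worth confirming that the `lb config` invocation for each supported suite passes `--archive-areas` including `non-free-firmware`, otherwise package installation in the chroot would presumably fail. A comment above the entries such as `# CPU microcode updates (need the non-free-firmware archive area)` would record the dependency next to the packages.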
@@ -115,10 +115,12 @@ lb_config_write_trixie() { ### https://wiki.debian.org/ReproducibleInstalls/LiveImages ### https://reproducible-builds.org/docs/system-images/ ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes - #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs" - #cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" -#EOF - #chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs" + cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" +root/.wget-hsts +tmp/* +EOF + chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n" diff --git a/scripts/9999-cdi-starter b/scripts/9999-cdi-starter index bd79567..1e3efd7 100644 --- a/scripts/9999-cdi-starter +++ b/scripts/9999-cdi-starter @@ -119,9 +119,12 @@ main() { declare var_log="" var_mode="" var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log" + touch "${var_log}" ### Prepare logging. + install -d -m 0700 /root/.ciss/cdi install -d -m 0700 /root/.ciss/cdi/log + # shellcheck disable=SC2312 exec > >(tee -a "${var_log}") 2>&1
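Review bot: The `tmp/*` pattern written to config/rootfs/excludes in lib/lib_lb_config_write_trixie.sh probably leaves dot-entries under /tmp in the image. As far as I know, mksquashfs matches wildcard excludes with fnmatch-style rules in which `*` does not match a leading dot. If the aim is an empty /tmp in the squashfs, add a second pattern `tmp/.*` and confirm the result with `unsquashfs -l` on a built image. /var/tmp is not covered either, in case the build leaves residue there. lb_config_write_trixie starts and ends outside this hunk.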
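Review bot: In scripts/9999-cdi-starter the added `touch "${var_log}"` runs before the two `install -d` lines, so on a system where /root/.ciss/cdi/log does not exist yet the touch fails and the log file is not pre-created. Move the creation below the directory setup. Because the file receives all stdout and stderr of the starter through `tee`, give it an explicit mode instead of relying on the umask: `install -m 0600 /dev/null "${var_log}"`. main() continues outside this hunk, so whether a failing `touch` aborts the script depends on shell options that are not visible here.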