Ghost Solution Suite

  • Private Community
 View Only

  • 1.  GSS 3.3r12 secure boot not working with my WIN11PE boot disk

    Posted Mar 12, 2025 12:35 PM

    BIOS with secure boot enabled causes disk WIN11PE to crash.

    Symantec_Ghost_Standard_Tools_3_3_12 using bootwiz.exe

    Windows ADK= 10.1.26100.2454

    Windows PE Addons = 10.1.26100.2454

    Using bootwiz.exe.  Created a config called "Win11"
    Selected the Windows PE 11.0 for the preboot operating system, <all> OEM extensions, and click next
    Checked "Autodetect all device drivers" and click next
    Leave DHCP selected and click next
    SELECTED : WMI,WSH,HTA,ADO,WINPE-ENHANCEDSTORAGE,WINPE-DISMCMDLETS,WINPE-SECURESTARTUP,WINPE-STORAGEWMI,WINPE-PLATFORMID,WINPE-SECURBOOTCMDLETS

    Created using  "ISO" and "NETWORK BOOT" then click NEXT

    Question 1:  Was there an option somewhere I forgot to check?

    Question 2:  Does secure boot work on an older ADK or maybe Windows PE 10.0 for the preboot operating system?



  • 2.  RE: GSS 3.3r12 secure boot not working with my WIN11PE boot disk

    Broadcom Employee
    Posted Mar 13, 2025 10:11 AM

    Hello Real

    First thing is if this is older hardware does it support windows 11 if it does not then chances are that winpe11 will not work. 

    If it does support windows 11 verify the order of which the winpe options were installed. This microsoft document show the dependencies of which the options should be installed: https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference?view=windows-11. Use the up\down toggles in the options window to install the dependcies first. The order of install is dependencies should be at the top.

    There is a method to see if the otions are being install in the correct order and that is with logging: here is a document to enable bootwiz logging: https://knowledge.broadcom.com/external/article/178699/how-to-enable-bootwiz-logging-for-ghost.html

    Look for errors in the log file.

    I always go back to the basics with winpe and use the default options then build the winpe envirionment. Also, as a test,  turn off secure boot in the bios and see if it boots into winpe. 

    If you still are unable to get the winpe to run on the system please open a case with support to look into the issue further



    ------------------------------
    Scott Andreas
    Broadcom Technical Supprt
    GSS\DS\ITMS
    ------------------------------

    Original Message


  • 3.  RE: GSS 3.3r12 secure boot not working with my WIN11PE boot disk

    Posted Mar 21, 2025 08:49 AM

    I got secure boot working fine with WIN10PE instead for now using these steps:

    Download the "Windows ADK for Windows 10", version 2004 and "Windows PE add-on for the ADK, version 2004"
       -https://go.microsoft.com/fwlink/?linkid=2120254
       -https://go.microsoft.com/fwlink/?linkid=2120253
    Note: ADK 10.1.25398.1 (Republished in January 2025) did not work with secure boot and I will retest later.
    Run each setup and select the "download" option
    Copy %userprofile%\Downloads\Windows Kits\10\*.* to USB
    Go to your offline Windows 10 Machine
    Uninstall Trellix Antivirus to be safe  (Or disable)
    Disable UAC
    Browse to you USB
    Install ADK\adksetup.exe
    Leave default options and install it (You could uncheck everything except "Deployment Tools")
    Install adkwinpeaddons\adkwinpesetup.exe and hit next until done.
    Install "Symantec_Ghost_Standard_Tools_3_3_12.exe"
    Run C:\Program Files (x86)\Symantec\Ghost\bootwiz\bootwiz.exe
    Select WinPE 10.0 x64 and use the preinstalled ADK option  (Press ctrl+o if needed to open preboot os files popup)
    Select WinPE 10.0 x32 and use the preinstalled ADK option  (Press ctrl+o if needed to open preboot os files popup)
    Create "C:\Program Files (x86)\Symantec\Ghost\bootwiz\Platforms\Winpe10\x64\Drivers\custom\drivers" folder
    Copy custom drivers subfolders if you have any previous ones to "C:\Program Files (x86)\Symantec\Ghost\bootwiz\Platforms\Winpe10\x64\Drivers\custom\drivers"
    Example: "C:\Program Files (x86)\Symantec\Ghost\bootwiz\Platforms\Winpe10\x64\Drivers\custom\drivers\VMXNET3"
    Create a config called "Win10"
    Select the Windows PE 10.0 for the preboot operating system (Default if no others loaded), <all> OEM extensions, and click next
    Check "Autodetect all device drivers" and click next
    Leave DHCP selected and click next
    SELECT: 
    WMI,WINPE-NETFX,WSH,HTA,ADO,WINPE-SECURESTARTUP,WINPE-ENHANCEDSTORAGE,WINPE-DISMCMDLETS,WINPE-PLATFORMID,WINPE-POWERSHELL,WINPE-SECURBOOTCMDLETS,WINPE-STORAGEWMI
    Use arrows to match order above
    then click next.
    Click next on the details screen 
    Click complete and WAIT for it to create the folders in GUI
    Under the "Win10" config
    Right-click on "WIN10" config and "Create Boot Disk"
    Select "ISO" , "NETWORK BOOT" , and  "x64" then click NEXT
    Example Boot Disk final output:
        Path: C:\Program Files (x86)\Symantec\Ghost\bootwiz\iso-imgs\WinPE 10.0\x64\Win10.iso
        Pre-boot OS: WinPE 10.0
        Processor: x64
        Media: iso
        Task: network

    Original Message


  • 4.  RE: GSS 3.3r12 secure boot not working with my WIN11PE boot disk

    Posted Feb 09, 2026 12:59 PM

    Well I was hoping GSS 3.3 r13 would be better at making secure boot win11pe iso or pxe disks...Sadly it is not:

    Can someone provide a PROVEN way to make a secure boot compatible iso?

    ADK Version?  Packages to add in correct order?  I have tested with VMs, old hardware, and new hardware.

    Please help!

    -------------------------------------------

    Original Message


  • 5.  RE: GSS 3.3r12 secure boot not working with my WIN11PE boot disk

    Posted Feb 12, 2026 04:27 PM

    Issue is solved:

    Most reliable for Secure Boot with GSS 3.3.x

    Windows 11 ADK 10.1.22621.5337 (Win11 22H2, republished May 2025) + matching WinPE add‑on. This is the newest Win11 ADK broadly known to work with GSS 3.3

    -------------------------------------------

    Original Message


  • 6.  RE: GSS 3.3r12 secure boot not working with my WIN11PE boot disk

    Posted Mar 04, 2026 04:19 PM

    The bootx64.efi in the PXE image made using the Windows 11 ADK 10.1.26100.2454 and PE Addons is signed with the Windows UEFI CA 2023. I learned this while preparing for the Windows Secure Boot certificate expiration and CA updates in June 2026.

    On computers that trust the Windows UEFI CA 2023 trust chain, you can now boot with Secure Boot enabled. I would try updating your firmware and testing what is the oldest model you have that supports CA 2023.

    -------------------------------------------

    Original Message


  • 7.  RE: GSS 3.3r12 secure boot not working with my WIN11PE boot disk

    Posted Mar 04, 2026 04:20 PM

    Update your system's firmware. In preparation for the Windows UEFI CA 2023 enforcement (June 2026), I noticed that the manually updated test systems would now PXE boot into Ghost using an image created with the Windows 11 ADK 10.1.26100.2454 (December 2024). There was a break in this functionality about 2-3 years ago. At the time we had to disable Secure Boot to PXE boot.

    The computers that support the Windows UEFI CA 2023 trust chain will PXE boot with Secure Boot on now. I then checked the PXE image's bootx64.efi and it was signed using the Windows UEFI CA 2023 certificate.

    This also works on older Windows 11 supporting systems that support the UEFI CA 2023 in their Active DB but will not get OEM firmware updates to their dbdefault.

    -------------------------------------------

    Original Message


  • 8.  RE: GSS 3.3r12 secure boot not working with my WIN11PE boot disk

    Posted 21 days ago
    Edited by RealGenius 21 days ago

    I will have to try that one.

    -------------------------------------------

    Original Message


  • 9.  RE: GSS 3.3r12 secure boot not working with my WIN11PE boot disk

    Posted 21 days ago

    Nevermind, we tested  10.1.26100.2454 without success.  I am sticking with ADK 10.1.22621.5337.  Another odd thing was we had to use SQL Server Express 2022 x64 (SQLEXPRADV_x64_ENU 2022.160.1000.6

    -------------------------------------------

    Original Message