CA Client Automation

Request for a digitally signed "boothd" file to support UEFI Secure Boot

  • 1.  Request for a digitally signed "boothd" file to support UEFI Secure Boot

    Posted Sep 26, 2025 05:47 AM

    Request for a digitally signed "boothd" file to support UEFI Secure Boot
    So we need a full new Boot Loader Program to support UEFI Secure Boot.
    https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11

    Issue
    ======
    Secure Boot is activated in the UEFI BIOS. The boot sequence is PXE, Windows Bootloader, etc.
    During the boot process, contact is established with the boot server and the "boothd" file is downloaded via TFTP.
    Before it is executed, the firmware apparently now checks whether it is digitally signed.
    However, the file does not have a digital signature.
    The following error message appears on the screen: "Secure Boot Violation - Invalid signature detected".

    Workaround
    ===========
    - On Boot Servers, rename the file 
    <Install DIR>\CA\DSM\Server\SDBS\var\managedpc\images\dosboot\BOOTHD
    to
    <Install DIR>\CA\DSM\Server\SDBS\var\managedpc\images\dosboot\BOOTHD.OLD

    - This causes the following problem, as reported by the customer:
    >>>
    This basically avoids the problem.
    However, an extremely unpleasant side effect occurs on systems with several network cards.
    Since the PXE client can no longer download the file because it is no longer present on the boot server,
    all network cards are scanned, which significantly increases the system reboot time.
    >>>

    To address this side effect, change the following setting in the configuration policy applied to the Boot Servers (DOMAIN and remote Boot Servers):

    DSM/Scalability Server/OSIM/ManagedPC/Server/Time to wait for discovery answer = 3

    The delay will be reduced from 10 to 3 seconds.



    -------------------------------------------
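An added check, not part of the original post or of the CA Client Automation product, for the signature question the post raises. UEFI Secure Boot firmware only accepts a network-booted image if it is a PE/COFF executable whose Authenticode signature (the security data directory) chains to a certificate in the firmware's db; a file that is not a PE image at all cannot carry such a signature and will be rejected exactly as described. The post does not state what format BOOTHD is, so the script only reports which of the three cases a given file falls into: not a PE image, a PE image with no signature table, or a PE image with a signature table attached (whether that signature is trusted is a separate check). The sample inputs at the bottom are constructed header fragments for demonstration, not real boot images.

```python
"""Classify a PXE-served boot file the way UEFI Secure Boot firmware would see it.

Added example (not CA Client Automation code). Only a PE/COFF image with an
Authenticode table can possibly pass the firmware's db check; anything else is
rejected with a signature violation.
"""
import struct
import sys
from pathlib import Path

PE_SIGNATURE = b"PE\0\0"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode data directory
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def classify_boot_image(data: bytes) -> str:
    """Return 'not-pe', 'unsigned-pe' or 'signed-pe'.

    'signed-pe' only means a WIN_CERTIFICATE table is attached; it says nothing
    about whether the certificate chains to a key the firmware trusts.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "not-pe"
    coff = e_lfanew + 4                       # COFF file header (20 bytes)
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # optional header
    if size_opt < 2 or opt + size_opt > len(data):
        return "not-pe"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_dirs_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off, dd_off = opt + 108, opt + 112
    else:
        return "not-pe"
    if num_dirs_off + 4 > opt + size_opt:
        return "unsigned-pe"
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_opt:
        return "unsigned-pe"              # header too short to hold the entry
    # For the security directory the first field is a raw file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", data, entry)
    if sec_off == 0 or sec_size < 8 or sec_off + sec_size > len(data):
        return "unsigned-pe"
    return "signed-pe"


def classify_file(path: str) -> str:
    """Read a file from disk and classify it."""
    return classify_boot_image(Path(path).read_bytes())


def build_minimal_pe(with_cert: bool) -> bytes:
    """Constructed PE32+ header (not a loadable image) used as sample input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_dirs = 16
    size_opt = 112 + 8 * num_dirs
    # Machine=x64, 0 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_opt, 0x0022)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, num_dirs)
    header_len = len(dos) + 4 + len(coff) + size_opt
    cert = b""
    if with_cert:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7),
        # followed by a constructed placeholder instead of a real signature blob.
        body = b"\x30\x00"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return dos + PE_SIGNATURE + coff + bytes(opt) + cert


# Constructed stand-in for a legacy DOS boot-sector style image: no MZ header at all.
DOS_BOOT_SECTOR = b"\xEB\x3C\x90" + b"\0" * 507 + b"\x55\xAA"


if __name__ == "__main__":
    for p in sys.argv[1:] or []:
        print(p, classify_file(p))
    if not sys.argv[1:]:
        print("constructed dos image:", classify_boot_image(DOS_BOOT_SECTOR))
        print("constructed unsigned pe:", classify_boot_image(build_minimal_pe(False)))
        print("constructed signed pe:", classify_boot_image(build_minimal_pe(True)))
```

Run it against the file under `<Install DIR>\CA\DSM\Server\SDBS\var\managedpc\images\dosboot\BOOTHD` on a boot server: a result of `not-pe` means renaming or replacing the file is the only option, since there is nothing the firmware could verify; `unsigned-pe` means a signed build from the vendor is what is needed; `signed-pe` means the question moves to whether the signer is present in the client firmware's db.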