Ghost Solution Suite

BSOD on images delivered using WinPE via PXE/iPXE with SecureBoot enabled

JOHN FRY posted Feb 18, 2022 03:42 AM

NOTE: Thread changed to reflect recent findings (26/04/2022)....

Hi,

We are trying to deploy our Windows 10 21H2 images to our machines via PXE/iPXE using WinPE, but whenever we have SecureBoot enabled in the BIOS we get a BSOD, as per the images below.

I raised a case with Broadcom support, who replied with the following, which has left more questions than answers:

BROADCOM "Might it be related to Secure Boot being enabled?
We assume same client machine being tested, and so when this client loading TFTP PXE boot with same Secure Boot or/and TPT settings?
The error 0xc000000f is related directly with the Boot Manager values, and maybe Winpe files sent through iPXE are not "signed" properly?"

I then found the following online: https://ipxe.org/appnote/etoken

which states: "UEFI Secure Boot requires UEFI binaries to be signed by Microsoft. This page documents the work in progress to obtain signed versions of iPXE and wimboot."

I've also found the following article from Broadcom, which flips between supported / not supported / turn it off, etc! https://knowledge.broadcom.com/external/article/163312/ghost-solution-suite-support-for-secure.html

[Screenshots attached: ipxe_failing_007.PNG, ipxe_failing_008.PNG]

As you can see from the reply below from Cody Dirrigle, he has managed to get this working, so I have no idea what we're doing wrong?! Unfortunately, the information from Broadcom on this topic is pretty much non-existent.

In the hope that someone can help us, here's a run-down of our build process:

INSTALL COMPONENTS

  1. Gather components:

     1. Component: 64-bit International English ISO image for the Installer for the OS you are installing
        Download location: Microsoft Partner site
        Latest URL: https://partner.microsoft.com/en-us/dashboard/mpn/membership/benefits/software
        Notes: Make sure it's x64 and International English.

     2. Component: Windows Assessment and Deployment Kit (Windows ADK)
        Download location: Microsoft website
        Latest URL: https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install
        Notes: Read the info on the website, as it's critical to a successful deployment to get the correct version of the ADK that matches the OS version you are deploying.

     3. Component: Windows PE add-on for the ADK
        Download location: Microsoft website
        Latest URL: https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install
        Notes: Must match the ADK version.

     4. Component: Latest GSS (Ghost Solution Suite) Release Update (GSS RU) that supports the OS you are deploying.
        Download location: Broadcom download
        Latest URL: https://support.broadcom.com/
        Notes: There are a few streams of GSS. We are currently using GSS 3.3. Also, you will need the Ghost Solution Suite / not tools.

     5. Component: Preferably a running copy of the latest version of VMware Workstation Pro
        Download location: VMware download centre
        Latest URL: https://www.vmware.com/uk.html
        Notes: Must be the latest version, to support the OS you are deploying. License key is available from the My VMware site.

  2. Extract the latest Windows Operating System ISO to a server share *We are on Windows 10 21H2 64-bit OS.
  3. Uninstall old ADK and WinPE ADK from the GSS Server
  4. Install the new matching ADK and WinPE ADK on the GSS Server *We are using Windows ADK and WinPE add-on for ADK version 0, 10.0.22000.1
  5. Install ADK deployment tools on a VMware guest running the same OS you are going to deploy **We are using Windows ADK version 0, 10.0.22000.1
  6. Update GSS to support the OS you are going to deploy, ensuring you install / update iPXE
  7. Update remote iPXE servers
  8. In GSS, build the Boot Disk Image, for example:

Windows PE 11.0 10.0.22000.1
Map M: to \\servername\express
Map G: to \\distributionpoint\images

Operating system: WinPE 11.0
OEM extension: <all>
File server type: Microsoft Windows
Transport: TCP/IP
Screenlock: Disabled
Firewall: Disabled
Compression: Compressed
Installed packages:
  ADO=True
  HTA=True
  WINPE-ENHANCEDSTORAGE=True
  WMI=Required
  WSH=True
IP address: Use DHCP
Network adapter: Autodetect
Workgroup: DOMAINNAMEGOESHERE
User: USERNAMEGOESHERE
Drive mappings:
  G: \\distributionpint\images
  M: \\servername\eXpress
Command line: "-pxe" "WinPE11_PXE" "-nonetboot" "-os" "winpe" "-bdc" "BDC\MenuOption131.bdc" "-rootpath" "\\servername\eXpress\PXE\MasterImages\MenuOption131.tmp" "-x86" "X86PC" "-x64" "X64"

PREP

  9. Logon to the VMware Guest OS, open Windows System Image Manager and select the install.wim from step 2 above
  10. In WSIM, choose the OS you want to deploy and create the catalog file
  11. Copy the catalog file to the extracted files from step 2
  12. Still in WSIM, create an XML answer file for a scripted OS installation
  13. Then create an XML answer file for an imaged OS installation
  14. Copy these XML answer files to the express\deploy share on the GSS server

PUTTING IT TOGETHER

Scripted OS Installation

  15. In GSS, create a "Scripted OS install" using the extracted image from step 2 above and the scripted OS install XML file from step 12 above.
  16. Push the scripted OS install to the target machine
  17. Make changes to the machine and run 'Sysprep OOBE, Generalize, Shutdown' for imaging

Capture and Clean

  18. Capture the image using GSS
  19. Clean the image using Image Explorer (pagefile etc.)

Create Image Job

  20. Create a new Distribute Image Task
    1. Point to the newly captured .gho files from above
    2. Use the Sysprep / Image answer file from step 13 above
    3. Set additional parameters: -CLONE,MODE=RESTORE,SRC=%IMAGE_FILENAME%,DST=1 -sure
    4. Set pre-boot to iPXE

Deploy Image Job (generally to Lenovo X1 Carbon Gen7/8/9 laptops)

  21. Deploy image to a machine with the latest BIOS update, and SecureBoot enabled = Blue Screen 0xc000000f
  22. Deploy image to the same machine with the latest BIOS update, and SecureBoot disabled = Build deploys successfully

Many thanks!
John
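The Broadcom reply above raises the question of whether the files iPXE hands to the firmware are signed at all. The script below is an added example for checking that from the server side; it is not part of this thread, GSS or iPXE, and the file paths are placeholders you would replace with the binaries your PXE/iPXE server actually serves (the UEFI iPXE binary, wimboot if used, and the Boot Manager from the WinPE media). It reports the Authenticode status and signer of each PE file, which is the first thing to look at when a Secure Boot machine stops at 0xc000000f.

```powershell
# Added example, not from the thread or GSS. Reports the Authenticode signature state
# of the boot-chain binaries a Secure Boot firmware will be asked to load.
# All paths are placeholders (assumption): substitute the files your iPXE server serves.
$bootFiles = @(
    'C:\PLACEHOLDER\tftp\ipxe.efi',      # UEFI iPXE binary handed out by the PXE server
    'C:\PLACEHOLDER\tftp\wimboot',       # wimboot loader, if your boot script uses it
    'C:\PLACEHOLDER\winpe\bootmgfw.efi'  # Windows Boot Manager from the WinPE media
)

function Get-BootFileSignatureReport {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ File = $p; Status = 'Missing'; Signer = $null; MicrosoftSigned = $false }
            continue
        }
        # Get-AuthenticodeSignature validates the embedded PE signature (works on .efi files too)
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{
            File   = $p
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer = $signer
            # Heuristic only: Secure Boot trusts binaries chaining to a certificate in the
            # firmware 'db', which on most OEM machines means the Microsoft UEFI CA. A valid
            # signature from any other publisher still fails unless that CA was enrolled.
            MicrosoftSigned = ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')
        }
    }
}

Get-BootFileSignatureReport -Path $bootFiles | Format-Table -AutoSize
```

An unsigned ipxe.efi or wimboot (the situation the ipxe.org appnote linked above describes) shows up here as NotSigned, while the Microsoft-signed bootmgfw.efi from the ADK media shows Valid; the MicrosoftSigned column is a rough indicator, not a substitute for checking what your firmware's db actually contains.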
JOHN FRY (Best Answer)

We've managed to get to the bottom of this. I hope this post helps others...

For the Lenovo devices: X1, X270, X280 etc, we had to:

1. Go into the BIOS settings
2. Within the BIOS, choose Secure Boot settings
3. Within the Secure Boot settings, choose "Reset to Setup Mode"

NB: This puts the Platform mode into "Setup Mode" and the Secure Boot Mode into "Custom Mode"

4. At this point deploy the image via iPXE with WinPE boot (this time, no BSOD was experienced). 

5. After the OS was deployed, go back to the Secure Boot settings in the BIOS and choose "Restore Factory Keys".

NB: This puts the Platform mode into "User Mode" and the Secure Boot Mode into "Standard Mode". 

6. Boot into the OS, open 'System Information' app, and confirm Secure Boot State = On
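Step 6 above checks the end state through the System Information GUI. The script below is an added example (not from this thread or Lenovo/Broadcom) that performs the same confirmation from an elevated PowerShell prompt on the deployed machine, and additionally reads the UEFI SetupMode and PK variables so you can tell that "Restore Factory Keys" really returned the platform to User Mode rather than leaving it in the Setup Mode used during deployment. It uses the SecureBoot module cmdlets that ship with Windows; the function name is my own.

```powershell
# Added example, not from the thread. Confirms the firmware is enforcing Secure Boot
# and is back in User Mode with a Platform Key after "Restore Factory Keys".
# Requires an elevated prompt on a UEFI-booted machine (SecureBoot module, built in).
function Get-SecureBootState {
    $state = [ordered]@{ SecureBootEnabled = $null; SetupMode = $null; PlatformKeyPresent = $null }

    try {
        # Same fact msinfo32 shows as "Secure Boot State"
        $state.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Thrown on legacy BIOS boot or on platforms without Secure Boot support
        $state.SecureBootEnabled = $false
    }

    try {
        # UEFI 'SetupMode' variable: first byte 1 = Setup Mode, 0 = User Mode
        $state.SetupMode = ((Get-SecureBootUEFI -Name SetupMode).Bytes[0] -eq 1)
    } catch {
        $state.SetupMode = $null
    }

    try {
        # A Platform Key exists only in User Mode; "Reset to Setup Mode" clears it
        $state.PlatformKeyPresent = ((Get-SecureBootUEFI -Name PK).Bytes.Length -gt 0)
    } catch {
        $state.PlatformKeyPresent = $false
    }

    [pscustomobject]$state
}

$s = Get-SecureBootState
$s | Format-List

if ($s.SecureBootEnabled -and ($s.SetupMode -eq $false) -and $s.PlatformKeyPresent) {
    'OK: Secure Boot enforcing, platform in User Mode with a Platform Key'
} else {
    'CHECK: Secure Boot not enforcing, or platform still in Setup Mode (step 5 not applied?)'
}
```

Reading SetupMode and PK directly matters because the GUI only reports the enforcement flag; a machine left in Setup Mode after deployment would accept any boot binary, so the expected result after step 5 is SecureBootEnabled True, SetupMode False and PlatformKeyPresent True.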

Cody Dirrigle
Is this a new requirement? We have been doing iPXE with UEFI/Secure Boot for 2 years now and no issues

JOHN FRY
Are you using WinPE with iPXE?

Cody Dirrigle
Yes