Windows 7 Deployment via PXE to an UEFI + secure boot enabled Lenovo system.

Hi Everyone,
I was wondering if the above was possible? I have not yet put much energy into this UEFI and secure boot thingy, so I just told our supporters to change BIOS settings back to Legacy with secure boot disabled on the pre-Windows 8 delivered Lenovo systems.
Deployment system :
SCCM 2012 SP1 is running on a Windows Server 2008R2
Regards
Anders Jensen

Thx

Similar Messages

  • UEFI - Secure Boot & System partition

    What is the role of the System partition in Windows 8.1 & 7 for configuring UEFI & secure boot? Is it possible to deploy an OS using SCCM OSD configured without a System partition and configure UEFI & secure boot?
    Thanks in advance. 

    Any idea if UEFI is compatible with SATA or SCSI drives? Is it compatible with SSD?
    Thanks,
    Jijukar 
    my box has UEFI and it support secure boot, and it only has SATA
    so in short, yes it will work fine
    SSD and hard disks are both fine
    secure boot works best with a trusted platform module if available

  • [Request] UEFI Secure boot Bios for: GTX660

    My old motherboard died so I have replaced my computer. I now have:
    4690K
    32gig ram
    Asus Maximus hero Vii mobo.
    All set to using secure boot / UEFI.
    Have installed Windows on a fresh GPT partition with secure boot and I'm currently using the on-chip HD4600 graphics.
    My GTX660 is sat beside me on the desk. (It's *waving*, currently feeling neglected)
    I'm unable to boot to Win 8.1 with the card plugged in as the computer complains about a non-UEFI device.
    Info from GFX card box:
    912-V287-001
    N660 TF 2GD5/OC
    PCI - E,N660,2G,GDDR5,Twin Frozr,OC,
    DL - DVI - I,DL - DVI - D,HDMI,DP,
    Power Cable,SLI
    S/N:602 - V287 - 04SB120902****
    I do not know the current BIOS on the card.
    1) As I'm currently unable to boot to Windows with the card installed, can the entire flash procedure be done from a DOS enviro?
    techpowerup.com/downloads/2257/nvflash-5-136 - I think it can.
    2) Can someone provide me with a suitable BIOS file please?
    3) Once I perform this flash will I be able to use this GTX660 in an old non-UEFI system? (I plan to sell this card on, and get a MSI GTX970 next paycheck)

    Use the attached.
    Decompress the provided .rar archive with Winrar: http://www.rarlab.com/download.htm
    Then flash the included file with Nvflash for dos: http://www.guru3d.com/files_details/nvflash_download.html
    To do so rename the included file to .rom and create a dos bootstick (https://forum-en.msi.com/index.php?topic=165175.0)
    Put nvflash and the vbios file on it and boot from the stick. Then type nvflash -4 -5 -6 gop.rom (if renamed vbios that way) and hit enter. Confirm the questions and let the tool flash.
    Quote from: farrantcj on 06-June-15, 15:52:09
    3) Once I perform this flash will I be able to use this GTX660 in an old non-UEFI system? (I plan to sell this card on, and get a MSI GTX970 next paycheck)
    Old boards with a legacy bios will have no problem as the vbios is hybrid and can work in UEFI and legacy mode. Only older boards with a UEFI bios that is not GOP compliant might run into issues.

  • MJG's signed Shim for UEFI Secure Boot now available

    There have been a number of posts about EFI and Secure Boot recently, so I thought some people might be interested in this:
    http://mjg59.dreamwidth.org/20303.html
    That's Matthew Garrett's announcement of a signed binary version of his Shim boot loader. Basically, this program will boot on a computer with Secure Boot active in its default mode (with Microsoft's keys in the firmware) and then launch another boot loader (called grubx64.efi, although it could be something other than GRUB in that filename) that you sign with your keys. The end result is something that's more secure than disabling Secure Boot entirely and easier than installing your own Secure Boot keys. I haven't yet tried this version of the binary, so I can't provide help beyond pointing you to MJG's own blog, but I thought some people might want to know about it.
    FWIW, although you could sign and launch my rEFInd boot manager with this version of Shim, the current version (0.4.7) won't be very useful when signed in this way, since it doesn't yet "talk" to Shim. I'm working on changing that, so that rEFInd will launch binaries signed in a way that Shim supports.

    kristof wrote: A signed bootloader is nice, but unless the Arch developers start distributing a version of the kernel that's also signed with a MOK, secure boot isn't being fully utilized.
    Largely true, but:
    Secure Boot is here, and seems likely to stay. Given this fact, all Linux distributions (including Arch) need a way to cope with it. There are basically two choices: Provide instructions on how to deal with it (difficult because of system-to-system differences) or provide signed binaries (a boot loader at a minimum, or preferably a boot loader and kernel).
    It's possible to "provide" a signed binary by generating the key locally and signing it locally. This could be done by scripts in the installation process, for example. Of course, that still leaves a need to get the installer booted on a Secure Boot system, but that could be handled with the Linux Foundation's pre-bootloader.
    To be truly effective, Secure Boot really requires support all the way up the software chain. Signing a kernel does no good if the kernel can load unsigned modules, for instance. Fedora's taking steps to provide such security, but Ubuntu seems to be going with a more relaxed approach. In truth, Linux isn't as bothered by malware as is Linux, so it's unclear that going with a Fedora-esque approach is really helpful; but OTOH, it's conceivable that malware authors will start using Linux as a vector to install boot-time malware if Windows becomes sufficiently locked down, so maybe some paranoia is in order.
    At the moment and as a practical matter, technical Linux users (including most Arch users) will find it quicker and easier to disable Secure Boot than to use shim. As shim and various support tools (signing utilities, boot managers, etc.) mature, though, this may not be the case. It may also be desirable or even necessary to leave Secure Boot enabled, in which case adopting shim now may make sense. Likewise if you want to learn about it now so that you can use it in the future.

  • Problems with *.zmg Image deploy via PXE

    Hi all,
    I am currently faced with the following problem unfortunately:
    We use ZCM pre boot (pxe) to image our clients with a windows7.zmg image which was configured with sysprep.
    The image is created on a PC, which has a 300GB HDD. The windows partition is over the total size of the hdd.
    This imaging process on a new pc is as following script shows:
    Code:
    # Delete + MBR partition table
    dd if=/dev/zero of=/dev/sda bs=512 count=1
    # partition
    fdisk /dev/sda << EOF
    w
    EOF
    # imaging
    img rp server IP path/to/image.zmg
    This works quite well so far, with the only problem, that the partition on the new PC has the maximum of 300 GB. So if I image this image on a pc, which hdd has 500 GB, 200 GB will remain unpartitioned.
    I have redesigned the imaging now follows:
    Code:
    # imaging
    img pc1 NTFS
    img rp server IP path/to/image.zmg a1: p1
    img pa1
    Now the entire HDD is used for the partition, but after the imaging the PC doesn't boot, and stops with a black screen and a blinking cursor.
    I am typing this on a problem with the MBR, but do not know how to fix it :(
    I have to modify the imaging process so that I can use the image on every HDD size, with the result that the max partition size is always used.

    Hi all, I am having an issue where I found out that an Imaging Script cannot be used to multicast, so I am running into a problem now. If I push out an image via a ZCM script bundle it works fine with your suggestions, but I cannot seem to figure out why the image wipes out all the hard drives in the systems during a multicast image set or a single image load via PXE boot.
    First problem:
    If I push out an image via a ZENworks Image preboot bundle (file set is set to 1), it wipes out all the hard drives in the system (two hard drives, disk 0 and disk 1). I can certainly fix the disk resizing issue by adding a script to the unattended file after the image is loaded to resize the disk automatically using diskpart commands, which works fine.
    Second problem:
    Here is what I did:
    1. Created a multicast Image Set
    2. Number of clients needed set to 1
    3. Time out in five minutes
    It does not load the image and waits for the session to start.
    How can I automate this via ZCM to make sure that on PXE boot both PCs receive the image as scheduled in ZCM?
    Please assist.
    thank you.

  • Am currently running Windows 7 (under VMWare Fusion 5.x) on a Macbook Pro. When running Windows 8 Upgrade ***'t, I get a Secure Boot compatibility notification

    The Microsoft Upgrade Assistant identifies several issues related to compatibility of my system with a Windows 8 upgrade which I'm considering on my Macbook Pro (which is running OS X 10.8.2).  The message indicates that there is a firmware incompatibility with Microsoft's recently introduced Secure Boot.  Is there a resolution on the Apple side?  If there is not and none can be expected, does this rule out installation of Windows 8 altogether on my system?

    Given that what the MUA is seeing is a virtual computer created by the Fusion environment, the problem lies more in VMWare's realm, rather than Apple's. Which would be the case if you were running on BootCamp instead.
    Am running Fusion 4 and haven't upgraded (long story), so I have no knowledge if the latest update to Fusion 5 already incorporates the Windows 8 profile when creating, updating or running a VM, so as to satisfy MS's paranoid requirements. So, assuming you are running Fusion 5, maybe checking in VMWare's forums may yield more up to date info.
    OTOH, given that MS is betting the whole farm on Win8, it would not surprise me in the least if they shut down virtualization support in all but a special, more expensive, Win8Virtual edition.......
    Edit: BTW, the latest Oracle VirtualBox does incorporate Win8 profiles in both 32 and 64 bit versions, so it would not surprise me if the latest Fusion 5 did as well.

  • UEFI secure boot

    To my great surprise, I have just noticed that Ubuntu uses a Microsoft-signed version of grub that accepts to boot an unsigned kernel. https://wiki.ubuntu.com/SecurityTeam/SecureBoot. An attacker can easily use the Ubuntu signed version of grub together with an unsigned kernel to do all the evil things he wants. I don't understand how this has been accepted.
    Moreover it seems that secure boot has already been hacked: http://securityaffairs.co/wordpress/254 … -uefi.html .
    Was security the real purpose of secure boot? I can't think so.
    Last edited by olive (2014-10-09 08:15:28)

    olive wrote: An attacker can easily use the Ubuntu signed version of grub together with an unsigned kernel to do all the evil things he wants.
    I always thought that this can be avoided by locking the boot entries and boot order in the UEFI/BIOS settings, and configuring an administrator password in the UEFI/BIOS that protects these settings.
    Even on a computer that does not use SecureBoot setting an administrator password for the UEFI/BIOS is a good idea to keep others from changing the settings.
    The fact that a lot of SecureBoot systems are vulnerable is no surprise to me given the large amount of bugs showing up in the UEFI firmwares. The UEFI bugs can be found in numerous threads on the forums.

  • Windows Deployment Services PXE Installation of Windows 10 Preview and Server vNext Technical Preview Failed

    The automated answer file associated with Windows 10 Enterprise Technical Preview x64 (9481) and the Windows Server Technical Preview x64 (9841) seem to be incompatible. No problem adding both wim files to WDS, this completes without issue.
    When trying to install both the Server vNext Technical Preview and Windows 10 Enterprise Technical Preview via Network Installation (PXE), both encounter errors. The Server PXE installation won't even commence after choosing the vNext operating system installation, and choosing the Windows 10 operating system encounters an "answer configuration error" towards the end (maybe the generalization pass?).
    Anyone have a workaround for configuring the answer file? Or maybe a more positive experience?

    We're playing around with Windows 10 TP and Server vNext also. For Windows 10 TP I got PXE-based deployment running with unattend.xml from Windows 8.1. But I still did not get Server vNext deployment working.
    I would also be happy if there's somebody out who has an idea on that topic. 

  • Problem with Windows Deployment via LiteTouch on remote subnet

    This is a very odd problem.  It did not happen until I updated everything to the new WinPE for Windows 8.
    I could deploy Win 7 via litetouch all day long on all of our subnets.  When I updated the MDT to the latest version, my remote subnet no longer can image over the network.  It boots to the usb drive and authenticates to the network.  It even pulls up the list of deployment packages that we can select from.  We can choose either our Win 7 or Win 8 deployment and it will act like it's starting, but will get the attached error every time.
    The same boot disk works fine for both Windows 7 and Windows 8 on the subnet local to the MDT server share.
    I'm pretty baffled as to what happened and what to do about it.  I know that it's attaching and communicating on the network because the litetouch wizard obviously authenticates.  It seems that it's network related, but how and why?  It does this on both older and newer hardware on the remote subnet.
    Any suggestions out there?

    That's weird, looks like you lost network connectivity?!?!
    D:\>err 0x80070040
    # as an HRESULT: Severity: FAILURE (1), Facility: 0x7, Code 0x40
    # for hex 0x40 / decimal 64 :
    ...# /* system error */
    ERROR_NETNAME_DELETED winerror.h
    # The specified network name is no longer available.
    Can you open a cmd.exe window using F8 and get to the network server using normal methods?
    dir Z:\
    Ping \\server
    net use * \\server
    Keith Garner - keithga.wordpress.com

  • Lenovo Yoga 2 Pro Installing Windows OS via PXE SCCM

    Hello everyone,
    I have 2 Lenovo Yoga 2 Pro here in our company environment, because our CEO really likes using touchpads with pens =).
    Since the Yoga 2 does not have a LAN connector I have been unable to install Windows via our SCCM server.
    I contacted telephone support and basically got told this is a consumer device and PXE is not possible. Which seems weird since there are PXE drivers and a management driver pack for the Yoga 2 available.
    What I tried this far:
    Use the One Dock -> Doesn't recognize LAN card
    Use USB network card Startech USB21000S2 (7500 chipset) -> Not recognised by BIOS
    Use optical boot media -> boots to PXE environment but can't connect to the server and aborts
    SCCM 2012 SP1 CU4
    OS to install: Windows 7 Ent
    All standard and pxe drivers are incorporated into the install image.
    Does anybody know, if or how it is possible to get this Notebook integrated in my SCCM environment?
    Thanks in advance

    Hi Jerry133, welcome to the forums,
    the following thread may be of interest to you; it would appear the USB ethernet dongle for the ThinkPad X1 Carbon works with the Yoga 2 Pro for PXE boot.
    http://forums.lenovo.com/t5/Idea-Windows-based-Tablets-and/Yoga-2-Pro-PXE-boot/m-p/1516628#M20051
    The part number for the dongle is 4X90E51405 and should be the first article on the following page;
    http://lenovoquickpick.com/deu/accessorycategory/33/networking-i-o
    More Info on the dongle can be found here;
    http://support.lenovo.com/en_US/detail.page?DocID=PD029741
    Andy

  • WDS for custom image deployment via PXE

    I've recently spun up a 2012R2 server and I'd like to use it so I can netboot clients to it and install a custom image on the machine, no hassle.  I have figured out how to take an image from a Windows 7 install disk and add drivers to it.
    However, I'm wondering the best way that I could configure an image to use that has all programs, profiles, updates, and drivers on it for a 'universal' install. Is this possible?
    For example, can I have a 32-bit image that has Chrome, FireFox, and some other programs on it, complete with any drivers that might be needed for NIC and WLAN cards, graphics adapters, etc? And then a 64-bit image for the same thing. Ideally, these would house drivers for any of our machines, so I could PXE boot a 64- or 32-bit desktop or laptop, regardless of the model (They're all one manufacturer) and have them install the image and be configured, ready to go?
    I would also like to know how I could create a custom image/ISO from a machine that is already ready-to-go as a template.
    Thank you for answers in advance.
    If it helps, I'm on a Windows 8.1 x64 machine myself, but the machines I'd like to image are Windows 7 (both x86 and x64).

    Yea.  In a nut shell:
    1. Do the install and create the needless account the setup process forces you to create.
    2. On first log in enable the original default Administrator account and give it a password
    3. Log in with the default Administrator account.
    4. Delete the local account that setup forced you to create
    5. Go to Advanced system Settings --> User Profiles, and remove the profile for that account.  This is important,...this removes the registry entries for the Profile as well (just deleting the folder structure under "C:\Users" does not, and problems can result).
    6. Build your image model from this point using the original default local Administrator account.  This is the only account that Sysprep will leave on the machine when it is run. Note the machine is not a Domain Member when I am at this point. I only join the machine that I apply the image to when I finally deploy the machine to be used.
    7. Run Sysprep on the machine to prepare it for duplication, then shutdown or reboot.  When starting up you do not want to allow it to boot into the OS or you will have to rerun Sysprep again.   You can use WDS to "capture" an image after doing a network boot from the NIC.  You can also boot the machine using a Windows PE bootdisk and manually capture an image with ImageX (comes with WAIK for Win7).  But ImageX is commandline only and annoying,...there is a GUI alternative called GImageX (google it). Then manually copy the captured image to the WDS Server.  Note when you capture an image,..you are only capturing the Boot Partition,...not the entire drive.
    The details of all this you can sort out by studying "how to use" WDS and WAIK (Win7).  That should put you on the right track.
    A source for creating a bootable Windows PE disk is here.
    http://winbuilder.net/

  • Windows Deployment Services Unable to PXE boot clients PXE-E53: No Boot Filename Received

    Hi
    I'm trying to configure WDS/MDT to deploy Windows 8.1. I've captured an image and I'm ready to deploy the image to a workstation. As per the above title, when I attempt to PXE boot a test workstation it just times out with the following error message: PXE-E52: No Boot Filename Received. I've tried a few tweaks to get it working, however no such luck.
    The setup is as follows: it's a virtual Windows 2012 R2 machine, just a fresh member server with Microsoft Deployment Toolkit installed and the WDS role installed with the necessary framework features installed.
    I've tried tweaking the properties of most of the settings within the server settings in WDS with no such luck.
    I'm a novice at WDS but from what I've read I shouldn't need to configure that much in the first place to get it working.
    I'm willing to bet it will be something I've overlooked so I need a 2nd opinion. Could anyone provide any troubleshooting tips? If you require any more information please let me know.
    Cheers   

    Hi Joel,
    This error may be caused by the WDS server not pushing the images because PXE clients are not able to download from or communicate with the TFTP server.
    The image can't be downloaded, generally because the VLAN does not have an IP helper/DHCP relay agent configured on it; all DHCP broadcasts on UDP port 67 by client computers should be forwarded directly to both the DHCP server and the Windows Deployment Services PXE server.
    The related KB:
    PXE clients computers do not start when you configure the Dynamic Host Configuration Protocol server to use options 60, 66, 67
    http://support.microsoft.com/kb/259670
    The similar thread:
    PXE-E53: No boot filename received
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/8de3bd6a-f8ec-41d9-ae0f-5b2fdb9e5831/pxee53-no-boot-filename-recieved?forum=configmgrosd
    WDSServer (Windows Deployment Server) Fails to Start
    http://social.microsoft.com/Forums/en-US/d96b0b86-f2b0-49a5-8946-19ab515f23e6/wdsserver-windows-deployment-server-fails-to-start?forum=windowshpcitpros
    I’m glad to be of help to you!
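
An added example (not part of the thread and not Microsoft or WDS code): a Python check, meant to be run over DHCP replies captured on the client's VLAN, that reports whether any offer actually carries a boot filename and TFTP server, which is what PXE-E53 says is missing. The packets, the 192.0.2.x addresses and `boot/example.nbp` are constructed sample data; preferring options 66/67 over the fixed BOOTP fields is an assumption of this example, and option 52 overload is not handled.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_LEN = 236  # BOOTP header (op .. file), before the magic cookie
DHCPOFFER = 2


def text(raw: bytes) -> str:
    """Decode a NUL-padded or NUL-terminated ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_reply(pkt: bytes) -> dict:
    """Pull out of a DHCP reply the fields a PXE ROM needs to find its boot file."""
    if len(pkt) < FIXED_LEN + 4 or pkt[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (too short or bad magic cookie)")
    opts, i = {}, FIXED_LEN + 4
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                        # 0 = pad, a single byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        code, length = pkt[i], pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = data
        i += 2 + length
    siaddr = socket.inet_ntoa(pkt[20:24])      # BOOTP "next server" address
    return {
        "msg_type": (opts.get(53) or b"\x00")[0],
        "vendor_class": text(opts.get(60, b"")),
        # Assumption: use option 66/67 if present, else sname/siaddr and file.
        "tftp_server": text(opts.get(66, b"")) or text(pkt[44:108])
                       or (siaddr if siaddr != "0.0.0.0" else ""),
        "boot_file": text(opts.get(67, b"")) or text(pkt[108:236]),
    }


def diagnose(replies) -> tuple:
    """Return (status, boot_file) for the replies one PXE client received."""
    offers = [o for o in map(parse_reply, replies) if o["msg_type"] == DHCPOFFER]
    if not offers:
        return ("no-offer", "")                # nothing answered the broadcast
    for offer in offers:
        if offer["boot_file"] and offer["tftp_server"]:
            return ("ok", offer["boot_file"])
    return ("no-boot-filename", "")            # the PXE-E53 situation


def build_reply(yiaddr, siaddr="0.0.0.0", file_field=b"", options=()) -> bytes:
    """Build a constructed BOOTREPLY for the demo (sample data, not a capture)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
        socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
        socket.inet_aton(siaddr), socket.inet_aton("0.0.0.0"),
        bytes.fromhex("005056000001"), b"", file_field)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + b"\xff"


# Constructed samples: a lease-only offer, a PXE server offer, an options-based offer.
PLAIN_OFFER = build_reply("192.0.2.50", options=[(53, b"\x02")])
PXE_OFFER = build_reply("0.0.0.0", siaddr="192.0.2.10", file_field=b"boot/example.nbp",
                        options=[(53, b"\x02"), (60, b"PXEClient")])
OPTIONS_OFFER = build_reply("192.0.2.51", options=[
    (53, b"\x02"), (66, b"192.0.2.10"), (67, b"boot/example.nbp\x00")])

if __name__ == "__main__":
    print("relay reaches DHCP server only:", diagnose([PLAIN_OFFER]))
    print("relay reaches DHCP and PXE server:", diagnose([PLAIN_OFFER, PXE_OFFER]))
```

A `no-boot-filename` result with only a lease offer present matches the relay problem described in the reply above: the client's broadcast reached the DHCP server but not the PXE server.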

  • MSI Z87 G45 + MSI R9 280X + Windows 8.1 secure boot difficulties

    After updating to Windows 8.1 Pro I had the "Secure Boot isn't configured properly" watermark as many others. I determined my disk is GPT partitioned, I enabled UEFI on the GPU by moving the physical switch from the 2 position to the 1 position, and enabled Windows 8 Feature + Secure Boot with standard settings in the G45 bios (ver 1.5). After doing save and reboot I'm presented with a blank screen with my monitor showing a "DVI no input" message. I reset the CMOS to allow me to boot again, but after a couple more tries with the secure boot settings such as enabling/disabling Fast Boot I have not been able to get it to work.
    System:
    MSI Z87 G45
    8GB DDR3 1600mhz Crucial ram
    I5-4670k
    MSI R9 280X
    Samsung 840 SSD 250gb
    Asus cd/dvd drive

    I want to know the same thing. I bought a MSI Z87-G45 Gaming motherboard this month and I can't activate Secure Boot on it because it's still in Setup Mode. I have no idea how to put the motherboard into User Mode and Google doesn't help me much further either. How to activate a key? I have a I5-5670K and GTX 770 by the way.

  • Secure Boot Status: DISABLED. Cannot enable Secure Boot via BIOS.

    BIOS Security Page displays:
    Secure Boot ENABLED
    Secure Boot Status DISABLED
    I have attempted to ENABLE Secure Boot multiple times but Secure Boot Status remains DISABLED
    This problem occurred after BIOS Upgrade to v3.07
    I have Lenovo G510 Laptop
    Windows 8.1
    BIOS Version 79CN48WW (v3.07)
    I have tried the recommended solution of "Reset to Setup Mode" and "Restore Factory Keys".
    This did not solve the problem, Secure Boot Status still indicates DISABLED.
    Please suggest an alternative solution to this problem.

    I was scared to attempt the recommended solution of "Reset to Setup Mode" and "Restore Factory Keys", but it actually worked for me!
    U430p

  • Dual booting S540 and linux with Secure Boot?

    At some point I intend to install archlinux with dual boot on my Thinkpad S540 which currently runs Windows 8.1.
    All the current advice about dual boot on UEFI machines seems to indicate that the way to go is to disable Secure Boot (and Fastboot) for Windows, and then do the linux install choosing a linux bootloader to allow booting either O/S. I believe I know the steps needed to do that.
    Does anyone have any experience with dual booting Windows 8.1 and ArchLinux on the S540?  I would like to retain Secure Boot for Windows, and in the ideal world have Secure Boot running for ArchLinux also. However Secure Boot is fraught with problems for Linux. There are a few distributions such as Ubuntu which will in principle support Secure Boot but I only use ArchLinux and want to install that particular flavour of linux on my machine. It is of course possible to keep switching Secure Boot on and off in the BIOS before booting either of the two installed operating systems but it would be neater and cleaner to have it all with Secure Boot on, or all with it off.
    This is all very new stuff so there may well be a lot of problems, but it is worth exploring. I use rEFInd as my bootloader on another UEFI desktop computer to boot ArchLinux so I am familiar with that bootloader, but dual boot is another thing, and Secure Boot with the fast moving developments in that area is something that until now very few people have tinkered with.
    Any replies and guidance/suggestions appreciated.

    I'm guessing /boot can run from ntfs, however probably not as efficiently as if it were running on ext3/4. Mine runs on Ext4.
    To add confusion, you only create one Extended partition, all partitions you create within the Extended partition are called Logical partitions. You should be able to create enough Logical partitions for your needs.
    Primary/Extended partitions are normally sda1-4 and Logical partitions will usually start from sda5 on modern Sata HDD systems.
    For /boot I would create a small 100mb Ext4 Logical partition. This partition cannot be inside LVM nor encrypted when using Grub1.  I'm not familiar with Grub2.
