Hello,
OS-Server: Ubuntu 22.04.3 LTS,
WAPT Version: 2.4.0.14143.
We have a working WAPT server through which we deploy our machines.
We are currently migrating to Windows 11, which requires Secure Boot. The problem is that, with Secure Boot enabled, we are encountering the classic error message stating that WinPE is not signed (as far as we understand).
In the FAQ, we found this passage:
"
Does WAPT IPXE work with Secure Boot?
No, we use the IPXE file from the official IPXE website, which is not compatible with Secure Boot. To do this, you have two options: Have a signed IPXE file (with IPXE Anywhere, for example) or download the ".wim" file via TFTP (which is slower).
"
Signed IPXE appears to be a paid service in the few cases we have looked into. We are trying to download the .wim file via TFTP.
We have a working TFTP server on the WAPT server (tested with ipxe.efi).
However, we don't understand what else we need to do for it to be considered OK by Secure Boot. Do we simply send the boot.efi file of a Windows 11 ISO to the server via TFTP?
Thank you in advance for your answers.
Sincerely,
Paul.
[SOLVED] Windows 11/Secure boot installation via WAPT
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Reply from sfonteneau (WAPT Expert, 2318 messages, registered July 10, 2014):
Good morning
Windows 11 requires a Secure Boot-capable machine, but Secure Boot does not necessarily have to be enabled.
I just tried it with an ISO: Win11_22H2_French_x64v2, and it works without Secure Boot enabled. You can also enable Secure Boot later if you really want to.
Secure Boot can be done with WAPT in two ways:
- By using a signed IPXE (difficult to find or requiring payment); for your information, we do have a project to get our own IPXE signed, but the process is long and complex with Microsoft.
- By abandoning IPXE. In this case, booting the WinPE image will be done entirely via TFTP, which is five times slower at startup, and you will lose some features such as Linux deployment or automatic network booting.
Here is the procedure to do it:
Currently, wapttftpserver does not handle this, so it needs to be disabled:
Code:
systemctl stop wapttftpserver
systemctl disable wapttftpserver
Add to /opt/wapt/conf/waptserver.ini:
Code:
copy_winpe_x64_in_tftp_folder=True
then restart the waptserver:
Code:
systemctl restart waptserver
* Restart the creation of a WinPE from the console
Next, install tftpd-hpa:
Code:
apt-get install tftpd-hpa
Modify the tftpd-hpa configuration, /etc/default/tftpd-hpa:
Code:
TFTP_USERNAME="tftp"
TFTP_DIRECTORY=/var/www/wads/pxe
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="-v --secure -m /etc/tftpd.map"
and /etc/tftpd.map:
Code:
rg \\ /
rg boot/ Boot/
rg efi/ EFI/
rg /microsoft /Microsoft
Restart tftpd:
Code:
systemctl restart tftpd-hpa
In your DHCP configuration, the file to mention is no longer ipxe.efi but:
Code:
filename "efi/boot/bootmgfw.efi";
Please note that you need to be patient during your tests; the boot process is much longer.
