
[SOLVED] Windows 11/Secure boot installation via WAPT

Published: October 10, 2023 - 11:31
by PaulSLA
Hello,

Server OS: Ubuntu 22.04.3 LTS
WAPT version: 2.4.0.14143

We have a working WAPT server through which we deploy our machines.

We are currently migrating to Windows 11, which requires Secure Boot. The problem is that, with Secure Boot enabled, we are encountering the classic error message stating that WinPE is not signed (as far as we understand).

In the FAQ, we found this passage:

"Does WAPT IPXE work with Secure Boot?

No, we use the IPXE file from the official IPXE website, which is not compatible with Secure Boot. To do this, you have two options: have a signed IPXE file (with IPXE Anywhere, for example) or download the '.wim' file via TFTP (which is slower)."
Signed IPXE appears to be a paid service in the few cases we have looked into. We are trying to download the .wim file via TFTP.
We have a working TFTP server on the WAPT server (tested with ipxe.efi).

However, we don't understand what else we need to do for it to be considered OK by Secure Boot. Do we simply send the boot.efi file of a Windows 11 ISO to the server via TFTP?

Thank you in advance for your answers.

Sincerely,
Paul.

Re: Windows 11/Secure boot installation via WAPT

Published: October 11, 2023 - 1:53 PM
by sfonteneau
Good morning
PaulSLA wrote (Oct 10, 2023 - 11:31): "We are currently upgrading to Windows 11, which requires Secure Boot. The problem is, with Secure Boot enabled, we are encountering the classic error message stating that WinPE is not signed (as far as we understand)."
Windows 11 requires a Secure Boot-capable machine, but Secure Boot does not necessarily have to be enabled.

I just tried it with an ISO: Win11_22H2_French_x64v2 and it works without Secure Boot enabled. You can also enable Secure Boot later if you really want to.

Secure Boot can be used with WAPT in two ways:

- By using a signed IPXE (difficult to find, or requiring payment). For your information, we do have a project to get our own IPXE signed, but the process with Microsoft is long and complex.

- By abandoning IPXE. In this case, booting the WinPE image is done entirely via TFTP, which is five times slower at startup, and you lose some features such as Linux deployment or automatic network booting.

Here is the procedure to do it:

Currently, wapttftpserver does not handle this, so it needs to be disabled:

systemctl stop wapttftpserver
systemctl disable wapttftpserver

Add to /opt/wapt/conf/waptserver.ini:

copy_winpe_x64_in_tftp_folder=True

Then restart the waptserver:

systemctl restart waptserver

* Restart the creation of a WinPE from the console.

Next, install tftpd-hpa:

apt-get install tftpd-hpa

Modify the tftpd-hpa configuration

/etc/default/tftpd-hpa:

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/www/wads/pxe"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="-v --secure -m /etc/tftpd.map"

and /etc/tftpd.map:

# Windows boot clients request paths with backslashes and mixed case;
# rewrite them to match the case-sensitive layout under TFTP_DIRECTORY.
rg \\ /
rg boot/ Boot/
rg efi/ EFI/
rg /microsoft /Microsoft

Restart tftpd:

systemctl restart tftpd-hpa

In your DHCP configuration, the file to mention is no longer ipxe.efi but:

filename "efi/boot/bootmgfw.efi";

Please note that you need to be patient during your tests; the boot process is much longer.
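The remap file in the procedure above is what lets a case-sensitive Linux TFTP root serve a Windows boot manager, which asks for files with backslashes and its own casing. The following is an added example, not code from the post, from WAPT or from tftpd-hpa: it re-implements the `r`/`rg` remap semantics described in the tftpd-hpa man page (regex replace; `g` repeats the rule until it no longer matches) and the `--secure` root confinement in plain Python, so the four rules can be tried offline. The rules are copied from the post's /etc/tftpd.map (the comment line inside them is added here); the sample requests are constructed, not captured from a real boot, and the `TFTP_ROOT` value is the `TFTP_DIRECTORY` from the post.

```python
"""Offline model of tftpd-hpa's remap file and --secure root check.

Added example (not from the post, WAPT or tftpd-hpa). Rule semantics follow
the tftpd-hpa man page: 'r' = replace the regex match, 'g' = repeat the rule
until it stops matching. Only r/rg rules are modelled.
"""
import posixpath
import re

# Rules copied from the post's /etc/tftpd.map; the comment line is added here.
TFTPD_MAP = r"""
# rewrite backslashes and fix directory case so requests hit the files on disk
rg \\ /
rg boot/ Boot/
rg efi/ EFI/
rg /microsoft /Microsoft
"""

TFTP_ROOT = "/var/www/wads/pxe"  # TFTP_DIRECTORY from the post


def parse_map(text):
    """Parse 'r <regex> <replacement>' and 'rg <regex> <replacement>' rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        op, pattern, repl = line.split(None, 2)
        if op not in ("r", "rg"):
            raise ValueError(f"unsupported remap rule (only r/rg modelled): {line!r}")
        rules.append((re.compile(pattern), repl, op == "rg"))
    return rules


def remap(filename, rules):
    """Apply the rules in order; 'g' rules repeat until they stop matching."""
    for pattern, repl, repeat in rules:
        if not repeat:
            filename = pattern.sub(repl, filename, count=1)
            continue
        # Bounded loop: the man page warns that a rule matching its own
        # output would otherwise never terminate.
        for _ in range(1000):
            rewritten = pattern.sub(repl, filename, count=1)
            if rewritten == filename:
                break
            filename = rewritten
        else:
            raise RuntimeError(f"rule {pattern.pattern!r} never stops matching")
    return filename


def resolve(filename, rules, root=TFTP_ROOT):
    """Remap a client request and confine it to the TFTP root as --secure does.

    tftpd-hpa --secure chroots into TFTP_DIRECTORY, so a leading '/' means the
    root itself and '..' cannot climb above it. This models that by joining
    the mapped path onto root, normalising it and refusing anything outside.
    """
    mapped = remap(filename, rules)
    full = posixpath.normpath(posixpath.join(root, mapped.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise PermissionError(f"{filename!r} -> {full!r} escapes {root}")
    return full


def is_served(filename, rules, root=TFTP_ROOT):
    """True if the request resolves inside the TFTP root, False if refused."""
    try:
        resolve(filename, rules, root)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    rules = parse_map(TFTPD_MAP)
    # Constructed requests of the kind a Windows boot manager sends over TFTP
    # (backslashes, mixed case) plus one traversal attempt; not a real capture.
    for req in ("efi/boot/bootmgfw.efi", r"\Boot\BCD",
                r"\efi\microsoft\boot\bcd", r"..\..\etc\passwd"):
        if is_served(req, rules):
            print(f"{req!r:30} -> {resolve(req, rules)}")
        else:
            print(f"{req!r:30} -> REFUSED by --secure root check")
```

Two things the model makes visible. First, the rules rewrite directory components only: `\efi\microsoft\boot\bcd` comes out as `EFI/Microsoft/Boot/bcd`, so the leaf file on disk must already match whatever case the client uses, which is why the layout WAPT writes under `TFTP_DIRECTORY` matters. Second, `--secure` is what keeps a request like `..\..\etc\passwd` from leaving the TFTP root once the backslashes have been turned into slashes; keep that option in `TFTP_OPTIONS` whenever the remap rule for `\\` is present.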

Re: Windows 11/Secure boot installation via WAPT

Published: Dec 4, 2023 - 2:12 PM
by PaulSLA
Hello,

thank you for these answers.
We preferred to simply disable Secure Boot and re-enable it afterward.

Sincerely,