Fixing a secureboot problem on computers imaged with sysprep
Posted by No_Actuator_4762@reddit | sysadmin | 5 comments
I’ve got a bunch of computers that were imaged using sysprep. Most computers are the same or similar, and there are a few that are a different manufacturer, but that doesn’t seem to come into play here.
With Secure Boot off, which is necessary to restore my image to disk, every computer boots without issue to Windows. After finishing the OOBE, they work great. Intune-managed Windows updates are doing an okay job from there.
With Secure Boot enabled, signature verification fails.
I’ve tried a BIOS update,
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd (0 OS found when scanned)
The other thing I’ve done, and may be the actual problem come to think of it, is use gparted to move and expand partitions as needed. The image was created with a 256GB disk and most workstations have 0.5TB or 1TB capacity.
Does anyone with more experience with Secure Boot know how I’m breaking it, and how I can NOT break or repair the disk’s boot? I’d really like to be able to use Secure Boot in my compliance policy in Intune.
Thank you.
enterprisedatalead@reddit
This usually comes down to a mismatch between how the image was created and what Secure Boot expects at boot time. If the image wasn’t prepared in full UEFI mode or the bootloader wasn’t properly signed, Secure Boot will block it even though everything looks fine otherwise.
In my experience, the common fixes are rebuilding the boot files after imaging or making sure the system is actually using UEFI with GPT and not falling back to legacy settings. I’ve also seen cases where imaging tools didn’t correctly recreate the EFI partition, and running something like bcdboot to rebuild the boot configuration fixed it. This lines up with known issues where boot failures happen if the firmware and bootloader trust chain don’t match.
Are you seeing this on all imaged machines or only specific hardware models, and are you using a standardized image process across them?
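To turn the checks in this reply into something repeatable, here is an added PowerShell diagnostic (not code from the thread or from Clonezilla/Rescuezilla). It assumes an elevated session on a workstation booted with Secure Boot off, Windows on C:, and the standard GPT type GUID for the EFI System Partition; the certificate names it looks for are an assumption about what "update your certificate" refers to.

```powershell
# Added diagnostic: firmware mode, partition style, ESP presence, Secure Boot db contents.
# Run elevated on the imaged workstation while it still boots with Secure Boot disabled.
$EspType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # GPT EFI System Partition type GUID

# 1. Firmware mode and Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS/CSM boots.
try {
    $sb = Confirm-SecureBootUEFI
    "Firmware: UEFI   Secure Boot currently enabled: $sb"
} catch {
    "Firmware: legacy BIOS/CSM mode, Secure Boot not available in this boot"
}

# 2. The disk holding C: must be GPT for a UEFI boot; an MBR disk means the clone fell back to legacy.
$osDisk = Get-Partition -DriveLetter C | Get-Disk
"OS disk $($osDisk.Number): PartitionStyle=$($osDisk.PartitionStyle)"

# 3. An EFI System Partition must still exist on that disk; moving/resizing with gparted can
#    leave it missing or re-typed, and then there is nothing signed for the firmware to load.
$esp = Get-Partition -DiskNumber $osDisk.Number | Where-Object GptType -eq $EspType
if ($esp) {
    "ESP found: partition $($esp.PartitionNumber), $([math]::Round($esp.Size / 1MB)) MB"
} else {
    "No EFI System Partition on disk $($osDisk.Number)"
}

# 4. Which Microsoft signing CAs the firmware's Secure Boot 'db' trusts.
#    Assumption: the 'update your certificate' advice in the thread refers to these entries.
try {
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    foreach ($ca in 'Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023') {
        "db contains '$ca': $($db -match [regex]::Escape($ca))"
    }
} catch {
    "Could not read Secure Boot db: $_"
}

# 5. Rebuild the UEFI boot files into the ESP (the bcdboot fix suggested above).
#    Left commented out so the script is read-only until you choose to run it.
# mountvol S: /S                        # give the ESP the drive letter S:
# bcdboot C:\Windows /s S: /f UEFI      # write \EFI\Microsoft\Boot and a fresh BCD to the ESP
# mountvol S: /D                        # unmount the ESP again
```

Steps 2 and 3 are the ones to compare between a workstation that boots with Secure Boot on and one that does not; a differing PartitionStyle or a missing ESP points at the clone/gparted step rather than at the firmware.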
No_Actuator_4762@reddit (OP)
Same process across all of them, which, in hindsight, is flawed. The only way to even create the image required disabling Secure Boot. Clonezilla via “Rescuezilla” is the suite used to both create and restore, and then gparted is used on the partition table thereafter.
I’d have to give it a closer look, but it’s safe to say it’s all the workstations needing a fix. A handful seem to be able to boot right back into Windows with Secure Boot enabled.
I didn’t spend a lot of time attempting it, but on the one machine I was working with, I want to say bcdboot wasn’t able to detect the OS installation. I’m sure going down that path could be fruitful.
Any advice considering that tidbit?
Darkhexical@reddit
Update your certificate.
No_Actuator_4762@reddit (OP)
That looks like quite a project. In short, are you talking about me reimaging all the workstations? That’s not an option at the moment. I’ll continue to look into it.
Darkhexical@reddit
No. You just have to update the BIOS.