Secure Boot Compatibility Guide: Deployment Solution & Ghost Solution Suite

Article ID: 163312

Products

Ghost Solution Suite, Deployment Solution

Issue/Introduction

Secure Boot compatibility and requirements for current Windows-based UEFI systems that are managed and imaged with Deployment Solution and Ghost Solution Suite.

Environment

GSS 3.3.12 and later

DS 8.8 and later

WinPE

Cause

Secure Boot blocks any bootloader that does not carry a valid signature from a certificate the firmware trusts.

Resolution

Secure Boot Compatibility Guide for DS & GSS

All current versions of Deployment Solution (DS) and Ghost Solution Suite (GSS) support Secure Boot across all WinPE delivery methods, including PXE, Automation Folders, and external media.

1. Trust & Certificate Requirements

To ensure a successful boot, verify your BIOS/UEFI settings based on your chosen method:

  • PXE / iPXE Booting: You must enable the "Microsoft 3rd Party UEFI CA" trust. The PXE bootloaders are signed by this specific authority.

  • USB, ISO, or Automation Folders: While these can function with the 3rd Party CA trust disabled, keeping it enabled is recommended to prevent issues with unsigned drivers.
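An added check, not part of this article, that a target device actually meets the PXE requirement above: it confirms Secure Boot is on and that the firmware signature database (db) contains the Microsoft 3rd Party UEFI CA. It uses the Windows SecureBoot module and must run in an elevated PowerShell session on a UEFI-booted machine; the subject string "Microsoft Corporation UEFI CA 2011" is the well-known name of that CA and is assumed to be what your firmware lists.

```powershell
# Added example (not from the article): verify that Secure Boot is enabled and that
# the firmware 'db' trusts the Microsoft 3rd Party UEFI CA, which signs the DS/GSS
# PXE bootloaders. Run elevated on the device that will PXE boot.

function Test-ThirdPartyUefiCaTrust {
    [CmdletBinding()]
    param(
        # Certificate subject strings to look for in the firmware signature database.
        # 'Microsoft Corporation UEFI CA 2011' is the well-known 3rd Party UEFI CA
        # (assumed subject string; add others your firmware vendor ships).
        [string[]]$CaNames = @('Microsoft Corporation UEFI CA 2011')
    )

    $result = [ordered]@{
        SecureBootEnabled = $false
        TrustedCAsFound   = @()
    }

    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS systems or non-elevated sessions.
        Write-Warning "Secure Boot state could not be read: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # The 'db' variable holds the allowed signers. Certificate subjects are stored
    # as printable ASCII inside the DER blobs, so a plain substring search is a
    # sufficient presence check.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)

    $result.TrustedCAsFound = @($CaNames | Where-Object { $dbText.Contains($_) })
    return [pscustomobject]$result
}

$state = Test-ThirdPartyUefiCaTrust
if (-not $state.SecureBootEnabled) {
    Write-Host 'Secure Boot is disabled on this device.'
} elseif ($state.TrustedCAsFound.Count -eq 0) {
    Write-Host 'Secure Boot is on but the 3rd Party UEFI CA is not in db; enable it in firmware setup before PXE booting.'
} else {
    Write-Host "Secure Boot is on and db trusts: $($state.TrustedCAsFound -join ', ')"
}
```

On a device where the check reports the CA missing, the "Microsoft 3rd Party UEFI CA" option in firmware setup is the setting to enable; the script only reads firmware variables and changes nothing.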

2. Imaging & Maintenance

DS and GSS are fully equipped to capture and restore images on Secure Boot-enabled Windows devices.

Pro Tip: To maintain seamless compatibility, ensure both your hardware BIOS/UEFI and Windows security patches are kept up to date.


3. Media Creation Best Practices

To avoid boot failures, follow these strict requirements for media creation:

  • Use Native Tools: Always use the built-in Boot Disk Creator. Plug your USB drive directly into the DS or GSS server for external media creation.

  • Avoid Third-Party Utilities: Tools like Rufus or Etcher often fail to write the necessary signatures required for Secure Boot validation.

  • WIM Compatibility: Custom .WIM files generated outside of the GSS environment may not support Secure Boot and may fail to load.

Additional Information

PXE Boot Fails on Secure Boot Enabled Devices after Upgrading to ITMS 8.8.1

Deployment Solution 8.x and GSS 3.3.x – Microsoft Secure Boot Changes and BlackLotus Vulnerability (CVE-2023-24932)