After image deployment, the computer won't boot to Windows with secure boot enabled

Article ID: 419052

Updated On:

Products

Ghost Solution Suite
Deployment Solution

Issue/Introduction

After capturing an image and deploying it to another computer, the image target computer does not boot to Windows while Secure Boot is enabled in the UEFI firmware settings.

This may be observed when capturing an image from a virtual machine or physical computer and deploying it to virtual or physical machines with different UEFI firmware.

Environment

Ghost Solution Suite 3.x.x

Deployment Solution 8.x.x

Cause

Secure Boot signature database (db) certificate mismatch

The image was captured from a VM or hardware whose Windows Boot Manager (bootmgfw.efi) is signed by the Windows UEFI CA 2023 certificate, and it was deployed to hardware whose firmware Secure Boot signature database (db) only contains the older Microsoft Windows Production PCA 2011 certificate (versions may vary). Because the target firmware holds no trusted certificate that the boot manager's signature chains to, Secure Boot refuses to launch it and the computer does not boot to Windows.

Resolution

Run the following PowerShell commands one at a time from an elevated (Run as administrator) PowerShell session on both the source and the destination (image target) computer. Each command decodes a Secure Boot variable as text and returns True if the named certificate is present. Get-SecureBootUEFI only works on UEFI systems; on a legacy BIOS boot it returns an error.

# Is the newer Windows UEFI CA 2023 certificate in the allowed-signatures database (db)?
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

# Is the older Microsoft Windows Production PCA 2011 certificate in db?
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Windows Production PCA 2011'

# Has the PCA 2011 certificate been revoked, i.e. added to the forbidden-signatures database (dbx)?
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011'

If the first command returns True on the source machine but False on the destination, the destination firmware does not trust the certificate that signed the image's boot manager, and a signing certificate mismatch is the likely cause. If the third command returns True on a machine, the 2011 certificate has been revoked there, so an image whose boot manager is signed only by the 2011 certificate will not boot on it either.

Updating the UEFI firmware on the machine with the older signing certificate will usually resolve the issue, because current firmware releases generally add the Windows UEFI CA 2023 certificate to db. Which machine needs attention depends on where the older certificate is: if the image source machine is the one whose certificate is updated from the 2011 certificate (so its boot manager or trusted certificates change after the image was taken), recapture the image and redeploy it; if only the image target machine has the older signing certificate, updating its firmware is sufficient and the existing image can be redeployed as-is.
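The following script is an added example and is not part of this article or of Ghost Solution Suite / Deployment Solution. It wraps the three checks above into functions and adds the other half of the comparison: it reads which CA actually signed the source image's boot manager by mounting the EFI System Partition and inspecting the Authenticode signature of bootmgfw.efi. It assumes an elevated session, that the ESP is temporarily mounted as drive S: (any free letter works), that the boot manager is at the default path below, and a hypothetical hand-off file path for carrying the source's signer name to the target; the function names are the example's own.

```powershell
# Added example (not from the KB article): compare the CA that signed the source
# image's Windows Boot Manager with the CAs trusted (db) or revoked (dbx) by the
# target firmware, and report whether Secure Boot will launch the deployed image.
# Run from an elevated PowerShell session on a UEFI system.

$BootMgrPath = 'S:\EFI\Microsoft\Boot\bootmgfw.efi'   # assumed: ESP mounted as S:, default path
$Ca2011 = 'Microsoft Windows Production PCA 2011'
$Ca2023 = 'Windows UEFI CA 2023'

function Get-UefiDbText {
    # Decode a Secure Boot variable (db or dbx) as ASCII text so the CA subject
    # names embedded in the X.509 certificates can be located with -match.
    param([ValidateSet('db', 'dbx')][string]$Name)
    $var = Get-SecureBootUEFI -Name $Name
    return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
}

function Get-SecureBootCaStatus {
    # Report which Microsoft UEFI CAs this firmware trusts (db) or has revoked (dbx).
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled on this machine; db/dbx are read but not enforced.'
    }
    $db  = Get-UefiDbText -Name db
    $dbx = Get-UefiDbText -Name dbx
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Trusts2011   = [bool]($db  -match $Ca2011)
        Trusts2023   = [bool]($db  -match $Ca2023)
        Revoked2011  = [bool]($dbx -match $Ca2011)
    }
}

function Get-BootManagerSigner {
    # Return the issuer of the certificate that signed bootmgfw.efi on the mounted ESP.
    # This is what the captured image carries to the target, so it is the half of the
    # mismatch that the db check alone does not reveal.
    param([string]$Path = $BootMgrPath)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        throw "No Authenticode signer found on $Path (status: $($sig.Status))."
    }
    if ($sig.Status -ne 'Valid') {
        # The chain may not validate if the CA root is not in the local store; the issuer name is still usable.
        Write-Warning "Signature status on $Path is $($sig.Status)."
    }
    # Example value: 'CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US'
    return $sig.SignerCertificate.Issuer
}

function Test-ImageBootCompatibility {
    # Decide whether the target firmware will launch a boot manager signed by $SourceSigner.
    param(
        [Parameter(Mandatory)][string]$SourceSigner,
        [Parameter(Mandatory)][pscustomobject]$TargetStatus
    )
    if ($SourceSigner -match $Ca2023 -and -not $TargetStatus.Trusts2023) {
        return 'MISMATCH: image boot manager is signed by Windows UEFI CA 2023 but the target db lacks that CA. Update the target firmware (or apply the Microsoft mitigation) before deploying.'
    }
    if ($SourceSigner -match $Ca2011 -and $TargetStatus.Revoked2011) {
        return 'MISMATCH: image boot manager is signed by PCA 2011, which the target has revoked in dbx. Recapture from a source whose boot manager is signed by the 2023 CA.'
    }
    if ($SourceSigner -match $Ca2011 -and -not $TargetStatus.Trusts2011) {
        return 'MISMATCH: target db does not contain the PCA 2011 certificate that signed the image boot manager.'
    }
    return 'OK: target firmware trusts the CA that signed the image boot manager.'
}

# --- Usage ------------------------------------------------------------------
# On the SOURCE machine, before capturing the image:
#   mountvol S: /S                                        # mount the EFI System Partition
#   Get-BootManagerSigner | Set-Content C:\Temp\source-signer.txt   # hypothetical hand-off path
#   mountvol S: /D                                        # dismount it again
# On the TARGET hardware (any Windows or WinPE session booted on it):
#   $target = Get-SecureBootCaStatus
#   $target | Format-List
#   Test-ImageBootCompatibility -SourceSigner (Get-Content C:\Temp\source-signer.txt) -TargetStatus $target
```

Running Get-SecureBootCaStatus on both machines reproduces the three one-line checks from the article in one object per machine, and Test-ImageBootCompatibility states the outcome before the image is pushed rather than after the target fails to boot. The dbx check matters as much as the db check: once the 2011 CA has been revoked on a machine, a 2011-signed boot manager fails there even though db still lists the 2011 certificate.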

Keep in mind that this is not an issue with, or a limitation of, Ghost Solution Suite or Deployment Solution. It is a limitation of the Secure Boot certificates that computer manufacturers do or do not ship with new UEFI firmware.

If a UEFI firmware update does not also update the signing certificate, refer to the following Microsoft document, which has instructions for manually updating from the 2011 certificate to the 2023 certificate (see the section 'Mitigation deployment guidelines'):

https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

If issues persist, contact the manufacturer of the computer that has the older 2011 signing certificate. The latest firmware upgrades generally include the newer signing certificate.