PXE Boot Fails on Secure Boot-Enabled UEFI Devices Due to Microsoft UEFI CA 2011 Certificate Expiration

Article ID: 444113

Products

IT Management Suite Deployment Solution

Issue/Introduction

When attempting to PXE boot UEFI-based client machines with Secure Boot enabled, the boot process fails and cannot initialize. This behavior typically occurs on Deployment Solution (DS) environments running version 8.8.0 or earlier.

Environment

IT Management Suite (ITMS) / Deployment Solution (DS) 8.8.0 and earlier

PXE / iPXE

UEFI Mode with Secure Boot enabled

Cause

Certificate Expiration: 
The underlying BStrap.efi binaries distributed with DS 8.8.0 and older were signed using the "Microsoft UEFI CA 2011" certificate. Following its expiration, modern UEFI firmware with Secure Boot enabled rejects these binaries as untrusted.

Resolution

A fix is currently targeted for our ITMS 8.8.2 release.

Workaround for those with ITMS 8.8 or earlier versions:

NOTE: If you are using ITMS 8.8.1, refer instead to the KB article "PXE Boot Fails on Secure Boot Enabled Devices after Upgrading to ITMS 8.8.1".

Step-by-Step Fix Implementation

  1. Stop Network Services:
    On your PXE/SBS server, open the Windows Services (services.msc), locate the following services, and Stop them:

    Symantec Network Boot Service (PXE)

    Symantec Network Boot Service (TFTP)

  2. Extract Hotfix Files: Locate the workaround archive PXE_files_DS_8_8_0.zip (attached to this KB article) and extract it.
    Note: The archive contains updated PXE boot binaries equivalent to those provided in the Deployment Solution 8.8.1 Point Fix, along with an additional update to SbsMtftp.exe for compatibility purposes.

  3. Deploy Updated SMP Files:
    Copy the updated files from the extracted PXE_files_DS_8_8_0\SMP directory and paste them into the following path on your Symantec Management Platform (SMP) Server:

    ...\Deployment\BDC\Bootwiz\Platforms\iPXE

  4. Deploy Updated Site Server (SbsServer) Files:
    Copy the files from the extracted PXE_files_DS_8_8_0\SbsServer directory and replace the corresponding files on your target PXE Server at the path below:

    C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\SBS

  5. Restart Network Services:
    Return to the Windows Services management console and Start the services previously stopped in Step 1:

    Symantec Network Boot Service (PXE)

    Symantec Network Boot Service (TFTP)

  6. Regenerate Affected PXE Images:

    Regenerate only the PXE boot images that have the iPXE option enabled. PXE images that do not use iPXE do not require regeneration:

    • Identify all PXE images configured with Use iPXE = true and regenerate those images from the Symantec Management Console.

    • To identify affected images, review the Use iPXE column in the PXE Configuration page. Only PXE images with Use iPXE enabled require updating.

      Note: PXE images with Use iPXE = false are not affected by this issue and do not require regeneration.

As an alternative to regenerating images, administrators may replace the iPXE binary within the affected PXE image with the updated version provided by this fix.
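Steps 1, 4 and 5 above, scripted for the PXE site server as an added example (this is not code from the KB or from Deployment Solution). It assumes the archive has been extracted to a placeholder path, and that Get-AuthenticodeSignature can read the Authenticode signature embedded in the PE/COFF .efi binaries; after the copy it reports which CA issued each .efi file's signing certificate so the old 2011 chain can be confirmed gone.

```powershell
# Added example, not part of this KB or the Deployment Solution product: runs Steps 1, 4 and 5
# on the PXE site server, then reports which CA issued the signing certificate of each .efi
# file in the SBS directory so an operator can confirm the "UEFI CA 2011" chain is gone.
# Assumptions: PXE_files_DS_8_8_0.zip is already extracted to $ExtractRoot; run elevated.
$ExtractRoot = 'C:\Temp\PXE_files_DS_8_8_0'   # placeholder: wherever you extracted the archive
$SbsPath     = 'C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\SBS'
$Services    = 'Symantec Network Boot Service (PXE)', 'Symantec Network Boot Service (TFTP)'

# Step 1: stop both network boot services (matched by display name, as shown in services.msc)
foreach ($name in $Services) {
    $svc = Get-Service -DisplayName $name -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
}

# Step 4: keep a dated backup of every file about to be replaced, then copy the updated files in
$Backup = Join-Path $SbsPath ('backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
Get-ChildItem -Path (Join-Path $ExtractRoot 'SbsServer') -File | ForEach-Object {
    $target = Join-Path $SbsPath $_.Name
    if (Test-Path $target) { Copy-Item -Path $target -Destination $Backup }
    Copy-Item -Path $_.FullName -Destination $target -Force
}

# Step 5: start the services again
foreach ($name in $Services) { Get-Service -DisplayName $name | Start-Service }

# Check: each .efi bootstrap in the SBS tree should carry a valid Authenticode signature whose
# issuer is no longer the 2011 UEFI CA. (Assumption: the issuing CA is named in the signer
# certificate's Issuer field. Firmware trust is still decided by the firmware's own db.)
Get-ChildItem -Path $SbsPath -Recurse -Filter '*.efi' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File   = $_.Name
        Status = $sig.Status
        Issuer = $sig.SignerCertificate.Issuer
        OldCA  = [bool]($sig.SignerCertificate.Issuer -match 'UEFI CA 2011')
    }
} | Format-Table -AutoSize
```

Step 3 (the SMP-side copy) is not scripted here because the article gives only a partial path for it; a row with OldCA = True after the copy means that file was not replaced and will still be rejected under Secure Boot.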

Validation Steps

To verify that the implementation was successful:

  1. Boot a target client machine configured for UEFI with Secure Boot enabled.
  2. Monitor the network boot sequence.
  3. Verify that the client successfully receives and executes the updated BStrap.efi binary without Secure Boot signature validation errors.
  4. Confirm that the client successfully enters the pre-boot environment.

Attachments

PXE_files_DS_8_8_0.zip