Deploying Windows 10/11 via PXE with UEFI/Secure Boot


7 replies to this topic

#1 10-96-Tim

10-96-Tim
  • Members
  • 4 posts
  •  
    United States

Posted 04 February 2022 - 09:30 PM

Hello,

Sorry for my rookie questions, we had a plan to leverage Microsoft WDS for distribution of images, but due to $$$ we were unable to do so.  Now I am rushing to replace WDS with an alternate PXE solution. 

 

We have created our base images using MDT and they can be successfully deployed via WDS and PXE to BIOS, UEFI and UEFI with Secure Boot.

 

I am trying to distribute the same via Tiny PXE > ipxe > wimboot.  I have been successful for BIOS and UEFI, but not UEFI with Secure Boot.  (for BIOS I am using "filename=ipxe.pxe" and for UEFI "filename=ipxe-x86_64.efi")

 

All imaging is being performed with target on the same subnet as the PXE server and no changes to DHCP have been made.  The subnets all have DHCP provided by a network device and I have Tiny PXE set as proxyDHCP.

 

When I PXE boot a UEFI w/ Secure Boot client I very briefly see "Downloading NBP file..." and it immediately returns to the host's boot menu.

 

Can anyone advise?  What am I missing for Secure Boot?

 

Notes/configs are below for reference.

 

Thank you!

 

Config.ini (removed comments where the settings aren't configured to reduce size - no active settings removed)

	[arch]
	[dhcp]
	;below is applicable only if proxydhcp=0
	rfc951=1
	;needed to tell TFTPd where is the root folder
	root=E:\pxesrv\files\
	filename=ipxe-x86_64.efi
	;alternative bootp filename if request comes from ipxe or gpxe
	altfilename=menu.ipxe
	;start HTTPd
	httpd=1
	binl=0
	start=0
	dnsd=0
	;if you have a dhcp server on your lan, set proxydhcp=1
	proxydhcp=1
	;default=1
	bind=1
	;tftpd=1 by default
	;will share (netbios) the root folder as PXE
	smb=0
	;will log to log.txt
	log=0
	optextra=175.6.1.1.1.8.1.1
	;if log=1, will log to log.txt - not recommended, rather, use the syslog feature
	log=0
	opt1=255.255.255.0
	opt3=10.11.108.1
	opt6=10.11.108.10
	opt28=10.11.108.255
	opt43=0
	opt51=3600
	opt54=10.11.108.228
	next-server=10.11.108.228
	opt60=PXEClient
	poolstart=10.11.108.229
	poolsize=10
	syslog=127.0.0.1
	[web]
	port=80
	;php-5.6.38-nts-Win32-VC11-x86 tested with success
	php=c:\php\php.exe
	;cscript.exe file.vbs param1=value1 //nologo
	vbs=C:\Windows\System32\cscript.exe
	js=C:\Windows\System32\cscript.exe
	;python.exe file.py param1=value1
	py=C:\Python27\python.exe
	;the below will be used if you turn on dnsd
	[mydomain.fr]
	ip=10.0.0.254
	[10.0.0.253]
	host=mydomain2.fr
	[frmDHCPServer]
	top=182
	left=182

Menu.ipxe (removed comments where the settings aren't configured to reduce size - no active settings removed)

	#!ipxe
	# WORKING - BIOS & UEFI (non-Secure)
	## Using two different config.ini for BIOS/UEFI
	## UEFI set "filename=ipxe-x86_64.efi"
	## BIOS set "filename=ipxe.pxe"
	
	set boot-url http://${next-server}
	
	# Setup some basic convenience variables
	set menu-timeout 10000
	set submenu-timeout ${menu-timeout}
	
	# Ensure we have menu-default set to something
	isset ${menu-default} || set menu-default exit
	
	######## MAIN MENU ###################
	:start
	menu Welcome to iPXE's Boot Menu
	item
	item --gap -- ------------------------- Utilities ------------------------------
	item winpe WinPE
	
	########## UTILITY ITEMS ####################
	
	################################# winpe
	:winpe
	menu Boot WinPe
	item wimboot    Boot WinPE via wimboot
	item back Back to top menu...
	iseq ${menu-default} menu-recovery && isset ${submenu-default} && goto menu-recovery-timed ||
	choose selected && goto ${selected} || goto start
	:menu-recovery-timed
	choose --timeout ${submenu-timeout} --default ${submenu-default} selected && goto ${selected} || goto start
	
	:wimboot
	  kernel ${boot-url}/wimboot pause
	  initrd -n bootmgr.exe   ${boot-url}/BOOTMGR	      			bootmgr ||
	  initrd -n bootx64.efi   ${boot-url}/BOOTx64.EFI     			bootx64.efi ||      
	  initrd -n bcd           ${boot-url}/BOOT/BCD        			bcd
	  initrd -n boot.sdi      ${boot-url}/BOOT/BOOT.SDI   			boot.sdi   
	  initrd -n boot.wim      ${boot-url}/BOOT/LiteTouchPE_x64.WIM  	boot.wim
	  boot || goto failed
	  goto start

Booting a VMware VM that is UEFI w/ Secure Boot enabled

 

	12:50:35 PM DHCPc:discovering for another DHCPd on LAN
	12:50:35 PM ROOT=E:\pxesrv\files\
	12:50:35 PM DHCPd 10.11.108.228:4011 started...
	12:50:35 PM DHCPd 10.11.108.228:67 started...
	12:50:35 PM TFPTd 10.11.108.228:69 started...
	12:50:35 PM HTTPd:80 started...
	12:50:40 PM DHCPc:another DHCPd detected on your LAN @ 10.11.108.1
	12:51:19 PM DHCPd:DISCOVER received, MAC:00-50-56-BC-6A-DE, XID:887D8425
	12:51:19 PM DHCPd:OFFER sent, IP:0.0.0.0, XID:887D8425
	12:51:23 PM DHCPd:REQUEST discarded, MAC:00-50-56-BC-6A-DE, XID:887D8425
	12:51:23 PM PDHCPd:REQUEST received, MAC:00-50-56-BC-6A-DE, IP:10.11.108.205, XID:631C1C88
	12:51:23 PM Proxy boot filename empty?
	12:51:23 PM PDHCPd:DHCP_ACK sent, IP:10.11.108.205:4011, xid:631C1C88
	12:51:24 PM TFTPd:DoReadFile:ipxe-x86_64.efi B:1468 T:0

Booting a VMware VM that is UEFI without Secure Boot (working)

1:21:50 PM DHCPc:discovering for another DHCPd on LAN
1:21:50 PM ROOT=E:\pxesrv\files\
1:21:50 PM DHCPd 10.11.108.228:67 started...
1:21:50 PM DHCPd 10.11.108.228:4011 started...
1:21:50 PM TFPTd 10.11.108.228:69 started...
1:21:50 PM HTTPd:80 started...
1:21:55 PM DHCPc:another DHCPd detected on your LAN @ 10.11.108.1
1:22:01 PM DHCPd:DISCOVER received, MAC:00-50-56-BC-6A-DE, XID:55AA9007
1:22:01 PM DHCPd:OFFER sent, IP:0.0.0.0, XID:55AA9007
1:22:05 PM DHCPd:REQUEST discarded, MAC:00-50-56-BC-6A-DE, XID:55AA9007
1:22:05 PM PDHCPd:REQUEST received, MAC:00-50-56-BC-6A-DE, IP:10.11.108.205, XID:FF8059DE
1:22:05 PM Proxy boot filename empty?
1:22:05 PM PDHCPd:DHCP_ACK sent, IP:10.11.108.205:4011, xid:FF8059DE
1:22:06 PM TFTPd:DoReadFile:ipxe-x86_64.efi B:1468 T:0
1:22:12 PM DHCPd:DISCOVER received, MAC:00-50-56-BC-6A-DE, XID:4688D620
1:22:13 PM DHCPd:iPXE user-class detected
1:22:13 PM DHCPd:OFFER sent, IP:0.0.0.0, XID:4688D620
1:22:13 PM DHCPd:REQUEST discarded, MAC:00-50-56-BC-6A-DE, XID:4688D620
1:22:16 PM TFTPd:DoReadFile:menu.ipxe B:1432 T:2087
1:22:25 PM HTTPd:Connect: 10.11.108.239, TID=7864
1:22:25 PM HTTPd:Client: 10.11.108.239 [GET] /wimboot
1:22:25 PM HTTPd:Server : Returning /wimboot
1:22:25 PM HTTPd:Client: 10.11.108.239 [GET] /BOOTMGR
1:22:25 PM HTTPd:Server : Returning /BOOTMGR
1:22:25 PM HTTPd:Client: 10.11.108.239 [GET] /BOOTx64.EFI
1:22:25 PM HTTPd:Server : Returning /BOOTx64.EFI
1:22:25 PM HTTPd:Client: 10.11.108.239 [GET] /BOOT/BCD
1:22:25 PM HTTPd:Server : Returning /BOOT/BCD
1:22:25 PM HTTPd:Client: 10.11.108.239 [GET] /BOOT/BOOT.SDI
1:22:25 PM HTTPd:Server : Returning /BOOT/BOOT.SDI
1:22:25 PM HTTPd:Client: 10.11.108.239 [GET] /BOOT/LiteTouchPE_x64.WIM
1:22:25 PM HTTPd:Server : Returning /BOOT/LiteTouchPE_x64.WIM
1:22:47 PM HTTPd:DisConnect: TID=7864
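The two Tiny PXE logs above differ in one telling way: in both cases the TFTP read of ipxe-x86_64.efi completes, but only in the working (non-Secure Boot) run does iPXE come back with a DHCP DISCOVER carrying the iPXE user-class and then fetch menu.ipxe and the wimboot payload over HTTP. The "Proxy boot filename empty?" line appears in both runs, so it is not the discriminator. The script below is an added example (not part of the post or of Tiny PXE) that turns that observation into a log check: it reads Tiny PXE log lines and reports whether the NBP was served, whether iPXE ever ran on the client, and what it fetched afterwards. The embedded samples are trimmed copies of the two logs in the post.

```python
import re

# Trimmed excerpts of the two Tiny PXE logs quoted in the post (sample input).
FAILING_LOG = """\
12:51:19 PM DHCPd:DISCOVER received, MAC:00-50-56-BC-6A-DE, XID:887D8425
12:51:23 PM PDHCPd:REQUEST received, MAC:00-50-56-BC-6A-DE, IP:10.11.108.205, XID:631C1C88
12:51:23 PM Proxy boot filename empty?
12:51:23 PM PDHCPd:DHCP_ACK sent, IP:10.11.108.205:4011, xid:631C1C88
12:51:24 PM TFTPd:DoReadFile:ipxe-x86_64.efi B:1468 T:0
"""

WORKING_LOG = """\
1:22:05 PM Proxy boot filename empty?
1:22:06 PM TFTPd:DoReadFile:ipxe-x86_64.efi B:1468 T:0
1:22:12 PM DHCPd:DISCOVER received, MAC:00-50-56-BC-6A-DE, XID:4688D620
1:22:13 PM DHCPd:iPXE user-class detected
1:22:16 PM TFTPd:DoReadFile:menu.ipxe B:1432 T:2087
1:22:25 PM HTTPd:Client: 10.11.108.239 [GET] /wimboot
1:22:25 PM HTTPd:Client: 10.11.108.239 [GET] /BOOT/LiteTouchPE_x64.WIM
"""

# Tiny PXE log line: "<h:mm:ss AM/PM> <message>"
LINE_RE = re.compile(r"^\s*(\d{1,2}:\d{2}:\d{2} [AP]M) (.*)$")
TFTP_RE = re.compile(r"^TFTPd:DoReadFile:(\S+)")
HTTP_RE = re.compile(r"^HTTPd:Client: \S+ \[GET\] (\S+)")
IPXE_CALLBACK = "DHCPd:iPXE user-class detected"


def diagnose(log_text: str) -> dict:
    """Classify a Tiny PXE boot attempt from its log lines.

    The firmware's own PXE client speaks plain DHCP/TFTP.  Once the downloaded
    NBP (here ipxe-x86_64.efi) actually executes, iPXE re-DHCPs with its own
    user-class, which Tiny PXE logs as 'iPXE user-class detected'.  If the NBP
    is served but that line never appears, the firmware refused to run it
    (the Secure Boot symptom in the post) or the NBP died before networking.
    """
    tftp_reads, http_gets = [], []
    ipxe_ran = False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # ignore lines that are not log records
        msg = m.group(2)
        t = TFTP_RE.match(msg)
        if t:
            tftp_reads.append(t.group(1))
            continue
        if msg.startswith(IPXE_CALLBACK):
            ipxe_ran = True
            continue
        h = HTTP_RE.match(msg)
        if h:
            http_gets.append(h.group(1))

    if not tftp_reads:
        verdict = "nbp-never-requested"          # client never reached TFTP
    elif not ipxe_ran:
        verdict = "nbp-served-but-never-executed"  # firmware rejected/aborted the NBP
    elif not http_gets:
        verdict = "ipxe-ran-no-payload"          # iPXE ran but fetched nothing (menu/URL problem)
    else:
        verdict = "ipxe-ran-payload-fetched"

    return {
        "tftp_reads": tftp_reads,
        "ipxe_ran": ipxe_ran,
        "http_gets": http_gets,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, text in (("secure boot on", FAILING_LOG), ("secure boot off", WORKING_LOG)):
        print(name, "->", diagnose(text)["verdict"])
```

Feed it a full log.txt (Tiny PXE writes one when log=1) to separate "the client never asked for the NBP" (a DHCP/proxyDHCP problem) from "the NBP was served but never ran" (a Secure Boot or NBP problem) before touching the DHCP side.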

#2 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 04 February 2022 - 11:09 PM

Hi,

You need a signed efi boot loader when secureboot is on.

Regards,
Erwan
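Before hunting for a signed build, it helps to be able to tell whether a given .efi network boot program is signed at all. The script below is an added example, not from Erwan's reply or from the iPXE or Tiny PXE projects: it parses the PE headers of an EFI image and reports whether the Authenticode certificate table (data directory entry 4) is present and points at a WIN_CERTIFICATE of the PKCS#7 type. That is a necessary condition for Secure Boot, not a sufficient one: the firmware must also chain the signature to a certificate in its db (normally the Microsoft UEFI CA), which this script does not verify. The build_sample_efi helper constructs a minimal PE32+ image with a placeholder certificate blob purely so the check can be exercised offline; the placeholder is not real PKCS#7 data.

```python
import struct
import sys

# Constants from the PE/COFF and Authenticode specifications.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot for the certificate table
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # WIN_CERTIFICATE.wCertificateType for Authenticode
PE32PLUS_MAGIC, PE32_MAGIC = 0x20B, 0x10B


def inspect_nbp(data: bytes) -> dict:
    """Report whether a PE/EFI image carries an Authenticode certificate table.

    Presence of the table means the file is signed by *someone*; whether the
    platform trusts that signer is a separate question (db/dbx in firmware).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        dd_base = opt + 112          # data directories follow the PE32+ fixed fields
    elif magic == PE32_MAGIC:
        dd_base = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, dd_base - 4)[0]   # NumberOfRvaAndSizes
    n_dirs = min(n_dirs, (opt + opt_size - dd_base) // 8)     # never read past the optional header

    cert_off = cert_size = 0
    has_authenticode = False
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unusually, the security directory's first field is a raw file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        if cert_off and cert_size and cert_off + 8 <= len(data):
            dw_len, _rev, ctype = struct.unpack_from("<IHH", data, cert_off)
            has_authenticode = (ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA
                                and 8 < dw_len <= cert_size
                                and cert_off + dw_len <= len(data))
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "subsystem": subsystem,
        "efi_application": subsystem == IMAGE_SUBSYSTEM_EFI_APPLICATION,
        "cert_table_offset": cert_off,
        "cert_table_size": cert_size,
        "has_authenticode": has_authenticode,
    }


def build_sample_efi(signed: bool) -> bytes:
    """Construct a minimal PE32+ EFI application (no sections, no code) for testing.

    With signed=True a WIN_CERTIFICATE header with a constructed placeholder
    payload is appended; it is NOT real PKCS#7 and would fail any real verifier.
    """
    opt_fixed = bytearray(112)
    struct.pack_into("<H", opt_fixed, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt_fixed, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", opt_fixed, 108, 16)                # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    opt_size = len(opt_fixed) + len(dirs)
    # Machine=AMD64, 0 sections, SizeOfOptionalHeader, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # PE header right after the DOS header
    header_len = 64 + 4 + len(coff) + opt_size
    cert = b""
    if signed:
        payload = b"CONSTRUCTED-PLACEHOLDER-NOT-REAL-PKCS7"
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_fixed) + bytes(dirs) + cert


if __name__ == "__main__":
    if len(sys.argv) > 1:                                     # e.g. python check_nbp.py ipxe-x86_64.efi
        with open(sys.argv[1], "rb") as f:
            print(inspect_nbp(f.read()))
    else:
        for flag in (False, True):
            print("constructed sample, signed=%s ->" % flag, inspect_nbp(build_sample_efi(flag)))
```

Run it against the ipxe-x86_64.efi in the TFTP root: has_authenticode false means no Secure Boot firmware will run it regardless of how the DHCP side is configured; true only means you then need to confirm the signer (for example with sbverify from the sbsigntools package on Linux) against what the client firmware trusts.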

#3 10-96-Tim

10-96-Tim
  • Members
  • 4 posts
  •  
    United States

Posted 07 February 2022 - 03:33 PM

Hi,

You need a signed efi boot loader when secureboot is on.

Regards,
Erwan

Thanks Erwan,

Can you provide any details or point me in the right direction?

Tim



#4 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 08 February 2022 - 07:08 PM

Thanks Erwan,

Can you provide any details or point me in the right direction?

Tim

 

A signed efi ipxe is a bit of the grail... :)

 

Thus there are two versions I know of:

- one in the 2pint software, but it embeds a script so I am not sure this one is usable

- one in the vmware autodeploy package: a bit outdated but can boot wimboot, etc ...

 

I am a bit lazy right now to provide URLs or upload it there, but be my guest ;)

 

/Erwan



#5 Jamal2

Jamal2
  • Members
  • 1 posts
  •  
    Abu Dhabi

Posted 09 February 2022 - 11:22 PM

We use Serva Pro. There's a setting that tells Serva to use Microsoft boot managers which natively support secure boot.

Not free but way cheaper than the MS Server infrastructure required by WDS/MDT, etc.

 



#6 10-96-Tim

10-96-Tim
  • Members
  • 4 posts
  •  
    United States

Posted 09 February 2022 - 11:47 PM

A signed efi ipxe is a bit of the grail... :)

 

Thus there are two versions I know of:

- one in the 2pint software, but it embeds a script so I am not sure this one is usable

- one in the vmware autodeploy package: a bit outdated but can boot wimboot, etc ...

 

I am a bit lazy right now to provide URLs or upload it there, but be my guest ;)

 

/Erwan

Thanks Erwan

I found this http://reboot.pro/in...=34#entry212697 and the entry they refer to, but obviously they are pros and I am a rookie, because after hours of research and testing I came to a dead end.  Just too many missing pieces for me to fill in....

 

I did see mentions about the vmware autodeploy package, but I have a requirement to deploy to a pretty odd piece of hardware so I am doubtful that package would be compatible out of the box.



#7 10-96-Tim

10-96-Tim
  • Members
  • 4 posts
  •  
    United States

Posted 09 February 2022 - 11:48 PM

We use Serva Pro. There's a setting that tells Serva to use Microsoft boot managers which natively support secure boot.

Not free but way cheaper than the MS Server infrastructure required by WDS/MDT, etc.

Thanks.  I'll check it out.  They are being tight on the budget for the project but if the cost is right (aka cheaper than paying me to solve it and maintain it).....



#8 egorvetrov

egorvetrov
  • Members
  • 1 posts
  •  
    Russian Federation

Posted 21 February 2022 - 05:05 PM

oh, thanks

