Jump to content


Otura

SCCM 2012 R2 CU4 - Deploy Windows 7 SP1 with UEFI/SecureBoot fails

By Otura, in Configuration Manager 2012

Recommended Posts

Otura Newbie

Otura

Posted
Posted

Hello.

I've read million of posts saying so, but I would like to ask you for a confirmation. Please.

I have a SCCM 2012 MDT 2013 setup deploying Windows 7 x64 Enterprise SP1 (this is the current corporate image, so no way to go to Win10 yet).

The image deploys MBAM and then the laptop is "BitLockered" when the user logs in. For that, TPM 1.4 chip in the current hardware (Fujitsu Lifebook E734) is used with a PIN.

That setup was working fine, with legacy BIOS (no Secure Boot, no UEFI, MBR...)

 

Now, we have received a new batch of laptops (Fujitsu Lifebook E736). Those implement TPM 2.0. It seem that Bitlocker does not work with TPM 2.0 if UEFI/SecureBoot is not enabled.

I have modified the PXE settings in the DHCP to deliver the UEFI WDS package. I have configured the TS to boot with a x64 boot image and everything works.

The PXE triggers the WinPE, it offers a couple of Task Sequences advertised to the computer, I choose the right one, the TS installs the OS, the TS installs the SCCM client and the Task Sequence TRIES to reboot to the OS.

 

Yes, only tries. After that the laptop complains that it cannot find a bootable device.

 

Can you please confirm my guess (after reading like 1 million web pages) that nobody has found a workaround for this?

 

In short: Is there a way to install Windows 7 x64 on a UEFI/SecureBoot/GPT laptop? Is there anything I should do to make it boot?

 

Thanks in advance...

Share this post

Link to post
Share on other sites
anyweb Proficient

anyweb

Posted
Posted

Windows 7 does not support Secure boot in any way, so that's a big no no, you need Windows 8 or later to work with Secure Boot.

  • Like 1

Share this post

Link to post
Share on other sites
Otura Newbie

Otura

Posted
Posted

Thanks!

 

I've gone to the KB2920188 (https://support.microsoft.com/en-us/help/2920188/update-to-add-support-for-tpm-2.0-in-windows-7-and-windows-server-2008) that keilamym mentioned above and have seen that it mentions explicitly:

Quote

This article describes a hotfix that adds support for Trusted Platform Module (TPM) 2.0 in Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This update changes the TPM OS components and adds the ability to use BitLocker Drive Encryption with TPM 2.0

Note: You must apply this hotfix on a computer that supports to running x64-based versions of Windows and supports UEFI together with Compatibility Support Module (CSM) booting mode.

So, I've downloaded the hotfix, injected it in the WIM file using DISM, reverted back the BIOS to CSM/In-SecureBoot, reverted back the DHCP configuration to provide the non-UEFI wdsnbp.com and relaunched the image of a test laptop....

Fingers crossed...

I will let you know in a couple of hours if it works. If it doesn't most probably you will find a cheap lot of Fujitsus Lifebook E736 on eBay in the coming days....

Share this post

Link to post
Share on other sites
anyweb Proficient

anyweb

Posted
Posted

good luck, but you'll still need to disable Secure boot in the bios in order to boot Windows 7,

 

Windows 7 can work with UEFI mode when the CSM option is set in the bios, but you must disable Secure boot which while related to UEFI, is a separate component

Share this post

Link to post
Share on other sites
Otura Newbie

Otura

Posted
Posted

Yes, in order to enable the CSM I need to disable the Secure Boot first, so that's the combo: CSM / IN-secure boot. That sets the BIOS in legacy mode (BIOS, not UEFI) behavior/mode/whatever.

With that setup the Task Sequence works without any issue. Once the image is deployed, the MBAM client triggers the wizard:

- Verify if TPM is enabled and active: check

- Take ownership of the TPM and store the password in the MBAM database: check

- Encrypt the hard disk: fails miserably complaining that the OS cannot communicate with the TPM

 

That's seems to be because it's TPM 2.0, and it seems to require the Secure Boot enabled. That's why I tried UEFI (which does not work).

It seems that the hotfix allows the OS to communicate with a non-secure boot TPM 2.0.. that's my understanding... or, even more accurate, my hope.

Share this post

Link to post
Share on other sites
anyweb Proficient

anyweb

Posted
Posted

we've deployed Windows 7 with UEFI enabled, TPM enabled and with CSM mode enabled, but of course Secure boot DISABLED, on Lenovo laptops

so something else is going wrong for you, maybe you need to share some logs...

Share this post

Link to post
Share on other sites
Otura Newbie

Otura

Posted
Posted

Yes. I think I don't explain myself.

This table summarizes all the cases:

Case 1 2 3 4 5 6 7 8 9
BIOS type BIOS UEFI UEFI UEFI UEFI UEFI UEFI UEFI UEFI
Secure Boot N/A Enabled Disabled Disabled Enabled Disabled Disabled Disabled Disabled
CSM N/A N/A (Disabled) Disabled Enabled N/A (Disabled) Disabled Enabled Enabled Enabled
TPM 1.x 1.x 1.x 1.x 2 2 2 2 2
Win7x64SP1 Works No boot No boot Works No boot No boot Works Works Works
KB2920188  Not needed Not needed Not needed Not needed N/A N/A N/A Not Installed Installed
BitLocker  Functional Functional Functional Functional N/A N/A N/A Non functional ??

In case 1 you have an old computer with BIOS and TPM 1.x, so everything works fine. As expected.

Cases from 2 to 9 are UEFI cases.

In UEFI, if you have CSM disabled you can enable or not Secure Boot (cases 2,3,5,6), but Windows 7 x64 SP1 won't boot, as it is not compatible with UEFI "native mode" and needs the CSM for backwards compatibility.

In UEFI, you can only activate CSM if you disable Secure Boot, as Secure Boot is not compatible with the legacy/backwards compatibility mode that CSM provides. That is cases 4, 7, 8 and 9. Without Secure Boot and with CSM Windows 7 works. It boots and works normally.

Then, if you have a TPM 1.X (probably 1.4), you won't need KB2920188, as TPM 1.x can work without Secure Boot. (case 4).

But if you have a TPM 2.0 (case 7, 8 and 9) you will need KB2920188 so Windows can communicate with TPM 2.0 with CSM and without Secure Boot.

 

The case you talk about (Windows 7, UEFI, TPM, CSM and no-Secure Boot) works. Perfectly. That is cases 4, 7, 8 and 9 in the table.

In those cases, with TPM 1.4, you will not have any problem (as TPM 1.4 does not require Secure Boot) (case 4) and you will be able to use BitLocker without issues.

In cases with TPM 2.0 you would need to install KB2920188 in order to allow Windows to communicate with TPM 2.0 and use BitLocker.

 

UPDATE AS I WRITE: Even with KB2920188 I get the same error...  :( When the BitLocker wizard kicks-in it asks for the PIN, I provide it, it takes ownership of the TPM chip and then it fails. Message in Event Viewer is:

Quote

 

An error occurred while applying MBAM policies.
VolumeID: \\?\Volume {.....volume GUID here...}

Error code: -2144272392

Details:
The BIOS did not correctly communicate with the Trusted Platform Module (TPM). Contact the computer manufacturer for BIOS upgrade instructions.

Log Name: Microsoft-Windows-MBAM/Admin

Source: MBAM

EventID: 2

Level: Error

User: System

Task Category: VolumeEnactmentFailed

 

 

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.