We use SCCM in our environment for client deployment. A few months ago, we updated the boot image with the latest compatible Windows ADK, but when I checked the bootloader certificates, they appeared to still be the old ones. What does the update process look like in this case? I know that a new feature for certificate updates was added in SCCM 25.09. Is this sufficient to update an existing image and continue using PXE boot for all clients? Or does the boot image actually need to be completely rebuilt?
Hi JonasKrueger,
Maybe I can help you on this point.
The new option "Use Windows Boot Loader signed with Windows UEFI CA 2023" is only for the PXE responder without Windows Deployment Services. If you don't configure PXE with "Enable a PXE responder without Windows Deployment Service", the UEFI CA 2023 option has no effect.
If you still want to rely on PXE with WDS, you need to copy wdsmgfw.efi and bootmgfw.efi from %windir%\System32\RemInst\boot_EX\x64 on your up-to-date server to %RemoteInstallFolder%\SMSBoot\x64. Then remove the "_EX" suffix from the files.
I hope this information helps.
Kind regards,
Matias
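As an added example (not part of Matias's reply or of any Microsoft tooling), the PowerShell below stages the two "_EX" loaders into the WDS PXE folder as described above, keeps a rollback copy, and uses Get-AuthenticodeSignature to show which CA signed each .efi before and after. The RemoteInstall path is a placeholder, and the check for "Windows UEFI CA 2023" in the signer's issuer name is an assumption about how the 2023-signed loaders chain; adjust both to what you see on your server.

```powershell
# Added example: stage 2023-signed boot loaders for WDS-based PXE and verify signers.
param(
    [string]$RemoteInstallFolder = 'D:\RemoteInstall',   # placeholder for %RemoteInstallFolder%
    [switch]$WhatIfOnly                                  # report only, change nothing
)

$source = Join-Path $env:windir 'System32\RemInst\boot_EX\x64'
$target = Join-Path $RemoteInstallFolder 'SMSBoot\x64'

function Get-BootLoaderSigner {
    # Returns who signed a PE/EFI file; used to tell 2011-era from 2023 CA loaders.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = Split-Path $Path -Leaf
        Status = $sig.Status
        Issuer = $sig.SignerCertificate.Issuer
        # Assumption: 2023-signed loaders chain to an issuer named "Windows UEFI CA 2023".
        Is2023 = [bool]($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
    }
}

function Show-PxeLoaders {
    param([string]$Label)
    Write-Host "--- $Label ---"
    Get-ChildItem -Path $target -Filter '*.efi' -ErrorAction Stop |
        ForEach-Object { Get-BootLoaderSigner $_.FullName } |
        Format-Table -AutoSize
}

Show-PxeLoaders 'Current files served by PXE'

foreach ($name in 'wdsmgfw', 'bootmgfw') {
    $src = Join-Path $source "${name}_EX.efi"
    $dst = Join-Path $target "$name.efi"        # destination name has no _EX suffix
    if (-not (Test-Path $src)) { Write-Warning "Missing $src (server not fully updated?)"; continue }
    $signer = Get-BootLoaderSigner $src
    if (-not $signer.Is2023) { Write-Warning "$src is not 2023-signed; skipping"; continue }
    if ($WhatIfOnly) { Write-Host "Would copy $src -> $dst"; continue }
    if (Test-Path $dst) { Copy-Item -Path $dst -Destination "$dst.bak" -Force }   # rollback copy
    Copy-Item -Path $src -Destination $dst -Force   # copy and rename in one step
}

if (-not $WhatIfOnly) { Show-PxeLoaders 'Files served by PXE after staging' }
```

Run it once with -WhatIfOnly to see the current signers without touching anything, then without the switch on the distribution point hosting WDS.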
robbinsa, Jun 04, 2026, Copper Contributor
Thank you, I will try this out. I have been mounting and patching winpe.wim, trying to get a 2023-signed copy of bootmgfw.efi to copy out to the ADK as bootx64.efi, as I'm sure I had done about a year and a half ago, and I just keep getting 2011-signed .efi files except for bootmgfw_EX.efi. I kept the files to manually swap out, but I'm trying to avoid that if possible. I don't recall simply renaming and overwriting, but maybe that's what I had done.
Then the next step was to try to address WDS, and I haven't been able to get any AMA replies about this, or even on my open MS case via a 3rd party. If I keep struggling with WDS, the next step is to try moving away from it, working with the NET team on IP helpers and DHCP options.