Issues with Windows Boot Manager

brianjpugh

I’m working with security oriented customized versions of Windows 10 and Windows Server 2016 and when I let the FOG network boot timeout to the first harddrive, it won’t boot. I have messed with the Exit settings and it didn’t change anything. It is similar to the flashing cursor on a blank screen, but in this case it has “call cmain()…” (or similar). I did have secure boot turned on at the time, but a stock Windows 10 Enterprise install didn’t have these issues.

For the Windows 10 image, I was able to create install media with Microsoft Deployment Toolkit then install that to a bare machine. The image was then captured from it. Reimaging the machine works, but I can’t tell FOG to boot the first hard drive. In my BIOS (ASUS UEFI) it lists both the hard drive it is on, along with a entry for “Windows Boot Manager”. Of course, only selecting the WBM will allow the system to boot.

My Windows server image is more restricted. The Security customization left me with only a virtual machine in Hyper-V to capture my image from. I’m still able to grab the image with FOG and install it to bare machines just fine. Once again, “boot from first harddrive” isn’t working because of the Windows Boot Manager entry.

My requirements dictate that the machines have to boot from the FOG server first, or I would just change the boot order on them.

Update

I have disabled the secure boot from my bios and reinstalled the Windows 10 SHB from the install disk the process created. I grabbed an image after that with FOG (no changes to settings), redeployed, and tried it out. No Problems Encountered (and thus nothing useful to help resolve the original issue.).

As far as Windows Server 2016 SHB, if I go through the process again on a machine with secure boot disabled, it would work. The process for Server doesn’t create an installer disk, just a virtual machine in Hyper-V.

george1421

What do you have configured (In FOG as a uefi exit mode for this host?

brianjpugh

Exit to Hard drive type: GRUB
Exit to Hard drive type (EFI): REFINED_EFI

I have tried all the different settings for Exit to Hard drive (but not the EFI one) with various results, but nothing that worked. I disabled secure boot on the machine since, but I still have to deal with the windows boot manager.

Sebastian Roth

@brianjpugh said in Issues with Windows Boot Manager:

security oriented customized versions of Windows 10 and Windows Server 2016

What exactly do you mean by that? Can mean a lot of things I suppose. Please be more specific. Have you tried on different hardware? Possibly it’s just the ASUS having an issue with exiting from iPXE to boot from disk?

george1421

@brianjpugh For UEFI systems, we find that refind works the best. Is your firmware up to date on the ASUS unit?

brianjpugh

@sebastian-roth I’m having to work with Department of Defense “Secure Host Baseline” versions of Windows. They use Microsoft Deployment Toolkit to create install media or Hyper-V virtual machines for which I have very little control over. I could try to re-install the Windows 10 I have to and regrab a image to see if that resolves any problems I have. For the Windows Server, it is via a Hyper-V machine so I have no control over the BIOS settings there.

Sebastian Roth

@brianjpugh I’ve just been wondering if this is a hardware (ASUS) related issue or something to do with FOG itself or the "Secure Host Baseline” versions of Windows. To take this discussion one step further we need to rule out one after the other. Maybe start by installing plain Windows 10 on your ASUS hardware and see

“boot from first harddrive” isn’t working because of the Windows Boot Manager entry.

I am not sure what exactly you are referring to when saying “Windows Boot Manager entry”. Sounds a bit like you are talking about an UEFI boot entry but not sure. Maybe best if you could post a picture of what you see/mean.

For the Windows Server, it is via a Hyper-V machine so I have no control over the BIOS settings there.

Haven’t used Hyper-V much yet but I am fairly sure this has some kind of BIOS/UEFI settings just as all other visualization solutions have!

george1421

@brianjpugh STIG or NIST security controls have no impact on this. The issue is finding the right combination between UEFI firmware and refind settings to allow refind to detect this hard dirive. Sometimes we see issues in flaky UEFI firmware on the target computer, or the uefi drive not being in the location that refind is looking.

When you select refind as a uefi exit mode for this hardware what happens? Screen shots would help, if you are allowed (since you are running under DoD controls).

Lee Rowlett

check BIOS for multiple windows boot manager entries this could potentially be adding to the issue?
for example:

brianjpugh

@lee-rowlett I only have one in my list, but it is causing all my problems. I’m still given the option to boot from the hard drive that WBM is pointing too, but it doesn’t boot and kicks me back to the BIOS configuration (no errors given).