Recently I had to install Windows through SCCM and a remote distribution point with PXE support enabled at a remote site that doesn’t have an IT technician available, and this turned into a challenge for a regular user. I’m using an MDT task sequence and we support Secure Boot. To make it work, a few settings in the BIOS need to be changed; the factory default setup wouldn’t work.
- Under System Configuration:
  - Integrated NIC – Enabled w/PXE; make sure that Enable UEFI network stack is checked as well
  - SATA Operation – AHCI
  - Secure Boot – Enabled, Legacy Support Disabled. If your environment doesn’t support Secure Boot, disable it; however, it’s not that hard to support it in SCCM (nowadays MEM), so please do it, it’s a nice security feature. Pretty much all you have to do is add the Microsoft Secure Boot Cmdlets (WinPE-SecureBootCmdlets) component to your boot image and enable it in the BIOS.
- In the MDT task sequence, the step that formats new computers is under the UDI wizard and, surprise, surprise, is named Format and Partition Disk (UEFI), with the following settings:
  - Disk number – 0 (the first in the workstation; check the BIOS if unsure)
  - Disk Type – GPT
  - Under Volume I have the following partitions:
    - Windows RE Tools (Recovery) – 499 MB, fixed size, NTFS file system
    - EFI (EFI) – 512 MB, fixed size, FAT32 file system
    - MSR (MSR) – 128 MB, fixed size, partition type MSR; these three don’t have a drive letter assigned
    - OSDisk (Primary) – 100% of remaining free space, NTFS file system; I have the drive letter stored in the variable OSDisk
This step is crucial: if it is skipped, the task sequence will start, but it will fail after the first reboot with a “No bootable device found” error. IMHO every PXE boot should go through UEFI today.
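As an added example (not part of the original post or of MDT/SCCM), here is a PowerShell check you can run on a deployed workstation to confirm it booted UEFI with Secure Boot on and that disk 0 carries the four-partition GPT layout above. The expected sizes, types and file systems are taken from the task sequence settings; the 16 MB tolerance and the assumption that the OS disk is disk 0 are mine.

```powershell
# Added check, not from the original post: verify UEFI boot, Secure Boot and
# the Recovery / EFI / MSR / OSDisk GPT layout described in the task sequence.
# Run from an elevated PowerShell session on the deployed workstation.
$DiskNumber  = 0      # assumption: OS disk is disk 0, as in the task sequence
$ToleranceMB = 16     # assumption: allow small rounding differences in size

# Expected layout in creation order (sizes from the task sequence settings)
$Expected = @(
    @{ Name = 'Windows RE Tools'; Type = 'Recovery'; SizeMB = 499;   FS = 'NTFS'  },
    @{ Name = 'EFI';              Type = 'System';   SizeMB = 512;   FS = 'FAT32' },
    @{ Name = 'MSR';              Type = 'Reserved'; SizeMB = 128;   FS = $null   },
    @{ Name = 'OSDisk';           Type = 'Basic';    SizeMB = $null; FS = 'NTFS'  }
)
$problems = New-Object System.Collections.Generic.List[string]

# A Legacy/CSM boot is what leads to the "No bootable device found" failure.
if ($env:firmware_type -ne 'UEFI') { $problems.Add("Firmware type is '$($env:firmware_type)', expected UEFI") }
try {
    if (-not (Confirm-SecureBootUEFI)) { $problems.Add('Secure Boot is disabled in the firmware') }
} catch { $problems.Add("Secure Boot state could not be read: $($_.Exception.Message)") }

# The disk must be GPT; an MBR disk cannot hold an EFI System Partition.
$disk = Get-Disk -Number $DiskNumber
if ($disk.PartitionStyle -ne 'GPT') { $problems.Add("Disk $DiskNumber is $($disk.PartitionStyle), expected GPT") }

$parts = @(Get-Partition -DiskNumber $DiskNumber | Sort-Object PartitionNumber)
if ($parts.Count -ne $Expected.Count) { $problems.Add("Found $($parts.Count) partitions, expected $($Expected.Count)") }

for ($i = 0; $i -lt [Math]::Min($parts.Count, $Expected.Count); $i++) {
    $p = $parts[$i]; $e = $Expected[$i]; $label = "Partition $($p.PartitionNumber) ($($e.Name))"
    if ($p.Type -ne $e.Type) { $problems.Add("${label}: type $($p.Type), expected $($e.Type)") }
    if ($e.SizeMB -and [Math]::Abs(($p.Size / 1MB) - $e.SizeMB) -gt $ToleranceMB) {
        $problems.Add("${label}: $([int]($p.Size / 1MB)) MB, expected ~$($e.SizeMB) MB")
    }
    if ($e.FS) {
        # MSR has no volume, so the file system is only checked where one is expected
        $fs = (Get-Volume -Partition $p -ErrorAction SilentlyContinue).FileSystem
        if ($fs -ne $e.FS) { $problems.Add("${label}: file system '$fs', expected $($e.FS)") }
    }
}

if ($problems.Count -eq 0) { Write-Output "OK: disk $DiskNumber matches the UEFI/GPT layout and Secure Boot is on" }
else { $problems | ForEach-Object { Write-Output "FAIL: $_" } }
```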