Diskless boot with UEFI SECURE BOOT
2023-08-12
diskless, boot, client, uefi, secureboot
As of CCBooCloud 2023 ver 0812, Secure Boot is supported (upgrade the server and image).
- Verify UEFI Compatibility
Check if your motherboard firmware supports UEFI and Secure Boot for Windows 10/11. If not, update the motherboard's firmware to the latest version available on the official motherboard website.
If your BIOS version is very old, you must install the updates one by one, from the oldest version to the latest.
- Prepare a USB drive formatted as FAT32 and download Youngzsoft.cer, which is a custom certificate created by our company. This certificate is essential for secure boot access.
- For Realtek NICs (network drivers), you need to download the NIC driver version from the link below (DON'T use the latest driver, it does not work) - https://update.youngzsoft.com/icafecloud/update/realtekwin11.zip
MSI Secure boot
- Access the BIOS settings and navigate to the boot page. (Figure 1)
Figure 1
- Set Secure Boot to Windows UEFI mode (Figure 2)
Figure 2
- Next, on the Secure Boot page under Key Management, import Youngzsoft.cer from the USB drive prepared earlier into DB Management. (Figure 3)
(*DBX is the blacklist of Secure Boot keys. DO NOT IMPORT INTO DBX.)
Figure 3
- When you choose DB Management, it will prompt you to select the input file format. Choose 'Public Key Certificate'. (Figure 4)
Figure 4
- When prompted to append key, click 'No' to continue from USB drive. (Figure 5)
Figure 5
- Select the USB drive; Youngzsoft.cer will then appear in the list. Click on it. (Figure 6)
Figure 6
- Once you are done, save the BIOS changes and go back to create a UEFI boot image.
- Once the image is ready, go to the Boot section of the iCafeCloud admin panel, edit the client PC and select secureboot in the PXE field. (Figure 7)
Figure 7
- If Append key fails, unplug the USB mouse and use only the keyboard, or follow the steps below (Figure 8)
Figure 8
- Here is how to update the BIOS and get Secure Boot to work:
Step 1 - Ensure that you update the BIOS to the latest version.
Step 2 - After the BIOS update is complete, reboot your system.
Step 3 - Unplug the flash drive.
Step 4 - Navigate to the BIOS settings and choose either IEXPO or XMP Profile 1 (Figure 9)
Step 5 - Reboot your system to apply the selected profile.
Step 6 - Load back into the BIOS, go to the Security tab, and follow the steps outlined in the wiki.
Use only the keyboard and unplug the mouse for this to work!
Figure 9
GIGABYTE Secure boot
- Open the BIOS, then go to IO Ports (Figure 1).
Figure 1
- Then go to “Settings>Network Stack Configuration” (Figure 2).
Figure 2
- Enable the network stack if it is disabled (Figure 3).
Figure 3
- Then in the “Boot” tab, check the settings as in the following figures 4 and 5.
Figure 4
Figure 5
- Finally, save and exit (Figure 6).
Figure 6
- Once the reboot is done, open the Secure Boot page again. (Figure 7)
Figure 7
- Navigate to Key Management. (Figure 8)
Figure 8
- On the Key Management page, click on “Authenticated Signatures” and import the Youngzsoft.cer that you previously created. (Figure 9)
Figure 9
- When opting for "Authenticated Signatures," the system will prompt you to choose the input file format. Select 'Public Key Certificate.'
- Following that, it will ask whether you want to append Youngzsoft.cer; click Yes to proceed.
- Once you are done, save the BIOS changes and go back to create a UEFI boot image.
- Once the image is ready, go to the Boot section of the iCafeCloud admin panel, edit the client PC and select secureboot in the PXE field. (Figure 10)
Figure 10
- If a "Failed" error (Secure boot violation) persists after disconnecting the mouse (Figure 11), follow the steps below.
Figure 11
- Locate a PC that can successfully import keys (based on user experience approximately 1/2 of all PCs).
- Import the keys on this PC, save the changes, and navigate to "Export all DB keys".
- Save these keys onto a USB drive.
- Connect the USB drive to the PC that is unable to import keys manually.
- Instead of attempting to append keys from Youngzsoft.cer, update the authorized keys using the record from the USB drive (on Gigabyte motherboards, this file is typically named "db").
- Save the changes and exit.
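Everything inside an exported "db" file becomes trusted for Secure Boot on the PC that loads it, so it is worth listing what the file contains before importing it. The following Python example is added here and is not part of the original wiki or the vendor's tooling; it assumes the exported file is raw EFI_SIGNATURE_LIST data as defined by the UEFI specification, and it uses constructed placeholder bytes in place of real certificates.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined in the UEFI specification.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509: "x509", EFI_CERT_SHA256: "sha256"}

def parse_signature_lists(blob):
    """Yield (type_name, owner_guid, data) for every entry in raw ESL data."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < 28 + header_size or offset + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent sizes in EFI_SIGNATURE_LIST")
        body = blob[offset + 28 + header_size:offset + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            yield TYPE_NAMES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]
        offset += list_size

def unexpected_certs(blob, allowed_sha256):
    """Return SHA-256 fingerprints of X.509 entries that are not on the allow list."""
    found = [hashlib.sha256(d).hexdigest() for t, _, d in parse_signature_lists(blob) if t == "x509"]
    return [fp for fp in found if fp not in allowed_sha256]

def build_list(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST (used here only to construct sample data)."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample: placeholder byte strings stand in for DER certificates.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
VENDOR_CERT = b"constructed-placeholder-for-Youngzsoft.cer-DER"
OTHER_CERT = b"constructed-placeholder-for-an-unknown-certificate"
SAMPLE_DB = build_list(EFI_CERT_X509, OWNER, [VENDOR_CERT]) + build_list(EFI_CERT_X509, OWNER, [OTHER_CERT])

if __name__ == "__main__":
    print("unexpected:", unexpected_certs(SAMPLE_DB, {hashlib.sha256(VENDOR_CERT).hexdigest()}))
```

For a real export, read the file in binary mode and build the allow list from the SHA-256 of the DER-encoded Youngzsoft.cer plus the certificates the firmware shipped with; any fingerprint returned is an entry that should be explained before the file is loaded on another PC.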
Asrock Secure boot
- Go to Advanced Mode (Figure 1)
Figure 1
- Then select Security and click on Secure Boot to enable it (Figure 2)
Figure 2
- For Secure Boot Mode, select Custom (Figure 3)
Figure 3
- Select Key Management (Figure 4)
Figure 4
- Click on the Authorized Signatures (Figure 5)
Figure 5
- A popup window will open with 2 options; select Append (Figure 6)
Figure 6
- After you select Append, it will ask whether to load the factory reset; click “NO” (Figure 7)
Figure 7
- You will get the option to load from the USB drive; press Enter to continue (Figure 8)
Figure 8
- Click on the USB drive that you prepared earlier with Youngzsoft.cer (Figure 9)
Figure 9
- Select Public Key Certificate (Figure 10)
Figure 10
- Next, it will ask whether to append Youngzsoft.cer; click YES (Figure 11)
Figure 11
- You're done. Save the changes and exit.
Figure 12
ASUS Secure boot
- In the BIOS, select Advanced Mode (Figure 1)
Figure 1
- Navigate to “Boot” and click on the secure boot. (Figure 2)
Figure 2
- Select OS type “Windows UEFI mode” and secure boot mode “Custom”.(Figure 3)
Figure 3
- Next, click on Key Management. (Figure 4)
Figure 4
- In the list of options, click on “DB Management”. (Figure 5)
Figure 5
- In DB Management, select Append key. (Figure 6)
Figure 6
- Append key will ask whether to load the factory default; select No. (Figure 7)
Figure 7
- Next, select the USB drive you prepared earlier, as requested at the start of this manual. (Figure 8)
Figure 8
- Next, select the Youngzsoft.cer file (you can find it at the start of this manual). (Figure 9)
Figure 9
- For the input file format, select “Public key Certificate”. (Figure 10)
Figure 10
- Next, it will ask whether to append the key; select Yes. (Figure 11)
Figure 11
- Save the changes and exit. (Figure 12)
Figure 12