VMware Communities
gww3
Contributor

Problems deploying a Windows 10 image created in VM Workstation on physical machine with secure boot enabled

I am using VM Workstation 11.1.4 and I have the guest set to boot using EFI instead of BIOS where I am building my image. Everything installs fine and the image capture works without issue. However, when I deploy the image to a physical machine with secure boot enabled, the system will blue screen when it restarts and begins to install. If I then shut down the guest and turn off secure boot and restart, the image will begin to install.

After doing a lot of testing I cannot find a cause or a solution. I did do one test where I installed just the main OS from a DVD and ran sysprep. I was able to deploy that system with secure boot and it worked. Any other test I did involved creating snapshots at 3 different points so customizations could be easily undone for future image updates. Any image I created from a guest with snapshots fails to load with secure boot.

Has anyone run into this issue and hopefully has a solution?

6 Replies
dariusd
VMware Employee

Interesting.  I assume that the imaging process picks up the VMware platform drivers (VMware SVGA II, VMCI/vsock, VMware Tools...), and the Tools included with Workstation 11.1.4 are not certified for use with Secure Boot and are known to not work correctly with Secure Boot enabled.  I would have thought that they would have simply gone unused, but it is entirely possible that enabling Secure Boot creates a problem for those drivers even being present on the system.

ESXi 6.5 supports UEFI Secure Boot in its virtual machines, so you might wish to try installing the VMware Tools from ESXi 6.5 prior to imaging, and see if the problem still occurs.  Those VMware Tools should work just fine with Workstation 11.1.4 as well.

You can download the VMware Tools for ESXi 6.5 here: https://my.vmware.com/group/vmware/details?downloadGroup=VMTOOLS1015&productId=614  (You might need to register for the free VMware vSphere Hypervisor 6.5 before the download link works... I'm not sure about this.)

Cheers,

--

Darius

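The hypothesis in the reply above (VMware platform drivers left in the image and not certified for Secure Boot) is something you can check before capturing rather than guess at. The script below is an added diagnostic, not code from the thread or from VMware: run it in an elevated PowerShell 5.1 session inside the Windows 10 guest before sysprep, or on the deployed physical machine after booting it with Secure Boot off. It records firmware mode, Secure Boot state, and the signature status and signer of every boot-start and system-start kernel driver, so the snapshot and no-snapshot images can be compared line by line. The registry layout and ImagePath spellings it normalises are the standard Windows ones; it assumes no exotic ImagePath prefixes beyond those handled, and it does not by itself explain the snapshot correlation discussed later in the thread.

```powershell
# Added diagnostic for the thread above; not from the original posts or from VMware.
# Requires an elevated session (Confirm-SecureBootUEFI needs it).

function Get-PlatformBootState {
    # $env:firmware_type is "UEFI" or "Legacy". An image captured from a
    # BIOS/MBR install cannot boot a Secure Boot machine regardless of drivers.
    $firmware = $env:firmware_type
    # Confirm-SecureBootUEFI throws on legacy BIOS and on firmware that does not
    # expose the SecureBoot variable, so report that as "unknown" instead of failing.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = 'unknown' }
    [pscustomobject]@{ Firmware = $firmware; SecureBoot = $secureBoot }
}

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # ImagePath under the Services key appears in several spellings
    # (\SystemRoot\..., System32\..., \??\C:\...); normalise the common ones.
    # Assumption: no other prefixes are in use on the image being inspected.
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\\?\?\\')        { $p = $p -replace '^\\\?\?\\', '' }
    if ($p -match '^\\SystemRoot\\')  { $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" }
    elseif ($p -match '^System32\\')  { $p = Join-Path $env:SystemRoot $p }
    elseif (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-BootDriverSignatures {
    # Type 1 = kernel driver, 2 = file system driver; Start 0 = boot, 1 = system.
    # These load before the rest of the OS, which is where a driver rejected by
    # the Secure Boot signing policy would surface as an early boot failure.
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem $services | ForEach-Object {
        $prop = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($prop.Type -in 1,2 -and $prop.Start -in 0,1 -and $prop.ImagePath) {
            $file = Resolve-DriverImagePath $prop.ImagePath
            if (Test-Path $file) {
                # Get-AuthenticodeSignature also consults installed catalogs, so
                # inbox drivers signed only through a .cat normally show as Valid.
                $sig = Get-AuthenticodeSignature -FilePath $file
                [pscustomobject]@{
                    Service = $_.PSChildName
                    Start   = $prop.Start
                    File    = $file
                    Status  = $sig.Status
                    Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        }
    }
}

Get-PlatformBootState | Format-List

# Non-Microsoft signers (for example a VMware driver pulled in by the imaging
# process) and anything whose Status is not Valid are the rows to compare
# between the snapshot and no-snapshot images.
Get-BootDriverSignatures |
    Sort-Object @{ Expression = { $_.Signer -notmatch 'Microsoft' }; Descending = $true }, Status, Service |
    Format-Table Service, Start, Status, Signer -AutoSize
```

A `NotSigned` result on a Microsoft inbox driver usually means the catalog lookup missed rather than a genuinely unsigned file, so treat the signer column, not the status alone, as the thing to diff between the two images.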
gww3
Contributor

I do not install the VMware Tools. I just attach an ISO whenever I need to copy software over. It would appear to be an issue when creating the snapshots, since I can create an image that will boot if I just install the OS disk and capture, but it will not boot with secure boot if I install the OS and take snapshots, then capture.

dariusd
VMware Employee

OK, I'm a bit confused here.  Are you talking about having Secure Boot enabled on a host, and then deploying the imaged OS directly onto that physical host (i.e. not deploying it into a virtual machine running in VMware Workstation on the host with Secure Boot enabled)?  Are you launching the imaging process from inside the virtual machine, or from the host (by pointing a host-side application at the virtual machine's files)?

If it's not too much hassle, I'd like to ask you to repeat your explanation of the steps you're following leading up to the problem, but assume that I know very little about OS imaging (because it's generally true) and assume that I'm perhaps being a bit stoopid (because... sometimes that's true too).  So, please be quite clear about what's being done on a physical host running Workstation versus what's being done on a physical host that's not running Workstation versus what's being done inside a virtual machine running inside Workstation.  You can assume that I'm quite familiar with VMware Workstation and installing Windows, but not necessarily familiar with OS imaging and deployment; I just need to better understand what you're doing so that I can try to figure out why it could possibly be failing.

Thanks for your understanding,

--

Darius

gww3
Contributor

Here is the basic rundown:

  • I have VM Workstation running on a Windows 7 x64 host.
  • I created a guest with EFI boot and installed the Windows 10 x64 OS and applications, taking snapshots after the OS install and after the application install.
  • Run sysprep and shut down the guest.
  • Start up that guest and PXE boot to the network card.
  • Capture the image using WDS on an external physical server.
  • Deploy this captured image to an external UEFI-partitioned physical system with secure boot enabled.
dariusd
VMware Employee

So, to double-check my understanding, the "Deploy this captured image" step fails with a Windows BSOD on boot if (and only if) both of the following conditions are met:

1. At least one snapshot was taken of the virtual machine after OS installation and before imaging (even if there is never a snapshot revert/restore operation???); and

2. The physical system onto which the image is deployed has Secure Boot enabled.

So if you take a snapshot and then proceed to the imaging and deployment onto a physical machine with Secure Boot disabled, it works, and alternatively if you do not take a snapshot and proceed to imaging and deployment onto a physical machine with Secure Boot enabled, that also works?  It sounds like it.

(Again, sorry for going slowly here.  I've got very few (i.e. one) idea of a possible root cause, and it's a bit of an odd one and very tenuous, so I'd like to check that I'm understanding all the parameters correctly.)

If my understanding is correct, I would be most interested to see what would happen if you tried the following...  Create a fresh Windows 10 x64 virtual machine, and before powering it on, quit Workstation and edit its .vmx file to include the following line towards the end of the file:

   vmGenCounter.enable = "FALSE"

Then relaunch Workstation, power on the virtual machine, and proceed to install the OS and image it as before.  I would be extremely surprised if this made any difference, but it is the only idea I've got... Snapshots are supposed to be entirely invisible to the guest OS such that the VM can't change its behavior according to the existence of a snapshot, and the VM Generation Counter is the only place where it's made visible, and even then it should only be visible when there's a snapshot restore/revert operation, not merely when a snapshot is created.  If the result of the deployment is really different based upon whether or not a snapshot has been taken, something's going very wrong.

Thanks again,

--

Darius

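The .vmx edit suggested above is a one-line change, but it is easy to get wrong by hand: a duplicate `vmGenCounter.enable` line, or a file rewritten as UTF-16, leaves the setting ambiguous when Workstation reads it back. The helper below is an added example, not code from the thread or from VMware. It sets or replaces a single `key = "value"` line in a .vmx file idempotently, refuses to touch a VM that Workstation still holds a `.vmx.lck` lock directory for (an assumption that the lock directory is a good enough proxy for "powered on"), and writes the file back as ASCII. The path in the usage line is hypothetical.

```powershell
# Added helper, not from the original thread or from VMware.
# Run on the Workstation host with Workstation closed and the VM powered off.
function Set-VmxSetting {
    param(
        [Parameter(Mandatory)][string]$VmxPath,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    if (-not (Test-Path $VmxPath)) { throw "vmx not found: $VmxPath" }
    # Workstation keeps a <name>.vmx.lck directory beside the file while the VM
    # is powered on; assumption: treat its presence as "do not edit".
    if (Test-Path "$VmxPath.lck") { throw "VM appears to be running or locked: $VmxPath" }

    # Match the key at the start of a line, tolerating the whitespace
    # Workstation itself writes around the '='.
    $pattern  = '^\s*' + [regex]::Escape($Key) + '\s*='
    $newLine  = '{0} = "{1}"' -f $Key, $Value
    $replaced = $false

    $out = @(foreach ($line in Get-Content -Path $VmxPath) {
        if ($line -match $pattern) {
            # First occurrence is rewritten in place; any later duplicate of the
            # same key is dropped so the file ends up with exactly one.
            if (-not $replaced) { $replaced = $true; $newLine }
        } else {
            $line
        }
    })
    if (-not $replaced) { $out += $newLine }   # key absent: append, as the reply describes

    # .vmx files are plain ASCII; avoid Out-File's default UTF-16 on Windows PowerShell.
    Set-Content -Path $VmxPath -Value $out -Encoding Ascii
    return $replaced   # $true if an existing line was replaced, $false if appended
}

# Usage (hypothetical VM path), applying the setting from the reply above:
Set-VmxSetting -VmxPath 'C:\VMs\Win10-EFI\Win10-EFI.vmx' -Key 'vmGenCounter.enable' -Value 'FALSE'
```

Keep a copy of the original .vmx before running it; the function rewrites the whole file, and Workstation will also rewrite it on next power-off, so confirm the line survived with `Select-String -Path <vmx> -Pattern 'vmGenCounter'` after the first boot.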
gww3
Contributor

I am going to give this a try and report back. I just tried to create an image using Hyper-V, since it has secure boot enabled on Gen 2, and got the same results. I also just wanted to add that the Windows stop code I get is "0xc00000021a".
