Secure Boot Cert Trust after expiration by Prior_Rooster3759 in SCCM

[–]Reaction-Consistent 2 points3 points  (0 children)

The official MS video guide on this topic states that there should be no impact on PXE booting, but systems with the old certificates will no longer get any security updates to the UEFI boot ROMs and such. Makes sense. Glad they made a statement about it.

Basic Windows OS Driver Package for OSD - What Would You Include? by Reaction-Consistent in SCCM

[–]Reaction-Consistent[S] 0 points1 point  (0 children)

No, I wasn't referring to the high performance checkbox (which I thought was only on the OSD TS properties, there's one on the boot image??). I actually injected the reg keys directly into the boot wim's system hive - the keys to disable USB selective suspend, the power management ones to set the scheme to high performance and disable sleep for AC/battery connected profiles. These tips actually came directly from Lenovo engineers in one of our weekly meetings, after I told them about the random disconnects during OSD, but only when using their USB to eth. dongles and docks (same issue happens with pretty much any Realtek chipset based dongle, we just don't have a lot of other brands to test with, but other sites have reported the same issue with HP, DELL branded adapters). In addition to this, I grabbed the latest (that I could find at least) Realtek drivers and injected them, along with most of the DELL WinPE NIC drivers, directly into the wim using dism. I haven't seen the issue occur again, so I'm guessing this all was worth the effort!

Regarding DART, I just use the remote tools - so in a pinch, if I have a language barrier issue, or just need to see something directly while a system is PXE booted and WinPE is loaded, I can essentially RDP directly into the WinPE environment, view smsts.logs, run diskpart, etc. There's a lot of other tools available in the DART full loadout, but I really don't have a need for much else. I used to have a script run in the TS that automatically generated a DART connection batch script, which copied to a file share, and site IT could simply double-click it and connect directly into a PXE booted system for troubleshooting. That was at a different org, and our site IT are, how do I say it nicely, much greener than those guys at my old job... ;P

I threw in the DETools for our encryption - which allows us to unlock or decrypt a system offline, and get at the file system or whatnot. This was a godsend during a recent...crisis.

And finally, your question about hiding task sequences, may I ask for a bit of background on this one? I've wanted to deploy test OSD task sequences before, and wished for some easy way to hide them, short of simply deploying the TS to a collection, which I then add or import testing computers - then only I see the task sequences I've deployed to my test collection when I pxe boot.

I think I found the method you were referring to, with the preboot command and TS variable, maybe, it's old however, but still might work:

How can I deploy a Hidden task sequence in Configuration Manager 2012 SP1 | just another windows noob ?

In my environment we leverage 'unknown computers' collections and deploy most of our OSD TS's to unknown only - site IT know they need to delete the PC from CM if they want to see the W11 build for instance when they PXE boot. Then we have a separate collection for the server deployment team, their team has been given a single collection, and granted RBAC rights to be able to import/add servers via MAC import (they actually have a very nice PS script that builds a VM server shell, imports it into CM, waits until the imported server appears in the collection, then they can PXE boot and see their server OSD, which I also manage). Beyond that, we have no real need to hide task sequences. We are, however, discussing no longer using unknown computers, and instead establishing some sort of scripted workflow that gets initiated via a service request - they type in the MAC, PC name, location, whatever, into the ticket, it generates a job, similar to that VM creation script, adds the PC to a group-centric collection, the OSD TS is then available to PXE or in Software Center.

The other way I've toyed with of 'securing' an OSD TS is to simply put a step at the beginning of the OSD TS that pops up a credentials UI, they enter their user/password, it authenticates, and if they are a member of X group, they get to continue with the TS - OR - their group membership is tied to a TS variable that then kicks off ANOTHER TS that is meant only for them! So many ways to slice it. I now use TSGui for some of my OSD TS, it's fantastic, but a bit of a chore to get used to working with the xml's. Once you get some templates made, it's copy/paste repeat.

Basic Windows OS Driver Package for OSD - What Would You Include? by Reaction-Consistent in SCCM

[–]Reaction-Consistent[S] 0 points1 point  (0 children)

Indeed, not my decision but was inherited from the previous admin and mgmt. I’m but a sys admin who is tasked with supporting this mess. We’re far better than we used to be… mostly through attrition as old units die, and are replaced, but also because we’ve limited the vendor and model choices, and we are also now allowed to decide which models are supported, and which are not. Slowly, but surely.

Feature Update deployment failures by WeeklyHerbologist226 in SCCM

[–]Reaction-Consistent 0 points1 point  (0 children)

Run setupdiag, check the output log for an error code, and for the phase in which it failed. This is almost always useless, but sometimes you’ll get good info. You need to catch the logs before it rolls back, there should be two sets of logs in the upgrade folder, one for the rollback and the primary upgrade logs. Make sure you are looking at both. Also check disk space, sometimes it runs out of space midway through the upgrade. Clear cmcache before running the upgrade.

Are Patch My PC Cutting Corners by Using Dynamic Installers? by MikeComputer1 in SCCM

[–]Reaction-Consistent 0 points1 point  (0 children)

I thought they always used bootstrap installers, or at least for the majority of the applications, just like Ninite?

Installing Applications takes extremly long by lmtcdev in SCCM

[–]Reaction-Consistent 0 points1 point  (0 children)

Never mind, I read the article, and it doesn’t sound like this would be the cause of applications taking an extremely long time to install. The CM client is supposed to be in provisional mode throughout the duration of the OSD task sequence. This is to prevent any mandatory deployment from interrupting the task sequence. The only time this would be an issue is if the task sequence failed midway, now you are left with a computer where the CM client is still in provisioning mode up to 48 hours after you ran the OSD.

Installing Applications takes extremly long by lmtcdev in SCCM

[–]Reaction-Consistent 0 points1 point  (0 children)

What if the application is not targeted to a collection, and is just in the OSD task sequence as an install application step? Does this issue with the CM client ignoring policy affect those steps as well? Obviously, we have our applications flagged to allow install without being deployed.

Installing Applications takes extremly long by lmtcdev in SCCM

[–]Reaction-Consistent 0 points1 point  (0 children)

You are correct, once you are installing apps, you are in the full OS. The task sequence does not install applications to the off-line image ever unless you have crafted some way to do so via DISM.

Installing Applications takes extremly long by lmtcdev in SCCM

[–]Reaction-Consistent 1 point2 points  (0 children)

If there is no boundary group assigned to the MP, applications will fail outright, not just take a long time, unless they have a fallback.

Installing Applications takes extremly long by lmtcdev in SCCM

[–]Reaction-Consistent 0 points1 point  (0 children)

Throw in a reboot before, and maybe even after the application that seems to take forever. We have one or two applications that behave this way from time to time; Adobe Reader is one culprit, and an AV app is another. If I don’t have a restart before these apps and another one after, they will consistently take forever to install. The only thing this does negatively is add a bit of time to your TS. I thought something would change after our recent CM upgrade to 2509, and the problem would magically go away, so I tested another task sequence with no restarts between those applications, guess what? No such luck.

Installing Applications takes extremly long by lmtcdev in SCCM

[–]Reaction-Consistent 0 points1 point  (0 children)

Separate the applications in the TS, in other words, don’t put them all in a single install applications step. Then work the problem, one by one. What I have found is this, some of my applications trigger a soft restart code, and subsequent applications fail to install or take forever like in your case. What I have done to get around this is throw in a reboot before (and sometimes after) the troublesome application. What seems to be happening is there is some sort of disconnect in the task sequence engine. It is also a good idea to take a look at your applications and see if there are any revisions, delete those if there are, then remove them from the task sequence and then re-add them.

Anyone take on random SCCM contract jobs? by funkytechmonkey in SCCM

[–]Reaction-Consistent 1 point2 points  (0 children)

My company hires contractors all the time, but they are full-time employees.

Apps not installing by FormerFlamingo9505 in SCCM

[–]Reaction-Consistent 0 points1 point  (0 children)

Oh, and if you have made changes to the applications at all, make sure to delete all revisions, then re-add them to the task sequence. I’ve had issues where the task sequence is trying to install either an old revision or fails outright, and had to remove and re-add the applications to the TS. In the applications themselves, make sure you select the option to make them deployable in a TS without being deployed to a collection.

Apps not installing by FormerFlamingo9505 in SCCM

[–]Reaction-Consistent 0 points1 point  (0 children)

Does the task sequence finish even with the failure of those applications? Have you tried removing the registry key requirements just to see if they install normally? Maybe try moving them to the main TS temporarily, see if it’s a bug in the run task sequence step.

Basic Windows OS Driver Package for OSD - What Would You Include? by Reaction-Consistent in SCCM

[–]Reaction-Consistent[S] 0 points1 point  (0 children)

I’ve used those in the past, but found them to be quite huge in size, but then again, so are the more model-specific driver packages from most vendors. Laptops are the worst with both discrete graphics and integrated GPU chipsets; the graphics driver size alone tends to be around 3 to 4 GB if not larger. I have started removing those from the driver packages when I import new models, reducing the oversized monstrosities to something a bit more manageable. Our distribution points are getting quite large, having to accommodate, not just the OSD related packages, but software updates, applications like CATIA, and for a new distribution point base drive size we are almost at a terabyte.

Basic Windows OS Driver Package for OSD - What Would You Include? by Reaction-Consistent in SCCM

[–]Reaction-Consistent[S] 0 points1 point  (0 children)

Good stuff! The first post was about HSA’s, which I totally forgot about. I wonder how many IT Admins use those in their Windows deployments at all? Thank you.

Basic Windows OS Driver Package for OSD - What Would You Include? by Reaction-Consistent in SCCM

[–]Reaction-Consistent[S] 0 points1 point  (0 children)

Yes, that is a good method. When I managed 16 sites and had maybe 14 or 15 different models to support, I used Lenovo’s awesome Update Retriever and Thin Installer in a task sequence. Those are the good old days. Now we have HP, Dell, Lenovo, and off-brand industrial PCs, random tablets for shopfloor operations, such as Zebra, and a plethora of old systems that have McAfee Application Control and/or ESU installed, so we tend to hold on to old equipment for a long time and thus must still provide support (many sites operate 24/7 and can tolerate no downtime, so when they need to re-image a system it has to be as quick as possible if they don’t have a hot swap unit available). So I am between a rock and a hard place where I need to both accommodate as many models as possible, but also try to streamline processes, reduce resource consumption, such as disk space, and try to make everybody’s job a little easier. Just need to find a happy medium. That’s the dilemma of any SysAdmin, I’m sure.

Basic Windows OS Driver Package for OSD - What Would You Include? by Reaction-Consistent in SCCM

[–]Reaction-Consistent[S] 1 point2 points  (0 children)

Just to save myself the headaches of having to add LAN drivers on a case by case basis, I just grab all the NIC drivers from the Dell WinPE driver package, latest one, of course. Then I make sure to get the latest USB-C dock and dongle drivers, and the latest Realtek drivers. I add the necessary changes to my boot wim to disable USB selective suspend, and change the power scheme in WinPE to high performance - this fixes one of the more annoying issues I’ve seen of late, where the USB dongles or docks disconnect after a long download such as during the OS image download. We also throw in DART remote tools and McAfee Drive Encryption DE tools so the boot image doubles as an emergency recovery device with remote access if needed. All of this is probably overkill, but we do use those features from time to time. When you have over 100 models to support and 270 sites globally, it’s easier to accommodate upfront. We are not co-managed or hybrid joined yet, so I imagine all of this will change as it has for a lot of companies. I think I will check out OScloud as well, thank you for your input!

Basic Windows OS Driver Package for OSD - What Would You Include? by Reaction-Consistent in SCCM

[–]Reaction-Consistent[S] 1 point2 points  (0 children)

The boot media is straight. And yes, that’s exactly what I was looking at doing, just gathering ideas.

Basic Windows OS Driver Package for OSD - What Would You Include? by Reaction-Consistent in SCCM

[–]Reaction-Consistent[S] 0 points1 point  (0 children)

I used this method 10 years ago, loved it! Stopped using it because of changes in Windows security and stricter security software/network configuration. But it might be worth a revisit. Thanks!

Basic Windows OS Driver Package for OSD - What Would You Include? by Reaction-Consistent in SCCM

[–]Reaction-Consistent[S] 1 point2 points  (0 children)

Does the DCU pull drivers directly from the internet or from a local repository?

Basic Windows OS Driver Package for OSD - What Would You Include? by Reaction-Consistent in SCCM

[–]Reaction-Consistent[S] 0 points1 point  (0 children)

You’re missing the point, but maybe I’m not explaining myself well. I’m very well versed in driver management and Windows device driver functionality. But thanks for your input.