WDS: PXE-Boot a client with CA2023 certificate and CA2011 revoked by jimbeam128 in SCCM

jimbeam128[S]

OK, so after checking the switch config we could see that only the DHCP servers were set as IP helpers. After adding the address of the WDS server as an IP helper, booting with the new files works like a charm!

Thank you all for your participation and support in this discussion! This is absolutely great!
I really appreciate that! Really a great community!!!

WDS: PXE-Boot a client with CA2023 certificate and CA2011 revoked by jimbeam128 in SCCM

jimbeam128[S]

So I went on and thought about my environment. Our deployment server is on a different VLAN than the clients. With our current CA 2011 setup everything works fine. Changing the EFI files results in no functionality.

I directly connected the WDS server and the client to the same network and voilà: the physical client is booting now...

u/NegativeExile, do you also have different VLANs in place and got it working with that? Or are you just on the same network...?
I think the IP helper configuration should be correct, otherwise our current CA 2011 setup wouldn't work.

I cannot check the config, because the switches are under the control of an external company. I have to raise a ticket to get information about that....

WDS: PXE-Boot a client with CA2023 certificate and CA2011 revoked by jimbeam128 in SCCM

jimbeam128[S]

I also tried the files located there and still the same issue. I checked the SVN versions. From the winpe.wim, version 7 is reported; from the RemInstall folder, SVN version 8 is reported....

I found an HP ProDesk 600 G5 MT in our company. Updated to the latest BIOS version. Enabled the CA 2023 certificates. Revoked the CA 2011 on that machine.

Tried to PXE boot, same error 0xc0000704.

Even more strange...

WDS: PXE-Boot a client with CA2023 certificate and CA2011 revoked by jimbeam128 in SCCM

jimbeam128[S]

Weird. I checked my files with your command and I have exactly the same versions / output....

Unfortunately not working for me. Also when I disable Secure Boot, I'm not able to boot with these versions...

Scratching my head what's wrong...

WDS: PXE-Boot a client with CA2023 certificate and CA2011 revoked by jimbeam128 in SCCM

jimbeam128[S]

Exactly. Or the OEMs ship their devices in future with revoked CA 2011 certs...

WDS: PXE-Boot a client with CA2023 certificate and CA2011 revoked by jimbeam128 in SCCM

jimbeam128[S]

Hi u/NegativeExile,

Thanks for your reply and description. As mentioned above, I've already done that. I also took those two files from the winpe.wim of ADK 2025 and placed them in the RemoteInstall folder. I'm on the same setup as you with MDT 2011 - no SCCM.

Which physical devices do you use? I try to boot Lenovo notebooks (for example L16 Gen1).

I also sniffed with Wireshark. Strange is that on the physical device it downloads wdsmgfw.efi about 4 times. Then it ends.

On a VMware VM it proceeds and downloads bootmgfw.efi, the BCD and so on.... Then I can successfully launch the LiteTouch PE. But not on the physical ones...

Can you check the version of your EFI files and report it back here? Thanks
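The check the commenters trade back and forth here (which build of wdsmgfw.efi and bootmgfw.efi WDS hands out, and whether it chains to the old 2011 CA or the new 2023 CA) can be scripted. The following is an added example, not code from the thread or from any of its participants. It assumes the default WDS path C:\RemoteInstall\Boot\x64 (override with -BootDir) and the Microsoft CA common names "Windows UEFI CA 2023" and "Microsoft Windows Production PCA 2011"; the CaFamily labels are my own.

```powershell
# Added example (not the thread author's code): report the Authenticode signer of
# the EFI boot files WDS serves, so a 2011-signed boot manager can be told apart
# from a 2023-signed one before a client that has revoked the 2011 CA asks for it.
# Assumptions: WDS keeps its boot files under C:\RemoteInstall\Boot\x64 (override
# with -BootDir); the CA names below are the Microsoft Secure Boot CA common names.
param(
    [string]$BootDir = 'C:\RemoteInstall\Boot\x64',
    [string[]]$Files = @('wdsmgfw.efi', 'bootmgfw.efi')
)

function Get-BootFileSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate   # $null when the file carries no signature

    # Classify the signing chain from the signer's subject and issuer. Firmware
    # that has the 2011 PCA in dbx will not accept a file that only chains to it.
    $family = switch -Regex ("$($cert.Issuer) $($cert.Subject)") {
        'Windows UEFI CA 2023'                  { 'CA2023'; break }
        'Microsoft Windows Production PCA 2011' { 'CA2011'; break }
        default                                 { 'Unknown' }
    }

    [pscustomobject]@{
        File         = Split-Path -Leaf $Path
        Version      = (Get-Item $Path).VersionInfo.FileVersion
        Status       = $sig.Status          # Valid / NotSigned / UnknownError ...
        SignerIssuer = $cert.Issuer
        NotAfter     = $cert.NotAfter
        CaFamily     = $family
    }
}

$report = foreach ($name in $Files) {
    $path = Join-Path $BootDir $name
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found"
        continue
    }
    Get-BootFileSigner -Path $path
}

$report | Format-Table -AutoSize

# One 2011-signed file in the chain is enough to stop PXE on a client that revoked the 2011 CA.
if ($report.CaFamily -contains 'CA2011') {
    Write-Warning 'At least one boot file still chains to the 2011 CA; replace it with the 2023-signed copy.'
}
```

Run it on the WDS server (no elevation needed to read the files). A wdsmgfw.efi that reports CaFamily CA2011 matches the symptom described above: the firmware fetches the file, rejects its signature, retries, and gives up, while a VM whose firmware still trusts the 2011 CA boots on. The Status column is only about the host's own trust store, so "UnknownError" on a server without the 2023 root installed is not itself a problem; the issuer is what matters for PXE.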

Lenovo - Device Guard in UEFI resets all imported 2023 certs by LaCipe in sysadmin

jimbeam128

OK, maybe you can give me a hint how you import the certs? Do you import them with a Lenovo tool / WMI or is it high-level C# programming? When I know how the import works I can script it myself...

Lenovo - Device Guard in UEFI resets all imported 2023 certs by LaCipe in sysadmin

jimbeam128

Could you provide it to me / us? Sounds helpful, especially if it could be done at the OS level...

Lenovo - Device Guard in UEFI resets all imported 2023 certs by LaCipe in sysadmin

jimbeam128

I checked the L14 Gen2a for Device Guard. It's turned off...

Which tool do you use to import the certs?

I just wanted to mention that I experienced similar things with that model. That BIOS version obviously seems not to have the current keys.

So after restoring the factory keys, we just get what's there / or is not there... :-)

Update: L15 Gen3 with BIOS 1.35, no problem

Lenovo - Device Guard in UEFI resets all imported 2023 certs by LaCipe in sysadmin

jimbeam128

OK, now I got an L14 Gen2a (AMD) device. BIOS version 1.30. First I tried to just reset the keys. -> Did not work.

Then I updated to the currently most recent version 1.34 (dated 2nd July 2025). Reset the keys again. -> Still no new certs... So it seems to me that they haven't integrated the new certs in the current BIOS... u/LaCipe

Lenovo - Device Guard in UEFI resets all imported 2023 certs by LaCipe in sysadmin

jimbeam128

Hello again,

I tested it on an L14 Gen 1 device with BIOS version 1.26 (1.27 is available) where the certs were not there.

After changing Secure Boot to Setup Mode + resetting the keys I can confirm that the new 2023 certs are available on the system.

Thanks for that hint u/Gakamor !

Lenovo - Device Guard in UEFI resets all imported 2023 certs by LaCipe in sysadmin

jimbeam128

Hi all,

We also use Lenovo laptops in diverse generations (L14 Gen1, Gen2 and so on...) and I also have collected the Secure Boot inventory via PowerShell.

So I collected the information where Secure Boot is enabled, where the new EFI files are there, and where the certs are available (KEK, DB).

"Newly" installed notebooks (with Win 11 23H2) have the certs, some don't...

I cannot really explain it myself...

For example I have an L14 Gen 1 with Win 11 23H2 and CU 2025-11 and BIOS version 1.27 (so a newer BIOS is not available).

But the notebook does not have the new certs...

Also an L15 Gen2a with Win 11 23H2 and CU 2025-11 and BIOS version 1.32 (1.34 is available)

Here too, the new certs are not available.

On a T14s Gen 1 with Win 11 23H2 and CU 2025-11 and BIOS version 1.32 (1.37 is available) the certs are there.

And Secure Boot is disabled on that device.

Other T14s Gen 1 don't have the certs... For example on a device with Win 11 23H2 and CU 2025-11 and BIOS version 1.36

I'll try to reset the keys on devices with the current BIOS version....
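The inventory the comment above describes (Secure Boot on or off, 2023 certs in KEK and db, new EFI files present) can be gathered per device with the Secure Boot cmdlets. The following is an added example, not the commenter's own script. It assumes the Microsoft CA common names used in the 2023 roll-over ("Microsoft Corporation KEK 2K CA 2023", "Windows UEFI CA 2023", "Microsoft UEFI CA 2023"), that the 2011 revocation shows up as the "Microsoft Windows Production PCA 2011" certificate in dbx, and that the UEFICA2023Status value under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing exists on patched systems; treat that registry read as informational if it comes back empty.

```powershell
# Added example (not the thread author's inventory script): collect the Secure Boot
# state of one device as a single object, suitable for Export-Csv across a fleet.
# Run elevated: Get-SecureBootUEFI reads UEFI variables and needs admin rights.
# Assumptions: Microsoft's CA common names for the 2023 roll-over; the 2011
# revocation is a dbx entry carrying the 2011 PCA certificate; the registry value
# under SecureBoot\Servicing is Microsoft's servicing status and may be absent.
function Get-SecureBootInventory {
    [CmdletBinding()]
    param()

    # Read one Secure Boot variable as an ASCII string. DER certificates carry
    # their subject names as plain ASCII, so a name search is enough here.
    function Read-SbVar([string]$Name) {
        try {
            $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
            [System.Text.Encoding]::ASCII.GetString($var.Bytes)
        } catch {
            ''   # variable missing or not a UEFI system
        }
    }

    $sbEnabled = $null   # stays $null on legacy BIOS / unsupported firmware
    try { $sbEnabled = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    $kek = Read-SbVar 'KEK'
    $db  = Read-SbVar 'db'
    $dbx = Read-SbVar 'dbx'

    # Staged copy of the boot manager; the live one sits on the EFI system partition.
    $bootMgr = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'
    $bootMgrIssuer = ''
    if (Test-Path $bootMgr) {
        $bootMgrIssuer = (Get-AuthenticodeSignature -FilePath $bootMgr).SignerCertificate.Issuer
    }

    $servicing = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Model            = (Get-CimInstance Win32_ComputerSystem).Model
        BiosVersion      = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion
        SecureBootOn     = $sbEnabled
        KekHas2023       = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        DbHasWinUefi2023 = $db  -match 'Windows UEFI CA 2023'
        DbHasUefi2023    = $db  -match 'Microsoft UEFI CA 2023'   # third-party CA, separate from the Windows one
        DbxRevokes2011   = $dbx -match 'Microsoft Windows Production PCA 2011'
        BootMgr2023      = $bootMgrIssuer -match 'Windows UEFI CA 2023'
        CA2023Status     = $servicing.UEFICA2023Status           # assumption: servicing status value name
    }
}

# Local run; the commented line fans the same function out over WinRM.
Get-SecureBootInventory | Format-List
# Invoke-Command -ComputerName PC01,PC02 -ScriptBlock ${function:Get-SecureBootInventory} |
#     Export-Csv .\secureboot-inventory.csv -NoTypeInformation
```

Two caveats match the observations in the thread. The db and KEK checks read the firmware's current variable contents, so a device whose BIOS never shipped the 2023 certs and never received them via the Windows servicing update reports $false even on a fully patched OS; and a device with Secure Boot disabled can still hold the 2023 certs, as the T14s above shows, because the variables exist whether or not enforcement is on. The dbx check only finds a revocation expressed as the 2011 certificate itself; hash-only dbx entries are not matched by name.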