Knowledge Document: Support for Secure Boot and Microsoft Secure Core PCs


Environment

ZENworks 23.4

Situation

ZENworks PXE Preboot Services and the Full Disk Encryption (FDE) bootloader may fail to boot on Microsoft Secured-core PCs with the default UEFI Secure Boot settings, because the firmware on those PCs does not trust the certificate authority that signed the ZENworks shims.


Cause


ZENworks "Full Disk Encryption" and "PXE Preboot Services" each ship their own UEFI shim bootloader.

Microsoft signed these shims after they went through the process linked below, which includes review by the community shim review board (the "rhboot" shim-review project run with Red Hat):

https://techcommunity.microsoft.com/t5/hardware-dev-center/updated-uefi-signing-requirements/ba-p/1062916

Only shims/bootloaders signed by Microsoft are trusted out of the box, because the Secure Boot allowed-signature database (db) that PC vendors ship contains only Microsoft's certificates. This applies to the bootloaders of every Linux distribution, every PXE/iPXE vendor, every full-disk-encryption vendor, and any other product that needs a custom shim/bootloader.

Microsoft signs UEFI binaries with one of two CAs:

"Microsoft Windows Production PCA 2011" signs Microsoft's own code, such as the Windows Boot Manager.
"Microsoft Corporation UEFI CA 2011" (commonly called the "Microsoft third-party UEFI CA") signs non-Microsoft code that has passed the process and reviews above.

Microsoft has also begun issuing 2023 successors to these certificates ("Windows UEFI CA 2023" and "Microsoft UEFI CA 2023") with the same split of roles, so newer firmware may list those names as well.

All ZENworks shims are signed by the second (third-party) CA, as is every other non-Microsoft product.

Microsoft runs a program with most PC vendors under which some of their models are certified as "Microsoft Windows Secured-core PCs":

https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11

Among the many requirements for these products is a UEFI setting that controls whether the firmware trusts the third-party UEFI CA at all. On Secured-core PCs the default is to trust only "Microsoft Windows Production PCA 2011", i.e. only code that Microsoft itself produces; the third-party CA is left out of db (or disabled). To boot ZENworks or any other third-party shim/bootloader, the UEFI settings must be changed so that the firmware trusts the CA Microsoft uses to sign third-party (non-Microsoft) bootloaders and shims.


Resolution

Configure the UEFI firmware to trust UEFI bootloaders/shims that are signed by Microsoft's third-party UEFI CA ("Microsoft Corporation UEFI CA 2011"), not only those produced by Microsoft itself.

The exact wording varies from hardware vendor to hardware vendor (typical names are "Allow Microsoft 3rd Party UEFI CA" or "Enable Microsoft UEFI CA", usually under the Secure Boot section of the firmware setup), but the function is the same: add the Microsoft CA used for all non-Microsoft UEFI software to the allowed-signature database (db). Secure Boot itself stays enabled; only the set of trusted signers widens.

Two caveats apply. Enabling this setting trusts every binary signed under that CA (every Linux distribution's shim, every PXE and FDE vendor), so keep the firmware revocation database (DBX) current through Windows Update and protect the firmware setup with an administrator password. Also, the contents of db are part of the Secure Boot measurements (TPM PCR7), so on a machine that uses BitLocker, suspend BitLocker before changing the setting or the next boot may prompt for the recovery key.
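To verify the setting without rebooting into firmware setup, the following PowerShell script reads the Secure Boot db from Windows, lists the CA certificates it contains, and reports whether the Microsoft third-party UEFI CA is trusted. This is an added example, not code from the OpenText article or the ZENworks product; it assumes Windows booted in UEFI mode, an elevated PowerShell 5.1 or later session with the built-in SecureBoot module (Get-SecureBootUEFI, Confirm-SecureBootUEFI), and uses the well-known Microsoft CA subject names. The exit codes are this script's own convention.

```powershell
# Added example (not from the OpenText/ZENworks article): report which Secure Boot
# CAs the firmware trusts and whether the Microsoft third-party UEFI CA is present,
# so the UEFI change described in the Resolution can be verified from Windows.
# Assumptions: UEFI boot, elevated PowerShell 5.1+ with the SecureBoot module.
# CA names are the well-known Microsoft subject names; exit codes are this script's own.
#Requires -RunAsAdministrator

$ThirdPartyCaNames = @('Microsoft Corporation UEFI CA 2011', 'Microsoft UEFI CA 2023')
$WindowsCaNames    = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023')

# EFI_CERT_X509_GUID: signature-list entries of this type each hold one DER certificate.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureListCerts {
    # Walk the concatenated EFI_SIGNATURE_LIST structures stored in a Secure Boot variable:
    #   EFI_GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize |
    #   UINT32 SignatureSize | header | N x (EFI_GUID SignatureOwner + SignatureData)
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $sigType    = [Guid][byte[]]$Bytes[$offset..($offset + 15)]
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # A malformed list header would read past the buffer or loop forever: stop here.
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }
        $listEnd = $offset + $listSize
        if ($sigSize -le 16) { $offset = $listEnd; continue }   # no room for owner GUID + data

        $entryOffset = $offset + 28 + $headerSize
        while ($entryOffset + $sigSize -le $listEnd) {
            if ($sigType -eq $EfiCertX509Guid) {
                # Skip the 16-byte SignatureOwner GUID; the remainder is the DER certificate.
                $der = [byte[]]$Bytes[($entryOffset + 16)..($entryOffset + $sigSize - 1)]
                try   { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der) }
                catch { Write-Warning "Skipping unparseable X.509 entry at offset $entryOffset" }
            }
            $entryOffset += $sigSize
        }
        $offset = $listEnd
    }
}

function Test-CaPresent {
    # True if any certificate's subject CN matches one of the expected CA names.
    param([object[]]$Certs, [string[]]$Names)
    foreach ($c in $Certs) {
        foreach ($n in $Names) { if ($c.Subject -like "*CN=$n*") { return $true } }
    }
    return $false
}

try   { $secureBootOn = Confirm-SecureBootUEFI }
catch { Write-Host 'Secure Boot not available (legacy BIOS boot or no UEFI variable access).'; exit 2 }

$dbCerts = @(Get-EfiSignatureListCerts -Bytes (Get-SecureBootUEFI -Name db).Bytes)
foreach ($c in $dbCerts) { Write-Host ("db trusts: {0}  [thumbprint {1}]" -f $c.Subject, $c.Thumbprint) }

$windowsTrusted    = Test-CaPresent -Certs $dbCerts -Names $WindowsCaNames
$thirdPartyTrusted = Test-CaPresent -Certs $dbCerts -Names $ThirdPartyCaNames

Write-Host ("Secure Boot enabled:                 {0}" -f $secureBootOn)
Write-Host ("Microsoft Windows CA in db:          {0}" -f $windowsTrusted)
Write-Host ("Microsoft third-party UEFI CA in db: {0}" -f $thirdPartyTrusted)

if (-not $secureBootOn) { exit 2 }   # Secure Boot off: shim signatures are not checked at all
if ($thirdPartyTrusted) { exit 0 }   # ZENworks shims (signed by the third-party CA) will load
Write-Host 'Third-party UEFI CA is NOT trusted: enable the "Microsoft 3rd Party UEFI CA" setting in UEFI setup.'
exit 1
```

Run it elevated after changing the firmware setting; exit code 0 means the ZENworks shims will be accepted, 1 means the third-party CA is still missing from db, and 2 means Secure Boot is off or unavailable. Because it only reads UEFI variables, the same script can be run by a ZCM bundle or inventory collection to find Secured-core PCs that still have the default setting before a PXE or FDE rollout.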

Additional Information

ZENworks PXE files shipped with 20.3 and earlier may need updating to boot on PCs whose UEFI Secure Boot databases are fully up to date, because firmware revocation-list (DBX) updates can block older shim binaries.

Most hardware vendors provide OEM-specific scriptable tools for editing UEFI settings such as the one above; questions about those tools should go to the OEM, not OpenText. In most cases a ZENworks Configuration Management (ZCM) bundle can run those tools to manage the setting centrally.


Labels:

Configuration Management
Full Disk Encryption
Knowledge Docs