
enable secure boot after saving image

robina80
2025-05-07
2025-05-19
  • robina80

    robina80 - 2025-05-07

    Made a new image with “secure boot” off (used Clonezilla to savedisk), but when I came to deploying to a PC I turned “secure boot” back on, then started Clonezilla to restoredisk.

    Will this work, i.e. capture the image on a PC with secure boot off and redeploy the image with secure boot on?

    The reason I ask is that now, every time I restore a disk using Clonezilla, after Clonezilla finishes the restore it boots into Windows, but when I restart I get the "advanced recovery", i.e. repair mode. Why do you think this is happening?

    These are the options it gave me to restore the image again with:

    /usr/sbin/ocs-sr -g auto -e1 auto -e2 -c -r -icds -j2 -k1 -scr -p choose restoredisk robs-w11-06052025-img sda

     

    Last edit: robina80 2025-05-07
  • robina80

    robina80 - 2025-05-08

    OK, this is weird. So I captured it this time with "secure boot" on and deployed it to another PC with "secure boot" on, and the same thing: it restarts into Windows, but as soon as you restart Windows again it goes to automatic repair recovery mode.

    Are there any specific options I need to capture/deploy the Windows image?

    I'm seeing everywhere on Google that as it's a GPT disk you need to select, to savedisk or restoredisk,

    device to device and NOT
    device to image

    So can't I do device to image then?

     

    Last edit: robina80 2025-05-08
  • Steven Shiau

    Steven Shiau - 2025-05-11

    Not sure. We do not have this issue here.
    Is this issue reproducible on a different model of machine?

     
  • robina80

    robina80 - 2025-05-13

    OK, so I'm testing this process on a VM, i.e. "savedisk" and "restoredisk"; both were sdX disks as they were on a VM.

    I thought the issue was saving and restoring from sdX to NVMe, so once I made the VM I edited the VM options and chose an "NVMe controller". When I came to restore the image the dest disk changed from sdX to an NVMe and, guess what, it restored successfully as well, so no issues.

    When I'm at work I'll check this not on a VM but on an actual physical laptop with an NVMe drive and let you know, Steven.

    Thanks,
    Rob

     
    👍
    1
  • Francois

    Francois - 2025-05-14

    Hi Rob,

    We are a long-time user of Clonezilla. We had a problem with the latest Windows 11 24H2 release.

    When you do a clean install of the Windows 11 ISO, the BCD (bootloader) is pointing to the UUID of the partition. But when secure boot is active, a modern system meets the requirements for auto deployment of BitLocker.

    When BitLocker is activated or set to be deployed, the UUID of the partition changes.

    If you use an older version of Windows (23H2), the BCD points to the C: partition. When you upgrade this system to 24H2, the bootloader still points to C:. But when you do a clean install, the bootloader points to the UUID of the partition.

    We have solved it by changing the BCD data using these commands:
    bcdedit /set {default} device partition=C:
    bcdedit /set {default} osdevice partition=C:

    Maybe it solves the problem for you!

    Best regards,

    Francois

     
    👍
    2
  • robina80

    robina80 - 2025-05-15

    Thanks, Francois, for pointing me in the right direction!!!

    Should I add this to my pre-sysprep script or to my firstlogon script, i.e. after sysprep?

    I attach both scripts for reference.

    pre sysprep script

    Disable-BitLocker -MountPoint "C:" -ErrorAction SilentlyContinue
    # Wait until decryption has finished. The status is re-read on every pass and compared
    # with -eq; the original used "=" (assignment), which exits after a single pass without
    # ever re-checking the volume. If there is no BitLocker status to read, stop waiting.
    Do {
        $bl = Get-BitLockerVolume -MountPoint "C:" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty VolumeStatus
        if ($null -eq $bl) { break }
        if ($bl -ne "FullyDecrypted") { Start-Sleep -Seconds 10 }
    } Until ($bl -eq "FullyDecrypted")

    # Shrink C: to its minimum supported size plus 10% so the captured image stays small
    $sizemin = Get-PartitionSupportedSize -DriveLetter C | Select-Object -ExpandProperty SizeMin
    $result = $sizemin / 10
    $final = $sizemin + $result
    Resize-Partition -DriveLetter C -Size $final

    # Turn off Windows Firewall on all three profiles
    Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False

    # Allow inbound Remote Desktop connections (fDenyTSConnections = 0) ...
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0

    # ... with UserAuthentication = 0, i.e. RDP without Network Level Authentication
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP' -Name 'UserAuthentication' -Value 0

    # Local group for OpenVPN, with Everyone as a member
    New-LocalGroup -Name "OpenVPN Administrators" | Out-Null
    Add-LocalGroupMember -Group "OpenVPN Administrators" -Member "everyone"

    # Grant Everyone Modify on the OpenVPN config directory, inherited by its files and subfolders
    $acl = Get-Acl "C:\Program Files\OpenVPN\config"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("everyone", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.SetAccessRule($rule)
    Set-Acl "C:\Program Files\OpenVPN\config" $acl

    # Remove the Store apps installed for all users
    Import-Module Appx
    Import-Module Dism
    Get-AppxPackage -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue

    # Never turn off the display or disk, sleep, or hibernate while on AC power
    powercfg /X monitor-timeout-ac 0
    powercfg /X disk-timeout-ac 0
    powercfg /X standby-timeout-ac 0
    powercfg /X hibernate-timeout-ac 0

    # Desktop Central agent: mark this installation as an imaged computer
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\AdventNet\DesktopCentral\DCAgent' -Name 'ImagedComputer' -Value 1

    # Run firstlogon.ps1 once at the first logon after sysprep
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' -Name 'firstlogon' -Value 'powershell -noexit -ep bypass c:\users\admin\sysprep\firstlogon.ps1'

    # Generalize and shut down; the unattend file drives OOBE on the next boot
    Start-Process 'C:\Windows\System32\Sysprep\sysprep.exe' -ArgumentList /oobe, /generalize, /shutdown, /unattend:C:\Users\admin\sysprep\unattend.xml -Wait
    

    post sysprep script

    # Install Sophos silently and wait for the installer to finish
    Start-Process 'C:\Users\admin\sysprep\SophosSetup.exe' -ArgumentList --quiet -Wait

    # Remove the imaging marker and the stored system details for the Desktop Central agent
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\AdventNet\DesktopCentral\DCAgent\" -Name "ImagedComputer" -Force
    Remove-Item -Path "HKLM:\SOFTWARE\Wow6432Node\AdventNet\DesktopCentral\DCAgent\SystemDetails" -Force

    # Local accounts whose passwords should not expire
    Set-LocalUser -Name "user01" -PasswordNeverExpires $true
    Set-LocalUser -Name "it" -PasswordNeverExpires $true

    # Grow C: back to the largest size the disk supports
    $sizemax = Get-PartitionSupportedSize -DriveLetter C | Select-Object -ExpandProperty SizeMax
    Resize-Partition -DriveLetter C -Size $sizemax

    # Clean up the deployment files
    Remove-Item -Path C:\Users\admin\sysprep -Recurse -Force
    
     

    Last edit: robina80 2025-05-15
  • robina80

    robina80 - 2025-05-19

    OK, I amended my post-sysprep script to sort it out and now it works. Big shout out to Francois!!!

    pre script

    Disable-BitLocker -MountPoint "C:" -ErrorAction SilentlyContinue
    # Wait until decryption has finished. The status is re-read on every pass and compared
    # with -eq; the original used "=" (assignment), which exits after a single pass without
    # ever re-checking the volume. If there is no BitLocker status to read, stop waiting.
    Do {
        $bl = Get-BitLockerVolume -MountPoint "C:" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty VolumeStatus
        if ($null -eq $bl) { break }
        if ($bl -ne "FullyDecrypted") { Start-Sleep -Seconds 10 }
    } Until ($bl -eq "FullyDecrypted")

    # Shrink C: to its minimum supported size plus 10% so the captured image stays small
    $sizemin = Get-PartitionSupportedSize -DriveLetter C | Select-Object -ExpandProperty SizeMin
    $result = $sizemin / 10
    $final = $sizemin + $result
    Resize-Partition -DriveLetter C -Size $final

    # Remove the Store apps installed for all users
    Import-Module Appx
    Import-Module Dism
    Get-AppxPackage -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue

    # Run firstlogon.ps1 once at the first logon after sysprep
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' -Name 'firstlogon' -Value 'powershell -noexit -ep bypass c:\users\admin\sysprep\firstlogon.ps1'

    # Generalize and shut down; the unattend file drives OOBE on the next boot
    Start-Process 'C:\Windows\System32\Sysprep\sysprep.exe' -ArgumentList /oobe, /generalize, /shutdown, /unattend:C:\Users\admin\sysprep\unattend.xml -Wait
    

    post script

    # Grow C: back to the largest size the disk supports
    $sizemax = Get-PartitionSupportedSize -DriveLetter C | Select-Object -ExpandProperty SizeMax
    Resize-Partition -DriveLetter C -Size $sizemax

    # BitLocker may have auto-provisioned on first boot; turn it off and wait for decryption.
    # The status is re-read on every pass and compared with -eq (the original's "=" was an
    # assignment that exited after one pass). If there is no BitLocker status, stop waiting.
    Disable-BitLocker -MountPoint "C:" -ErrorAction SilentlyContinue
    Do {
        $bl = Get-BitLockerVolume -MountPoint "C:" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty VolumeStatus
        if ($null -eq $bl) { break }
        if ($bl -ne "FullyDecrypted") { Start-Sleep -Seconds 10 }
    } Until ($bl -eq "FullyDecrypted")

    # Bind the boot entry to the drive letter instead of the partition identifier (Francois's fix).
    # No entry identifier is given, so bcdedit applies this to {current}, the entry of the running OS.
    # A bare {default} typed in PowerShell is parsed as a script block and reaches bcdedit without
    # its braces; quote it as '{default}' if you want to target that entry instead.
    bcdedit /set device partition=C:
    bcdedit /set osdevice partition=C:

    # Clean up the deployment files
    Remove-Item -Path C:\Users\admin\sysprep -Recurse -Force
    
     
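Francois's explanation above (the boot loader entry bound to a partition identifier that changes when BitLocker is provisioned) and Rob's final post-sysprep script both come down to what the Windows Boot Loader entries' device and osdevice elements reference. The PowerShell below is an added example, not code from this thread or from Clonezilla: it parses the output of bcdedit /enum, reports whether each OS loader entry is bound by drive letter, and can rebind an entry the way Francois's commands do. It assumes an elevated session on the deployed machine; the function names Get-BcdBootLoaderEntry and Set-BcdDeviceByLetter and the sample bcdedit text are constructed for illustration.

```powershell
# Added example, not from the thread. Parses "bcdedit /enum" output and reports
# whether each Windows Boot Loader entry binds device/osdevice by drive letter
# (partition=C:) or by something else, e.g. "unknown", which bcdedit prints when
# the volume an entry was bound to can no longer be found. bcdedit's element
# names (identifier, device, osdevice, path) are not localized, so the parser keys on them.

function Get-BcdBootLoaderEntry {
    [CmdletBinding()]
    param(
        # Lines as produced by "bcdedit /enum"; defaults to running bcdedit (needs an elevated session)
        [string[]]$EnumOutput = (& bcdedit /enum)
    )

    $blocks  = [System.Collections.Generic.List[hashtable]]::new()
    $current = $null
    foreach ($line in $EnumOutput) {
        if ($line -match '^\s*$') {                 # a blank line ends an entry
            if ($current) { $blocks.Add($current); $current = $null }
            continue
        }
        # "element<2+ spaces>value"; section headers and dashed rules do not match this
        if ($line -match '^(\S+)\s{2,}(.+)$') {
            if (-not $current) { $current = @{} }
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    if ($current) { $blocks.Add($current) }

    $byLetter = '^partition=[A-Za-z]:$'
    foreach ($b in $blocks) {
        # OS loader entries are the ones whose path is winload.efi / winload.exe;
        # ramdisk-backed entries (WinRE) are expected not to use a drive letter, so skip them
        if (-not $b.ContainsKey('path') -or $b['path'] -notmatch 'winload') { continue }
        if ($b['device'] -match '^ramdisk=') { continue }
        [pscustomobject]@{
            Identifier    = $b['identifier']
            Description   = $b['description']
            Device        = $b['device']
            OsDevice      = $b['osdevice']
            BoundByLetter = ($b['device'] -match $byLetter) -and ($b['osdevice'] -match $byLetter)
        }
    }
}

function Set-BcdDeviceByLetter {
    # Rebinds one loader entry to a drive letter, as in Francois's fix. The identifier
    # travels in a string variable so the braces reach bcdedit intact; a bare {default}
    # typed in PowerShell is parsed as a script block and loses its braces.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Identifier = '{default}',
        [ValidatePattern('^[A-Za-z]:$')][string]$Letter = 'C:'
    )
    if ($PSCmdlet.ShouldProcess($Identifier, "bind device and osdevice to partition=$Letter")) {
        & bcdedit /set $Identifier device   "partition=$Letter"
        & bcdedit /set $Identifier osdevice "partition=$Letter"
    }
}

# Constructed sample of bcdedit output: a boot manager entry plus one OS entry
# whose device bindings no longer resolve (what the thread's symptom looks like in bcdedit).
$sample = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\MICROSOFT\BOOT\BOOTMGFW.EFI
description             Windows Boot Manager
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
device                  unknown
path                    \WINDOWS\system32\winload.efi
description             Windows 11
osdevice                unknown
systemroot              \WINDOWS
'@ -split "`r?`n"

# Expected: one row, {current}, Device/OsDevice "unknown", BoundByLetter False
Get-BcdBootLoaderEntry -EnumOutput $sample | Format-Table Identifier, Device, OsDevice, BoundByLetter -AutoSize

# On a deployed machine: list the live entries, then rebind any that are not letter-bound.
# Drop -WhatIf once the listed entries are the ones you mean to change.
# Get-BcdBootLoaderEntry | Where-Object { -not $_.BoundByLetter } |
#     ForEach-Object { Set-BcdDeviceByLetter -Identifier $_.Identifier -Letter 'C:' -WhatIf }
```

Running the check before the first reboot after a restore (for example at the end of a post-sysprep script) tells you whether the loader entry still references the volume by letter; running it on a machine that already dropped into automatic repair shows "unknown" bindings directly, without having to guess at BitLocker state.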
