Users running Secure Boot recently reported problems installing the new Windows ADK on Windows 10 and Windows Server 2016. While the main cause of the problem remained unidentified, it was found that the primary reason for its appearance was an improperly signed WIMMOUNT driver included in the ADK. The problem shows up as two noticeable symptoms:
- A popup from the Program Compatibility Assistant during the ADK installation.
- A failure to mount any WIMs after ADK 1703 is installed. That manifests itself in MDT like this:
So, when you attempt to install this version of the Windows ADK on a system with SecureBoot enabled, the Windows Program Compatibility Assistant displays the following warning:
Fortunately, Microsoft has come up with a solution: it has published an updated driver that is signed. Several files included with the Deployment Tools feature of the Windows Assessment and Deployment Kit, including wimmount.sys, are digitally signed with an older certificate. As such, the latest operating systems treat these files as good as "unsigned" and block them completely when Secure Boot is enabled. Microsoft nevertheless advises running Secure Boot and not turning it off.
Second, the wimmount.sys driver is used by DISM for mount operations. DISM in turn is used on the Configuration Manager site server for creating and servicing boot images, and for performing offline servicing operations on OS Image and OS Upgrade Packages.
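One way to see which copies of wimmount.sys are on a machine and how each is signed, as an added example that is not from the original post or from Microsoft. The ADK location in `$AdkRoot` is an assumed default install path, and the property names in the report are chosen for this example.

```powershell
# Added example: inventory wimmount.sys copies and report their Authenticode signers.
# $AdkRoot is an ASSUMED default ADK install location; pass your own path if it differs.
param(
    [string]$AdkRoot = "${env:ProgramFiles(x86)}\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools"
)

# Secure Boot state. The cmdlet throws on legacy BIOS systems and when not elevated.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = "Unknown ($($_.Exception.Message))" }
Write-Host "Secure Boot enabled: $secureBoot"

# Candidate files: every copy under the ADK Deployment Tools tree,
# plus the in-box driver that Windows itself ships.
$candidates = @()
if (Test-Path -LiteralPath $AdkRoot) {
    $candidates += Get-ChildItem -LiteralPath $AdkRoot -Recurse -Filter 'wimmount.sys' `
                                 -File -ErrorAction SilentlyContinue
}
$inbox = Join-Path $env:SystemRoot 'System32\drivers\wimmount.sys'
if (Test-Path -LiteralPath $inbox) { $candidates += Get-Item -LiteralPath $inbox }

$report = foreach ($file in $candidates) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate          # $null when the file carries no signature
    [pscustomobject]@{
        Path         = $file.FullName
        FileVersion  = $file.VersionInfo.FileVersion
        Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Status       = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer       = if ($cert) { $cert.Subject } else { $null }
        Issuer       = if ($cert) { $cert.Issuer } else { $null }
        # Algorithm used to sign the signer certificate itself (e.g. sha1RSA, sha256RSA).
        CertSigAlg   = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        CertNotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped  = [bool]$sig.TimeStamperCertificate
    }
}

if (-not $report) { Write-Warning "No wimmount.sys found under '$AdkRoot' or in System32\drivers." }
$report | Sort-Object Path | Format-List
```

A `Status` of `Valid` here only means the Authenticode chain verifies in user mode, so compare the signer and certificate details of the ADK copy against the in-box driver rather than treating `Valid` as proof that the kernel will load the file with Secure Boot on.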
A post on the Microsoft TechNet blog suggests that customers using Configuration Manager current branch version 1702 and deploying Windows 10, version 1703, should try the following workarounds.
Microsoft’s primary recommendation to unblock customers interested in deploying Windows 10, version 1703, via traditional OS deployment methods is to use the prior version of the Windows ADK, version 1607, for working with Windows 10, version 1703 boot and OS images. This forward compatibility is supported for basic imaging operations (capture/apply).
It is particularly noteworthy that Windows 10 in-place upgrade and Windows 10 servicing do not use any Windows ADK components. As a result, these scenarios remain unaffected by the issue.
As an alternative to the above, Windows users can choose to disable Secure Boot. While technically an option, Microsoft urges customers not to use it in production environments, as it increases the potential risk to the server.
Microsoft has also released a fix for this issue. For more information on this topic, visit the TechNet blog.
What is Windows ADK used for?
The Windows Assessment and Deployment Kit (ADK) includes the Windows Assessment Toolkit and the Windows Performance Toolkit. In combination, they offer a comprehensive solution for evaluating overall computer performance and automating the deployment of the Windows operating system to new computers.
What are the three components of the Windows ADK?
Windows ADK provides various tools but currently includes Windows System Image Manager, System Preparation, Windows Preinstallation Environment (WinPE), and Deployment Image Servicing and Management (DISM).