Users running Secure Boot recently reported problems installing the new Windows ADK on Windows 10 and Windows Server 2016. While the main cause of the problem remained unidentified, the primary trigger was found to be an improperly signed WIMMOUNT driver included in the ADK. It shows up as two noticeable symptoms:
- A popup from the Program Compatibility Assistant during the ADK installation.
- A failure to mount any WIMs after ADK 1703 is installed, which also manifests itself in MDT.
When you attempt to install this version of the Windows ADK on a system with Secure Boot enabled, the Windows Program Compatibility Assistant displays a warning.
Fortunately, Microsoft has come up with a solution: it has published an updated driver that is signed. Several files included with the Deployment Tools feature of the Windows Assessment and Deployment Kit, including wimmount.sys, are digitally signed with an older certificate. The latest operating systems treat these files as good as "unsigned", and they are blocked or stopped completely when Secure Boot is enabled. Microsoft advises keeping Secure Boot running and not turning it off.
The wimmount.sys driver is used by DISM for mount operations. Configuration Manager relies on DISM on the site server to create and service boot images, and to perform offline servicing operations on OS images and OS upgrade packages.
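To check a system against the behaviour described above, the following PowerShell script (an added example, not Microsoft's tooling or code from the referenced blog post) reports the Secure Boot state, the signer certificate of each wimmount.sys it finds, and any Code Integrity events that mention the driver. The `$AdkToolsPath` value is a placeholder and must be pointed at the Deployment Tools folder of your own ADK installation.

```powershell
# Added example. $AdkToolsPath is a placeholder, not a path taken from the article.
param(
    [string]$AdkToolsPath = '<path-to-ADK-Deployment-Tools>'
)

# 1. Secure Boot state. Confirm-SecureBootUEFI needs an elevated session and
#    throws on systems that do not boot via UEFI, so the error is captured.
try {
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    $secureBoot = "unknown ($($_.Exception.Message))"
}
"Secure Boot enabled: $secureBoot"

# 2. Signature details for every copy of the driver under the ADK folder.
#    A 'Valid' Authenticode status only means the signature chains and verifies;
#    kernel code integrity applies stricter rules, so compare the signer
#    certificate and algorithm against the updated driver from Microsoft.
$drivers = Get-ChildItem -Path $AdkToolsPath -Recurse -Filter 'wimmount.sys' `
    -ErrorAction SilentlyContinue
if (-not $drivers) {
    Write-Warning "No wimmount.sys found under $AdkToolsPath"
}

$drivers | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File        = $_.FullName
        FileVersion = $_.VersionInfo.FileVersion
        Status      = $sig.Status
        Signer      = $cert.Subject
        Issuer      = $cert.Issuer
        Algorithm   = $cert.SignatureAlgorithm.FriendlyName
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
    }
} | Format-List

# 3. Recent Code Integrity events that name the driver (blocked loads land here).
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'wimmount' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it once before and once after replacing the driver; the signer fields should change and new Code Integrity events for the driver should stop appearing.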
A post on the Microsoft TechNet blog suggests that customers using Configuration Manager current branch version 1702 and deploying Windows 10, version 1703, try the following workarounds.
The primary recommendation from Microsoft to unblock customers who are interested in deploying Windows 10, version 1703, via traditional OS deployment methods is to use the prior version of the Windows ADK, version 1607, for working with Windows 10, version 1703 boot and OS images. This forward compatibility is supported for basic imaging operations (capture/apply).
Note that Windows 10 in-place upgrade and Windows 10 servicing do not use any Windows ADK components. As a result, these scenarios remain unaffected by the issue.
As an alternative to the above, users can choose to disable Secure Boot. While this is technically an option, Microsoft urges against using it in production environments because it increases the potential risk to the server.