Digital signature error with WinRE recovery medie created on Windows Insider Preview


Digital signature error with WinRE recovery medie created on Windows...
Author
Message
Mustang
Mustang
Junior Member
Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)
Group: Forum Members
Posts: 38, Visits: 264
I created a Recovery Media using the WinRE option on a Windows 10 Insider Preview (18298) system. The media will not UEFI boot due to a digital signature error. Disabling Secure Boot usually gets past digital signature issues, but not in this case. The media boots fine in legacy mode.

There is another WinRE issue that started when 7.2 was first released. I thought it might be fixed as 3954 claims to be compatible with Insider Preview builds. However, the problem still persists. I have a computer with Windows 10 1809 on one physical disk and Windows 10 Insider Preview (18298) on another physical disk. Building WinRE media on the 1809 system results in WinRE from the 18298 system being used to build the media. This will not UEFI boot due to the digital signature error. I have to actually remove the 18298 disk from the computer to get the 1809 system to build with the 1809 WinRE. 


Nick
Nick
Macrium Representative
Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)
Group: Administrators
Posts: 1.8K, Visits: 10K
Mustang - 17 December 2018 4:36 PM
I created a Recovery Media using the WinRE option on a Windows 10 Insider Preview (18298) system. The media will not UEFI boot due to a digital signature error. Disabling Secure Boot usually gets past digital signature issues, but not in this case. The media boots fine in legacy mode.

There is another WinRE issue that started when 7.2 was first released. I thought it might be fixed as 3954 claims to be compatible with Insider Preview builds. However, the problem still persists. I have a computer with Windows 10 1809 on one physical disk and Windows 10 Insider Preview (18298) on another physical disk. Building WinRE media on the 1809 system results in WinRE from the 18298 system being used to build the media. This will not UEFI boot due to the digital signature error. I have to actually remove the 18298 disk from the computer to get the 1809 system to build with the 1809 WinRE. 


Thanks for posting.

Are you booting your rescue media using Flash drive or the boot menu? The Digital Signature problem is caused by the "Flight Signed" digital certificate used for Insider Preview builds of Windows. Can you try enabling test signing for the BCD? 

Bcdedit.exe -set TESTSIGNING ON

Kind Regards

Nick - Macrium Support

Next Webinar


Edited 17 December 2018 5:01 PM by Nick
Mustang
Mustang
Junior Member
Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)
Group: Forum Members
Posts: 38, Visits: 264
I am using a USB flash drive. Test signing doesn't work. I was able to set test signing to yes in both BCD's on the flash drive. Test mode shows on the screen when booted in legacy mode. UEFI mode ignores test signing whether Secure Boot is enabled or disabled and the result is the same digital signature error.
BTW, the commands are:
bcdedit /store F:\Boot\BCD /set {default} TESTSIGNING ON
bcdedit /store F:\EFI\Microsoft\Boot\BCD /set {default} TESTSIGNIG ON

where F is the drive letter of the flash drive.
Mustang
Mustang
Junior Member
Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)
Group: Forum Members
Posts: 38, Visits: 264
Here's more information. I made a USB Recovery disk from Control Panel in the 18298 system. It was able to boot in UEFI mode with Secure Boot enabled. I then used the boot.wim from that disk and ran it through my custom WinPE builder and added Macrium Reflect to the build. It was still able to UEFI boot with Secure Boot enabled. Sure would be nice to know what Microsoft did to the winre image to make it work.


Mustang
Mustang
Junior Member
Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)Junior Member (77 reputation)
Group: Forum Members
Posts: 38, Visits: 264
Nick,
I got it figured out. After much experimenting, it boiled down to two changes. I took your recovery media exactly as you created it and swapped \EFI\Boot\bootx64.efi with bootx64.efi from the Windows Recovery drive. And, I edited the EFI BCD to add flightsigning yes to the {bootmgr} section.
bcdedit /store F:\EFI\Microsoft\Boot\BCD /set {bootmgr} flightsigning yes
Where F was the drive letter of the USB drive with the media.
GO

Merge Selected

Merge into selected topic...



Merge into merge target...



Merge into a specific topic ID...




Reading This Topic

Login

Explore
Messages
Mentions
Search