SCCM with iPXE UEFI boot without WDS server

April 5, 2017

This is a long post… I hope you have the energy to read it. 😀

Dell has a really nice post about how to configure PXE booting over UEFI without using Server 2012 and Windows Deployment Services; you can read it here.
That post uses MDT as its example.

I am going to do an SCCM scenario. You can watch this video to see how my iPXE scenario works. Just remember, Secure Boot is not supported unless you sign your EFI file.
The video is on YouTube: Part 1 and Part 2.

Before you start building your iPXE, I want you to think about why you need iPXE and where you are going to put your iPXE server.
Usually in a big organization you have lots of IP ranges and different subnets, so are you going to put an iPXE server in each subnet? What happens after the machines have booted from iPXE? I guess you are using MDT or SCCM to deploy the OS, so where are you going to put that content?

You can test iPXE any way you want; it is very flexible with embedded scripts. When you plan to use iPXE in production, you first need good knowledge of your environment's infrastructure, of how you want iPXE to work and of how to get benefits out of it. That is the most difficult part.

In this post I will present a scenario:

  1. You have multiple subnets and IP ranges.
  2. You use SCCM to deploy the full OS.
  3. You might have a local DP in some of those subnets, but not every subnet has its own DP.
  4. You don’t want to use USB boot media or offline installation media.
  5. You download boot.wim from the iPXE server over HTTP, which is faster than TFTP.

Remember, everything you need is attached at the end of this post, except the SCCM boot file, and I won’t post you a Windows 10 machine. 🙂

Prepare the boot.wim

(you can also read http://ipxe.org/howto/sccm)

  1. Create an x64 boot media ISO file from your SCCM admin console.
  2. Mount the SCCM boot media ISO file or unzip it.
  3. Copy sources\boot.wim to C:\wim\boot.wim.
  4. You need to have the ADK installed. Run “Deployment and Imaging Tools Environment” as Administrator.
  5. Mount the image C:\wim\boot.wim to the C:\mount folder.
  6. Mount the SCCM boot ISO file or unzip it. Copy the sms\data folder to c:\mount\sms, so it should look like this:

  7. Create the bootstrap.vbs file.
  8. Create the winpeshl.ini file.
  9. Copy winpeshl.ini to c:\mount\windows\system32.
  10. Copy c:\mount\sms\bin\x64\cmtrace.exe to c:\mount\windows\system32.
  11. Commit and unmount.
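The steps above as one PowerShell script, using the DISM module that ships with the ADK. This is an added example, not a script from the original post. It assumes the SCCM boot media ISO is already extracted to C:\bootmedia, that the bootstrap.vbs and winpeshl.ini files you created are staged in C:\wim, and that bootstrap.vbs goes into windows\system32 next to winpeshl.ini (the post does not show a destination for it, so adjust that path to what your winpeshl.ini calls). The check before committing catches a missed copy while the image is still mounted, rather than at first boot.

```powershell
# Added example (not from the original post): "Prepare the boot.wim" as a script.
# Assumed paths: C:\bootmedia = extracted SCCM x64 boot media,
# C:\wim = staging folder holding the bootstrap.vbs and winpeshl.ini you created.
#Requires -RunAsAdministrator
Import-Module Dism

$BootMedia = 'C:\bootmedia'
$Staging   = 'C:\wim'
$Wim       = 'C:\wim\boot.wim'
$Mount     = 'C:\mount'

# Step 3: take boot.wim from the boot media so it matches the content on the DPs.
New-Item -ItemType Directory -Path $Staging, $Mount -Force | Out-Null
Copy-Item -Path (Join-Path $BootMedia 'sources\boot.wim') -Destination $Wim -Force

# Step 5: mount the image read/write.
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null

try {
    # Step 6: the boot media's sms\data folder becomes X:\sms\data inside WinPE.
    Copy-Item -Path (Join-Path $BootMedia 'sms\data') `
              -Destination (Join-Path $Mount 'sms\data') -Recurse -Force

    # Steps 7-9: winpeshl.ini (and, by assumption, bootstrap.vbs) into system32.
    foreach ($f in 'winpeshl.ini', 'bootstrap.vbs') {
        Copy-Item -Path (Join-Path $Staging $f) `
                  -Destination (Join-Path $Mount "windows\system32\$f") -Force
    }

    # Step 10: cmtrace.exe so smsts.log can be read inside WinPE.
    Copy-Item -Path (Join-Path $Mount 'sms\bin\x64\cmtrace.exe') `
              -Destination (Join-Path $Mount 'windows\system32\cmtrace.exe') -Force

    # Sanity check before committing: everything the boot depends on must be present.
    $expected = 'sms\data\TSMBootstrap.ini',
                'windows\system32\winpeshl.ini',
                'windows\system32\bootstrap.vbs',
                'windows\system32\cmtrace.exe'
    $missing = $expected | Where-Object { -not (Test-Path (Join-Path $Mount $_)) }
    if ($missing) { throw "Missing inside the mounted image: $($missing -join ', ')" }

    # Step 11: commit and unmount.
    Dismount-WindowsImage -Path $Mount -Save | Out-Null
    Write-Host "boot.wim updated: $Wim"
}
catch {
    # Never leave a half-edited image mounted: discard the changes and re-throw.
    Dismount-WindowsImage -Path $Mount -Discard -ErrorAction SilentlyContinue | Out-Null
    throw
}
```

Run it from an elevated PowerShell prompt; the DISM cmdlets refuse to mount an image without administrator rights, and a failed mount leaves nothing behind because the mount happens before the try block.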

 

Prepare Tiny PXE Server (example on Windows 10)

  1. Download Tiny PXE Server: http://reboot.pro/files/file/303-tiny-pxe-server/ (the link is quite slow and may not work sometimes).
  2. Create the C:\TFTPD folder and copy the unzipped Tiny PXE Server files to C:\TFTPD.
  3. Create the C:\TFTPD\iPXE folder.
  4. Mount the SCCM boot media ISO file or unzip it, and copy everything to C:\TFTPD\iPXE.
  5. Copy the modified boot.wim from “Prepare the boot.wim” to the C:\TFTPD\iPXE\sources folder, overwriting the original boot.wim.
  6. Download http://git.ipxe.org/releases/wimboot/wimboot-latest.zip, unzip it, and copy only the wimboot file to the C:\TFTPD\iPXE folder.
  7. Create the install.ipxe file in the C:\TFTPD\iPXE folder.
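The folder layout and install.ipxe from the steps above, as an added PowerShell example that is not part of the original post. It assumes the boot media is extracted to C:\bootmedia, the modified boot.wim from the previous section is at C:\wim\boot.wim, and wimboot was unzipped to C:\wimboot\wimboot. The install.ipxe it writes follows the wimboot documentation's WinPE script and the file names of the extracted boot media; the same file works over TFTP and HTTP because its paths are relative to the URL iPXE fetched it from.

```powershell
# Added example (not from the original post): lay out C:\TFTPD\iPXE and write install.ipxe.
# Assumed inputs: C:\bootmedia (extracted boot media), C:\wim\boot.wim (modified image),
# C:\wimboot\wimboot (from wimboot-latest.zip).
$Root      = 'C:\TFTPD\iPXE'
$BootMedia = 'C:\bootmedia'
$ModWim    = 'C:\wim\boot.wim'
$Wimboot   = 'C:\wimboot\wimboot'

# Steps 3-6: folder, boot media contents, modified boot.wim on top, wimboot.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
Copy-Item -Path (Join-Path $BootMedia '*') -Destination $Root -Recurse -Force
Copy-Item -Path $ModWim -Destination (Join-Path $Root 'sources\boot.wim') -Force
Copy-Item -Path $Wimboot -Destination (Join-Path $Root 'wimboot') -Force

# Step 7: install.ipxe. Second column = name the file gets inside wimboot's
# virtual filesystem. Boot manager files are not listed: wimboot is assumed
# to extract the one it needs from boot.wim (BIOS or UEFI as appropriate).
$InstallScript = @'
#!ipxe
kernel wimboot
initrd bootmgr            bootmgr
initrd boot/bcd           BCD
initrd boot/boot.sdi      boot.sdi
initrd sources/boot.wim   boot.wim
boot
'@

# Write with LF line endings and no BOM, so the first line is exactly "#!ipxe".
$utf8NoBom = [System.Text.UTF8Encoding]::new($false)
[System.IO.File]::WriteAllText((Join-Path $Root 'install.ipxe'),
                               ($InstallScript -replace "`r`n", "`n") + "`n",
                               $utf8NoBom)

# Check: every file install.ipxe references must exist under the TFTP/HTTP root.
$refs = 'wimboot', 'bootmgr', 'boot\bcd', 'boot\boot.sdi', 'sources\boot.wim'
foreach ($f in $refs) {
    $p = Join-Path $Root $f
    if (-not (Test-Path $p)) { throw "install.ipxe references $f but $p is missing" }
    '{0,-18} {1,14:N0} bytes' -f $f, (Get-Item $p).Length
}
```

If a boot stops right after `wimboot` loads, the size table this prints is the first thing to compare against what Tiny PXE Server logs as served; a 0-byte or missing boot.wim is the usual cause.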

 

Prepare DHCP

Because we are doing iPXE boot across different IP subnets, you will have to manually put the boot server and boot file in DHCP.
(Maybe you can use an IP helper with iPXE; I am not sure, but sorry, I didn’t test the IP helper.)

You can configure this in at least two ways; both work. Choose what is best for you, or read more on ipxe.org and figure out your own way.

Option 1 (I won’t write too much detail for this one):

  1. Download http://erwan.labalec.fr/other/ipxe-snponly-x86-64.efi or http://boot.ipxe.org/ipxe.efi, and save the EFI file to the C:\TFTPD\iPXE folder.
  2. Break the infinite loop using DHCP (not a script, because you are using the EFI file from step 1). Read http://ipxe.org/howto/chainloading and http://ipxe.org/howto/msdhcp#pxe_chainloading.
    If you don’t do these settings in DHCP, you will have an infinite loop like this:

 

Option 2 (use an embedded script; this is the one I use, and everything you need is attached at the end of this post):

  1. Generate your own boot file from this website: https://rom-o-matic.eu (at the moment I am writing this, that server is down).
    Advanced settings are described at https://wiki.fogproject.org/wiki/index.php?title=IPXE#rom-o-matic.eu
  2. Embedded script (note: the file name the script chains to over TFTP is install.ipxe, the same name we created earlier. Just make sure the names match).
  3. I wanted my EFI file to support HTTPS, so I created my ipxe_x64.efi file using the advanced settings.
  4. Copy the ipxe_x64.efi file to the C:\TFTPD\iPXE folder.
  5. Configure your DHCP like this:
    066 Boot Server Host Name: put your iPXE server name here, or its IP.
    067 Bootfile Name: ipxe_x64.efi

    With these settings, if there is a PXE enabled Distribution Point on the same subnet, the machine will use the normal PXE boot from your PXE DP.
    But if there is no PXE enabled Distribution Point on the same subnet, the machine will boot from the iPXE server and download boot.wim over HTTP.
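The parts of Option 2 other than building the EFI file itself, as an added PowerShell example that is not from the original post: the embedded script to paste into rom-o-matic, placing the built file, and setting options 066/067 on a scope with the DhcpServer cmdlets. The iPXE server address 192.0.2.10, scope 192.0.2.0 and the download path C:\Downloads\ipxe_x64.efi are placeholders; the server address is hard-coded in the embedded script rather than read from `${next-server}`, so the boot does not depend on how the DHCP server fills the siaddr field. Because the embedded script chains straight to install.ipxe instead of re-using the DHCP boot file name, the Option 1 loop cannot happen.

```powershell
# Added example (not from the original post): Option 2 pieces. Placeholder values:
# iPXE server 192.0.2.10, DHCP scope 192.0.2.0, built efi at C:\Downloads\ipxe_x64.efi.
# Run on the DHCP server, or add -ComputerName to the Dhcp cmdlets (DhcpServer RSAT module).
$IpxeServer = '192.0.2.10'
$ScopeId    = '192.0.2.0'
$BuiltEfi   = 'C:\Downloads\ipxe_x64.efi'
$TftpRoot   = 'C:\TFTPD\iPXE'

# Steps 1-2: the embedded script. "dhcp" configures the NIC, "chain" fetches
# install.ipxe by name, so the firmware-supplied boot file name is never re-used.
$Embedded = @"
#!ipxe
dhcp
chain tftp://$IpxeServer/install.ipxe
"@
# Kept as a file for reference; the content is what you paste into rom-o-matic.
$utf8NoBom = [System.Text.UTF8Encoding]::new($false)
[System.IO.File]::WriteAllText("$TftpRoot\embedded.ipxe",
                               ($Embedded -replace "`r`n", "`n") + "`n", $utf8NoBom)

# Step 4: the built efi sits next to install.ipxe in the TFTP root.
Copy-Item -Path $BuiltEfi -Destination "$TftpRoot\ipxe_x64.efi" -Force

# Step 5: options 066 and 067 on the scope. Repeat per scope that has no PXE DP.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 66 -Value $IpxeServer
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 67 -Value 'ipxe_x64.efi'

# Read back exactly what clients in that scope will receive.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 66, 67 |
    Select-Object OptionId, Name, @{ n = 'Value'; e = { $_.Value -join ',' } }
```

The read-back at the end is worth keeping: a scope-level value silently overrides a server-level one, so checking with `-ScopeId` shows the effective setting rather than the one you think you configured.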

 

Tiny PXE Server

  1. Modify config.ini.

  2. Fire up pxesrv.exe; it should look like this picture shows. Click “Online”.
  3. And… you might see an httpd error, Socket Error # 10013, Access denied. WHAT???? Trust me, you won’t find many answers on Google or Bing. 🙂

  4. In my case it was caused by BranchCache.
    Many thanks to Phil Wilcock, who pointed out that I don’t need to disable BranchCache, just change the port; BranchCache uses port 80 by default.
    Here is more information provided by Phil. Really good to read!
    https://2pintsoftware.com/faq/
    http://code.avalon-zone.be/distributed-branchcache-change-default-tcp-port/

  5. Then put Tiny PXE Server online again. Boot up your client machine without Secure Boot.
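Socket error 10013 on the httpd means the bind to TCP port 80 was refused, so before changing anything it helps to see who holds the port. This added example (not from the original post) lists the listener on a port and, when it turns out to be PID 4 (the kernel, i.e. http.sys), shows the URL registrations and the BranchCache service state so you can confirm the cause the post describes instead of guessing. It needs Windows 8/Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example (not from the original post): find the owner of a listening TCP port.
function Get-PortOwner {
    param([int]$Port = 80)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            }
        }
}

$owners = Get-PortOwner -Port 80
if (-not $owners) {
    'Nothing is listening on TCP 80; the 10013 error has another cause (e.g. the firewall or a non-admin session).'
}
else {
    $owners | Format-Table -AutoSize

    # PID 4 / "System" means http.sys owns the port on behalf of registered URLs;
    # BranchCache (service PeerDistSvc) is one of the usual tenants.
    if ($owners.Pid -contains 4) {
        'http.sys URL registrations:'
        netsh http show servicestate view=requestq verbose=no | Select-String -Pattern 'URL', 'Process'
        Get-Service -Name PeerDistSvc -ErrorAction SilentlyContinue |
            Select-Object Name, Status, StartType
    }
}
```

If PeerDistSvc shows as Running and http.sys lists a registration on port 80, you are in the situation the post describes; moving one side's port (as in the linked articles) leaves BranchCache working and frees 80 for Tiny PXE Server.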

 

So, that’s all. Here are some screenshots.

 

You can download the package from my OneDrive. Click here.

Please don’t ask me about the embedded script; I didn’t write it, I found it on GitHub, and unfortunately I didn’t note down the link.

Have fun testing iPXE, you will like it!

PS. You can make it work with both Legacy and UEFI boot; you just need to configure a DHCP policy. Read this: https://2pintsoftware.com/whitepaper-using-dhcp-uefi-bios-pxe-booting/

10 thoughts on “SCCM with iPXE UEFI boot without WDS server”

  1. Brooks Peppin

    Hello,

    Nice post. As I tweeted at you earlier, are you able to successfully select the Task Sequence and have it progress without downloading the new boot image? Since you have to modify the boot image after you update DPs, it detects a different version and thus tries to download a matching one.

    Modifying SMS\data\TSMbootstrap.ini to have Unattended=True works around this for me.

    1. Zeng Yinghua (Sandy) Post author

      I didn’t need to re-download the boot image as you can see in the video. If you first distribute boot wim content to DP, create a boot media, modify the boot.wim what is from the boot media, no need to import boot wim or update content again. It won’t re-download the boot wim again during TS. Would you try my steps? I will test the Unattended trick tomorrow. Thanks for the information!

      1. Brooks Peppin

        Interesting. I tried exactly that “distribute boot wim content to DP, create a boot media, modify the boot.wim what is from the boot media” and it would still see it as a different boot image. I’m also using wimboot in conjunction with iPXE…I wonder if that makes a difference.
        http://ipxe.org/wimboot

        1. Zeng Yinghua (Sandy) Post author

          Hi Brooks. Do you want us to take a look at your setup together? We can try to organize a Skype session after 4.30pm UTC+3. DM me on Twitter. 🙂

  2. Michael

    Do you have any Information about signing the EFI File for Secure Boot?

    1. Zeng Yinghua (Sandy) Post author

      I am not an expert on certificates; EV code signing costs about 500 dollars for three years, and I didn’t buy it. 🙂 But here is some information from ipxe.org: http://ipxe.org/appnote/etoken
      I think there are some discussions about that in the ipxe.org forums.

      You can also try using HTTPS. Here is the link: http://ipxe.org/crypto

      During my test with a Lenovo T450s, I added some steps in the TS to set Lenovo BIOS settings, and I use that to set Secure Boot back to enabled.

  3. Vinod

    Can we use this on HP devices where, when Secure Boot is enabled and legacy is disabled, PXE boot is not working? On all our HP EliteDesk G2/3 models we have Secure Boot enabled by default. So when we do a PXE boot on bare metal, the device does not get the boot image. So can we use iPXE here?

    1. Zeng Yinghua (Sandy) Post author

      Without code signing, iPXE does not work with UEFI Secure Boot. So this free iPXE solution only works with UEFI without Secure Boot.
