How to UEFI boot with Secure Boot on the SDA with USB

Here again your favorite Random Dude,

I am creating this post because I mentioned this here , but I think there are no other articles about it (may be wrong :) ). So as you all know KACE/Quest is struggling to get their certificate for PXE Secure Boot due to some bureaucracy from Microsoft (source), but we all know how frustrating it is to keep going to the BIOS to disable and then enable secure boot so encryption can actually work. 

Well after testing and talking with some other friends from the industry we confirmed that if you create a USB KBE (follow this guide) machines will boot with Secure Boot On, just fine. Now you don't need to keep going to the Bios, you only need keep some USB sticks around. The good thing is that as soon as you get to the KBE menu you can disconnect the stick and go to the next machine, or just after you start the deployment.

Sorry for the super short post but I just wanted to keep it separated from the other one about Bitlocker being enabled on its own.

I hope this helps someone. If you have any questions or comments put them down there.

See you in my next post!


  • This lack of Secure Boot could end up being the death of the SDA. We've now got new hardening requirements that needs all the VBS (Virtualisation-Based Security) powered features. No modern Windows deployment should be without them.

    We have around 20,000 PC's to manage on 150 remote sites and a USB, physical presence, solution isn't going to work.

    Thankfully a big chunk of our estate are modern HP and I am looking at enabling Secure Boot as a post OS deployment task thanks to HP Client Management Script Library (HPCMSL); which is a godsend. We could do with Media Manager having the ability to add this to a KBE for us.

    Additionally, we can use HPCMSL to disable Secure Boot remotely on multiple HP's at once, just prior to using the SDA. I'm also looking at Intel AMT to help remotely deal with any systems still needing physical intervention at the preboot point.

    I just wish Quest would sort this out. There must be something wrong with what they are submitting to the process. I don't believe this is anti-competitive behaviour from them. - mcnaugha 1 year ago
    • yeah... this is pretty bad now true to be told.... I don't believe they would be doing something wrong or bad over and over.. that would be like shooting your own foot.. and especially with Windows 11 out now but.. let's see what happens - RandomITdude24 1 year ago
This post is locked
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ