Author: Aaron Czechowski, Senior Program Manager, System Center Configuration Manager (@AaronCzechowski)
*** This post serves as a notification of this issue while we continue to investigate root cause and determine the proper fix. We will update this post when we have more information. ***
We are investigating an issue with the recently released Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1703. When installing this version of the Windows ADK on a system with SecureBoot enabled, the Windows Program Compatibility Assistant will display the following warning:
Several files included with the Deployment Tools feature of the Windows ADK, including wimount.sys, are digitally signed with an older certificate that newer operating systems consider “unsigned”, so these files are blocked when SecureBoot is enabled. DISM uses the wimount.sys driver for mount operations, and DISM is used on the Configuration Manager site server to create and service boot images, as well as to perform offline servicing operations on OS Image and OS Upgrade Packages.
For customers using Configuration Manager current branch version 1702 and deploying Windows 10, version 1703, the following workarounds are currently available:
- Use the prior version of the Windows ADK, version 1607, for working with Windows 10, version 1703 boot and OS images. This forward compatibility is supported for basic imaging operations (capture/apply). This is our primary recommendation to unblock customers that need to deploy Windows 10, version 1703, via traditional OS deployment methods (imaging). (NOTE: Windows 10 in-place upgrade and Windows 10 servicing do not use any Windows ADK components, thus those scenarios are unaffected by this issue.)
- Disable SecureBoot. While technically an option, it is not recommended in production environments as this increases the potential risk to the server.
We will update this post as more information is available.