Install Windows 8.1 Enterprise on a Surface Pro 3/4 using a UEFI USB Flash Drive

  • Question

  • Greetings,

    I need to start deploying MS Surfaces Pro 3/4.  I just got them in and of course management thinks I can just whip up an image pretty quick.

    Since this is my first Surface, it won't be quick as I have to learn the in/outs of its UEFI etc differences from a standard laptop.

    I've searched and read and it seems pretty simple (but something is not working though).


    Here is my plan, I'm using an Offline USB drive, which I know they work as I have used them to deploy to laptops at remote locations (PXE is not allowed).

    I built a USB flash drive using the URL below.  Also, below are the drivers I imported. 


    Out Of Box Drivers
    SurfacePro3_Win8x_151026_1.zip (all of them drivers and Firmware)

    Drivers for WinPE
    Surface Ethernet Adapter
    Surface Gigabit Ethernet Adapter


    UEFI USB Setup
    http://deploymentresearch.com/Research/Post/471/UEFI-and-NTFS-Friends-to-MDT-2013-at-last

    Drivers
    https://www.microsoft.com/en-us/download/details.aspx?id=38826

    Surface Settings
    Trusted Platform Module (TPM) = Enabled
    Secure Boot Control = Enabled
    Configure Alternative System Boot Order = USB -> SSD

    BitLocker was never enabled.


    Questions / Issue.

    When booting from UEFI USB flash drive on the Surface Pro 3, I get an error "Invalid Signature detected.  Check Secure Boot Policy in Setup"?  Does this mean I need to disable Secure Boot or something?

    Will the UEFI USB with the Offline media be enough to boot the MS Surface Pro 3/4?

    Our AD (for now) does not have the BitLocker schema added, so I was thinking of enabling BitLocker with a startup PIN.  Will this be possible or do I need to tweak my Task Sequence?

    Any suggestions?

    Thank you for your time.

    Monday, November 30, 2015 11:20 PM

Answers

  • 1. I do not recommend turning off Secure Boot. The error in Secure Boot is caused because Rufus does not have signed binaries. If you split your large WIMs, and install that way, you should be fine.

    2. Surface Pro 4 does not support Windows 8.1, only Windows 10.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Thursday, December 10, 2015 10:57 PM
    Moderator
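
The WIM-splitting step suggested in the answer above, as an added example that is not part of the original thread. It assumes the point of splitting is to keep every file under FAT32's 4 GiB per-file limit so the media can live on a FAT32 stick; `$MediaRoot` is a placeholder path and the 3800 MB chunk size is an arbitrary choice below that limit.

```powershell
# Added example (not from the thread): find WIMs too large for FAT32 and split them.
# Run elevated; Split-WindowsImage is part of the DISM PowerShell module.
param(
    [string]$MediaRoot = 'D:\Media\Content',  # placeholder: root of the offline media content
    [int]$ChunkMB = 3800                      # assumed chunk size, below the FAT32 limit
)

$Fat32Max = 4GB - 1   # largest single file FAT32 can store, in bytes

Get-ChildItem -Path $MediaRoot -Recurse -Filter *.wim |
    Where-Object { $_.Length -gt $Fat32Max } |
    ForEach-Object {
        $wim = $_
        $swm = [IO.Path]::ChangeExtension($wim.FullName, '.swm')
        Write-Host ("Splitting {0} ({1:N1} GB)" -f $wim.FullName, ($wim.Length / 1GB))

        # -CheckIntegrity makes DISM refuse to split an image it detects as corrupt.
        Split-WindowsImage -ImagePath $wim.FullName -SplitImagePath $swm `
            -FileSize $ChunkMB -CheckIntegrity | Out-Null

        # DISM writes name.swm, name2.swm, name3.swm ... next to the source image.
        $parts = Get-ChildItem -Path $wim.DirectoryName -Filter ($wim.BaseName + '*.swm')

        # Edge case: if one file inside the image is bigger than -FileSize, the part
        # holding it exceeds the requested size and may still not fit on FAT32.
        $tooBig = $parts | Where-Object { $_.Length -gt $Fat32Max }
        if ($tooBig) {
            throw "Part(s) still exceed the FAT32 limit: $($tooBig.Name -join ', ')"
        }

        # The original .wim is left in place; remove it from the stick by hand
        # once the split set has been tested.
        [pscustomobject]@{
            Source  = $wim.Name
            Parts   = $parts.Count
            TotalGB = [math]::Round(($parts | Measure-Object Length -Sum).Sum / 1GB, 2)
        }
    }
```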

All replies

  • The schema has to do with the ability to save recovery keys and such.  Adding a startup PIN doesn't resolve that.

    Haven't imaged a Surface but this is what I found.


    Logs are very important. https://keithga.wordpress.com/2014/10/24/video-mdt-2013-log-files-basics-bdd-log-and-smsts-log/ Mention any customizations you have made.

    Monday, November 30, 2015 11:27 PM
    Moderator
  • Turn off secure boot, image, turn secure back on once done ;)

    I also needed mine in the dock so it could have network connection as our task sequence to deploy windows required AD registration.



    • Edited by TheI.T.Crowd Thursday, November 3, 2016 10:48 PM clarification
    Monday, November 30, 2015 11:50 PM
  • Sorry for the great delay in responding.  I was sidetracked on a less important project.

    Anyways, I turned off Secure Boot so now I can apply an image, however, I have some questions.

    1. Being that this will be strictly for a remote location, I have moved the recover to domain to the end of the last task sequence, so that I could join the domain and still keep the USB plugged in.  Our GPO blocked the use of USB.  My same Step works fine for Windows 7 laptops but for a Surface it fails. 

    It joins the domain, and I even deleted the default "remove from domain" step (yes I updated the deployment).  I even placed a pause prior to joining the domain.  It seems to join the domain at the default location.

    What can I do to truly delay the joining the domain (GPO changes are not currently allowed)?

    2. While the OS is being applied, can I re-enable Secure Boot and still continue with the imaging process?

    3. Without making changes to our AD schema, can I enable BitLocker, and use a PIN as well via a task? I see the BitLocker sequence step but there is nothing about the use of a PIN.  Maybe pre-population all that is needed to have the HD encrypted.  I guess I would not be able to boot into the USB.

    Thank you

    Tuesday, December 8, 2015 2:51 AM