UEFI Installation of Windows 7 64 with Secure Boot On

Windows 7 SP1 is still a very popular operating system. Despite of the option to free upgrade to Windows 10 many did not opt for such an offer and decided to stick with Windows 7. This OS shall be supported by Microsoft until 14-Jan-2020, unless Microsoft decides to further extend the support phase.

Windows 7 64 Bit OS does support UEFI Boot but it natively does not support Secure Boot . If you need to install Windows 7 64 Bit OS on a UEFI Firmware based PC that supports Secure Boot, you are required to disable Secure Boot in order to install Windows 7. However there’s a way to enable Windows 7 Installation with secure boot on a UEFI based PC. For those who love to DIY and explore and experiment with computer hardware and software, with a few hacks you can make it work with Secure Boot. This is applicable to only 64 Bit version of Windows 7 SP1.

I successfully conducted a few experiments using QEMU & OVMF. QEMU is a virtualization software and OVMF is Open Virtual Machine Firmware developed by Intel. 

Later when VMWare enabled Secure Boot in their Virtualization Software VMWare Workstation Player, I tested it with VMWare Player 14.1 too and it worked again very well as expected. Below is a detailed procedure as to how to make Windows 7 install in UEFI Secure Boot enabled mode.

This article assumes that you have basic understanding of computers, Windows installation, UEFI Setup and secure boot keys. The experiments are done with 64 Bit Install of Windows 7 SP1 on VMWare Player 14.1 on a Windows 7 Desktop PC.

Required tools and applications
1. Windows 7 SP1 64 ISO (I am using Ultimate Version) X17-24395 ISO originally downloaded from Microsoft Digital River archive, or you can use Windows 7 SP1 64 Bit retail DVD if you have one.

2. A Working Windows 7 or above Desktop or a laptop. I am using Windows 7 Ultimate 64 bit Desktop

3. VMWare Workstation Player 14.1.1 64 Bit  for Windows (Free for personal use)
 
4. 7 Zip (free) 

5. PowerISO (Trial version should be good enough as the BIN file being edited is less than 300MB)

6. Internet connection and a browser (if you wish to download Windows ADK)

7. Windows 7 WAIK tools (OCSDIMG). This is part of Windows ADK , however it’s very big in size, there are  third party WAIK Tool Downloaders available that download only the intended tools for you rather than the whole package.

8. A FAT32 formatted pen drive

Detailed Steps, in this case we will create a Windows 7 ISO that’s bootable on Secure Boot Mode On.

1. Create a folder structure something like following.
 
                C:\Win7\boot
                C:\Win7\mount
                C:\Win7\new-iso
                C:\Win7\src
 
2. Using 7 zip extract the entire Windows 7 ISO file at C:\Win7\src or if you have an install DVD just copy its contents to folder C:\Win7\src

3. Go to C:\Win7\src\sources and look for file named boot.wim.
4. Using 7 zip extract the contents of boot.wim at C:\Win7\mount
5. Go to C:\Win7\mount\1\Windows\Boot\EFI  and look for a file named bootmgfw.efi
6. Copy this file to say folder C:\Win7\boot
7. Now in C:\Win7\boot rename  this file to BOOTX64.EFI
8. Right click this BOOTX64.EFI and go to ‘Properties’
9. Access ‘Digital Signature’ Tab
10. Click on Signature within ‘Signature List’ and click ‘Details’ button
11. Click ‘View Certificate’ and access ‘Details’ Tab  therein
12. Now you see a button named ‘Copy to File’
13. Click on that and hit ‘Next’
14. Let the default option be DER Encoded X.509. Hit ‘Next’
15. Connect a FAT32 formatted Pen Drive to your PC
16. Now save this file as say BootCert.CER onto the pen drive and  get  export successful confirmation message box
17. We have extracted the public key from BOOTX64.EFI and same will be used to be inserted into the key  Database DB.
18. Now comes the interesting part. Pushing the BOOTX64.EFI that we obtained by renaming bootmgfw.efi into efisys.bin
19. Access C:\Win7\src\efi\microsoft\boot and look or a file named efisys.bin
20. Open this efisys.bin in PowerISO application.
21. This file contains EFISector. Within opened efisys.bin go to folder EFI then folder Boot and delete BOOTX64.EFI file from therein.
22. Now add the BOOTX64.EFI from C:\Win7\boot into the same location. This is a signed bootloader
23. Save the efisys.bin file.
24. Now you have modified Windows 7 64 SP1 source at C:\Win7\src. Mainly the efisys.bin now holds the signed bootloader.
25. Using OSCDIMG command create a MBR + UEFI bootable ISO from this source. OSCDIMG is part of WAIK tools for Windows which in turn is a part of Windows ADK. You can use third party downloaders to just get the intended WAIK tools rather than the whole ADK package that is over 1 GB in size. Save the WAIK tools in a suitable folder and include the folder full path in PATH variable. You may need to restart Windows to get updated PATH in effect. Updating PATH may still be required even if you download and install entire ADK as the installer may not do this for you. Alternatively you will have to include full path to OSCDIMG in the command.
26. Below command is in line with the above folder structure. Run this in an elevated command prompt

​Oscdimg -m -o -u2 -udfver102 -bootdata:2#p0,e,bC:\Win7\src\boot\etfsboot.com#pEF,e,bC:\Win7\src\efi\microsoft\boot\efisys.bin C:\Win7\src C:\Win7\new-iso\win7sb.iso

27. Upon successful completion the new bootable ISO would be created at C:\Win7\new-iso folder and file named win7sb.iso
28. Create a VMWare Player 14 based  new Windows 7 64 virtual machine.
29. Insert the following 4 lines in its VMX file. You can open VMX file in a default windows notepad application

               bios.bootdelay = "3000"
               firmware = "efi"
               uefi.secureBoot.enabled = "TRUE"
               uefi.allowAuthBypass = "TRUE"

30. The first line adds a delay of 3 seconds at the boot time. This allows you to comfortably and conveniently press the DEL key at boot up to be able to enter the UEFI Setup.
The second line emulates UEFI firmware and boot rather than traditional BIOS
The third line enables Secure Boot in UEFI
The fourth line allows user to access and add/delete the secure boot keys in UEFI Setup.
31. With secure boot enabled, just assign the newly created ISO win7sb.iso as CD media in Virtual Machine and see if it boots. It will fail as secure boot is turned on and as the key to verify bootloader is not yet inserted into the DB database.
32. Now connect the Pen Drive to the VM
33. Once Pen Drive is connected restart VM from within the virtual machine by pressing ALT+CTRL+INSERT keys (Make sure you are in VM by clicking inside of it once, just in case you had earlier pressed CTRL+ALT to access VM Menu)and this time press DEL key subsequently to enter the UEFI Firmware settings
​

34. Go to Enter Setup --> Secure Boot Configuration

35. Go to DB Options

36. Go to Enroll DB

37. Hit Enroll DB using File and access the Pen drive
38. Select bootcert.cer that we copied to pen drive earlier. The screenshot has many more. Those were test keys created by me for other testing purposes!!

39. Hit Enter on bootcert.cer and come back to the Enroll DB screen. Here now commit changes and exit.

40. Reset the system or exit and reboot the virtual machine. This time you will notice that Windows 7 boots with secure boot on and you can simply go ahead and install Windows 7 on the VM.

41. Note that in this BOOTX64.EFI the option to ‘Press any key to boot from DVD’ is not available. It directly starts with Windows 7 setup. So make sure that Hard disk is set as first boot priority in the setup. So that upon first boot it will start with DVD (because there’s nothing on HDD) and when Windows is copied and boot loader entry created, it will start with Windows on hard disk upon subsequent boot.

42. If you later install Windows 7 convenient roll up updates on top of Windows 7 SP1 then it’s highly likely that the BOOTX64.EFI would get replaced with latest and then secure boot shall fail. So after Windows 7 installation is thru, maintain a back of that BOOTX64.EFI file on EFI partition. So that in future you can just replace it with original and continue to enjoy secure boot always with Windows 7. Alternatively you can as well temporarily disable secure boot. Boot to Windows, access EFI partition, extract latest public key from new BOOTX64.EFI and insert it into DB database.

43. How to take backup of BOOTX64.EFI on EFI partition?

          a.Run command prompt as an administrator
          b.Run DISKPART
          c.Run LIST DISK
          d.Run SELECT DISK 0
​               (I assume 0 is the main disk on which EFI partition exists and Windows is loaded)
          e.Run LIST PARTITION
          f. Run SELECT PARTITION 1 (I assume 1 is the EFI partition of about 100 MB in size)
          g.Run ASSIGN LETTER X: (Where X is a free drive letter not yet assigned to any drive)
          h.Run EXIT to exit Diskpart utility
          i.Still in the command prompt run the following
              taskkill /im explorer.exe /f 
              explorer.exe 
          j.Now when Explorer runs in GUI it will show and mount X: drive as EFI partition
         k.Go to X:\EFI\Boot and copy BOOTX64.EFI in the same folder as BOOTX64 – Copy.efi and rename it to               BOOTX64.BAK

44. Note that in step 14 we selected DER Encoded X.509 CER format. In case this format is not acceptable in your UEFI, try other formats as well. In case UEFI does not support a format it will result into an error during adding the key in DB.

How to enable Secure Boot on Windows 7 UEFI installation when Windows 7 SP1 is already installed on your system. It’s very very simple!!
 
1. On the installed Windows, just access the EFI partition and BOOTX64.EFI
    (It’s located at X:\EFI\Boot  assuming X is the EFI drive letter)
2. Extract the public key from it (The BOOTX64.EFI is already signed)
3. Save the public key on EFI partition as filename.CER
4. Shut down the system
5. Restart and boot to Firmware Settings, enable secure boot and insert the public key into the DB database.
     From within UEFI Settings the EFI partition is accessible.
6. Save changes, exit and restart your system
7. Now the already installed Windows 7 shall successfully boot with Secure Boot mode on