Windows 7 SP1 is still a very popular operating system. Despite the free upgrade offer to Windows 10, many users did not take it and decided to stick with Windows 7. Microsoft will support this OS until 14-Jan-2020, unless it decides to extend the support phase further. The 64-bit edition of Windows 7 supports UEFI boot, but it does not natively support Secure Boot: its boot manager is signed with an older Microsoft certificate chain that is not in the Secure Boot signature database (DB) that PC firmware ships with, and the OS itself has no notion of Secure Boot. If you need to install 64-bit Windows 7 on a UEFI PC that supports Secure Boot, you normally have to disable Secure Boot to install it. However, there is a way to install Windows 7 with Secure Boot on. For those who love to DIY and to explore and experiment with computer hardware and software, with a few hacks you can make it work. This applies only to the 64-bit version of Windows 7 SP1.

The idea is simple. The Windows 7 boot manager (bootmgfw.efi) is Authenticode-signed, so if you enroll its signing certificate into the firmware's DB, the firmware accepts it. Be clear about what this does and does not give you: the firmware verifies the first-stage loader against DB, and everything after that point (winload.efi, the kernel, boot drivers) is checked by Windows 7's own boot-time code integrity, not by firmware policy, and Windows 7 does not report or enforce a Secure Boot state. Also, a certificate in DB is trusted for every binary signed under it, so enroll the signer's own (leaf) certificate, not the Microsoft CA above it.

I successfully conducted a few experiments using QEMU and OVMF. QEMU is a machine emulator and virtualizer, and OVMF (Open Virtual Machine Firmware) is the UEFI firmware for virtual machines from the TianoCore EDK II project, started by Intel. Later, when VMware added Secure Boot to VMware Workstation Player, I tested with VMware Player 14.1 too and it worked as expected. Below is a detailed procedure for installing Windows 7 in UEFI Secure Boot enabled mode. This article assumes a basic understanding of computers, Windows installation, UEFI Setup and Secure Boot keys. The experiments were done with a 64-bit install of Windows 7 SP1 on VMware Player 14.1 on a Windows 7 desktop PC.

Required tools and applications
1. Windows 7 SP1 64-bit ISO (I am using the Ultimate edition), X17-24395, originally downloaded from the Microsoft Digital River archive, or a Windows 7 SP1 64-bit retail DVD if you have one.
2. A working Windows 7 or later desktop or laptop. I am using a Windows 7 Ultimate 64-bit desktop.
3. VMware Workstation Player 14.1.1 64-bit for Windows (free for personal use).
4. 7-Zip (free).
5. PowerISO (the trial version is enough, as the BIN file being edited is under 300 MB).
6. An Internet connection and a browser (to download the Windows ADK).
7. Windows 7 WAIK tools (OSCDIMG). This is part of the Windows ADK, which is very large; third-party WAIK tool downloaders exist that fetch only the tools you need rather than the whole package.
8. A FAT32-formatted pen drive.

Detailed steps. In this case we will create a Windows 7 ISO that boots with Secure Boot on.
1. Create a folder structure like the following:
   C:\Win7\boot
   C:\Win7\mount
   C:\Win7\new-iso
   C:\Win7\src
2. Using 7-Zip, extract the entire Windows 7 ISO to C:\Win7\src, or if you have an install DVD, copy its contents to C:\Win7\src.
3. Go to C:\Win7\src\sources and find the file named boot.wim.
4. Using 7-Zip, extract the contents of boot.wim to C:\Win7\mount.
5. Go to C:\Win7\mount\1\Windows\Boot\EFI and find the file named bootmgfw.efi.
6. Copy this file to C:\Win7\boot.
7. In C:\Win7\boot, rename it to BOOTX64.EFI.
8. Right-click BOOTX64.EFI and open 'Properties'.
9. Open the 'Digital Signatures' tab.
10. Select the signature in the 'Signature list' and click the 'Details' button.
11. Click 'View Certificate' and open the 'Details' tab there.
12. You will see a button named 'Copy to File'.
13. Click it and hit 'Next'.
14. Leave the default option, DER encoded binary X.509 (.CER), and hit 'Next'.
15. Connect a FAT32-formatted pen drive to your PC.
16. Save the file as, say, BootCert.CER on the pen drive; you should get an "export successful" confirmation.
17. We have now exported the signing certificate from BOOTX64.EFI (the certificate dialog shows the signer's certificate, which carries its public key); this is what will be enrolled into the signature database, DB. Export the signer's own (leaf) certificate, not the issuing CA further up the chain: a DB entry is trusted for everything signed under it, and the issuing CA has signed far more than this boot manager.
18. Now comes the interesting part: pushing the BOOTX64.EFI we obtained by renaming bootmgfw.efi into efisys.bin.
19. Go to C:\Win7\src\efi\microsoft\boot and find the file named efisys.bin.
20. Open efisys.bin in PowerISO.
21. This file is the EFI boot image of the DVD, a small FAT file system that the firmware boots from. Inside the opened efisys.bin, go to folder EFI, then folder Boot, and delete the BOOTX64.EFI file there.
22. Add the BOOTX64.EFI from C:\Win7\boot in the same location. This is the signed boot manager.
23. Save efisys.bin.
24. You now have a modified Windows 7 SP1 64-bit source at C:\Win7\src; the main change is that efisys.bin now holds the signed boot manager.
25. Use the OSCDIMG command to create an MBR + UEFI bootable ISO from this source. OSCDIMG is part of the WAIK tools for Windows, which in turn are part of the Windows ADK. You can use third-party downloaders to get just the WAIK tools rather than the whole ADK package, which is over 1 GB. Save the WAIK tools in a suitable folder and add the folder's full path to the PATH variable. You may need to restart Windows for the updated PATH to take effect. Updating PATH may be required even if you install the entire ADK, as the installer may not do it for you. Alternatively, give the full path to OSCDIMG in the command.
26. The command below matches the folder structure above. Run it in an elevated command prompt:
   Oscdimg -m -o -u2 -udfver102 -bootdata:2#p0,e,bC:\Win7\src\boot\etfsboot.com#pEF,e,bC:\Win7\src\efi\microsoft\boot\efisys.bin C:\Win7\src C:\Win7\new-iso\win7sb.iso
27. On success the new bootable ISO is created in C:\Win7\new-iso as win7sb.iso.
28. Create a new Windows 7 64-bit virtual machine in VMware Player 14.
29. Add the following four lines to its VMX file (you can open the VMX file in Notepad):
   bios.bootdelay = "3000"
   firmware = "efi"
   uefi.secureBoot.enabled = "TRUE"
   uefi.allowAuthBypass = "TRUE"
30. The first line adds a 3-second delay at boot, so you can comfortably press DEL at start-up to enter UEFI Setup. The second line makes the VM boot UEFI firmware rather than legacy BIOS. The third line enables Secure Boot in the UEFI firmware. The fourth line lets you add and delete Secure Boot keys from UEFI Setup without the signed-update authentication that the key databases normally require; it is what makes the Enroll DB menu usable, and while it stays in the VMX anyone with access to the VM's firmware setup can alter the keys, so remove it once enrolment is done if that matters to you.
31. With Secure Boot enabled, attach the newly created win7sb.iso as the CD media of the virtual machine and see if it boots. It will fail, because Secure Boot is on and the certificate needed to verify the boot manager is not yet in DB.
32. Connect the pen drive to the VM.
33. Once the pen drive is connected, restart the VM from within it with CTRL+ALT+INSERT (click inside the VM once first to make sure it has focus, in case you had pressed CTRL+ALT earlier to reach the VM menu) and this time press DEL to enter the UEFI firmware settings.
34. Go to Enter Setup --> Secure Boot Configuration.
35. Go to DB Options.
36. Go to Enroll DB.
37. Choose Enroll DB using File and open the pen drive.
38. Select the bootcert.cer we copied to the pen drive earlier. (The screenshot shows many more files; those were test keys I created for other testing.)
39. Hit Enter on bootcert.cer and return to the Enroll DB screen. Now commit the changes and exit.
40. Reset the system, or exit and reboot the virtual machine. This time Windows 7 boots with Secure Boot on and you can simply go ahead and install Windows 7 in the VM.
41. Note that with this BOOTX64.EFI the 'Press any key to boot from DVD' prompt is not available; it goes straight into Windows 7 Setup. So make sure the hard disk is first in the boot order in the setup: on the first boot the firmware falls through to the DVD (because there is nothing on the hard disk yet), and once Windows has been copied and a boot entry created, subsequent boots start Windows from the hard disk.
42. If you later install the Windows 7 convenience rollup (or other updates) on top of SP1, it is very likely that BOOTX64.EFI gets replaced with a newer build and Secure Boot then fails. So after the Windows 7 installation is through, keep a backup of the BOOTX64.EFI on the EFI partition, so that in future you can put the original back and keep enjoying Secure Boot with Windows 7. Alternatively, temporarily disable Secure Boot, boot into Windows, access the EFI partition, export the signing certificate from the new BOOTX64.EFI and enroll it into DB as well. Two things to keep in mind: the firmware boot entry that Windows Setup creates ("Windows Boot Manager") points at \EFI\Microsoft\Boot\bootmgfw.efi, which is the same binary as \EFI\Boot\BOOTX64.EFI, so back up and check both; and putting an older boot manager back means the fixes in the updated one are not in effect.
43. How to take a backup of BOOTX64.EFI on the EFI partition:
   a. Run Command Prompt as an administrator.
   b. Run DISKPART.
   c. Run LIST DISK.
   d. Run SELECT DISK 0 (assuming 0 is the main disk on which the EFI partition exists and Windows is installed).
   e. Run LIST PARTITION.
   f. Run SELECT PARTITION 1 (assuming 1 is the EFI partition, about 100 MB in size).
   g. Run ASSIGN LETTER=X (where X is a free drive letter not yet assigned to any drive).
   h. Run EXIT to leave diskpart.
   i. Still in the command prompt, restart Explorer so it picks up the new drive letter:
      taskkill /im explorer.exe /f
      explorer.exe
   j. Explorer now shows X: as the EFI partition. (The elevated command prompt itself can read and copy from X: without restarting Explorer.)
   k. Go to X:\EFI\Boot, make a copy of BOOTX64.EFI in the same folder (it appears as BOOTX64 - Copy.efi) and rename it BOOTX64.BAK.
44. Note that in step 14 we chose the DER encoded X.509 (.CER) format. If your UEFI does not accept this format, try the other formats too. If the firmware does not support a format, adding the key to DB results in an error. Most firmware setup utilities accept only DER-encoded certificates; a Base-64 (PEM) export is usually rejected.
How to enable Secure Boot on a Windows 7 UEFI installation when Windows 7 SP1 is already installed on your system. It's very simple!
1. On the installed Windows, access the EFI partition and its BOOTX64.EFI (located at X:\EFI\Boot, assuming X is the drive letter assigned to the EFI partition).
2. Export the signing certificate from it (BOOTX64.EFI is already signed).
3. Save the certificate on the EFI partition as filename.CER.
4. Shut down the system.
5. Restart, boot into the firmware settings, enable Secure Boot and enroll the certificate into DB. The EFI partition is accessible from within the UEFI settings.
6. Save the changes, exit and restart your system.
7. The already installed Windows 7 now boots with Secure Boot on.
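The certificate export of steps 8 to 17, the backup of step 43 and the procedure for an already installed system above can be scripted instead of clicked through. The PowerShell below is an added example written for this page; it is not the article author's code and not part of Windows or VMware. The folder C:\Win7\boot, the pen drive letter E:, the drive letter X: for the EFI System Partition and the file names are assumptions taken from the article's layout; adjust them to your machine. It adds one check the article does by eye: after a rollup, whether the loader now on the ESP is still signed under the certificate you enrolled.

```powershell
# Added example (not from the original article). Scripts the manual steps of the article:
# export the Authenticode signer certificate of a boot manager as DER .cer for DB enrolment,
# back up the loaders on the EFI System Partition (ESP), and after an update check whether the
# loader on the ESP still chains to the enrolled certificate. Run from an elevated PowerShell
# (2.0 or later, so it works on a stock Windows 7). Paths and drive letters are assumptions.

function Get-Sha256Hex {
    param([string]$Path)
    # SHA-256 via .NET, because Get-FileHash does not exist on the PowerShell 2.0 shipped with Windows 7
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Export-SignerCert {
    param(
        [Parameter(Mandatory=$true)][string]$EfiBinary,   # e.g. C:\Win7\boot\BOOTX64.EFI or X:\EFI\Boot\BOOTX64.EFI
        [Parameter(Mandatory=$true)][string]$OutCer       # e.g. E:\BootCert.cer on the FAT32 pen drive
    )
    $sig = Get-AuthenticodeSignature -FilePath $EfiBinary
    # An unsigned or tampered binary must not become a trust anchor for the firmware
    if ($sig.Status -eq 'NotSigned' -or $sig.Status -eq 'HashMismatch') {
        throw "$EfiBinary : signature status is $($sig.Status); refusing to export"
    }
    if ($sig.Status -ne 'Valid') { Write-Warning "$EfiBinary : signature status is $($sig.Status)" }
    # Export only the leaf (signer) certificate. Enrolling its issuer would make the firmware
    # trust every binary that CA ever signed, not just this boot manager.
    $leaf = $sig.SignerCertificate
    $der  = $leaf.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)  # DER, as in the wizard's default
    [System.IO.File]::WriteAllBytes($OutCer, $der)
    New-Object PSObject -Property @{
        Subject    = $leaf.Subject
        Issuer     = $leaf.Issuer
        Thumbprint = $leaf.Thumbprint
        NotAfter   = $leaf.NotAfter   # the firmware does not enforce expiry, but it is worth knowing
        Exported   = $OutCer
    }
}

function Backup-EspLoaders {
    param([string]$Letter = 'X', [string]$BackupDir = 'C:\Win7\boot')
    # mountvol /s exposes the ESP without diskpart or an Explorer restart
    & mountvol "${Letter}:" /s
    if ($LASTEXITCODE -ne 0) { throw "could not mount the ESP on ${Letter}:" }
    try {
        New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
        # Both files are the boot manager; the firmware's "Windows Boot Manager" entry points at
        # the second one, so back up and record both.
        foreach ($rel in @('EFI\Boot\BOOTX64.EFI', 'EFI\Microsoft\Boot\bootmgfw.efi')) {
            $src = "${Letter}:\$rel"
            if (-not (Test-Path $src)) { continue }
            $dst = Join-Path $BackupDir (($rel -replace '\\', '_') + '.bak')
            Copy-Item -Path $src -Destination $dst -Force
            New-Object PSObject -Property @{ File = $src; SHA256 = (Get-Sha256Hex $src); Backup = $dst }
        }
    } finally {
        & mountvol "${Letter}:" /d
    }
}

function Test-EnrolledSigner {
    param(
        [Parameter(Mandatory=$true)][string]$EfiBinary,    # loader to check, e.g. X:\EFI\Microsoft\Boot\bootmgfw.efi
        [Parameter(Mandatory=$true)][string]$EnrolledCer   # the .cer that was enrolled into DB
    )
    $enrolled = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $EnrolledCer
    $signer   = (Get-AuthenticodeSignature -FilePath $EfiBinary).SignerCertificate
    if ($signer -eq $null) { return $false }
    # The firmware accepts an image when a DB certificate is the signer or an issuer in its chain,
    # so compare the enrolled thumbprint against the whole chain, not only the leaf.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllFlags
    [void]$chain.Build($signer)
    $thumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    $ok = $thumbs -contains $enrolled.Thumbprint
    if (-not $ok) {
        Write-Warning "$EfiBinary is signed by $($signer.Thumbprint), not under enrolled $($enrolled.Thumbprint): restore the backup or enroll the new certificate before rebooting with Secure Boot on"
    }
    $ok
}

# Example session (assumed paths; run the parts you need):
# Export-SignerCert -EfiBinary 'C:\Win7\boot\BOOTX64.EFI' -OutCer 'E:\BootCert.cer'
# Backup-EspLoaders -BackupDir 'C:\Win7\boot'
# & mountvol X: /s; Test-EnrolledSigner -EfiBinary 'X:\EFI\Microsoft\Boot\bootmgfw.efi' -EnrolledCer 'C:\Win7\boot\BootCert.cer'; & mountvol X: /d
```

Run Test-EnrolledSigner after every update that touches the boot files and before the next reboot with Secure Boot on; if it returns False, either copy the backed-up loader back onto the ESP or export and enroll the new signer, exactly as described in step 42. The chain comparison approximates the firmware's DB lookup: with the leaf certificate enrolled (the article's choice) only loaders signed by that same certificate pass, which is the narrowest trust you can grant.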
4 Comments
John IL
6/5/2019 02:26:53 am
Good information! I decided to regress back to Windows 7 on my older Latitude notebook. Came to the conclusion the best OS is the one that was certified for the notebook. Windows 10 can be flaky on older hardware as I started to find out as new feature updates were released. Thought about Linux desktop, and may still entertain that in Jan 2020 or I may decide to live dangerously and use Win 7 for a few months past EOS.
squidder
5/22/2020 03:36:18 pm
The whole thing takes about 20-30 minutes, maybe less, so it's easier than expected. However, when I get to #39, it always says that it wasn't accepted or something because it only accepts DER 509 certification.
Squidder
5/22/2020 03:40:18 pm
Although I skipped #31, I selected "boot normally" or something on the blue screen and the VM really didn't boot. It showed some cmd-looking lines and just stayed with a blinking cursor for typing, presumably. Also I used x64 and used fat32 for formatting. I'm sure I followed the others steps exactly.
Squidder
5/22/2020 03:57:55 pm
Oh and the second iso I used was home premium SP1, not just home premium.