I never thought that I would write a blog post about deploying Windows 7 x64 in UEFI mode and TPM 2.0 in 2016.
However, I understand that bigger enterprises aren’t 100% ready to deploy Windows 10 but you should definitely have a plan for that.
In this blog post I will point out some of the key things regarding Windows 7 SP1 x64, UEFI and TPM 2.0 and maybe this will be helpful for others as well.
My experience is with HP models, like the EliteBook 820 G3 / 840 G3 and HP Probook 640 G3 / 650 G3.
Windows 7 and UEFI
Most likely you have seen Keith's blogpost regarding Windows 7 and UEFI.
- Install Windows 7 in UEFI - https://keithga.wordpress.com/2016/05/17/install-windows-7-in-uefi/
In that blogpost he states that HP models have a UEFI Hybrid (with CSM) mode in the BIOS. You can read more about CSM here.
Yes, this statement may be correct for older HP models such as the G1 or G2. This picture is taken on an HP Probook G1 model, and in that BIOS you do see the UEFI Hybrid (With CSM) mode.
If you take the newer HP models like the EliteBook 820 G3 / 840 G3 and HP Probook 640 G3 / 650 G3, there is no UEFI Hybrid (with CSM) mode in the BIOS at all. Even if you update the BIOS to the latest version you still don't see such an option there.
So the question is: “How do I get CSM mode on these models?” To get the CSM mode for the EliteBook 820 G3 / 840 G3 and HP Probook 640 G3 / 650 G3 models, you need to configure the BIOS like this:
1. Legacy Support Enabled
2. Secure Boot Disabled
3. Fast Boot Disabled
This BIOS configuration gives you the CSM mode needed to run Windows 7 x64. For me it seems a little bit weird, but that's the case with these models. If this configuration is correct, then you can deploy Windows 7 with UEFI.
Just remember to boot from UEFI USB or UEFI Network. Otherwise you will end up with MBR partitions.
Windows 7 June/July Rollups and Intel Bluetooth Drivers
Johan Arwidmark has a nice blogpost regarding building a Windows 7 SP1 reference image:
From my experience there are two things missing: the first is related to the Intel Bluetooth driver and the second concerns TPM 2.0. But first let's talk about the Windows 7 SP1 June/July rollup issue.
1. If you include the Windows 7 June or July update rollup, then it will break the Intel Bluetooth driver installation:
a. June 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
b. July 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
Currently this issue is listed under the Known Issues section.
If the June or July rollup is included in your reference image, then you will end up with the following error message:
Windows 7 and TPM 2.0
A few months ago Microsoft announced that all new Windows 10 certified hardware must have TPM 2.0. If you are ordering new hardware today, then you will most likely receive hardware with TPM 2.0. By default, Windows 7 SP1 does not support it.
Luckily we can download a hotfix for TPM 2.0 support:
- Update to add support for TPM 2.0 in Windows 7 and Windows Server 2008 R2 - https://support.microsoft.com/en-us/kb/2920188
If you open that KB article you will see this note:
This note states that only the 64-bit OS is supported and that UEFI with CSM mode must be enabled. If you have just ordered a lot of machines from HP with TPM 2.0, then you have the following two options:
1. You can downgrade the TPM 2.0 to TPM 1.2.
a. You can do that a total of 64 times per machine. HP has released a separate utility for that.
b. Downgrading all machines to TPM 1.2 seems a bad idea because it requires a lot of work.
c. If you continue in legacy mode, then BitLocker is no longer an option!
This screenshot is taken from a machine with TPM 2.0 in Legacy Mode. BitLocker stays in suspended mode.
2. You need to change your OS deployment so that it supports UEFI hybrid with CSM mode.
a. I recommend this approach.
b. Make sure that you have a Task Sequence pre-execution solution that detects whether the BIOS configuration is set to UEFI Hybrid Mode.
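One way to build such a pre-execution check, as an added example that is not from the original post: it reads the three BIOS settings listed above through HP's WMI provider, confirms WinPE itself booted in UEFI mode, and flags a TPM 2.0 so the Windows 7 caveats are visible. It assumes the HP provider (root\HP\InstrumentedBIOS, class HP_BIOSSetting) is present, that the setting names match the three items in the list above, that the script runs in WinPE from ADK 1511 or later (where $env:firmware_type is populated), and the task sequence variable name BiosUefiHybridOk is hypothetical.

```powershell
# Added example (not part of the original post): pre-execution check that the HP BIOS
# is in the CSM-capable configuration needed for Windows 7 x64 before deployment.
# Assumed: HP WMI provider present, setting names as listed in the post, WinPE from
# ADK 1511+ so $env:firmware_type reports 'UEFI' or 'Legacy'.
$expected = @{
    'Legacy Support' = 'Enable'    # page: Legacy Support Enabled
    'Secure Boot'    = 'Disable'   # page: Secure Boot Disabled
    'Fast Boot'      = 'Disable'   # page: Fast Boot Disabled
}
$problems = @()

# 1. Compare the three BIOS settings against the expected values.
$settings = Get-WmiObject -Namespace 'root\HP\InstrumentedBIOS' -Class HP_BIOSSetting -ErrorAction SilentlyContinue
if (-not $settings) {
    $problems += 'HP BIOS WMI provider not available; cannot verify BIOS settings.'
} else {
    foreach ($name in $expected.Keys) {
        $setting = $settings | Where-Object { $_.Name -eq $name }
        if (-not $setting) {
            $problems += "BIOS setting '$name' not found."
        } elseif ($setting.CurrentValue -notlike "$($expected[$name])*") {  # accepts 'Enable' or 'Enabled'
            $problems += "BIOS setting '$name' is '$($setting.CurrentValue)', expected '$($expected[$name])'."
        }
    }
}

# 2. WinPE must have booted in UEFI mode, otherwise the disk ends up with MBR partitions.
if ($env:firmware_type -ne 'UEFI') {
    $problems += "WinPE booted in '$($env:firmware_type)' mode; boot from UEFI USB or UEFI network."
}

# 3. With a TPM 2.0, Windows 7 needs KB2920188 and UEFI with CSM, or BitLocker stays suspended.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.SpecVersion -like '2.0*') {
    Write-Host 'TPM 2.0 detected: Windows 7 x64 requires KB2920188 and UEFI hybrid (CSM) mode for BitLocker.'
}

# Report the result to the task sequence (when running inside one) and to the console.
$ok = ($problems.Count -eq 0)
$result = if ($ok) { 'True' } else { 'False' }
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('BiosUefiHybridOk') = $result   # hypothetical TS variable name
} catch { }
$problems | ForEach-Object { Write-Warning $_ }
if (-not $ok) { exit 1 }
Write-Host 'BIOS is in the UEFI hybrid (CSM) configuration.'
```

A non-zero exit code lets the task sequence stop before partitioning, and the variable can drive a condition on the BitLocker steps.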
Windows 7 and BitLocker
If you are deploying Windows 7 machines with BitLocker and you are using ADK 1511 or newer, then you need to inject these three registry keys before the Pre-provision BitLocker task.
If you don't do that, then you cannot boot up the machine. You can read more about it here: https://blogs.technet.microsoft.com/dubaisec/2016/03/04/bitlocker-aes-xts-new-encryption-type/
If you are still deploying Windows 7 today, then try to deploy with UEFI hybrid mode and watch out for the TPM 2.0 requirements for Windows 7.