Known Issue with the Windows ADK for Windows 10, version 1703

Author: Aaron Czechowski, Senior Program Manager, System Center Configuration Manager (@AaronCzechowski)

*** May 30 Update: A fix for this issue is now available. Download this file, extract the contents, and follow the instructions in the readme file. NOTE: This driver update for the Windows ADK for Windows 10, version 1703, only addresses the specific issue described below. There is also a known issue with 802.1x (dot3svc), which is not included in this update. ***

We are investigating an issue with the recently released Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1703. When installing this version of the Windows ADK on a system with SecureBoot enabled, the Windows Program Compatibility Assistant will display the following warning:

a digitally signed driver is required

Several files included with the Deployment Tools feature of the Windows ADK, including wimount.sys, are digitally signed with an older certificate. Newer operating systems treat that signature as “unsigned” and block the files when SecureBoot is enabled. DISM uses the wimount.sys driver for mount operations, and the Configuration Manager site server relies on those operations to create and service boot images, as well as to perform offline servicing on OS Image and OS Upgrade Packages.
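To see which driver files on a site server carry which signing certificate, the following PowerShell lists the Secure Boot state and the signer details of every .sys file under the Deployment Tools folder. It is an added example, not part of the original post or the fix package, and it assumes the default ADK install path shown in the `$AdkRoot` parameter.

```powershell
# Added example (not from the original post): list signer details for every
# driver file shipped under the ADK Deployment Tools folder.
param(
    # ASSUMPTION: default ADK install location; override if installed elsewhere.
    [string]$AdkRoot = "${env:ProgramFiles(x86)}\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools"
)

# Confirm-SecureBootUEFI requires elevation and throws on non-UEFI systems,
# so treat any failure as "state unknown" rather than "disabled".
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = 'Unknown (not elevated or not UEFI)' }
Write-Output "Secure Boot enabled: $secureBoot"

if (-not (Test-Path -LiteralPath $AdkRoot)) {
    throw "ADK Deployment Tools folder not found: $AdkRoot"
}

Get-ChildItem -LiteralPath $AdkRoot -Recurse -Filter '*.sys' -File |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate   # $null when the file has no signature
        [pscustomobject]@{
            File       = $_.FullName.Substring($AdkRoot.Length).TrimStart('\')
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject } else { $null }
            CertAlgo   = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
            ValidFrom  = if ($cert) { $cert.NotBefore } else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        }
    } |
    Sort-Object File |
    Format-List
```

Run it before and after applying the fix and compare the signer fields for each file. The Status column reflects Authenticode validation in user mode, which is not the same evaluation the operating system performs when it decides whether to load a driver.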

For customers using Configuration Manager current branch version 1702 and deploying Windows 10, version 1703, the following workarounds are currently available:

  1. Use the prior version of the Windows ADK, version 1607, for working with Windows 10, version 1703 boot and OS images. This forward compatibility is supported for basic imaging operations (capture/apply). This is our primary recommendation to unblock customers that need to deploy Windows 10, version 1703, via traditional OS deployment methods (imaging). (NOTE: Windows 10 in-place upgrade and Windows 10 servicing do not use any Windows ADK components, thus those scenarios are unaffected by this issue.)
  2. Disable SecureBoot. While technically an option, it is not recommended in production environments as this increases the potential risk to the server.

This post was updated 5/30/2017. The above workarounds are not necessary if you have updated the Windows ADK for Windows 10, version 1703, with this fix.