Thanks for posting. Sorry you have seen issues, so let me clarify a bit what we have seen in both our testing and with other customers.
Secure Boot is enabled by default on all new hardware. This prevents booting from external volumes (making servicing machines really hard now), and booting from unsigned partitions.
Booting from external media is now off by default and can be enabled (as you said). You can, however, do maintenance from the recovery partition without changing security settings, and that is the reason we released MacDeployStick. Check it out: http://twocanoes.com/macdeploystick/.
The utility to disable Secure Boot flat does not work, so you can’t turn it off.
It has worked in our testing. Can you provide a bit of info on how you tested?
The only way to have a partition properly signed is by using BootCamp Assistant.
The partition is not signed, but rather the iBoot firmware running on the T2 validates the signature on the boot loader firmware. For Windows, that is in the EFI partition, and for macOS, it is on the APFS partition. For macOS, the boot loader must be signed by Apple. For Windows, it must be signed by Microsoft. For Windows secure booting, a specific nvram variable must be set for the boot loader to be checked. This variable is set by Boot Camp Assistant as well as by Winclone when restoring (in Winclone 7).
The result is that you can’t use Winclone to restore Windows 10 to another machine, because that machine’s GUID doesn’t match so the partition isn’t even seen as bootable. No amount of restore attempts resulted in a working partition on T2 hardware, same package works on all older hardware.
We have it working fine in our QA testing, and have customers that have been deploying T2 Macs with a single Winclone image for over a year now. So it definitely works.
We have a single Windows 10 Winclone image that restores on a variety of hardware, from 2012 MacBook Airs to 2018 MacBook Airs/2018 macMinis.
So, I’m wondering what good Winclone is at this point until Apple fixes the Secure Boot utility so that nonsense can be disabled. Have people actually had luck with that? Or is there some other way to get Winclone to produce a bootable partition despite the security?
It definitely works both internally at Twocanoes and with customers deploying large numbers of Macs with Boot Camp partitions. If you purchased Winclone Pro or Enterprise, please submit a support request and we will work with you to get your Boot Camp partitions deployed.