Windows cloning on T2 hardware impossible?


#1

While I’ve read a lot of material here seeming to imply otherwise, Winclone just doesn’t work on the new hardware with the T2 chips. To be clear, I mean cloning to other machines, not backup and restore on the same system. From what I can tell this is due to a few issues Apple has caused with this silly security.

  1. Secure Boot is enabled by default on all new hardware. This prevents booting from external volumes (making servicing machines really hard now), and booting from unsigned partitions.
  2. The utility to disable Secure Boot flat does not work, so you can’t turn it off.
  3. The only way to have a partition properly signed is by using BootCamp Assistant.

The result is that you can’t use Winclone to restore Windows 10 to another machine, because that machine’s GUID doesn’t match so the partition isn’t even seen as bootable. No amount of restore attempts resulted in a working partition on T2 hardware, same package works on all older hardware.

So, I’m wondering what good Winclone is at this point until Apple fixes the Secure Boot utility so that nonsense can be disabled. Have people actually had luck with that? Or is there some other way to get Winclone to produce a bootable partition despite the security?


#2

Thanks for posting. Sorry you have seen issues, so let me clarify a bit what we have seen in both our testing and with other customers.

Secure Boot is enabled by default on all new hardware. This prevents booting from external volumes (making servicing machines really hard now), and booting from unsigned partitions.

Booting from external media is now off by default and can be enabled (as you said). You can, however, do maintenance from the recovery partition without changing security settings, and is the reason we released MacDeployStick. Check it out: http://twocanoes.com/macdeploystick/.

The utility to disable Secure Boot flat does not work, so you can’t turn it off.

It has worked in our testing. Can you provide a bit of info on how you tested?

The only way to have a partition properly signed is by using BootCamp Assistant.

The partition is not signed, but rather the iBoot firmware running on the T2 validates the signature on the boot loader firmware. For Windows, that is in the EFI partition, and for macOS, it is on the APFS partition. For macOS, the boot loader must be signed by Apple. For Windows, it must be signed by Microsoft. For Windows secure booting, a specific nvram variable must be set for the boot loader to be checked. This variable is set by Boot Camp Assistant as well as by Winclone when restoring (in Winclone 7).

The result is that you can’t use Winclone to restore Windows 10 to another machine, because that machine’s GUID doesn’t match so the partition isn’t even seen as bootable. No amount of restore attempts resulted in a working partition on T2 hardware, same package works on all older hardware.

We have it working fine in our QA testing, and have customers that have been deploying T2 Macs with a single Winclone image for over a year now. So it definitely works.

We have a single Windows 10 Winclone image that restores on a variety of hardware, from 2012 MacBook Airs to 2018 MacBook Airs/2018 Mac minis.

So, I’m wondering what good Winclone is at this point until Apple fixes the Secure Boot utility so that nonsense can be disabled. Have people actually had luck with that? Or is there some other way to get Winclone to produce a bootable partition despite the security?

It definitely works both internally at Twocanoes and with customers deploying large numbers of Macs with Boot Camp partitions. If you purchased Winclone Pro or Enterprise, please submit a support request and we will work with you to get your Boot Camp partitions deployed.
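The reply above says what iBoot actually checks on a T2 Mac: the Authenticode signature on the Windows boot loader in the EFI system partition, not the partition itself. The parser below is an added example (not Winclone or Twocanoes code) that reads a boot loader's PE headers and reports whether it carries an embedded Authenticode certificate table at all, which is a quick triage step when a restored partition is refused as unbootable; it checks presence only, not that the chain is rooted at Microsoft. It assumes the ESP is mounted (for example at /Volumes/EFI) and includes a constructed headers-only PE32+ image so it can be run offline.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # Certificate Table slot (PE/COFF spec)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData


def authenticode_info(pe: bytes):
    """Return {"offset", "size", "cert_type"} of the embedded Authenticode table,
    or None if the image carries no signature. Presence only: the signer chain
    (Microsoft for Windows, Apple for macOS, per iBoot) is not verified here."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                  # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32
        num_dirs_off = opt + 92
    elif magic == 0x20B:                     # PE32+ (x64 bootmgfw.efi)
        num_dirs_off = opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = num_dirs_off + 4 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    offset, size = struct.unpack_from("<II", pe, entry)
    # The security entry holds a raw file offset, not an RVA like the other directories.
    if size < 8 or offset + size > len(pe):
        return None
    _length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return {"offset": offset, "size": size, "cert_type": cert_type}


def build_test_pe(sig_size: int) -> bytes:
    """Constructed headers-only PE32+ EFI image for testing: sig_size == 0 means
    unsigned, otherwise a dummy WIN_CERTIFICATE of that size is appended."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte opt hdr
    opt = struct.pack("<HBBIIIII", 0x20B, 0, 0, 0, 0, 0, 0, 0)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII", 0, 0x1000, 0x200, 0, 0, 0, 0, 0, 0,
                       0, 0x1000, 0x200, 0, 10, 0, 0, 0, 0, 0, 0, 16)  # subsystem 10 = EFI app
    dirs = [(0, 0)] * 16
    if sig_size:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x200, sig_size)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    image = (dos + b"PE\0\0" + coff + opt).ljust(0x200, b"\0")
    if sig_size:
        image += struct.pack("<IHH", sig_size, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        image += b"\0" * (sig_size - 8)
    return image
```

On a real restored partition, run `authenticode_info(open("/Volumes/EFI/EFI/Microsoft/Boot/bootmgfw.efi", "rb").read())` after mounting the ESP; `None` means there is no signature for iBoot to validate at all, while a result with `cert_type == 0x0002` means the next thing to check is the signer chain.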


#3

Ok, I’ve put in a ticket.
You said secure boot CAN be disabled, but as I said it CAN’T be disabled due to a bug in their software (lots of Apple threads about this). I’m wondering if somehow your experience is different on this or if that was a typo.
Look forward to getting this figured out. As I said, in all testing thus far the restored partition is simply not bootable on a T2 system, and from what we can tell this is purposeful from Apple. The only way we’ve been able to make a bootable Windows system is to use BCA to install fresh from a Windows ISO.


#4

Did you try it with Winclone 7? That sets the NVRAM variable that allows Windows secure booting.

As for disabling secure boot, can you let me know how you determined that it wasn’t working? Windows can have a lot of reasons that it doesn’t boot.

tim


#5

er… it’s not a question of Windows when it comes to secure boot per se. As I said, you can’t boot from an external, like a macOS boot stick, because secure boot doesn’t allow booting from an external. If you try to use the utility in Recovery, it says you can’t because there is no admin account on any partition, which of course there is, so you’re not allowed to make changes so you can’t turn off secure boot. Nothing shows the Windows partition created by Winclone 7 as bootable (option boot or startup disk). I used rEFInd to force it to boot to the Windows partition, but that just makes it immediately reboot to Recovery with some message about attempting to boot to an OS with an invalid certificate. Based on the messages and research the indication was that because the Windows partition wasn’t made with BCA, there was no cert in place, so it wasn’t bootable. And it was my understanding the only way to make it not do the cert check was turn off secure boot, which again you can’t.

I last tried this under 7.1 and I see you’re now on 7.3 so I’ll give that a try and see if it changes anything. And if you know a way to turn off secure boot we’d love to hear it, not being able to do restores from a thumb drive is really annoying.


#6

You can always erase the drive if you can’t authenticate as a user to unlock it.

As a point of reference, I just restored the same Windows 10 Winclone package using MDS of Windows 10 to a 2018 MacBook Air, 2018 Mac mini, and a 2014 Mac mini. Video here:

tim


#7

When you start the computer, you have to press Cmd+R to enter Recovery Mode, then from the menu at the top of the screen select Utilities | Startup Security Utility. In the window that pops up, select Allow Booting from External Media. Then close the window, and select Restart from the Apple menu in the upper-left corner. Hold down the Option key before the Apple logo appears, select your external media, and it will boot from it – assuming it’s something signed by Apple or Microsoft.

If you need to boot from media that is not signed by anyone/anything that Apple recognizes, you can disable that also, in that same Startup Security Utility. Just select Medium Security or No Security, as needed, from the top half of that Startup Security Utility that you saw in Recovery Mode.

Best of luck…


#8

Yes that’s supposed to be the procedure. The problem is Startup Security Utility can never fully be opened. Before the screen where you would allow external boot, you are required to enter admin credentials. This always fails because it says there are no admin accounts, so you can’t actually enable external booting. This is a known bug that Apple has thus far failed to fix.


#9

I entered the password for my one and only account… It’s an Administrator account… It let me get into the Startup Security Utility screen with no issues at all… I can boot to a USB Windows 10 stick. Of course, then I get stuck because, apparently, Windows 10 won’t recognize the keyboard and trackpad on my MacBook Pro 2018…

Do you not have an Administrator account on your computer? What happens if you create a new Administrator account and use the password for that one? Do you perhaps have an account that doesn’t have a password? What if you added a password to that account? I’m unfamiliar with this bug, unfortunately…


#10

Have you tried the solution posted here: https://discussions.apple.com/thread/8468053


#11

We have confirmed this problem on numerous systems. Yes there are admin accounts, it just can’t find them. FileVault is not being used. Nevertheless, the hack of trying to mount the volume first is interesting and worth a shot. If that works, it would seem to validate my theory that Apple failed to account for their own on-the-fly T2 encryption when accessing their own volumes with their own utility. Why you’re not seeing the problem is another mystery given it’s on 100% of T2 systems since we started receiving them 5 months ago.


#12

Very interesting…

Mine is a MacBook Pro 2018 that I received from the Refurbished & Clearance section of the Apple website last Friday, Feb. 1, 2019. So it’s not only very new, it’s also gone through the refurbishment process - perhaps fixing the bug in the process?

Much like Apple has fixed the issues with the butterfly keyboard, but didn’t actually call it a fix of the butterfly keyboard, perhaps they’ve discovered the fix but they aren’t calling it a fix for this problem - they’re just quietly fixing the issue on newer machines?

Oh, and I am running FileVault, too… Curiouser and curiouser…