Create Windows 11 ISO with No TPM Check

I have spent a lot of time with Windows 11 over the last few days. Many have had issues with the TPM check since the release of Windows 11 GA. The Preview Builds did not check for a proper TPM. However, Microsoft has now turned this check on with the GA release of Windows 11.

Both of these posts detail workarounds to get past the TPM errors with the Windows 11 GA ISO. However, what if we could modify the ISO itself to get around the TPM check and set the “flag” to “off” for the TPM check with the GA release? This would mimic the behavior we have seen with the Preview builds. Is this possible? Yes. Let’s take a look at how to create a Windows 11 ISO with no TPM check.

Create Windows 11 ISO with No TPM Check

First of all, why do I want to do this? This is obviously not supported by Microsoft. However, I wanted to use the GA release of Windows 11 in my home lab and with automation tooling. Several of my lab hosts do not have TPM chips. So, I wanted to create a customized ISO that bypasses this check so I don’t have to do this manually each time I install Windows 11 from an ISO as well as with Packer builds.

There are only a few things we need to do to bypass the TPM check in the Windows 11 ISO. However, there are some prerequisites we need to have installed:

Once we have those installed, the process looks like the following:

  1. Mount the Windows 11 ISO and copy the files to a folder
  2. Mount the boot.wim file from the folder
  3. Load the SYSTEM registry from the folder and add the BypassTPMCheck DWORD value
  4. Commit the changes to the boot.wim file
  5. Create a new ISO using the OSCDIMG.exe tool

Install the Windows 11 ADK and WinPE add-on

After downloading the Windows 11 ADK, install the Deployment tools option. This is the only component needed.

Install the Windows 11 ADK with deployment tools

You may not 100% need the WinPE add-on, as it mainly relates to creating the PE builds. However, I installed it for good measure.

Install the WinPE addon

Now, on to the process.

1. Mount the Windows 11 ISO and copy the files to a folder

Below, I have created a Win11_OS folder on the root of my D drive. I just literally selected all from the Windows 11 GA ISO I had mounted in Windows and pasted into this folder.

Create a folder and copy the contents of the Windows 11 GA ISO to this folder

2. Mount the boot.wim file from the folder

Next, we need to mount the boot.wim file to alter the registry for this image. However, we need to know what index value to mount. To get the information about the boot.wim file, use the following command:

Dism /Get-WimInfo /WimFile:D:\Win11_OS\Sources\boot.wim

As you can see below, Index 2 is the Microsoft Windows Setup image. This is the one we want.

Get info about the boot.wim to determine the correct index

Below, we are mounting the boot.wim image to a mount folder, located at d:\mount\mount. There is no significance to the mount\mount directory. DISM requires the mount folder to be empty, and I had some files in the parent folder. So, I simply created a new child folder underneath.

dism /mount-wim /wimfile:"D:\Win11_OS\sources\boot.wim" /index:2 /mountdir:d:\mount\mount

Mount the boot.wim file to an empty mount folder

3. Load the SYSTEM registry from the folder and add the BypassTPMCheck DWORD value

Once you have the boot.wim file mounted to a mount folder, you can then load the SYSTEM registry from the mounted boot.wim image and edit the registry.

reg load HKLM\test d:\mount\mount\Windows\System32\config\SYSTEM

Load the SYSTEM registry from the mounted image

Note that once the hive is loaded, you access it from your host workstation’s registry editor, under HKLM\test. Create the new LabConfig key under the Setup key. Then create the BypassTPMCheck DWORD value with a data entry of 1.

Create the BypassTPMCheck DWORD entry 1

Now, we need to unload the registry hive before we commit the changes to the boot.wim file.

Unload the registry

4. Commit the changes to the boot.wim file

At this point, we can commit the changes to the boot.wim file. What we are actually doing is committing the registry changes that we made, including the BypassTPMCheck DWORD into the registry and saving that to the boot.wim file. Since we mounted the file directly from the Win11_OS folder, it will be saved back to where it needs to go.

dism /unmount-wim /mountdir:d:\mount\mount /commit

Commit the changes to the boot.wim file

5. Create a new ISO using the OSCDIMG.exe tool

Now, all that is left is to create a new ISO file from the working directory, Win11_OS, that contains our registry hack. To do that, we need to use a utility that is part of the WADK, oscdimg.exe. The syntax to create a new ISO file that is EFI enabled is the following. Be sure to replace your respective directories with what they are in your case. As you can see, I am creating the new ISO called Windows11GA_noTPM.iso.

oscdimg -m -o -u2 -bootdata:2#p0,e,bD:\Win11_OS\boot\etfsboot.com#pEF,e,bD:\Win11_OS\efi\microsoft\boot\efisys.bin D:\Win11_OS D:\Windows11GA_noTPM.iso

Create the custom Windows 11 ISO using the OSCDIMG command

After mounting the new Windows11GA_noTPM.iso to a virtual machine, voila! No “Your PC can’t run Windows 11” error, and I didn’t have to manually update the registry.
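To confirm that the value was actually committed to boot.wim, or to check whether an install image you were handed carries this modification, the following PowerShell audit mounts the image read-only and inspects a copy of its SYSTEM hive. It is an added example, not part of the original post; the audit mount folder, the temporary work folder and the HKLM\AuditWim key name are assumptions chosen for illustration, and it must be run from an elevated session.

```powershell
# Added example: read-only audit of boot.wim for the Setup\LabConfig value.
# Assumptions: elevated session; $MountDir, $WorkDir and HKLM\AuditWim are
# placeholder names chosen for this example.
$WimFile  = 'D:\Win11_OS\sources\boot.wim'
$Index    = 2                                # Microsoft Windows Setup image
$MountDir = 'D:\mount\audit'                 # must be empty
$WorkDir  = Join-Path $env:TEMP 'wim-audit'
$HiveKey  = 'HKLM\AuditWim'

New-Item -ItemType Directory -Path $MountDir, $WorkDir -Force | Out-Null
if (Get-ChildItem -Path $MountDir -Force) { throw "$MountDir is not empty" }

dism /Mount-Wim "/WimFile:$WimFile" "/Index:$Index" "/MountDir:$MountDir" /ReadOnly
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed with exit code $LASTEXITCODE" }

$hiveLoaded = $false
try {
    # Load a copy of the hive so the image itself is never written to.
    $hiveCopy = Join-Path $WorkDir 'SYSTEM'
    Copy-Item (Join-Path $MountDir 'Windows\System32\config\SYSTEM') $hiveCopy -Force
    reg load $HiveKey $hiveCopy | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
    $hiveLoaded = $true

    # reg query exits non-zero when the key does not exist (unmodified image).
    $values = reg query "$HiveKey\Setup\LabConfig" 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Output 'Setup\LabConfig not present: no TPM bypass set in this image.'
    } elseif ($values -match 'BypassTPMCheck\s+REG_DWORD\s+0x1\s*$') {
        Write-Output 'BypassTPMCheck = 1: this image skips the TPM check.'
    } else {
        Write-Output 'Setup\LabConfig exists without BypassTPMCheck = 1:'
        $values
    }
}
finally {
    # Always unload and discard, even on error, so nothing stays mounted.
    if ($hiveLoaded) { reg unload $HiveKey | Out-Null }
    dism /Unmount-Wim "/MountDir:$MountDir" /Discard | Out-Null
    Remove-Item $WorkDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

The same `reg unload` call, pointed at HKLM\test, is the unload step needed before committing in step 4.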

Concluding

Hopefully, this hack on how to Create Windows 11 ISO with No TPM Check will help anyone that needs to have a TPM-less installation of Windows 11 for automation and other purposes. It is going to be interesting to see how Microsoft handles updates of Windows 11 that have been bypassed with no TPM installed. It has been mentioned they won’t support these with updates.
