Automating Dell BIOS-UEFI Standards for Windows 10
If you are starting to deploy Windows 10 (or are currently deploying Windows 8/8.1), then now is the time to make the switch to UEFI. A system needs to be configured for UEFI (without Compatibility Support Module being enabled) in order to take advantage of Secure Boot (and other Windows 10 security features like Device Guard). Secure Boot prevents loading of drivers and OS loaders that are not signed with a certified digital signature, thus preventing malware and root kits that alter the boot process.
The first version of Windows that support Secure Boot was Windows 8 and Windows Server 2012. If you were one of the many companies that either skipped Windows 8/8.1 or only deployed it in limited quantities, then chances are you deployed your systems for legacy BIOS mode. This means that your Windows 7 systems have MBR partitioned disks and in order to make the switch to UEFI, these systems need to be re-partitioned. This is one of the limitations of using the Windows 10 In-place upgrade method, as it does not support changing the disk partitioning structure. The quickest approach to getting to Windows 10 is the In-place upgrade path and it might make sense to do this on the systems that qualify. For the ones that don’t (including brand new systems), then you definitely want to start configuring them for UEFI and Secure Boot now!
In my previous post, How to create a Dell Command-Configure Package in ConfigMgr, I showed how you could set up the Dell Command-Configure Package in order to use it in OSD Task Sequences. Now, I am going to show you an example on how it can be used in WinPE via PXE boot (of course, I use 1E PXE Everywhere 3.0 which is part of Nomad 6.0) to enforce these standards. This will not only increase standardization in your environment, but also prevent costly mistakes made by manual processes.
The first thing we need to do is create a custom Task Sequence. For this example, I am going to give it the name of BIOS-UEFI Configuration for Windows 10.
NOTE: This Task Sequence example will only work on systems that already have a formatted disk. We will cover handling bare disks at another time.
Once created, edit the Task Sequence. For those of you using Nomad, create the Set Nomad as Download Program (new in Nomad 6.0) and Install and Configure Nomad in Windows PE as the first two steps. Otherwise, add an Apply Operating System Image step called Dummy Step to trick CM and put a Task Sequence variable condition on the step so that the TS variable NEVERTRUE equals TRUE.
This is very important for two reasons – 1. it will make CM set this as an OSD TS so that we can boot into WinPE and run it, 2. the condition will always evaluate to false and allow the step to be skipped (cause we really do not want to apply an OS image yet).
Next, add a Group called Dell BIOS-UEFI Configuration and put a WMI condition on the group with the following query:
1
| Select * From Win32_ComputerSystem WHERE Manufacturer LIKE "%DELL%" |
This way it will only apply to Dell systems if you use other OEMs in your environment and it will make it easier to copy and paste into other Task Sequences.
Each of the following steps in this group will be Run Command Line steps that reference the Package Dell Command-Configure-WinPE 3.1.0.250. I have split out each of the steps in order to make the solution modular. In other words, not all settings may apply to all Dell models and conditions can be set on the individual steps accordingly. So, be sure to test against all models that you support. Another reason for splitting out the steps is that you will get output from each of the commands. I have included steps that will attempt to get the current setting prior to the step that actually sets the value. Some of the output can be read from the status messages that are sent back to ConfigMgr, while others will only be reflected in the smsts.log. For the steps that get the current values, I have made those ‘continue on error’ in order to prevent the Task Sequence from failing from non-zero return values. Getting the Secure Boot value is one that returns a non-zero exit code (along with the text “The option ‘secureboot’ is not enabled”, if it is not enabled) and will cause the Task Sequence to fail at that point. In other words, we do not care if it fails reading a value, but we do care if it fails setting a value.
Also, these settings are ones that I would set, so please research each one using the Dell Command-Configure documentation and set the values that work for your environment.
Here is a list of the settings:
NOTE: each of the commands use a double dash, which is hard to see from the screen shots.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
| Name: Install Dell HAPI Drivers Command line: HAPIInstall.cmd Name: Current Active Boot List Command line: cctk.cmd bootorder --activebootlist Name: Enable UEFI Command line: cctk.cmd bootorder --activebootlist=uefi Name: Current Legacy ROM Setting Command line: cctk.cmd --legacyorom Name: Disable Legacy ROMs Command line: cctk.cmd --legacyorom=disable Name: Current Secure Boot Setting Command line: cctk.cmd --secureboot Name: Enable Secure Boot Command line: cctk.cmd --secureboot=enable Name: Current Wake On Lan Setting Command line: cctk.cmd --wakeonlan Name: Enable Wake On Lan Command line: cctk.cmd --wakeonlan=enable Name: Current UEFI PXE Setting Command line: cctk.cmd --uefinwstack Name: Enable UEFI Network Stack Command line: cctk.cmd --uefinwstack=enable Name: Current SATA-RAID Setting Command line: cctk.cmd --embsataraid Name: Set SATA Operation - AHCI Command line: cctk.cmd --embsataraid=ahci Name: Set PXE Boot on next boot Command line: cctk.cmd --forcepxeonnextboot=enable |
Outside of the Dell BIOS-UEFI Configuration Group, I put a Run Command Line step called Pause with the condition that the Task Sequence variable PAUSE equals TRUE. This is useful for testing and/or troubleshooting as it will launch a command line and prevent the Task Sequence from finishing. Simply put the PAUSE variable on either the collection targeted or a device that is being tested.
The last step is a Set Task Sequence Variable step called Restart WinPE. This sets the Task Sequence variable SMSTSPostAction to the value wpeutil reboot. This allows the Task Sequence to finish cleanly.
Hopefully you have found this information useful and it gets you well on your way for standardizing your environment’s BIOS-UEFI settings. By making the change to UEFI, it will allow you to take full advantage of the security features in Windows 10. Now when you boot into WinPE and run the OSD Task Sequence wizard, it will detect that the system is running UEFI (_SMSTSBootUEFI = TRUE) and the disk will be partitioned and formatted accordingly.
You can also download an export of the Task Sequence (updated for CM 1511) here: Dell BIOS-UEFI Configuration for Windows 10 x64.zip
Originally posted on https://miketerrill.net/
No comments:
Post a Comment