Converting from BIOS to UEFI with Powershell (During OSD using ConfigMgr)

Following my previous post, this is an quick example on how to use my Powershell script to convert from BIOS to UEFI in a bare metal scenario. (Again, only Lenovo laptops is working with this script)

Most of the magic lies within the Task Sequence itself, so I will break it down in pieces.

  • Create a group in your Task Sequence called “Prepare Computer (BIOS)” with the condition _SMSTSBootUEFI not equals true (This will make sure the content of the group only runs if UEFI is not enabled already)

  • Next step, format the disk with following settings (Step: Format and Partition Disk (BIOS))
    • Disk type: Standard (MBR)
    • Partition type: Primary
    • 100% remaining disk
    • File system: NTFS

  • Next step, create a new group called Config Lenovo BIOS with following condition: SELECT * FROM Win32_BIOS WHERE Manufacturer = “Lenovo” (This will make sure the step only runs on a Lenovo computer)

  • Next step, run my Powershell script directly from a package like shown below. The parameter -EnableSecureBoot will also enforce UEFI to be enabled.

  • Next step, format the disk with following settings (Step: Format and Partition Disk (BIOS to UEFI))
    • Disk type: GPT
    • Partition type: Primary
    • Size: 600Mb
    • File System: FAT32
    • Variable: TSUEFIDrive
  • Add another partition:
    • Partition type: Primary
    • Size: 100% of remaining space
    • File system: NTFS
    • Variable: None

  • Next step, one final reboot to the boot image currently assigned to this task sequence. When the task sequence returns from the reboot, the Lenovo BIOS will be set to SecureBoot AND UEFI and Windows will continue installing.

Ultimately, you can have 2 steps to take care of when the computer is coming with either BIOS setting or UEFI, and act accordingly. Se below snippet for inspiration.

Enjoy! 🙂

 

Manage Lenovo BIOS with Powershell (During OSD with ConfigMgr)

I have no idea if this is something that has already been created out there, but I figured I’d do it anyway. Mostly because Powershell, I need the practice and I needed the ability to easily modify the BIOS in our Lenovo environment.

The script is inspired by the original VB script from Lenovo, which roughly does the same as my Powershell script. Lenovos script and documentation can be reached from this link (https://support.lenovo.com/dk/en/solutions/ht100612). However, it’s VB and it gives me shivers, so Powershell to the rescue.

The script is still work in progress, as it doesn’t hold all the abilities as the original Lenovo script, but I prioritized the ability to turn on/off following: Virtualization, SecureBoot, PrebootUSB-C/Thunderbolt and TPM.

You basically just run the script with parameters. Example: LenovoBIOSManagement.ps1 -EnableTPM -EnableSecureBoot -DisableVirtualization -Restart

An example from the use in my recent W10 Task Sequence. The step is run prior to formatting the disk in WinPE. I have a condition on the step, to only run if a Lenovo laptop.

Enable Preboot Thunderbolt is separated as a single step, as it’s currently only the most recent Lenovo laptops which has this ability: T470s, X1 Yoga 2nd generation etc., and therefore has a condition to only run if such model is being deployed.

I’d appreciate any feedback. I’m by no means any Powershell champ, but I’m still learning – and willing to learn 🙂

Thanks!

 

 

 

Powershell: Users and passwords about to expire

So, it’s that time of year; people heading back and forth on vacation and meanwhile their Active Directory password expires. People tend to miss the default notification popping up in Windows and have done so since forever.

So how about getting an annoying email every day, 7 days prior to the actual expiration? The main goal here is to avoid having users ending up with expired password, and thus causing troubles for the user and generating calls to helpdesk.

Here’s how I do using Powershell: (Some of the body text is in danish because lazy, and my syntax highlighter is on vacation too. Just copy/paste the code directly into your PS ISE, save the script and schedule it to run through Task Scheduler and you’re set. 🙂

Preview of the email being sent. Also in danish because lazy.

Powershell: Monitor LAPS

LAPS is Microsoft’s “Local Administrator Password Solution” and is a hot topic when talking about cyber security and what measures to take, when fighting the cyber criminals. Read more about LAPS here.

This is just something short and sweet, and a very simple powershell script to monitor and read all computer objects in specified OUs in Active Directory, read the relevant attributes of the object, and if LAPS attributes are empty (hence no LAPS active), then list the objects in a list and send it as an email.

You can run the script on a schedule using Task Scheduler, and this way monitor which computers in your Active Directory that’s missing LAPS.

Preview of the email being sent:

Bulk assigning O365 licenses, and then some… using Powershell

Managing our O365 licenses got me an idea to write one of my first Powershell scripts.

The script is tailored to our environment, but can be altered to fit any needs without much hassle. The script looks for users in specified OUs and compare them to what users in O365 that are assigned a license. All users in the specified OU are being assigned the specified license. If a license is assigned to a user, who does not exist in the specified OUs, the license is automatically removed. This way I’m always on top of who is using our licenses.

The script does the following for you in details:

  • (#2) Connects to O365 through Powershell (pre-req for that can be seen here: https://technet.microsoft.com/en-us/library/dn975125.aspx)
  • (#3) Reads what license you want to assign your users in the process. Change this to fit your needs and replace tenantname with your O365 tenant.
  • (#4) Reads what conditions you have for filtering what O365 users that needs a license. I’m excluding my Office 365 Admin and a few others, as I don’t wanna mess with the license for those users.
  • (#5) Reads the OUs containing user who needs a O365 license. You can specify several OUs if needed.
  • (#6) Assign the location and license for each user found in OUs. You can filter additionally in this step if needed.
  • (#7) Remove the O365 license, if user is not found in specified OUs. Change this to fit your needs and replace tenantname with your O365 tenant.