Converting from BIOS to UEFI with Powershell (During OSD using ConfigMgr)

Following my previous post, this is an quick example on how to use my Powershell script to convert from BIOS to UEFI in a bare metal scenario. (Again, only Lenovo laptops is working with this script)

Most of the magic lies within the Task Sequence itself, so I will break it down in pieces.

  • Create a group in your Task Sequence called “Prepare Computer (BIOS)” with the condition _SMSTSBootUEFI not equals true (This will make sure the content of the group only runs if UEFI is not enabled already)

  • Next step, format the disk with following settings (Step: Format and Partition Disk (BIOS))
    • Disk type: Standard (MBR)
    • Partition type: Primary
    • 100% remaining disk
    • File system: NTFS

  • Next step, create a new group called Config Lenovo BIOS with following condition: SELECT * FROM Win32_BIOS WHERE Manufacturer = “Lenovo” (This will make sure the step only runs on a Lenovo computer)

  • Next step, run my Powershell script directly from a package like shown below. The parameter -EnableSecureBoot will also enforce UEFI to be enabled.

  • Next step, format the disk with following settings (Step: Format and Partition Disk (BIOS to UEFI))
    • Disk type: GPT
    • Partition type: Primary
    • Size: 600Mb
    • File System: FAT32
    • Variable: TSUEFIDrive
  • Add another partition:
    • Partition type: Primary
    • Size: 100% of remaining space
    • File system: NTFS
    • Variable: None

  • Next step, one final reboot to the boot image currently assigned to this task sequence. When the task sequence returns from the reboot, the Lenovo BIOS will be set to SecureBoot AND UEFI and Windows will continue installing.

Ultimately, you can have 2 steps to take care of when the computer is coming with either BIOS setting or UEFI, and act accordingly. Se below snippet for inspiration.

Enjoy! 🙂

 

Powershell: Enable virtualization and Credential Guard in an instant (Lenovo laptops)

Windows 10 Credential Guard is currently another hot topic considering cyber security. Credential Guard is a new feature in Windows 10 (Enterprise and Education edition) that helps to protect your credentials on a machine from threats such as pass the hash.

To be able to enable Credential Guard in Windows, you need to have virtualization enabled on the CPU in the BIOS. Virtualization is rarely enabled by default, and as such you will need to enable it manually (F1, enter BIOS, modify the setting) or better yet, find a solution to do so remotely and automatically.

I have created following script in Powershell, that initially enables virtualization in the BIOS (Note: We only use Lenovo laptops, hence this is made for Lenovo laptops only) and then apply the registry-keys to enable Credential Guard. All steps are logged into c:\Windows\EnableCredentialGuard.log

The script can be targeted to the proper Windows 10 versions through SCCM collections (I this example I only target W10 1607 and 1703, as these Windows 10 versions no longer require the Isolated User Mode feature when enabling Credential Guard, as it’s now embedded into the Hypervisor)

When deploying powershell script from SCCM, remember to create the program with a command line like this: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File .\CredentialGuard\Enable-VirtualizationCredentialGuard.ps1

Snip of the logfile when everything succeeds:

How to flash BIOS during OSD (Lenovo ThinkPad laptop)

In this blog post I will go into details about how I flash the BIOS of our Lenovo ThinkPad series during OSD using ConfigMgr.

First off you obviously need to download the latest BIOS from the Lenovo support site: http://support.lenovo.com/dk/en/. In this example I’m flashing the BIOS of a ThinkPad T450s.

Go ahead and locate and download the BIOS Update Utility for Windows. The most recent version as of now for T450s is 1.21:

T450BIOS

When downloaded, extract the content to your source file library. In this case I have a folder structure equal to this: D:\Pkgsource\Applications\Lenovo\BIOS\T450S\1.21

The content of the 1.21 folder should be looking like this:

T450BIOS2

Next, mind the highlighted file: FlashBIOS.cmd. Create this file manually with following content (I exit the script with exitcode 0, as the BIOS update itself might return exitcodes seen as failures. Some might dislike this approach, but you can also translate the actual exitcode into zero using whatever method you prefer):

“%~dp0WINUPTP.exe” -s
exit 0

T450BIOS3

With this in place, go ahead and create a package in ConfigMgr with above content and distribute the package to your distribution points (I’m not going into details on this one, as this is pretty standard).

My packages in ConfigMgr looks like this (I have highlighted the package used in this example):

T450BIOS4

Next we will be using the package in our task sequence in a step of Run Command line. This is done somewhere after the step of Setup Windows and Configuration Manager like this (I put BIOS updates in the end of my task sequence as they require reboots):

T450BIOS5

As updating the BIOS to this specific version is a onetime operation, you would want to add following conditions to the Options tab:

T450BIOS6

This will make sure that the step is only run when a Lenovo Thinkpad T450 is being deployed AND when the BIOS is not already the most recent version (no need to run the step again, if the same laptop should be reinstalled in a near future)

You can run following powershell commands to display the computermodel and what BIOS version that currently is installed:

Get-WmiObject Win32_Computersystem

Get-WmiObject Win32_BIOS

T450BIOS7

Enjoy 🙂

ConfigMgr 1511 – Notes from the field

I just updated my ConfigMgr environment to 1511 (CurrentBranch) and while the installation itself went safe and sound, following is to be noted:

  • The new Software Center never got installed properly with a shortcut in the start menu (%ProgramData%\Microsoft\Windows\Start Menu\Programs\Microsoft System Center\Configuration Manager)
    I had to re-enable the setting in my Client Settings (Disable the feature, OK, Enable the feature, OK and do another policy refresh)

ClientSettings

  • None of the new Windows 10 1511 software updates was synced into SCCM. I checked WSUS manually, and the classification Upgrades was not selected regardless of the Upgrades being indeed selected in SCCM. To solve this, I had to de-select all classifications in SCCM and select them again on the Software Update point. When I checked the chosen classifications in WSUS again, the proper selections was inherited from SCCM as expected and the next sync downloaded the Windows 10 Upgrades.

Classifications

Activate Windows 10 clients with KMS

Looking to activate your shiny new Windows 10 clients with your KMS? This is what you need to do.

1) Install following update on your KMS host: https://support.microsoft.com/en-us/kb/3058168 (Select the OS of your KMS. Reboot is required.)

2) While we are waiting for  Windows Server 2016, MS has created an unique KMS key for the use of activating Windows 10 clients with a Server 2012 R2 key. Browsing your licensing site, you will find a key named like this: Windows Srv 2012R2 DataCtr/Std KMS for Windows 10

3) Install the new key with the usual command: slmgr.vbs /ipk NEWKEYGOESHERE

4) Activate the key using: slmgr.vbs /ato

5) Lean back and watch your W10 clients being activated by your KMS.

 

New PXE deployments: “Skipping Task Sequence because it is not active yet”

I just updated to Windows 10 ADK and was eager to start building my new Windows 10 image.

So I created brand new WinPE10 boot images (x64/x86), deployed them to my DP’s and PXE points. Imported the new OS into SCCM and created my build and capture TS and deployed it to my BuildCapture collection. I booted my VM and noticed my new task sequence wasn’t on the list. I did another reboot just to make sure the new policy was downloaded, but no. Still no W10 build and capture task sequence.

Having a look at the SMSTS.log revealed following: “Skipping Task Sequence because it is not active yet”

Seems like the time is a bit off when deploying with a default available schedule of now. I had to edit the deployment and set the date/time a few days back for the TS to show up. (This is CM 2012 R2 SP1)

 

Debug and view Windows .dmp files.

Quick and short post.

Nowadays if a BSOD happens in Windows, the OS automatically restarts the system. The users in an enterprise never notice that an BSOD just occured, but will find their computer automatically rebooting and as a result hereof, the users calls the helpdesk.

If a BSOD just happened, windows will log the errors in .dmp files. Typical location is %SystemRoot%\MEMORY.DMP

To view the .dmp files, you will need  the Windows Software Development Kit (SDK). This one is for Windows 8.1: https://msdn.microsoft.com/da-DK/windows/desktop/bg162891

Following the SDK, comes windbg.exe. This is the tool that allows you to view the content of the .dmp files.

Before opening any .dmp files, you will need to specify a symbol search path. You do so by launching WinDbg and click File -> Symbol File Path.

Insert following path: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols

(Replace the text in bold with your preffered location for the symbols)

More on the symbols: http://support2.microsoft.com/kb/311503