User Group Getting Started Guide

I just got back from the best systems management conference called the Midwest Management Summit. The reason this conference is so great (besides all of the awesome technical sessions and information) is because it is built for the community, by the community. In fact, the Microsoft Management Summit actually started out as a User Conference – I still remember the very first one I attended – The SMS & Windows 2000 User Conference.

Every year at the Midwest Management Summit, there is a session on user groups – how to find them, start them, or make one better. The first place to start is by searching for a user group in your area. The Minnesota System Center User group maintains a pretty comprehensive list of systems management/System Center user groups here. And if you know of any that should be added, just reach out to them and they will gladly add it.

Since I have been running the Arizona Systems Management User Group (AZSMUG for short) for over a decade, I often get questions from individuals on how to start a user group. I recently decided to put this in my OneNote for future use but thought that it would be great to share with everyone that is looking to start a user group. There isn’t an exact formula for what works and many of the user groups all run a little different. But the most important thing is to stay the course and keep the group going.

Fellow User Group Leader Daniel Ratliff also has a blog on his tips here.

Now for my tips and information on how to get a user group up and running:

Domain Name
Purchase and register a domain name. For AZSMUG, I use GoDaddy because it works well with Office 365 (the DNS settings for Skype for Business are important). I also use it to redirect www.azsmug.org to our Office 365 SharePoint page so that others can find the user group.

Technical Community
Register you user group with Technical Community. This will get you access to a free Office 365 E3 subscription that you can use to setup a few email accounts. It also gets you access to SharePoint in which you can use as a public website for your user group so that others can find it. You may need to let them know that you are a new user group just getting started and use one of the other user groups or user group leaders as verification. Note that the Office 365 subscription needs to be renewed/verified every year by proving that you are still an active user group. The following is what currently you get with the E3 subscription:

In addition, you can get funding (if you are lucky) from Technical Community for user group meetings. Although, I have given up on requesting funding after being denied several times.

Email Addresses
As soon as you get your domain name and Office 365 account setup and configured, create a few email accounts that you will use for official user group communication. I suggest setting up a shared mailbox for your user group – like usergroup@usergroup.org (where usergroup is the name of your user group). Also setup account for any members that will be helping to run the user group. Give those accounts access to the shared mailbox.

Chair Members or Board
If you are just getting started, you may just have a yourself or another person or two that helps run the user group. In this case, it is probably fine to not have anything official in terms of who runs the group and how the group is run. If after you start the user group you find that you have lots of interest from members wanting to help run the user group, you may want to adopt some formal bylaws in which elections are held yearly for various positions (like President, Vice President, Secretary, Treasurer). I know groups that use both models and each works well depending on the group.

Email lists
Email can be a primary method of communication to your user group members. There are several email distribution lists available today, plus you can create your own distribution list with your Office 365 Account. Otherwise, myITforum still maintains some distribution lists. Mail Chimp is another one that some user groups use (this has some integration into Eventbrite).

Sponsors & Sponsorship
Depending on how your group is set up will depend on how you get sponsorship. Some user groups get non-profit status so that they can have an operating budget and checking account. Other user groups get sponsors to come in and pay for food & beverage (and maybe guest speaker travel). Sponsors are given the option to present on their products at your user group. Just make sure that they keep it technically focused and do not turn it into a time share sales pitch (your user group members will thank you). Also, some vendors will want your user group member list of names/companies/email addresses. Depending on your sponsorship agreements, you may turn this over – just make sure your members know in advance and they are okay with this. Otherwise, have them raffle off an item at the meeting they present at. That way, user group members can opt-in to the raffle by providing their information. This keeps you and the user group out of any privacy issues.

Speakers
Try to speak at your own user group at least once a year. This will help you in your current position at work and be beneficial for your career to get some public speaking experience. Also try to encourage other user group members to present at your meetings. This will help them out as well. Plus, chances are that someone else is facing the same problem and needs to come up with a solution. Or use it to demonstrate your knowledge about a specific feature and how that helps in your day to day job.

Getting guest speakers can generate interest and get more people to attend the meetings. Many of the Microsoft MVPs will gladly present at your user group if they happen to be in town and are available. Otherwise, use sponsors or sponsorship money to pay for their travel to come to your meeting.

User Group Focus
Some user groups run a general focus (like all things Microsoft), whereas other user groups are more specific (like System Center or just even one product focus). Find out what fits for your audience. The last thing you want to do is put a bunch of time and effort into a meeting only to get a few people to show up because the topic is not of interest to the other user group members.

Meeting Invites
There are two good services that do not cost anything for the basic level of service for sending out invites and tracking registrations. Eventbrite and Meetup both work well and have professional looking invitations. The also provide other things as well (like promotion and the ability to email notifications and reminders – either natively or using external service like MailChimp).

Social Media
In addition to the meeting invitation service you provide (which can be used to promote events), use social media to promote your user group. Twitter, LinkedIn and Facebook are all great ways to spread the word about your user group and upcoming meetings.

Meeting frequency
This can be a tricky one. If you are just starting off, don’t bite off more than you can chew. In other words, start by planning for one meeting per quarter or four times per year (summers can be slow). Getting everything lined up for a user group meeting is a lot of work. I have run meetings every other month for several years and changed to a quarterly schedule a couple of years ago. This seems to draw more interest and attendance from user group members. If it is too frequent, members are more likely to have conflicts or decide to skip a meeting and catch the next one. But I do know groups that run every other month or even every month. Just keep in mind that it can be a lot of work keeping up with that cadence unless you have others helping out. If you can set a fixed date, say the third Thursday of the third month in the quarter, great – this will help people plan and know when the next meeting is going to be. If you cannot have a fixed date, then be sure to let your user group members know enough time in advance when you are in the pre-planning phases of the next meeting so that they can ‘pencil’ it into their calendar.

Meeting duration and times
This is another one that can be tricky and you will not be able to please everyone. The time might also depend on when you guest speakers can present. If they are busy working/consulting/teaching during the day, then you might have to run evening meetings (like from 5 – 7).

Meeting locations
If there is a local Microsoft office, then chances are you will be able to have your meetings there. Reach out to your local Microsoft contacts as you will need a Blue badge sponsor if you plan on having meetings outside of working hours (like after 5 PM). Also, they will be able to check the meeting room schedule and book the room for you. They can also help promote and generate interest in the user group with their customers in the area. Otherwise, a local library, training center or a member’s work location are all other alternatives. Pick a location with free parking or one that will validate parking.

Online Meetings/Recording Meetings
If you get to a point where you want to open up meetings online for others to attend or if you just want to record them, you can use Skype for Business that is part of the Office 365 E3 subscription.

If you have any other suggestions, please let me know in the comments below or send me a message on Twitter.

Originally posted on https://miketerrill.net/

BIOS and Secure Boot State Detection during a Task Sequence

With all of the security issues and malware lately, BIOS to UEFI for Windows 10 deployments is becoming a pretty hot topic (unless you have been living under a rock, UEFI is required for a lot of the advanced security functions in Windows 10). In addition, with the Windows 10 Creators Update, Microsoft has introduced a new utility called MBR2GPT that makes the move to UEFI a non-destructive process. If you have already started deploying Windows 10 UEFI devices, it can be tricky to determine what state these devices are in during a running Task Sequence. The Configuration Manager Team introduced a new class called SMS_Firmware and inventory property called UEFI that helps determine which computers are running in UEFI in Current Branch 1702. This can be used to build queries for targeting and reports, but it would be nice to handle this plus Secure Boot state (and CSM) during a running Task Sequence. We do have the Task Sequence variable called _SMSTSBootUEFI that we will use, but we need to determine the exact configuration in order to execute the correct steps.

There are three different BIOS modes that a system can be running:
Legacy BIOS – also known as BIOS emulation, this requires a MBR partitioned disk in order to boot. Most Windows 7 systems are running this configuration.
UEFI Hybrid – this mode is when a system is running in UEFI, but with the Compatibility Support Module (CSM) (also known as Legacy ROMs) enabled. Unlike Legacy BIOS, this mode requires a GPT partitioned disk in order to boot. Windows 7 can run in this configuration and before there was MBR2GPT, this was the recommended mode to deploy Windows 7 in so that it could be easily upgraded to Windows 10 at a later date without repartitioning the disk.
UEFI Native – this mode is when a system is running in UEFI without the CSM. It also requires a GPT partitioned disk in order to boot. Windows 7 cannot run on a system that is configured for UEFI Native.

Now let’s talk about Secure Boot. Secure Boot and CSM are incompatible – if the CSM is enabled, then you cannot enable Secure Boot. When Secure Boot is enabled, you cannot enable the CSM. Based on this information, we know that Secure Boot will be unsupported in Legacy BIOS and UEFI Hybrid modes (Note: When I say unsupported, I am not talking about if the device is capable of running Secure Boot. Secure Boot requires a device running UEFI 2.3.1 Errata C or later and an operating system capable of running Secure Boot). Configuration Manager currently does not have out of the box functionality for reporting on Secure Boot, but the feature has showed up in the Technical Preview 1703 release. In the meantime, see my blog called Inventory Secure Boot State and UEFI with ConfigMgr on how to extend hardware inventory in Current Branch 1702 or older in order to collect this information.

From this information, we can create a handy chart to help visualize the configuration options:

NOTE: For UEFI Hybrid, Secure Boot State is unsupported if the CSM is enabled, however, an operating system that supports Secure Boot will show that status as Off (Disabled) in System Information.

Now, with this information and MBR2GPT, we should be able to create a single Windows 10 Feature Update Task Sequence for clients Windows 7/8/8.1/10 and it should not matter if they are already running UEFI or Legacy BIOS. The actions that we need to perform do matter and this is where we can set some Task Sequence variables to help with the logic on the various steps. But first, let’s see what needs to be done based on the four configurations above. We already said that Legacy BIOS is the only configuration that uses a MBR partitioned disk. Therefore, this will be the only configuration that we need to run MBR2GPT. When we run MBR2GPT, we also need to configure the device’s firmware settings for UEFI and enable Secure Boot (the Microsoft solution does not do this for you, you are on your own to use the vendor methods to do this piece).

If you are one of the few that took last year’s recommendation and started deploying Windows 7 in UEFI mode, then those systems will be running UEFI Hybrid. We do not need to run MBR2GPT on these systems since they are already running a GPT partitioned disk. We simply need to turn off the CSM (or Legacy ROMs) and enable Secure Boot (once again, the Microsoft solution does not do this for you).

For systems that are running UEFI Native but Secure Boot is not enabled, we simply need to enable Secure Boot. Lastly, for systems that are already running UEFI Native with Secure Boot enabled, we do not need to do anything additional for these systems. Adding these actions to our chart, it makes it very clear what actions need to be done under each scenario:

In a follow blog post, I will go into more detail on how we can use this logic in a single Windows 10 In-Place Upgrade Task Sequence, what the steps look like and where each of them go.

Originally posted on https://miketerrill.net/

How to open CMTrace in WinPE like a boss

If you have ever done OSD, then chances are you have had to open up CMTrace a time or two to look at the smsts.log file. CMTrace displays one of the most annoying pop up boxes of all times and it is usually hiding behind the running task sequence dialog window: “Do you want to make this program the default viewer for log files?”

01 Do you want to

The answer is yes for the millionth time! Wouldn’t it be nice if it just did this automatically and never asked you again? If I had to guess, I bet you are shaking your head yes. For this post, I am going to show you how to modify your boot images so that it never asks you this annoying question again while running in WinPE.

Several years ago (back in 2009) I developed a solution on how to automatically open CMTrace (called Trace32 back in those days) for a debug task sequence. I finally got around to blogging the solution a few years ago and it is called ConfigMgr 2012 OSD: Automatically Open SMSTS log. This contains the important registry keys that we need to set in order to bake this into our boot images (and thus eliminating these three steps for the WinPE phases).

  1. The first thing we need to do is create a directory that we can use to mount our boot images (for example, MD d:\mount).
  2. Next we need to mount the boot image. This can be done using dism (be sure to run it from an elevated command prompt that has dism in the path – like the Deployment and Imaging Tools Environment short cut under Windows Kits). Select the boot image you would like to modify, I am using the default x86 boot image (in this example Configuration Manager is installed in D:\Program Files\):
    Dism /mount-wim /wimfile:”D:\Program Files\Microsoft Configuration Manager\OSD\boot\i386\boot.wim” /index:1 /mountdir:D:\mount
  3. Now we need to load the DEFAULT registry hive from the WinPE image. In my other blog post, we are creating the key in the HKEY Current User, however, since this is an offline registry, we are going to set it in the HKEY User hive which is what HKCU loads defaults from:
    Reg load HKU\winpe d:\mount\Windows\System32\config\default
  4. Now that we have the offline registry loaded, we can create the entries that we need. We will create the following registry keys that causes CMTrace to launch that annoying pop up box if they don’t already exist:
    Reg add HKU\winpe\Software\Classes\.lo_ /ve /d Log.File /f
    Reg add HKU\winpe\Software\Classes\.log /ve /d Log.File /f
    Reg add HKU\winpe\Software\Classes\Log.File\shell\open\command /ve /d “\”x:\sms\bin\x64\CMTrace.exe\” \”%1\”” /f
    NOTE: I used to put CMTrace in the Windows\System32 directory, but this is no longer needed since x:\sms\bin\i386 (use this path above for 32-bit boot images) and x:\sms\bin\x64 are now in the path now and ConfigMgr places the proper architecture of CMTrace in these locations by default. Also, be careful of smart quotes if copying and pasting.
  5. Next, unload the WinPE registry:
    Reg unload HKU\winpe
  6. Now we need to unmount the WIM file and commit the changes:
    Dism /unmount-wim /mountdir:d:\mount /commit
  7. In the Configuration Manager Console, select the boot image and update the distribution points. Generate new boot media based on the modified boot image, boot up a system (or PXE boot) and test by opening up a command prompt and typing CMTrace.

If everything worked right, CMTrace will open up without asking you “Do you want to make this program the default viewer for log files?”, as it already knows the answer. Repeat for other boot images you would like to modify. Here is a link to a text file that can be downloaded and renamed to .bat.

If you think this should automatically be in Configuration Manager, head on over to User Voice and vote for Stop CMTrace from asking us if we want to use it as the default viewer for log files in WinPE.

Originally posted on https://miketerrill.net/

How to detect, suspend, and re-enable BitLocker during a Task Sequence

In this blog post, I am going to show some simple steps that you can add to your Task Sequences to be able to detect, disable, and enable BitLocker status. This can be useful (and necessary) when performing activities like flashing the BIOS, running the new MBR2GPT utility, or upgrading to a newer version of Windows. In Configuration Manager, there are a few Task Sequence steps that are for BitLocker configuration and management:

Disable BitLocker – this step will disable BitLocker encryption on the current operating system drive or one that you specify and runs in a full operating system (does not run in WinPE). It does not decrypt the drive, but it does leave the key protectors visible in clear text on the hard drive. This step only disables BitLocker for one reboot (if you would like to see this step updated, vote for my Configuration Manager Uservoice item Add Reboot Count functionality to the Disable BitLocker TS Step). This means that BitLocker will be enabled again after the restart. If you need BitLocker to be disabled for more than one restart, then you can use manage-bde with a Run Command Line step (see below). Also, if there are data drives encrypted, then they need to be disabled before disabling the operating system drive.

Note: before running MBR2GPT, BitLocker should be disabled. Also, for just a Windows 10 In-place Upgrade with BitLocker (not doing MBR2GPT), it is not required to disable BitLocker, however, there have been reports of BitLocker not being suspended long enough during the upgrade (see the link to Jonathan Conway’s blog below) .

Enable BitLocker – this step will enable BitLocker encryption on a drive. It only runs in a full operating system (in other words, it does not run in WinPE). If selected for use, the TPM must already be enabled, activated, and allow ownership prior to running this step. This step can be used to re-enable BitLocker if the drive is already encrypted with BitLocker but in a disabled state.

Pre-provision BitLocker – this step runs under WinPE (only) and is used to enable BitLocker during the WinPE phase of the Task Sequence. It also encrypts the used drive space, which makes encryption times faster. Once in the full operating system, use the Enable BitLocker step to apply the key management options. This step is generally be used in New Computer or Wipe-and-Load Task Sequences.

Manage-bde – this is a built in command line tool that allows for the enabling, disabling, updating and reporting on BitLocker. The Microsoft TechNet documentation on Manage-bde is a bit stale and has not been updated to reflect some of the new capabilities that have been added in the newer releases. The most important one is the ability to control the reboot count when the protectors have been suspended. There is a new parameter called -RebootCount or -rc that takes a value between 0 and 15, where 0 suspends the protection indefinitely. This can be useful if you have several reboots during a Task Sequence and you need to make sure that BitLocker stays suspended (optional method listed below).

Note: Jonathan Conway has a great blog on how to use Manage-bde with the Task Sequence called SCCM Windows 10 Upgrade Task Sequence: BitLocker PIN Protector Issues on Laptops.

Now, to disable BitLocker, you could place that step in the Task Sequence and allow it to ‘Continue on error’. If you like to only use ‘Continue on error’ in certain cases and definitely want to know if BitLocker was enabled (so that you can conditionally re-enable it later on in the Task Sequence), then this can easily be done with a Set Task Sequence Variable step. Create a new Group called Disable BitLocker and on the Options tab add the following:
Task Sequence Variable _SMSTSinWinPE equals “False”

Place a Set Task Sequence Variable step in the Disable BitLocker Group and call it Set OSDBitLockerStatus for the name. Enter OSDBitLockerStatus for the Task Sequence Variable and enter Protected for the Value.
On the Options tab, add the following:
WMI Namespace: root\cimv2\Security\MicrosoftVolumeEncryption
WMI Query: select * from win32_encryptablevolume where driveletter = ‘c:’ and protectionstatus = ‘1’

This will check the BitLocker status on the C: drive (which is hopefully the OS drive). Keep in mind that if there are other data volumes that are BitLocker encrypted, these will need to be detected and decrypted first. Those systems can be filtered out in the collection targeting or it can be built into the Task Sequence using the same logic as above.

Next, add a Disable BitLocker step (with the option set Current operating system drive).
On the Options tab, add the following:
Task Sequence Variable OSDBitLockerStatus equals “Protected”

Optionally (recommended if needing multiple reboots), instead of using the built in Disable BitLocker step, add a Run Command Line step:
Name: Disable BitLocker
Command line: manage-bde -protectors -disable C: -RC 0
On the Options tab, add the following:
Task Sequence Variable OSDBitLockerStatus equals “Protected”

 

To re-enable BitLocker later on in the Task Sequence, create another group called Re-enable BitLocker.
On the Options tab, add the following:
Task Sequence Variable _SMSTSinWinPE equals “False”
Task Sequence Variable OSDBitLockerStatus equals “Protected”

Next, add an Enable BitLocker step under the Re-enable BitLocker Group (with the option set Current operating system drive). Since the drive is already encrypted, this step will just re-enable the key protectors if they are currently disabled (like if you used managed-bde and specified a reboot count).

Remember that the built in Disable BitLocker step will only disable BitLocker for one reboot (similar to what happens when you suspend BitLocker from the Control Panel applet), but if you used manage-bde with -RC 0, you will need to re-enable BitLocker.

Keep this Task Sequence template handy so that you can easily copy and paste into other Task Sequences in the future. I will be referring to this template in upcoming blog posts.

Originally posted on https://miketerrill.net/

How to Remove “Windows 10 Creators Update is on its way” link using ConfigMgr

You may have noticed a message under Update status in Settings after installing the March 2017 cumulative update that says “Good news! The Windows 10 Creators Update is on its way. Want to be one of the first to get it?” and a link below that says “Yes, show me how“.

This is great for consumer devices and non-enterprise managed, domain joined systems, but for systems that are enterprise managed (and domain joined), do you really want your end users upgrading to Windows 10 Creators Update via Windows Update? The answer is probably no. Why this message is displayed on those systems does not make much sense along with not providing a setting to turn off checking for updates from Microsoft Update on managed systems (see my other blog on how to Disable “Check online for updates from Microsoft Update” in Windows 10 on how to get rid of that link on enterprise managed systems).

Fortunately, for those of you that are running System Center Configuration Manager, you can create a Compliance Settings Configuration Item, put it in a Baseline and deploy it out to your systems to prevent that message and link from showing up.

Create a new Configuration Item and give it a name (like Remove Windows 10 Creators Update Link)

Select Windows 10 for the version of Windows (I am not sure if this link show up on the other operating systems – I heard that it may have been displayed on Server 2016 briefly but I think it has been fixed since then)

Create a New Setting
General tab
Name: HideMCTLink
Setting type: Registry value
Data type: Integer
Hive Name: HKEY_LOCAL_MACHINE
Key Name: SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
Value Name: HideMCTLink
Enable: Create the registry value as a REG_DWORD data type if remediated for noncompliant rules

Compliance Rules
Name: HideMCTLink
Rule type: Value
the following values: 1
Enable: Remediate noncompliant
Enable: Report noncompliance
Noncompliance severity: Warning

Create a Configuration Baseline and deploy it to your test Windows 10 systems. Once you are happy and it works, deploy it to production and see those annoying links disappear.

Originally posted on https://miketerrill.net/

First look – Dell 64-bit Flash BIOS Utility

Dell Laptop

Update 2/14/2017: Dell has publicly posted a download link to the 64-bit BIOS Installation Utility (now called Flash64W.exe) and you can find it here: http://en.community.dell.com/techcenter/enterprise-client/w/wiki/12237.64-bit-bios-installation-utility

Now that the cat is out of the bag that Dell has a 64-bit Flash BIOS Utility, I can finally blog about it. Earlier this week, Warren Byle of Dell announced the following on Twitter:

So there you have it, the wait is over (of course, after you get off the phone with Dell support) and you can now flash the Dell BIOS in 64-bit. You are probably thinking ‘big deal, I could do that already – flash the BIOS on 64-bit Windows 10’. Yea, you are right since full 64-bit Windows has a 32-bit subsystem, but the real magic is being able to flash the BIOS under WinPE. If your system is running UEFI (or you have a UEFI conversion Task Sequence), then it needs to boot the native architecture (in this case 64-bit). By only having a 32-bit flash BIOS utility before meant that we were unable to flash under WinPE x64. The Dell 64-bit Flash BIOS Utility is a much welcome (and needed) addition to the IT toolbox (thanks Warren)!

Using the tool is pretty simple, you use it in addition to the BIOS exe that you have already downloaded. I’ll cover off how I use it in a Configuration Manager Package in another post, but for now, here is how you use it:

001-flashupdatewin64

I used the following command line under WinPE x64 to silently flash a Dell OptiPlex 7040 from version 1.4.5 to 1.5.4:

FlashUpDateWin64.exe /b=OptiPlex_7040_1.5.4.exe /s /f /l=1.5.4.txt

Which wrote the following output:

***BIOS flash started on 1/31/2017 at 18:38:32***
Command: F:\FlashUpDateWin64.exe /b=OptiPlex_7040_1.5.4.exe /s /f /l=1.5.4.txt

1.4.5 INSTALLED (Dell System OptiPlex 7040)
– Gigabit Ethernet : 0.8
– Intel Management Engine (VPro) Update : 11.0.18.1002
– System BIOS with BIOS Guard  : 1.4.5
1.5.4 UPDATE ( OptiPlex 7040)
– System BIOS with BIOS Guard  : 1.5.4
– Gigabit Ethernet : 0.8
– Intel Management Engine (VPro) Update : 11.0.18.1002
– System Map : 1.0.1
– PCR0 XML : 0.0.0.1

Exit Code = 2 (Reboot Required)
***BIOS flash finished at 1/31/2017 at 18:38:41***

I hope you are as excited as me about this new *SHINY* utility from Dell. Happy 64-bit BIOS flashing!

Originally posted on https://miketerrill.net/

Using MBR2GPT with Configuration Manager OSD

devices-windows-10-creators-update-banner

[Update 4/5/2017] This post was based on the MBR2GPT that was released with the Windows Insider build 15007. There are a few things that have changed since then – the /silent switch has been replaced with the /convert switch. Also, it is highly recommended to run MBR2GPT from WinPE 1703 (this is required for earlier versions of Windows 10 – 1507, 1511, 1610). Look out for a new post on using this tool with Configuration Manager (including how to use it with BitLocker systems).

In my previous post, Getting Started with MBR2GPT, I showed a first look at the MBR to GPT conversion utility that is going to be released with the upcoming Windows 10 Creators Update. In this post, I am going to show how it can be integrated with a Configuration Manager OSD Task Sequence. In this test, I reset my test machine back to Legacy BIOS and disabled Secure Boot. Next, I installed build 15002 of the Windows 10 Enterprise Insider Preview, joined it to my test domain and installed the Configuration Manager 1610 client.

Starting off simple, the goal was to see if I could run MBR2GPT in a simple Task Sequence and automate what I did manually in the previous post. The first thing I did was add MBR2GPT.EXE to my 1E BIOS to UEFI OEM Toolkit Package – since I need to change the BIOS settings, it made sense to just add it to this package. The next step was to create a custom, simple Task Sequence – one that I can later just copy into a Windows 10 In-place Upgrade Task Sequence. The end result looks like this:

001-using-mbr2gpt

For the Options on this Group, I put the following Conditions:

002-using-mbr2gpt

I only want to run this on a Dell, HP or Lenovo that is currently running Legacy BIOS (no need to run it if the system is already UEFI).

The next step is to run MBR2GPT. This is the same command that I ran manually, but I added the /silent switch so that it would run without prompting for input:

003-using-mbr2gpt

Next, I run my 1E BIOS to UEFI OEM step (available to 1E Nomad customers) to configure the necessary BIOS settings. In this case I want to enable Secure Boot as well. The nice thing about this step is that conditions can be added so there can be multiple configuration – for example, one with Secure Boot and maybe one without Secure Boot (for systems that might have conflicts with Secure Boot because of bad video card drivers).

004-using-mbr2gpt

The last thing to do is reboot after running both of these steps in order for the configurations to take effect.

005-using-mbr2gpt

Running this Task Sequence on my test system yielded the following in the smsts.log where we can see that MBR2GPT ran successfully:

006-using-mbr2gpt

Adding this into an in-place upgrade Task Sequence might look something like this:

007-using-mbr2gpt

Keep in mind that this is only part of the Windows Insider release right now and should not be used in production, but initial tests seem to show promising results. Also, there are still some blockers for being able to use in-place upgrade like I mentioned in the previous post. Have a plan on how you plan on handling applications that need to be uninstalled, upgraded and replaced. In other words, just because you can do in-place upgrade, do you still want that old version of Office on your shiny new Windows 10 OS? In addition, Windows 10 content is going to have a massive impact to your network. Not just the Feature Updates, but the Quality Updates (i.e. security patches) are likely to have the biggest impact (especially if you have to patch multiple versions of Windows 10). Look into using a peer to peer solution (like 1E Nomad) sooner rather than later. Lastly, chances are, you are going to have to support multiple deployment methods in your environment – make sure the tools (and vendor) you choose is capable of handling all of them seamlessly (don’t settle for cheap knock offs – you get what you pay for and can open up your network to unwanted security vulnerabilities). Baremetal for new computers and break/fix, hardware refresh/replacement, wipe-and-load, and in-place upgrade.

Originally posted on https://miketerrill.net/