Automating Dell BIOS-UEFI Standards for Windows 10


If you are starting to deploy Windows 10 (or are currently deploying Windows 8/8.1), then now is the time to make the switch to UEFI.  A system needs to be configured for UEFI (without the Compatibility Support Module enabled) in order to take advantage of Secure Boot (and other Windows 10 security features like Device Guard).  Secure Boot prevents loading of drivers and OS loaders that are not signed with a trusted digital signature, thus blocking malware and rootkits that alter the boot process.

The first versions of Windows to support Secure Boot were Windows 8 and Windows Server 2012.  If you were one of the many companies that either skipped Windows 8/8.1 or only deployed it in limited quantities, then chances are you deployed your systems in legacy BIOS mode.  This means that your Windows 7 systems have MBR partitioned disks, and in order to make the switch to UEFI these systems need to be re-partitioned.  This is one of the limitations of the Windows 10 In-place upgrade method, as it does not support changing the disk partitioning structure.  The quickest approach to getting to Windows 10 is the In-place upgrade path, and it might make sense to do this on the systems that qualify.  For the ones that don’t (including brand new systems), you definitely want to start configuring them for UEFI and Secure Boot now!
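To sort an existing fleet into the two paths described above (In-place upgrade for UEFI/GPT systems, rebuild for legacy BIOS/MBR systems), the following added PowerShell script (not part of the original post) reports firmware type, Secure Boot state and system-disk partition style from inside Windows 8.1/10. It assumes an elevated session, since Confirm-SecureBootUEFI and Get-Disk require administrator rights, and the recommendation labels are my own names.

```powershell
# Added example: classify a machine for the UEFI/Secure Boot migration described in this post.
# Run elevated inside Windows 8.1/10 (not WinPE).
function Get-BootSecurityState {
    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy' on Windows 8 and later.
    $firmware = $env:firmware_type
    $secureBoot = $false
    try {
        # Confirm-SecureBootUEFI throws on legacy BIOS systems ("not supported on this
        # platform"), so a failed call is itself evidence of a non-UEFI boot.
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $secureBoot = $false
    }

    # Partition style of the disk that holds the system (EFI or active) partition.
    $sysPart = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
    $style = if ($sysPart) { (Get-Disk -Number $sysPart.DiskNumber).PartitionStyle } else { 'Unknown' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Manufacturer   = (Get-CimInstance Win32_ComputerSystem).Manufacturer
        FirmwareType   = $firmware
        SecureBoot     = [bool]$secureBoot
        PartitionStyle = $style
    }
}

function Get-UpgradePath {
    param([pscustomobject]$State)
    # UEFI + GPT: the In-place upgrade keeps the layout; only Secure Boot may still need enabling.
    if ($State.FirmwareType -eq 'UEFI' -and $State.PartitionStyle -eq 'GPT') {
        if ($State.SecureBoot) { return 'Compliant' }
        return 'InPlaceUpgrade-ThenEnableSecureBoot'
    }
    # Legacy BIOS and/or MBR: the In-place upgrade cannot re-partition, so rebuild via UEFI OSD.
    return 'Rebuild-RepartitionToGPT'
}

$state = Get-BootSecurityState
$state | Format-List
"Recommended path: $(Get-UpgradePath $state)"
```

Collecting this output as hardware inventory (or running it as a ConfigMgr compliance script) gives you the collection membership for the Task Sequence described below.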

In my previous post, How to create a Dell Command-Configure Package in ConfigMgr, I showed how you could set up the Dell Command-Configure Package in order to use it in OSD Task Sequences.  Now, I am going to show you an example of how it can be used in WinPE via PXE boot (of course, I use 1E PXE Everywhere 3.0, which is part of Nomad 6.0) to enforce these standards.  This will not only increase standardization in your environment, but also prevent costly mistakes made by manual processes.

The first thing we need to do is create a custom Task Sequence.  For this example, I am going to give it the name of BIOS-UEFI Configuration for Windows 10.

[Screenshot 001: Create TS]

NOTE: This Task Sequence example will only work on systems that already have a formatted disk.  We will cover handling bare disks at another time.

Once created, edit the Task Sequence.  For those of you using Nomad, create the Set Nomad as Download Program (new in Nomad 6.0) and Install and Configure Nomad in Windows PE as the first two steps.  Otherwise, add an Apply Operating System Image step called Dummy Step to trick CM and put a Task Sequence variable condition on the step so that the TS variable NEVERTRUE equals TRUE.

[Screenshot 002: NEVERTRUE equals TRUE]

This is very important for two reasons: first, it makes CM treat this as an OSD Task Sequence so that we can boot into WinPE and run it; second, the condition will always evaluate to false, so the step is skipped (because we really do not want to apply an OS image yet).

Next, add a Group called Dell BIOS-UEFI Configuration and put a WMI condition on the group with the following query:


Select * From Win32_ComputerSystem WHERE Manufacturer LIKE "%DELL%"

[Screenshot 003: Dell Group conditions]

This way the group only applies to Dell systems, which matters if you use other OEMs in your environment, and it also makes the group easier to copy and paste into other Task Sequences.

Each of the following steps in this group will be Run Command Line steps that reference the Package Dell Command-Configure-WinPE 3.1.0.250.  I have split out each of the steps in order to make the solution modular.  In other words, not all settings may apply to all Dell models and conditions can be set on the individual steps accordingly.  So, be sure to test against all models that you support.  Another reason for splitting out the steps is that you will get output from each of the commands.  I have included steps that will attempt to get the current setting prior to the step that actually sets the value.  Some of the output can be read from the status messages that are sent back to ConfigMgr, while others will only be reflected in the smsts.log.  For the steps that get the current values, I have made those ‘continue on error’ in order to prevent the Task Sequence from failing from non-zero return values.  Getting the Secure Boot value is one that returns a non-zero exit code (along with the text “The option ‘secureboot’ is not enabled”, if it is not enabled) and will cause the Task Sequence to fail at that point.  In other words, we do not care if it fails reading a value, but we do care if it fails setting a value.

Also, these settings are ones that I would set, so please research each one using the Dell Command-Configure documentation and set the values that work for your environment.

Here is a list of the settings:
NOTE: each of the commands uses a double dash, which is hard to see in the screenshots.


Name: Install Dell HAPI Drivers
Command line: HAPIInstall.cmd

Name: Current Active Boot List
Command line: cctk.cmd bootorder --activebootlist

Name: Enable UEFI
Command line: cctk.cmd bootorder --activebootlist=uefi

Name: Current Legacy ROM Setting
Command line: cctk.cmd --legacyorom

Name: Disable Legacy ROMs
Command line: cctk.cmd --legacyorom=disable

Name: Current Secure Boot Setting
Command line: cctk.cmd --secureboot

Name: Enable Secure Boot
Command line: cctk.cmd --secureboot=enable

Name: Current Wake On Lan Setting
Command line: cctk.cmd --wakeonlan

Name: Enable Wake On Lan
Command line: cctk.cmd --wakeonlan=enable

Name: Current UEFI PXE Setting
Command line: cctk.cmd --uefinwstack

Name: Enable UEFI Network Stack
Command line: cctk.cmd --uefinwstack=enable

Name: Current SATA-RAID Setting
Command line: cctk.cmd --embsataraid

Name: Set SATA Operation - AHCI
Command line: cctk.cmd --embsataraid=ahci

Name: Set PXE Boot on next boot
Command line: cctk.cmd --forcepxeonnextboot=enable

[Screenshot 004: Enable UEFI]
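The same read-then-set pattern as the steps above, collapsed into one script, as an added example that is not part of the original post: reads are logged but tolerated on a non-zero exit (the 'continue on error' behaviour), while a failed set stops the script and returns the cctk exit code to the Task Sequence. It assumes HAPIInstall.cmd has already run, that cctk.exe sits under x86_64\ next to the script (adjust $CctkPath for x86 boot images), and that the boot image includes the PowerShell optional component.

```powershell
# Added example: enforce the Dell BIOS-UEFI settings from this post with one PowerShell script.
$CctkPath = Join-Path $PSScriptRoot 'x86_64\cctk.exe'   # assumption: x64 boot image
$Log      = Join-Path $env:TEMP 'bios-uefi-config.log'

# Same settings, in the same order, as the Run Command Line steps listed above.
# Order matters: legacy option ROMs must be off before Secure Boot can be enabled.
$Settings = @(
    @{ Name = 'Active boot list';   Get = 'bootorder','--activebootlist'; Set = 'bootorder','--activebootlist=uefi' }
    @{ Name = 'Legacy option ROMs'; Get = '--legacyorom';  Set = '--legacyorom=disable' }
    @{ Name = 'Secure Boot';        Get = '--secureboot';  Set = '--secureboot=enable' }
    @{ Name = 'Wake on LAN';        Get = '--wakeonlan';   Set = '--wakeonlan=enable' }
    @{ Name = 'UEFI network stack'; Get = '--uefinwstack'; Set = '--uefinwstack=enable' }
    @{ Name = 'SATA operation';     Get = '--embsataraid'; Set = '--embsataraid=ahci' }
)

function Invoke-Cctk {
    param([string[]]$Arguments)
    # Run cctk.exe and capture both its text output and its exit code.
    $text = (& $CctkPath @Arguments 2>&1 | Out-String).Trim()
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $text }
}

function Write-Log {
    param([string]$Message)
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $Log -Value $line   # the log survives alongside smsts.log
    Write-Host $line
}

if (-not (Test-Path $CctkPath)) { Write-Log "cctk.exe not found at $CctkPath"; exit 2 }

foreach ($s in $Settings) {
    # Read step: a non-zero exit here is informational only (for example
    # "The option 'secureboot' is not enabled"), so it never aborts the run.
    $before = Invoke-Cctk $s.Get
    Write-Log "[$($s.Name)] current: $($before.Output) (rc=$($before.ExitCode))"

    # Set step: a non-zero exit is a real failure; stop before dependent settings run.
    $result = Invoke-Cctk $s.Set
    Write-Log "[$($s.Name)] set: $($result.Output) (rc=$($result.ExitCode))"
    if ($result.ExitCode -ne 0) {
        Write-Log "[$($s.Name)] FAILED, aborting"
        exit $result.ExitCode
    }
}

# Ask for a PXE boot on the next restart so the now-UEFI system lands back in WinPE.
$pxe = Invoke-Cctk '--forcepxeonnextboot=enable'
exit $pxe.ExitCode
```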

Outside of the Dell BIOS-UEFI Configuration Group, I put a Run Command Line step called Pause with the condition that the Task Sequence variable PAUSE equals TRUE.  This is useful for testing and/or troubleshooting as it will launch a command line and prevent the Task Sequence from finishing.  Simply put the PAUSE variable on either the collection targeted or a device that is being tested.

The last step is a Set Task Sequence Variable step called Restart WinPE.  This sets the Task Sequence variable SMSTSPostAction to the value wpeutil reboot.  This allows the Task Sequence to finish cleanly.

Hopefully you have found this information useful and it gets you well on your way to standardizing your environment’s BIOS-UEFI settings. Making the change to UEFI allows you to take full advantage of the security features in Windows 10.  Now when you boot into WinPE and run the OSD Task Sequence wizard, it will detect that the system is running UEFI (_SMSTSBootUEFI = TRUE) and the disk will be partitioned and formatted accordingly.

You can also download an export of the Task Sequence (updated for CM 1511) here: Dell BIOS-UEFI Configuration for Windows 10 x64.zip

Originally posted on https://miketerrill.net/

How to create a Dell Command-Configure Package in ConfigMgr


Dell recently released the Dell Command | Configure utility (previously known as the Dell Client Configuration Toolkit – CCTK) that allows IT Pros to configure and manage Dell Enterprise client systems.  The latest release (version 3.1 at the time of this blog) includes support for Windows 10 and WinPE 10.  The Command | Configure utility can be used to enable and standardize BIOS settings automatically across the enterprise, yielding a consistent, standard environment.  Now that Windows 10 is here, organizations are going to want to configure UEFI as the default so that they can leverage features like Secure Boot and Device Guard.

Like the CCTK, there is a GUI component and a command line component that can be installed.  For this post, I am going to show you how to create a basic Package that can be used as part of an OSD Task Sequence under WinPE.

The first thing you need to do is download from here (or search on Dell Command Configure) and install it on a Dell system that is already running Windows 7/8/8.1/10.

Next create a directory on your ConfigMgr Package repository share where you store the source files for your ConfigMgr Packages (for example \\ContentSource\Packages\Dell\Command-Configure-WinPE\3.1.0.250).

Locate the install directory and copy the X86 and X86_64 sub folders to the Package share.  On an x64 system, the default location is C:\Program Files (x86)\Dell\Command Configure.

[Screenshot 001: Install Directory]

Create a file in the root of the Package directory called cctk.cmd.  Use the following for the contents of the file:


@ECHO OFF
REM Wrapper that passes all of its arguments through to the cctk.exe matching
REM the architecture of the running WinPE (x86 or x64) and returns its exit code.
SET CMDLINE=%*

ECHO == Setting BIOS Settings ==

REM Determine Arch
IF "%PROCESSOR_ARCHITECTURE%" == "AMD64" GOTO X64
GOTO X86

:X64
SET CCTKPath=x86_64
GOTO RunCCTK

:X86
SET CCTKPath=x86
GOTO RunCCTK

:RunCCTK
REM %~dp0 is the directory of this script, so the Package works regardless of the working directory
ECHO --Running command %CCTKPath%\cctk.exe %CMDLINE%
"%~dp0%CCTKPath%\cctk.exe" %CMDLINE%

REM Return cctk's exit code to the Task Sequence so a failed setting is visible
EXIT /B %errorlevel%

Next, create another file in the root of the Package directory called HAPIInstall.cmd.  Use the following for the contents of the file:


@echo off
REM Install the Dell HAPI driver that cctk.exe depends on in WinPE, choosing the
REM build matching the architecture of the running WinPE (x86 or x64).
REM Determine Arch
IF "%PROCESSOR_ARCHITECTURE%" == "AMD64" GOTO X64
GOTO X86

:X64
"%~dp0x86_64\hapi\hapint.exe" -i -k C-C-T-K -p "hapint.exe"
GOTO END

:X86
"%~dp0x86\hapi\hapint.exe" -i -k C-C-T-K -p "hapint.exe"
GOTO END

:END
REM Return the installer's exit code to the Task Sequence
EXIT /B %errorlevel%

Both of these files handle the logic to install either x86 or x64 based on the currently detected platform.  The final Package source directory should look like the following:

[Screenshot 002: Package Source Directory]

Create a Package in ConfigMgr like you normally would and distribute to the Distribution Points.  A Program is not required, so that can be skipped.

In an upcoming post, I will show how this can be used in an OSD Task Sequence.
