4/5/2020

Not only can Configuring Wake-On-LAN (WoL) improve your company’s software distribution success rates, it can also help out in the time of a crisis. With the recent COVID-19 outbreak, more and more companies are encouraging those employees that are able to do so to work from home. This presents challenges for IT as there are issues to deal with, like extra VPN traffic (see my previous post on Forcing Configuration Manager VPN Clients to get patches from Microsoft Update). There might also be a high number of desktop machines that are in use and the company would rather these stay at work locations.

Configuring WoL can help out in the case that employees need to access their desktop at work using a secure corporate connection from either a work laptop or even home computer. However, one can only remote desktop to their system at work if it is powered on. By providing a portal that employees can access, they can see what device(s) they currently use (instead of having to remember computer names) and RDP to that device. In addition, if the device is off, attempt to wake it up and then connect to it. My colleague Ryan Ephgrave has recently completed the web portal and put it on his github for anyone to use (called Remote Connection Center).

The WoL part of this solution will only work if the desktops have been correctly configured for WoL. There are a few things that need to be configured in order for this to work:

• Disable Windows 10 Fast Start-up (prevents WoL and BIOS power on schedules, among other things)
• CM Client Settings & NIC adapter settings
• Specific settings in the BIOS/UEFI (varies by manufacturer)

Disable Windows 10 Fast Start-up
As mentioned above, Fast Start-up has some strange side effects that it creates. Not only does it prevent WoL from working, it also prevents BIOS power on schedules from working. In addition, it can cause issues with hibernation and shutdown (KB3211190), as well as Windows updates (KB4011287). Luckily, Terence Beggs over at MSEndpointMgr (formerly SCConfigMgr) has already blogged about how to Manage Windows 10 Fast Startup with SCCM Compliance Baseline. I will be using this registry setting (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power\HiberBootEnabled=0) and CI in my subsequent WoL blog posts.

CM Client Settings & NIC adapter settings
The Microsoft MEMCM Team has finally gotten WoL right. This last iteration works amazingly well and has eliminated the need for any 3rd party wake-on-lan solutions (thankfully!). New in Current Branch 2002 is the ability to wake up machines from the CAS (if you are unfortunate to have a CAS, which you can now remove in 2002). Be sure to enable both Wake on LAN starting in version 1810 and Wake on LAN for version 1806 and earlier for best results (see How to configure Wake on LAN in Configuration Manager). In my test lab, I have the following options configured:

This setting will automatically configure one of the NIC card settings that need to be enabled (that we previously had to script). On the Power Management tab of the network adapter card properties, you will now see all three check boxes enabled for clients that have this policy applied:

In addition to these NIC card settings, there are a few other settings that need to be enabled. If you are using the manufacturer’s NIC card driver, then most of the time the Wake on Magic Packet setting will be Enabled by default.

Out of the box Windows drivers may or may not have this setting at all and therefore, I do not recommend using the out of the box Windows drivers for the network card. There could be other settings that might conflict with WoL success but in testing with the latest set of drivers I did not experience any issues (even though Energy Efficient Ethernet and Ultra Low Power Mode were set to Enabled).

Lastly, there are some other considerations to account for that may impact the ability to perform a successful WoL. If you have an out dated pre-boot authentication mechanism in place (legacy 3rd party disk encryption products use ‘cached’ credentials as a method of ‘unlocking’ the disk so that it can boot into Windows), then this will likely prevent a successful WoL, as the system will never boot up to Windows. Something else that may or may not block WoL (again – depending on how it is configured), is 802.1x. Test first to see if it works and if it does not, then you might need to work with your 802.1x team. If you run into any other blockers, feel free to list them in the comments below.

In Part 2, I get into the details on the BIOS/UEFI specific settings for current model HP desktops and in Part 3, I cover the BIOS/UEFI specific settings for current model Dell desktops. These are the only two manufacturers I will be covering as these are the only desktops that I have available for testing.

Originally posted on https://miketerrill.net/