Upgrading the BIOS Part 1

Operating systems and software are not the only thing that needs to be upgraded these days. It is really important that the BIOS firmware gets updated as well. Lately, I have been talking to a lot of IT Pros at conferences and user group meetings and I have discovered that not too many people upgrade or ‘flash’ the BIOS on systems after they have already been deployed (or even ever – sometimes they are sent out with the version they came with from the vendor). It is really important to change this going forward. I recommend developing standard versions that you support so that all systems are running your minimum standard version or newer. Periodically, a review of BIOS releases should be done to see if a later version should become the new minimum standard.

So why even upgrade the BIOS in the first place? There are a few reasons that I can think of that answer this question. The first reason is Windows 10 support. Believe it or not, the hardware vendors test the latest operating systems on the models that they currently support. Take the Lenovo ThinkPad T450, looking in the BIOS release history, you can see that Windows 10 support was added for version 1.17:

<1.17> 2015/09/07
– (New) Added win10 support.
– (New) Enabled N25Q128 SPI ROM support.
– (New) Added security fix addresses LEN-2015-002 SMM “Incursion” Attack.
– (New) Included security fixies.
– (New) Added new incompatibility bit for Back Flash Prevention.

Now this does not mean that Windows 10 will not work on versions lower than version 1.17. It means that this is probably the version that they validated and tested Windows 10 against. If you happen to run into an issue running Windows 10 on a version lower than 1.17 and you call in for support, chances are they will have you upgrade the BIOS to the latest version to see if that addresses your issue.

The second reason to upgrade the BIOS is to get fixes. It makes sense to start off on one of the latest releases than it does to start off with a version that is a year or more behind in fixes. By not upgrading to a recent version as part of the deployment process, you are potentially wasting everyone’s time – the end user, help desk, desk side (and your time if the problem comes back to you). Save the hassle and be proactive. Looking at a newer BIOS release version for the same Lenovo ThinkPad T450, we see that there is even a ‘SCCM’ fix listed in version 1.19:

<1.19>
– (New) Updated verbtable for noise.
– (New) Changed Haswell + N16s Tolud.
– (New) Updated Winuptp & Winuptp64.
– (Fix) Fixed an issue that srsetupwin fails to install pop/hdp with clearing SVP.
– (Fix) Fixed an issue related to SCCM 80070490 error when HDP is set.
– (Fix) Fixed an issue related to silent install auto restart issue.

The third reason to upgrade the BIOS is to get security related fixes. Yes, they find and fix security fixes in the BIOS firmware just like they do in operating systems and software. Do your security team (and yourself) a favor and deploy versions that contain these security fixes. Looking at the BIOS release history for the HP EliteBook Folio 9470m, we can see some of these security fixes listed in this version:

Version:F.60 A (20 Jan 2015)
Fixes
– Fixes an intermittent issue where enabling the LAN/WLAN switching feature in the F10 BIOS settings causes the system to stop functioning properly (hang) at POST after a warm boot.

Enhancements
– Provides improved security of UEFI code and variables. HP strongly recommends transitioning promptly to this updated BIOS version which supersedes all previous releases.

NOTE: Due to security changes, after this BIOS update is installed, previous versions cannot be reinstalled.

Pay close attention to the note at the end of the release text – it states that previous versions cannot be reinstalled. What this means is that you can no longer ‘flash’ back to an earlier BIOS version. This is important when it comes to deploying BIOS and how we detect what systems need to be updated, but more on that later.

The fourth reason that comes to mind is has to do with manipulating the BIOS settings programmatically. I have written blogs and talked on the topic of using the vendor utilities to programmatically change the BIOS settings (like BIOS to UEFI) using a Configuration Manager task sequence. Just as it is important to standardize on the BIOS versions, you should also develop standards on how each BIOS setting should be configured in order to maintain consistency and ensure devices are configured accordingly. By running on the latest BIOS version, you will ensure that these utilities will work correctly and configure the settings correctly.

I am sure I can think of many more reasons why you should start baselining and upgrading the BIOS versions for the supported systems in your environment, but hopefully I have identified the top four reasons and have convinced you that this needs to be done on a regular basis. In the next blog, Upgrading the BIOS Part 2, I will discuss the approach to flashing the BIOS along with some lessor understood caveats as it relates to BitLocker, BIOS passwords and UEFI 64-bit systems.

Originally posted on https://miketerrill.net/

BIOS and Secure Boot State Detection during a Task Sequence Part 2

In BIOS and Secure Boot State Detection Part 1, I talked about the various states a system can be in for the BIOS Mode and Secure Boot state. Having these states defined as OSD variables can be useful in determining what actions need to be performed in order to switch a system to UEFI Native with Secure Boot enabled. Depending on how you perform the vendor firmware changes, you may or may not need to define the difference between UEFI Hybrid and UEFI Native. UEFI Hybrid is when the system is running UEFI and the Compatibility Support Module (CSM) is enabled (this is how you can run Windows 7 in UEFI mode – yes, really). In order to enable Secure Boot, the CSM needs to be disabled first. Also, for Secure Boot state, you may or may not need to define all of the possible options. If the goal is to get to Secure Boot enabled, that may be good enough to just test for that. However, Secure Boot disabled may be a nice to have in the case you have systems that do not play well with Secure Boot being enabled.

I start off by creating a group called Set BIOS and Secure Boot Variables. For a Windows 10 In-place Upgrade Task Sequence, I place this group after the Install Updates step in the Post-Processing group (but more on that in another post). This way, the system is already running Windows 10, which is a Secure Boot capable operating system (unlike Windows 7, which is not capable of running Secure Boot). The first Task Sequence variable I like to define is called BIOSMode, I set this to LegacyBIOS on the condition that _SMSTSBootUEFI equals FALSE.

imageimage

We could just use the _SMSTSBootUEFI variable, however it is not as intuitive to other administrators if they need to read or edit the Task Sequence or read Status Messages and/or log files.

Next, add another Task Sequence variable called SecureBootState with the value Enabled. The condition on this is going to be based on the registry value:  HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled = 1.

image

image

Now add another Set Task Sequence variable step with the same name, SecureBootState, but this time set the value to Disabled. The condition on this is going to be based on the registry value:  HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled = 0.

image

image

There is also the Secure Boot state of unknown or NA, but for the time being I do not use this one in any of my Task Sequences. I also do not use the condition where SecureBootState = Disabled currently, but I figured it would be handy to have it in the future if needed. I have also created an item on uservoice so that maybe one day we will see a variable like this as part of the product: Create an OSD variable for Secure Boot – _SMSTSSecureBootState.

Feel free to download my exported Set BIOS and Secure Boot Variables Task Sequence here (created on Configuration Manager Current Branch 1702). Stay tuned on how to use these variables in a BIOS to UEFI Task Sequence…

Originally posted on https://miketerrill.net/

How to detect, suspend, and re-enable BitLocker during a Task Sequence

In this blog post, I am going to show some simple steps that you can add to your Task Sequences to be able to detect, disable, and enable BitLocker status. This can be useful (and necessary) when performing activities like flashing the BIOS, running the new MBR2GPT utility, or upgrading to a newer version of Windows. In Configuration Manager, there are a few Task Sequence steps that are for BitLocker configuration and management:

Disable BitLocker – this step will disable BitLocker encryption on the current operating system drive or one that you specify and runs in a full operating system (does not run in WinPE). It does not decrypt the drive, but it does leave the key protectors visible in clear text on the hard drive. This step only disables BitLocker for one reboot (if you would like to see this step updated, vote for my Configuration Manager Uservoice item Add Reboot Count functionality to the Disable BitLocker TS Step). This means that BitLocker will be enabled again after the restart. If you need BitLocker to be disabled for more than one restart, then you can use manage-bde with a Run Command Line step (see below). Also, if there are data drives encrypted, then they need to be disabled before disabling the operating system drive.

Note: before running MBR2GPT, BitLocker should be disabled. Also, for just a Windows 10 In-place Upgrade with BitLocker (not doing MBR2GPT), it is not required to disable BitLocker, however, there have been reports of BitLocker not being suspended long enough during the upgrade (see the link to Jonathan Conway’s blog below) .

Enable BitLocker – this step will enable BitLocker encryption on a drive. It only runs in a full operating system (in other words, it does not run in WinPE). If selected for use, the TPM must already be enabled, activated, and allow ownership prior to running this step. This step can be used to re-enable BitLocker if the drive is already encrypted with BitLocker but in a disabled state.

Pre-provision BitLocker – this step runs under WinPE (only) and is used to enable BitLocker during the WinPE phase of the Task Sequence. It also encrypts the used drive space, which makes encryption times faster. Once in the full operating system, use the Enable BitLocker step to apply the key management options. This step is generally be used in New Computer or Wipe-and-Load Task Sequences.

Manage-bde – this is a built in command line tool that allows for the enabling, disabling, updating and reporting on BitLocker. The Microsoft TechNet documentation on Manage-bde is a bit stale and has not been updated to reflect some of the new capabilities that have been added in the newer releases. The most important one is the ability to control the reboot count when the protectors have been suspended. There is a new parameter called -RebootCount or -rc that takes a value between 0 and 15, where 0 suspends the protection indefinitely. This can be useful if you have several reboots during a Task Sequence and you need to make sure that BitLocker stays suspended (optional method listed below).

Note: Jonathan Conway has a great blog on how to use Manage-bde with the Task Sequence called SCCM Windows 10 Upgrade Task Sequence: BitLocker PIN Protector Issues on Laptops.

Now, to disable BitLocker, you could place that step in the Task Sequence and allow it to ‘Continue on error’. If you like to only use ‘Continue on error’ in certain cases and definitely want to know if BitLocker was enabled (so that you can conditionally re-enable it later on in the Task Sequence), then this can easily be done with a Set Task Sequence Variable step. Create a new Group called Disable BitLocker and on the Options tab add the following:
Task Sequence Variable _SMSTSinWinPE equals “False”

Place a Set Task Sequence Variable step in the Disable BitLocker Group and call it Set OSDBitLockerStatus for the name. Enter OSDBitLockerStatus for the Task Sequence Variable and enter Protected for the Value.
On the Options tab, add the following:
WMI Namespace: root\cimv2\Security\MicrosoftVolumeEncryption
WMI Query: select * from win32_encryptablevolume where driveletter = ‘c:’ and protectionstatus = ‘1’

This will check the BitLocker status on the C: drive (which is hopefully the OS drive). Keep in mind that if there are other data volumes that are BitLocker encrypted, these will need to be detected and decrypted first. Those systems can be filtered out in the collection targeting or it can be built into the Task Sequence using the same logic as above.

Next, add a Disable BitLocker step (with the option set Current operating system drive).
On the Options tab, add the following:
Task Sequence Variable OSDBitLockerStatus equals “Protected”

Optionally (recommended if needing multiple reboots), instead of using the built in Disable BitLocker step, add a Run Command Line step:
Name: Disable BitLocker
Command line: manage-bde -protectors -disable C: -RC 0
On the Options tab, add the following:
Task Sequence Variable OSDBitLockerStatus equals “Protected”

 

To re-enable BitLocker later on in the Task Sequence, create another group called Re-enable BitLocker.
On the Options tab, add the following:
Task Sequence Variable _SMSTSinWinPE equals “False”
Task Sequence Variable OSDBitLockerStatus equals “Protected”

Next, add an Enable BitLocker step under the Re-enable BitLocker Group (with the option set Current operating system drive). Since the drive is already encrypted, this step will just re-enable the key protectors if they are currently disabled (like if you used managed-bde and specified a reboot count).

Remember that the built in Disable BitLocker step will only disable BitLocker for one reboot (similar to what happens when you suspend BitLocker from the Control Panel applet), but if you used manage-bde with -RC 0, you will need to re-enable BitLocker.

Keep this Task Sequence template handy so that you can easily copy and paste into other Task Sequences in the future. I will be referring to this template in upcoming blog posts.

Originally posted on https://miketerrill.net/

Using MBR2GPT with Configuration Manager OSD

devices-windows-10-creators-update-banner

[Update 4/5/2017] This post was based on the MBR2GPT that was released with the Windows Insider build 15007. There are a few things that have changed since then – the /silent switch has been replaced with the /convert switch. Also, it is highly recommended to run MBR2GPT from WinPE 1703 (this is required for earlier versions of Windows 10 – 1507, 1511, 1610). Look out for a new post on using this tool with Configuration Manager (including how to use it with BitLocker systems).

In my previous post, Getting Started with MBR2GPT, I showed a first look at the MBR to GPT conversion utility that is going to be released with the upcoming Windows 10 Creators Update. In this post, I am going to show how it can be integrated with a Configuration Manager OSD Task Sequence. In this test, I reset my test machine back to Legacy BIOS and disabled Secure Boot. Next, I installed build 15002 of the Windows 10 Enterprise Insider Preview, joined it to my test domain and installed the Configuration Manager 1610 client.

Starting off simple, the goal was to see if I could run MBR2GPT in a simple Task Sequence and automate what I did manually in the previous post. The first thing I did was add MBR2GPT.EXE to my 1E BIOS to UEFI OEM Toolkit Package – since I need to change the BIOS settings, it made sense to just add it to this package. The next step was to create a custom, simple Task Sequence – one that I can later just copy into a Windows 10 In-place Upgrade Task Sequence. The end result looks like this:

001-using-mbr2gpt

For the Options on this Group, I put the following Conditions:

002-using-mbr2gpt

I only want to run this on a Dell, HP or Lenovo that is currently running Legacy BIOS (no need to run it if the system is already UEFI).

The next step is to run MBR2GPT. This is the same command that I ran manually, but I added the /silent switch so that it would run without prompting for input:

003-using-mbr2gpt

Next, I run my 1E BIOS to UEFI OEM step (available to 1E Nomad customers) to configure the necessary BIOS settings. In this case I want to enable Secure Boot as well. The nice thing about this step is that conditions can be added so there can be multiple configuration – for example, one with Secure Boot and maybe one without Secure Boot (for systems that might have conflicts with Secure Boot because of bad video card drivers).

004-using-mbr2gpt

The last thing to do is reboot after running both of these steps in order for the configurations to take effect.

005-using-mbr2gpt

Running this Task Sequence on my test system yielded the following in the smsts.log where we can see that MBR2GPT ran successfully:

006-using-mbr2gpt

Adding this into an in-place upgrade Task Sequence might look something like this:

007-using-mbr2gpt

Keep in mind that this is only part of the Windows Insider release right now and should not be used in production, but initial tests seem to show promising results. Also, there are still some blockers for being able to use in-place upgrade like I mentioned in the previous post. Have a plan on how you plan on handling applications that need to be uninstalled, upgraded and replaced. In other words, just because you can do in-place upgrade, do you still want that old version of Office on your shiny new Windows 10 OS? In addition, Windows 10 content is going to have a massive impact to your network. Not just the Feature Updates, but the Quality Updates (i.e. security patches) are likely to have the biggest impact (especially if you have to patch multiple versions of Windows 10). Look into using a peer to peer solution (like 1E Nomad) sooner rather than later. Lastly, chances are, you are going to have to support multiple deployment methods in your environment – make sure the tools (and vendor) you choose is capable of handling all of them seamlessly (don’t settle for cheap knock offs – you get what you pay for and can open up your network to unwanted security vulnerabilities). Baremetal for new computers and break/fix, hardware refresh/replacement, wipe-and-load, and in-place upgrade.

Originally posted on https://miketerrill.net/

Getting Started with MBR2GPT

devices-windows-10-creators-update-banner

In my previous post, BIOS to UEFI made easier with Windows 10 Creators Update, I uncovered a hidden gem in the 15007 build of the Windows 10 Enterprise Insider Preview called MBR2GPT. The benefits of this MBR to GPT conversion utility is that it makes it easier to convert systems from BIOS to UEFI and be able to take advantage of all the security features that comes in Windows 10 like Secure Boot, Device Guard and Credential Guard (to name a few). Currently, in order to stay supported by Microsoft, the hard disk needs to be completely repartitioned and formatted when switching from MBR to GPT. This is a destructive process and requires the user data to be backed up off of the hard drive, applications to be re-installed and then the user data restored once the new OS is up and running. Without the proper tools (shameless plug – see the 1e Windows 10 Now Solution), this can be a cumbersome task.

You still want to put some thought into applications as it relates to an in-place upgrade. There will be some applications that will be upgrade blockers (mainly 3rd party antivirus that is not compatible with the Windows 10 in-place upgrade process or 3rd party disk encryption) and need to be uninstalled prior to the in-place upgrade. There will also be applications that you will want upgraded – do you really want to run Office 2003 which may have been your standard on Windows 7 on Windows 10 or would you like to uplift it to Office 365 as part of the process? You might also want to replace an application with a less costly application (like swapping an expensive FTP client with a less expensive one). And lastly, you might want to uninstall applications that are not used in order to reduce your security foot print and eliminate unnecessary patching. These are things to consider when venturing down the in-place upgrade deployment method.

Applications aside for now, let’s get back to MBR2GPT…

You are probably wondering what are the options for using this utility – well, I can tell you if you have already deployed Windows 10 to BIOS systems you are fortunately in luck. Also, if you have not even started your Windows 10 upgrade, you are also in luck. The basic upgrade process will look like the following:

Windows* running on BIOS > In-place upgrade to Windows 10 (probably Creators Update) – still running BIOS at this point > MBR2GPT > Vendor BIOS Settings > Reboot > Windows 10 running UEFI.

Where Windows* is any version that supports upgrading to a Windows 10 version that supports MBR2GPT (like Windows 7 SP1 x64, Windows 8/8.1 x64 and previous versions of Windows 10-1507/1511/1607).

Now that we have that covered, let’s see how this tool actually runs. Below, I have an Insiders build of Windows 10 Creators Update (note that this is build 15002 and that MBR2GPT is in 15007). As you can see, BIOS Mode is Legacy and there is a single hard disk with Master Boot Record(MBR) volume:

001-getting-started-mbr2gpt

I have copied the MBR2GPT utility from a 15007 build on to the C: drive of this system. Running MBR2GPT.exe /? displays the following help output:

001-mbr2gpt

First thing I want to do here is test it using the /validate switch to see if it is actually going to work and what kind of output is going to be displayed by running:

MBR2GPT.EXE /disk:0 /validate /allowFullOS

This results in the following on-screen output:

002-getting-started-mbr2gpt

And the following output is logged in %windir% in the setupact.log:

003-getting-started-mbr2gpt

Now, I am going to run the command without the /validate switch. Notice the additional output on the command line and refreshing the disk volume properties shows it to be GUID Partition Table (GPT):

004-getting-started-mbr2gpt

Next, this is where we would run the vendor tool to change the correct BIOS settings (we will do that later in a Task Sequence when we automate the process), but for now I am going to reboot and hit the proper key to get into the BIOS settings.

After making the necessary changes (and I even enabled Secure Boot), notice that System Information displays the BIOS Mode as UEFI with Secure Boot State set to On:

005-getting-started-mbr2gpt

This first look at the MBR2GPT conversion utility looks very promising. Hopefully in the coming months as we get closer to the release of Windows 10 Creators Update we will start to get more information on it as well as what versions of Windows 10 will support it.

In my next blog, Using MBR2GPT with Configuration Manager OSD, I am going to show how we can integrate MBR2GPT into an OSD Task Sequence.

Originally posted on https://miketerrill.net/

BIOS to UEFI made easier with Windows 10 Creators Update

devices-windows-10-creators-update-banner

Back in December, Microsoft published a blog (Windows 10 Creators Update advances security and best-in-class modern IT tools) where they mentioned a conversion tool for making the conversion to UEFI:

“In-place UEFI conversion

We’ve heard from our customers that they want to take advantage of new Windows 10 security investments like Device Guard on their existing modern hardware, but many of these new features require UEFI-enabled devices. For those customers who have already provisioned modern Windows PCs that support UEFI but installed Windows 7 using legacy BIOS, converting a device to UEFI required an IT manager to repartition the disc and reconfigure the firmware. This meant they would need to physically touch each device in their enterprise. With the Creators Update, we will introduce a simple conversion tool that automates this previously manual work. This conversion tool can be integrated with management tools such as System Center Configuration Manager (ConfigMgr)* as part of the Windows 7 to Windows 10 in-place upgrade process.”

I disagree with their statement that you need to physically touch each device in the enterprise in order to make the conversion to UEFI, as I have engineered the process that we have been using at 1E in our Windows 10 Now solution since last year. However, in order to do the conversion and to be supported (which the 1E Windows 10 Now Solution is 100% supported) you need to completely format and partition the in order to change it from MBR to GPT. This presents other challenges, such as backing up and restoring user data and re-installing applications. There are other unsupported solutions out there (like GPTGen) that I know other vendors use that enable you to switch the disk layout from MBR to GPT without formatting and partitioning the disk, but I would steer clear of these solutions (and vendors) in order to continue to be supported by Microsoft.

In the Microsoft blog, they only made a mention of the ‘simple conversion tool’ and did not provide any details about it (like when to expect it, how to use it, etc.). Well, there was a nice little surprise that showed up in build 15007 of the Windows 10 Enterprise Insider Preview called MBR2GPT.EXE

001-mbr2gpt

This looks like the conversion utility that the blog post mentioned. Other than the MBR2GPT help, there is not much information about the utility and what versions of Windows 10 that will be supported. With this tool, more machines will qualify for an in-place upgrade (like machines that are currently running BIOS). There are still some in-place upgrade limitations out there, like 3rd party disk encryption (unless the vendor now supports in-place upgrade) or changing between architectures or base OS languages, that will still require a wipe-and-load approach (see Johan’s post Windows 10 Upgrade Limitations for a few others).

The other thing that needs to be done when using MBR2GPT is to set the correct vendor specific BIOS settings changes so that the system will boot UEFI after converting the disk layout. The order of the settings does matter and settings can vary among models from the same vendor. I have previously blogged about (Automating Dell BIOS-UEFI Standards for Windows 10) how to do this for Dell (they have the most consistent BIOS settings out of everyone). We also have a BIOS to UEFI tool that only comes with Nomad that abstracts all of the vendor settings that I have blogged about (Getting Started with 1E BIOS to UEFI) that has a slick UI in the form of a Task Sequence step.

003-1e-bios-to-uefi

(Yea, I know, I have heard from many of you that 1E should offer this as a stand alone tool – feel free to let them know at info@1e.com.)

In my next post, Getting Started with MBR2GPT, we will talk a look at this tool in action and keep in mind that this is pre-release software for now so do not use it in production yet!

Originally posted on https://miketerrill.net/

Disable “Check online for updates from Microsoft Update” in Windows 10

windows10bannerIf you are already managing your Windows 10 systems (currently 1607 and below) with System Center Configuration Manager, then chances are you might want to prevent certain users from also being able to “Check online for updates from Microsoft Update.” before you have had a chance to fully test the latest cumulative update or feature update. Unfortunately, when users go into Settings > Update & security they will see a Check for updates button and below that, a Check online for updates from Microsoft Update link.

001-check-online-for-updates-from-microsoft-update

By clicking that link, it will bypass System Center Configuration Manager and go directly to Microsoft Update to see what the latest updates are available and start installing them once they download. One way that you can prevent this from happing is to enable the Group Policy setting: Do not connect to any Windows Update Internet locations:

002-do-not-connect-to-any-windows-update-internet-locations

If you enable this setting, you will not only disable the ability to check online for updates from Microsoft Update, but you will also disable the ability to install software from the Windows Store. Now if you have not started using the Windows Store yet, then this might not be a problem. Also, this policy is only effective if the Specify intranet Microsoft update service location policy is set (which it should be if you are using System Center Configuration Manager for Software Updates):

003-do-not-connect-to-any-windows-update-internet-locations

 

Once enabled, the Check online for updates from Microsoft Update link will disappear:

004-check-online-for-updates-from-microsoft-update

Hopefully we will see an option in the future that will allow for the ability to disable this link without disabling the ability to install apps from the Windows Store.

Originally posted on https://miketerrill.net/