PXE Booting in the Real World

At the Midwest Management Summit today in the 7 AM OSD Birds of a Feather session, there was a lot of discussion around troubleshooting PXE booting issues. A reference was made to a session that Troy Martin and I gave at the 2014 Midwest Management Summit called PXE Booting in the Real World. Troy put together some nice SQL queries that help with the troubleshooting process:

 

/* Get list of devices and their Last PXE boot for (a) required deployments */
SELECT * FROM [CM_PS1].[dbo].[LastPXEAdvertisement] order by MAC_Addresses
 
/* Get item key for unknown records */
select * FROM [CM_PS1].[dbo].[UnknownSystem_DISC]
 
/* Is device known and a valid client on the site */
Use CM_PS1
exec NBS_LookupPXEDevice N'45A74041-2F02-4A5E-B413-CD35DDE47123',N'1E:1E:1E:1E:1E:B1'
exec NBS_LookupPXEDevice N'2DCFD0F8-9134-44A3-84BB-0BFC114ADD87',N'1E:1E:1E:1E:1E:B2'
 
/* Get list of deployments for device */
Use CM_PS1
exec NBS_GetPXEBootAction N'16777278',N'2046820352',N'45A74041-2F02-4A5E-B413-CD35DDE47123',N'1E:1E:1E:1E:1E:B1',N'CM12PS1.contoso.com'
exec NBS_GetPXEBootAction N'16777279',N'2046820353',N'2DCFD0F8-9134-44A3-84BB-0BFC114ADD87',N'1E:1E:1E:1E:1E:B2',N'CM12PS1.contoso.com'

Here is a link to the slide deck that contains more information and a bunch of useful references.

Originally posted on https://miketerrill.net/

How to create a HP BiosConfiguration Utility Package in ConfigMgr


HP has a utility that is similar to Dell’s Command | Configure utility (see How to create a Dell Command-Configure Package in ConfigMgr) called the HP BIOS Configuration Utility that allows for reading and setting BIOS/UEFI values on HP systems. The latest release (version 4.0.13.1 at the time of this blog post) can be found on the HP Client Management Solutions page in the Download Library. The HP BIOS Configuration Utility can be used to enable and standardize BIOS/UEFI settings automatically across the enterprise, yielding a consistent, standard environment. Now that Windows 10 is here, organizations are going to want to configure UEFI as the default so that they can leverage features like Secure Boot, Device Guard and Credential Guard.

The HP BIOS Configuration Utility is command line only (in other words, there is not a GUI component like Dell’s Command | Configure utility). However, the HP BIOS Configuration Utility can output an answer file that can then be applied to other systems. For this post, I am going to show you how to create a basic ConfigMgr Package that can be used as part of an OSD Task Sequence.

The first thing you need to do is download it from the HP Client Management Solutions page (or search on HP BIOS Configuration Utility) and install it on an HP system.

Next, create a directory on your ConfigMgr Package repository share where you store the source files for your ConfigMgr Packages (for example \\ContentSource\Packages\HP\BIOS Configuration Utility-WinPE\4.0.13.1).

Locate the install directory and copy the contents of the installation directory (minus the link to the User’s Guide) to the Package share. On an x64 system, the default install location is C:\Program Files (x86)\Hewlett-Packard\BIOS Configuration Utility.

01 Default Install Directory

Create a file in the root of the Package directory called BCU.cmd. Use the following for the contents of the file:

@ECHO OFF

set cmdline=%*

ECHO == Setting BIOS Settings ==
 
REM Determine Arch
IF "%PROCESSOR_ARCHITECTURE%" == "AMD64" GOTO :X64
GOTO X86
 
:X64
SET BCU="BiosConfigUtility64.exe"
GOTO RunBCU
 
:X86
SET BCU="BiosConfigUtility.exe"
GOTO RunBCU
 
:RunBCU
ECHO --Running command %BCU% %CMDLINE%
%BCU% %CMDLINE%
 
EXIT /B %errorlevel%

This file handles the logic to run the correct exe based on the currently detected platform. The final Package source directory should look like the following:

02 HP BIOS Config Package Source Directory

Create a Package in ConfigMgr like you normally would and distribute it to the Distribution Points. A Program is not required, so that can be skipped.

In a future post, I will show how this can be used in an OSD Task Sequence.

Originally posted on http://miketerrill.net

Automating Dell BIOS-UEFI Standards for Windows 10


If you are starting to deploy Windows 10 (or are currently deploying Windows 8/8.1), then now is the time to make the switch to UEFI.  A system needs to be configured for UEFI (without Compatibility Support Module being enabled) in order to take advantage of Secure Boot (and other Windows 10 security features like Device Guard).  Secure Boot prevents loading of drivers and OS loaders that are not signed with a certified digital signature, thus preventing malware and rootkits that alter the boot process.

The first versions of Windows to support Secure Boot were Windows 8 and Windows Server 2012.  If you were one of the many companies that either skipped Windows 8/8.1 or only deployed it in limited quantities, then chances are you deployed your systems in legacy BIOS mode.  This means that your Windows 7 systems have MBR partitioned disks and, in order to make the switch to UEFI, these systems need to be re-partitioned.  This is one of the limitations of using the Windows 10 In-place upgrade method, as it does not support changing the disk partitioning structure.  The quickest approach to getting to Windows 10 is the In-place upgrade path and it might make sense to do this on the systems that qualify.  For the ones that don’t (including brand new systems), you definitely want to start configuring them for UEFI and Secure Boot now!

In my previous post, How to create a Dell Command-Configure Package in ConfigMgr, I showed how you could set up the Dell Command-Configure Package in order to use it in OSD Task Sequences.  Now, I am going to show you an example on how it can be used in WinPE via PXE boot (of course, I use 1E PXE Everywhere 3.0 which is part of Nomad 6.0) to enforce these standards.  This will not only increase standardization in your environment, but also prevent costly mistakes made by manual processes.

The first thing we need to do is create a custom Task Sequence.  For this example, I am going to give it the name of BIOS-UEFI Configuration for Windows 10.

001 Create TS

NOTE: This Task Sequence example will only work on systems that already have a formatted disk.  We will cover handling bare disks at another time.

Once created, edit the Task Sequence.  For those of you using Nomad, create the Set Nomad as Download Program (new in Nomad 6.0) and Install and Configure Nomad in Windows PE as the first two steps.  Otherwise, add an Apply Operating System Image step called Dummy Step to trick CM and put a Task Sequence variable condition on the step so that the TS variable NEVERTRUE equals TRUE.

002 NeverTrue equals True

This is very important for two reasons: (1) it will make CM set this as an OSD TS so that we can boot into WinPE and run it, and (2) the condition will always evaluate to false and allow the step to be skipped (because we really do not want to apply an OS image yet).

Next, add a Group called Dell BIOS-UEFI Configuration and put a WMI condition on the group with the following query:


Select * From Win32_ComputerSystem WHERE Manufacturer LIKE "%DELL%"

003 Dell Group conditions

This way it will only apply to Dell systems if you use other OEMs in your environment and it will make it easier to copy and paste into other Task Sequences.

Each of the following steps in this group will be Run Command Line steps that reference the Package Dell Command-Configure-WinPE 3.1.0.250.  I have split out each of the steps in order to make the solution modular.  In other words, not all settings may apply to all Dell models and conditions can be set on the individual steps accordingly.  So, be sure to test against all models that you support.  Another reason for splitting out the steps is that you will get output from each of the commands.  I have included steps that will attempt to get the current setting prior to the step that actually sets the value.  Some of the output can be read from the status messages that are sent back to ConfigMgr, while other output will only be reflected in the smsts.log.  For the steps that get the current values, I have made those ‘continue on error’ in order to prevent the Task Sequence from failing on non-zero return values.  Getting the Secure Boot value is one example: it returns a non-zero exit code (along with the text “The option ‘secureboot’ is not enabled”) if Secure Boot is not enabled, which would otherwise cause the Task Sequence to fail at that point.  In other words, we do not care if it fails reading a value, but we do care if it fails setting a value.

Also, these settings are ones that I would set, so please research each one using the Dell Command-Configure documentation and set the values that work for your environment.

Here is a list of the settings:
NOTE: each of the commands uses a double dash, which is hard to see from the screenshots.


Name: Install Dell HAPI Drivers
Command line: HAPIInstall.cmd

Name: Current Active Boot List
Command line: cctk.cmd bootorder --activebootlist

Name: Enable UEFI
Command line: cctk.cmd bootorder --activebootlist=uefi

Name: Current Legacy ROM Setting
Command line: cctk.cmd --legacyorom

Name: Disable Legacy ROMs
Command line: cctk.cmd --legacyorom=disable

Name: Current Secure Boot Setting
Command line: cctk.cmd --secureboot

Name: Enable Secure Boot
Command line: cctk.cmd --secureboot=enable

Name: Current Wake On Lan Setting
Command line: cctk.cmd --wakeonlan

Name: Enable Wake On Lan
Command line: cctk.cmd --wakeonlan=enable

Name: Current UEFI PXE Setting
Command line: cctk.cmd --uefinwstack

Name: Enable UEFI Network Stack
Command line: cctk.cmd --uefinwstack=enable

Name: Current SATA-RAID Setting
Command line: cctk.cmd --embsataraid

Name: Set SATA Operation - AHCI
Command line: cctk.cmd --embsataraid=ahci

Name: Set PXE Boot on next boot
Command line: cctk.cmd --forcepxeonnextboot=enable

004 Enable UEFI
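The failure policy described above (query steps may fail, set steps may not), written as one script. This is an added example, not part of the original post or its exported Task Sequence; it assumes PowerShell is available in the boot image and that it runs from the root of the Dell Command-Configure-WinPE package, and the names Invoke-FirmwareStep and -DryRun are hypothetical.

```powershell
# Added example, not from the original post or its exported Task Sequence.
# Assumes PowerShell is present in the boot image and that the script runs
# from the root of the Dell Command-Configure-WinPE package.
param(
    [switch]$DryRun   # hypothetical switch: list the commands without running them
)

# One entry per Run Command Line step listed above, in the same order.
# Required = $false is the equivalent of 'continue on error' on a query step.
$steps = @(
    @{ Name = 'Install Dell HAPI Drivers';   Exe = '.\HAPIInstall.cmd'; Arguments = @();                                 Required = $true  }
    @{ Name = 'Current Active Boot List';    Exe = '.\cctk.cmd'; Arguments = @('bootorder', '--activebootlist');        Required = $false }
    @{ Name = 'Enable UEFI';                 Exe = '.\cctk.cmd'; Arguments = @('bootorder', '--activebootlist=uefi');   Required = $true  }
    @{ Name = 'Current Legacy ROM Setting';  Exe = '.\cctk.cmd'; Arguments = @('--legacyorom');                         Required = $false }
    @{ Name = 'Disable Legacy ROMs';         Exe = '.\cctk.cmd'; Arguments = @('--legacyorom=disable');                 Required = $true  }
    @{ Name = 'Current Secure Boot Setting'; Exe = '.\cctk.cmd'; Arguments = @('--secureboot');                         Required = $false }
    @{ Name = 'Enable Secure Boot';          Exe = '.\cctk.cmd'; Arguments = @('--secureboot=enable');                  Required = $true  }
    @{ Name = 'Current Wake On Lan Setting'; Exe = '.\cctk.cmd'; Arguments = @('--wakeonlan');                          Required = $false }
    @{ Name = 'Enable Wake On Lan';          Exe = '.\cctk.cmd'; Arguments = @('--wakeonlan=enable');                   Required = $true  }
    @{ Name = 'Current UEFI PXE Setting';    Exe = '.\cctk.cmd'; Arguments = @('--uefinwstack');                        Required = $false }
    @{ Name = 'Enable UEFI Network Stack';   Exe = '.\cctk.cmd'; Arguments = @('--uefinwstack=enable');                 Required = $true  }
    @{ Name = 'Current SATA-RAID Setting';   Exe = '.\cctk.cmd'; Arguments = @('--embsataraid');                        Required = $false }
    @{ Name = 'Set SATA Operation - AHCI';   Exe = '.\cctk.cmd'; Arguments = @('--embsataraid=ahci');                   Required = $true  }
    @{ Name = 'Set PXE Boot on next boot';   Exe = '.\cctk.cmd'; Arguments = @('--forcepxeonnextboot=enable');          Required = $true  }
)

function Invoke-FirmwareStep {
    param([hashtable]$Step, [bool]$Simulate)
    $stepArgs = $Step.Arguments
    if ($Simulate) {
        $text = "DRYRUN: $($Step.Exe) $($stepArgs -join ' ')"
        $code = 0
    } else {
        # The wrapper .cmd files return the tool's exit code via EXIT /B.
        $text = (& $Step.Exe @stepArgs | Out-String).Trim()
        $code = $LASTEXITCODE
    }
    [pscustomobject]@{ Name = $Step.Name; Required = $Step.Required; ExitCode = $code; Output = $text }
}

# Run the steps in order; stop at the first failed step that changes a setting.
$results = foreach ($step in $steps) {
    $r = Invoke-FirmwareStep -Step $step -Simulate $DryRun.IsPresent
    $r
    if ($r.Required -and $r.ExitCode -ne 0) {
        Write-Warning "Step '$($r.Name)' failed with exit code $($r.ExitCode): $($r.Output)"
        break
    }
}

$results | Format-Table Name, Required, ExitCode -AutoSize
$failed = @($results | Where-Object { $_.Required -and $_.ExitCode -ne 0 })
if ($failed.Count -gt 0) { exit $failed[0].ExitCode }
exit 0
```

Unlike the split Task Sequence steps, a single script cannot carry per-model conditions on individual settings, so it suits a lab check more than a replacement for the group.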

Outside of the Dell BIOS-UEFI Configuration Group, I put a Run Command Line step called Pause with the condition that the Task Sequence variable PAUSE equals TRUE.  This is useful for testing and/or troubleshooting as it will launch a command line and prevent the Task Sequence from finishing.  Simply put the PAUSE variable on either the collection targeted or a device that is being tested.

The last step is a Set Task Sequence Variable step called Restart WinPE.  This sets the Task Sequence variable SMSTSPostAction to the value wpeutil reboot.  This allows the Task Sequence to finish cleanly.

Hopefully you have found this information useful and it gets you well on your way for standardizing your environment’s BIOS-UEFI settings. By making the change to UEFI, it will allow you to take full advantage of the security features in Windows 10.  Now when you boot into WinPE and run the OSD Task Sequence wizard, it will detect that the system is running UEFI (_SMSTSBootUEFI = TRUE) and the disk will be partitioned and formatted accordingly.

You can also download an export of the Task Sequence (updated for CM 1511) here: Dell BIOS-UEFI Configuration for Windows 10 x64.zip

Originally posted on https://miketerrill.net/

How to create a Dell Command-Configure Package in ConfigMgr


Dell recently released the Dell Command | Configure utility (previously known as the Dell Client Configuration Toolkit – CCTK) that allows IT Pros to configure and manage Dell Enterprise client systems.  The latest release (version 3.1 at the time of this blog) includes support for Windows 10 and WinPE 10.  The Command | Configure utility can be used to enable and standardize BIOS settings automatically across the enterprise, yielding a consistent, standard environment.  Now that Windows 10 is here, organizations are going to want to configure UEFI as the default so that they can leverage features like Secure Boot and Device Guard.

Like the CCTK, there is a GUI component and a command line component that can be installed.  For this post, I am going to show you how to create a basic Package that can be used as part of an OSD Task Sequence under WinPE.

The first thing you need to do is download from here (or search on Dell Command Configure) and install it on a Dell system that is already running Windows 7/8/8.1/10.

Next create a directory on your ConfigMgr Package repository share where you store the source files for your ConfigMgr Packages (for example \\ContentSource\Packages\Dell\Command-Configure-WinPE\3.1.0.250).

Locate the install directory and copy the X86 and X86_64 sub folders to the Package share.  On an x64 system, the default location is C:\Program Files (x86)\Dell\Command Configure.

001 Install Directory

Create a file in the root of the Package directory called cctk.cmd.  Use the following for the contents of the file:


@ECHO OFF

set cmdline=%*

ECHO == Setting BIOS Settings ==

REM Determine Arch
IF "%PROCESSOR_ARCHITECTURE%" == "AMD64" GOTO :X64
GOTO X86

:X64
SET CCTKPath="x86_64"
GOTO RunCCTK

:X86
SET CCTKPath="x86"
GOTO RunCCTK

:RunCCTK
ECHO --Running command %CCTKPath%\cctk.exe %CMDLINE%
%CCTKPath%\cctk.exe %CMDLINE%

EXIT /B %errorlevel%

Next, create another file in the root of the Package directory called HAPIInstall.cmd.  Use the following for the contents of the file:


@echo off
REM Determine Arch
IF "%PROCESSOR_ARCHITECTURE%" == "AMD64" GOTO :X64
GOTO X86

:X64
x86_64\hapi\hapint.exe -i -k C-C-T-K -p "hapint.exe"
GOTO END

:X86
x86\hapi\hapint.exe -i -k C-C-T-K -p "hapint.exe"
GOTO END

:END

Both of these files handle the logic to install either x86 or x64 based on the currently detected platform.  The final Package source directory should look like the following:

002 Package Source Directory

Create a Package in ConfigMgr like you normally would and distribute to the Distribution Points.  A Program is not required, so that can be skipped.

In an upcoming post, I will show how this can be used in an OSD Task Sequence.

Originally posted on http://miketerrill.net

Testing Required PXE Booting without the OS Deployment

If you have ever had the need to test the PXE booting capabilities in System Center 2012 Configuration Manager using a Required Deployment, but did not want the OS Deployment part, then this blog is for you.  With Available Deployments, the user has to press an additional key to get the system to PXE boot.  Once the system boots into WinPE, the wizard is displayed with the list of available Task Sequences.  This makes it nice and easy to test PXE booting functionality and network connectivity of your boot image without starting an actual Task Sequence.  However, with a Required Deployment, no additional key press is required and when you are in WinPE, it is off to the races.  Not a big deal if you are testing on virtual machines, but what if you want to test on a new physical device that you need to roll out and you do not want to go through the whole OSD process?

You could simply put a pause in the beginning of a full Task Sequence, but why bother since there are likely more policies that need to be downloaded.  Also, why take the risk?  Here is a simple three step Task Sequence that you can use to do all of the Required (and Available) PXE boot testing without the OS Deployment.

Start by creating a new custom task sequence and add the boot image you want to test with under the Advanced tab of the Task Sequence Properties:

01 Required PXE

Next, edit the Task Sequence and add an Apply Operating System Image step, selecting an existing image package.  This step is required to make CM think that it is an OSD Task Sequence.

02 Required PXE

Click on the Options tab in order to create a condition so that the step will always evaluate to false.  This can be done by testing for a Task Sequence variable named NEVERTRUE equals TRUE (or if you want to mess with your coworker you can use their NAME equals AWESOME – but just in case they really are awesome you might not want to do this):

03 Required PXE

Create a second step using the Run Command Line step so the TS will pause.  Having this pause is useful when multi-tasking and you look away and miss it.  It also gives you the option to do other cool stuff like dump the Task Sequence variables.  Enter the following for the command line: cmd.exe /c "start /wait cmd.exe"
(Be careful of “smart” quotes if copy and pasting.)

04 Required PXE

Set continue on error on the Options tab.

05 Required PXE

Create a third step using the Run Command Line step so the TS will reboot WinPE.  Enter the following for the command line: wpeutil reboot
Set continue on error on the Options tab on this step as well.

06 Required PXE

Save your changes and then test it by creating a Required Deployment to a test collection to enjoy non-destructive Required PXE Booting!

Originally posted on https://miketerrill.net/

My Sessions at the Midwest Management Summit


I am really honored to have been a speaker at the first ever Midwest Management Summit (aka the new MMS), that took place November 10th – 12th in Minnesota.  This event was the who’s who of systems management and did not disappoint.  There were over 100 sessions delivered in three days by 50+ experts (which included 32 Microsoft MVPs).  This is one conference and training event that you will not want to miss next year.

I also got the opportunity to present again with my co-worker and good friend Troy Martin.  Troy and I presented the following two sessions:

Hacking the Task Sequence

We will go behind the scenes of the CM OSD Task Sequence engine to look at all of the Task Sequence variables.  Mike and Troy will show you:

  • Tips and tricks on how to pause, interact and resume a Task Sequence when developing your own custom steps.
  • How to overcome certain limitations like read only variables.
  • How to tweak your Boot Images so that they always contain the tools and utilities that are needed for ultimate success.
  • How the task sequence works “under the hood” and some cool tips for manipulating it.

MMS – Hacking the Task Sequence.pptx

PXE Booting in the Real World

This session will focus on how PXE works and what it takes to get it working in the real world using System Center 2012 R2 Configuration Manager.  In addition to the native PXE boot capabilities in CM, this session will also cover the benefits and capabilities of PXE Everywhere from 1E.

Having difficulty performing zero touch because of 3rd party disk encryption?  Come learn the possibilities that open up when using PXE in your environment. Learn about PXE and what it takes to get up and running.

MMS – PXE Booting in the Real World.pptx

I also got to present for the first time with my co-worker Shawn Cardamon.  For those of you that have not met him, he is full of energy and constantly cracking jokes.  It was a fun presentation and we announced our upcoming 1E Solution Accelerator called 1E Enforcement that we will be releasing for free in the near future.

Advanced Application Management

System Center 2012 Configuration Manager application policies are evaluated prior to content being transferred, so that it can be determined if the software is actually needed in the first place. Applications make use of the re-evaluation cycle which is enabled by default for all required deployments. This can cause potential issues if a rigid software distribution process is not followed. Come join us in this session as we take a deep look inside Applications and demonstrate some of the pros and cons. Also learn how to do selective Application enforcement and enforce only those Applications that always need to be installed. Learn about Applications and application enforcement.

MMS – Advanced Application Management.pptx

Since 1E was a MMS Platinum Sponsor, we also gave a session on all the cool things that we do at 1E and how we help our customers save money.  For that session, I was joined by Troy, Shawn and also Liam Morrison.

World Class Solutions for Real World Problems

At 1E, our sole mission is to reduce the costs of running IT for our customers and provide avenues to true business value.

Many demands are being placed on IT today to deliver products and services which keep up with the consumerization of IT, provide stronger automation, and at the same time lower overall cost to the business. This session will cover what we see as the true circle of influence systems management has on an organization and how these things may be achieved. For example:

  • Are you currently facing a software audit or need to reduce costs on software licenses?  AppClarity can help by identifying software installation and usage. It can even remove unused installations to prevent further license purchases or audit exposures.
  • Are your users asking about BYOD? Are you constantly providing laptops for contractors and consultants?  With MyWorkNow you can provide a secure virtual corporate Windows desktop at a fraction of the price to any Mac or PC.
  • Are your users looking for an easy way to request and install software?  Has it been challenging to manage and assure the right applications are being installed for your users during an OS deployment? Shopping is the App Store for the Enterprise that puts users and IT in control, each being able to focus on more strategic efforts.
  • Stuck managing a large SCCM infrastructure? Do you have multiple locations to manage with SCCM?  Regardless of size, with Nomad you can eliminate the need for 95%+ of servers from SCCM architectures and still be able to perform all of the functions of SCCM like SWD, OSD and SUM.

Come and learn about 1E’s world class solutions and how they address real world problems.

MMS – World Class Solutions for Real World Problems.pptx

This conference was a great way to end the year and I am already looking forward to the next one!

Originally posted on https://miketerrill.net/

Using PowerShell to Create a BCD File

Recently, I was curious to see if I could get 1E PXE Everywhere (included with 1E Nomad) to boot a MDT Lite Touch boot image.  Since PXE Everywhere integrates with System Center Configuration Manager, it automatically creates the necessary BCD files based on the ConfigMgr boot images.  So that left me with using the command line utility bcdedit to generate the BCD file that I needed for the MDT Boot Image.  Not that there is anything wrong with bcdedit, it just requires a bit of typing out long commands.  It returns a GUID when the OSLOADER is created that then needs to be used in some of the follow up commands.  This is where I thought it would be nice to have a simple PowerShell cmdlet to do it for me – the only problem is one does not currently exist.  So after a bit of playing around with the syntax, I came up with the function below.  It still calls bcdedit, but because of the way PowerShell uses certain characters, it is necessary to use various escape techniques.

This is a quick script to get the job done, so there is not any type of error handling or logging.  Also, I follow the PXE Everywhere naming convention of boot.xxxxx.bcd, so feel free to modify the script to your needs or preferences.

#Create-BCD
#Author: Mike Terrill
#Version 1.0

#Disclaimer:
#Your use of these example scripts or cmdlets is at your sole risk. This information is provided “as-is”, without any warranty, whether express or implied, of accuracy,
#completeness, fitness for a particular purpose, title or non-infringement. I shall not be liable for any damages you may sustain by using these examples, whether direct,
#indirect, special, incidental or consequential.

#Usages:
#Create-BCD Name Platform TFTPBlockSize
#Example:
#Create-BCD LiteTouchPE x64 8192
#Will create a BCD file called boot.LiteTouchPE_x64.bcd with a TFTPBlockSize of 8192

function Create-BCD {
    [CmdletBinding()]
    param (
    [Parameter(Mandatory=$true,ValueFromPipeline=$true)][string]$Name,
    [Parameter(Mandatory=$true,ValueFromPipeline=$true)][string]$Platform,
    [Parameter(Mandatory=$true,ValueFromPipeline=$true)][int]$TFTPBlockSize
    )

    $ImageName = $Name + "_" + $Platform
    $BCDFileName = "boot.$ImageName.bcd"
    bcdedit /createstore $BCDFileName
    bcdedit /store $BCDFileName /create "{bootmgr}"
    bcdedit /store $BCDFileName /set --%{bootmgr} description "Boot Manager"
    bcdedit /store $BCDFileName /set --%{bootmgr} fontpath \Boot\Fonts
    bcdedit /store $BCDFileName /create --%{ramdiskoptions} /d "Windows PE"
    bcdedit /store $BCDFileName /set --%{ramdiskoptions} ramdisksdidevice boot
    bcdedit /store $BCDFileName /set --%{ramdiskoptions} ramdisksdipath \boot.sdi
    #Grab the output that contains the GUID
    $x = bcdedit /store $BCDFileName /create /d "$ImageName" /application OSLOADER
    $GUID = $x|%{$_.split(' ')[2]}
    bcdedit /store $BCDFileName /default $GUID
    cmd /c "bcdedit /store $BCDFileName /set {default} device ramdisk=[boot]\Images\$ImageName\boot.$ImageName.wim,{ramdiskoptions}"
    cmd /c "bcdedit /store $BCDFileName /set {default} osdevice ramdisk=[boot]\Images\$ImageName\boot.$ImageName.wim,{ramdiskoptions}"
    bcdedit /store $BCDFileName /set --%{default} systemroot \WINDOWS
    bcdedit /store $BCDFileName /set --%{default} winpe Yes
    bcdedit /store $BCDFileName /set --%{default} detecthal Yes
    cmd /c "bcdedit /store $BCDFileName /set {ramdiskoptions} ramdisktftpblocksize $TFTPBlockSize"
    }

Using the example inputs will generate the following output (bcdedit /store boot.LiteTouchPE_x64.bcd /enum all):

Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Boot Manager
fontpath                \Boot\Fonts
default                 {default}

Windows Boot Loader
-------------------
identifier              {default}
device                  ramdisk=[boot]\Images\LiteTouchPE_x64\boot.LiteTouchPE_x64.wim,{ramdiskoptions}
description             LiteTouchPE_x64
osdevice                ramdisk=[boot]\Images\LiteTouchPE_x64\boot.LiteTouchPE_x64.wim,{ramdiskoptions}
systemroot              \WINDOWS
detecthal               Yes
winpe                   Yes

Setup Ramdisk Options
---------------------
identifier              {ramdiskoptions}
description             Windows PE
ramdisksdidevice        boot
ramdisksdipath          \boot.sdi
ramdisktftpblocksize    8192
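Because Create-BCD has no error handling, the resulting store is worth checking before it is served over TFTP. The following is an added example, not part of the original script: it parses the /enum all text into entries and compares them with the values Create-BCD is meant to write. The function names ConvertFrom-BcdEnum and Test-PxeBcd are hypothetical, and the embedded sample is the output shown above.

```powershell
# Added example, not part of the original Create-BCD script.
# Parses "bcdedit /store <file> /enum all" text into one dictionary per entry.
function ConvertFrom-BcdEnum {
    param([string[]]$Lines)
    $entries = New-Object System.Collections.ArrayList
    $current = $null
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        if ($line -match '^-+\s*$') { continue }   # rule under a section title
        if (($i + 1) -lt $Lines.Count -and $Lines[$i + 1] -match '^-+\s*$') {
            # A line followed by a dashed rule starts a new entry.
            $current = [ordered]@{ Section = $line.Trim() }
            [void]$entries.Add($current)
            continue
        }
        if ($null -ne $current -and $line -match '^(\S+)\s+(\S.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $entries
}

# Returns a list of problems; an empty result means the store looks as intended.
function Test-PxeBcd {
    param($Entries, [string]$ImageName, [int]$TFTPBlockSize)
    $problems = @()
    $expected = "ramdisk=[boot]\Images\$ImageName\boot.$ImageName.wim,{ramdiskoptions}"
    $loader  = $Entries | Where-Object { $_['identifier'] -eq '{default}' } | Select-Object -First 1
    $ramdisk = $Entries | Where-Object { $_['identifier'] -eq '{ramdiskoptions}' } | Select-Object -First 1
    if ($null -eq $loader) {
        $problems += 'no {default} boot loader entry (GUID capture or /default failed)'
    } else {
        foreach ($key in 'device', 'osdevice') {
            if ($loader[$key] -ne $expected) {
                $problems += "$key is '$($loader[$key])', expected '$expected'"
            }
        }
        if ($loader['winpe'] -ne 'Yes') { $problems += 'winpe is not set to Yes' }
    }
    if ($null -eq $ramdisk) {
        $problems += 'no {ramdiskoptions} entry'
    } elseif ($ramdisk['ramdisktftpblocksize'] -ne "$TFTPBlockSize") {
        $problems += "ramdisktftpblocksize is '$($ramdisk['ramdisktftpblocksize'])', expected $TFTPBlockSize"
    }
    return $problems
}

# Sample input: the /enum all output shown in the post for boot.LiteTouchPE_x64.bcd.
$sample = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Boot Manager
fontpath                \Boot\Fonts
default                 {default}

Windows Boot Loader
-------------------
identifier              {default}
device                  ramdisk=[boot]\Images\LiteTouchPE_x64\boot.LiteTouchPE_x64.wim,{ramdiskoptions}
description             LiteTouchPE_x64
osdevice                ramdisk=[boot]\Images\LiteTouchPE_x64\boot.LiteTouchPE_x64.wim,{ramdiskoptions}
systemroot              \WINDOWS
detecthal               Yes
winpe                   Yes

Setup Ramdisk Options
---------------------
identifier              {ramdiskoptions}
description             Windows PE
ramdisksdidevice        boot
ramdisksdipath          \boot.sdi
ramdisktftpblocksize    8192
'@

$entries  = @(ConvertFrom-BcdEnum -Lines ($sample -split '\r?\n'))
$problems = @(Test-PxeBcd -Entries $entries -ImageName 'LiteTouchPE_x64' -TFTPBlockSize 8192)
if ($problems.Count -eq 0) { 'BCD store matches the expected PXE layout' } else { $problems }
```

To check a real store, pass the lines returned by bcdedit /store boot.LiteTouchPE_x64.bcd /enum all instead of the embedded sample.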

And if you were wondering if I got 1E PXE Everywhere to boot a MDT LiteTouch boot image – the answer is absolutely!

Originally posted on https://miketerrill.net/