Our last webinar was co-hosted by MVP rockstar Jörgen Nilsson. He and I were presented with over 50 questions during and after the session–all of which you can find the answers to in 2 blog posts available now. You can always re-watch the webinar on-demand! Let’s dive in:
A BIOS password is recommended for two reasons. First, it keeps one password in use across the estate, so no local subsidiary sets its own password, which would make scripting the firmware settings impossible later. Second, it keeps users and local IT from turning off security features in the BIOS to troubleshoot. Doing so not only stops Credential Guard from working, for instance, but also triggers a BitLocker recovery, since BitLocker seals its key to the measured boot configuration and a change to Secure Boot or TPM settings invalidates that measurement.
A refresh is where the disk is not fully formatted before the operating system image is applied, preserving the protected areas where data has been backed up. Wipe and load, as the term was used in the presentation, describes formatting the disk before applying the operating system image, which preserves nothing on the disk.
Whether it is McAfee or any other vendor I am aware of, a BIOS to UEFI conversion cannot be done easily while third-party disk encryption is in place. One method is to decrypt the drive, perform the in-place upgrade to Windows 10, convert from BIOS to UEFI with the MBR2GPT tool, then re-encrypt; the decrypt/encrypt portions alone will probably take the better part of a day or more. The other method is to use one of the two approaches I outlined during the webinar, which we will cover in more depth in a follow-up blog post.
No, I have not seen any. Typically these are handled with the wipe and load method.
The tool from Microsoft, MBR2GPT.exe, only converts the disk from MBR to GPT partitioning. It does not touch the hardware firmware settings. For those, you need either the vendor tools and scripts or the 1E BIOS to UEFI tool, which covers many Dell, HP and Lenovo models. The two changes belong in the same maintenance window: Windows booted via UEFI needs a GPT disk with an EFI System Partition, and a legacy BIOS boot needs MBR, so convert the disk and switch the firmware before the next restart into the full OS.
This webinar is less about the process that has been covered previously and more about some of the more common challenges.
Yes. A blog that is coming soon from 1E will make the 1E ones available. (Jörgen will be making many of his available soon as well!)
Using either the vendor's native tools with custom scripts or the 1E BIOS to UEFI tools that come with Nomad, you would, at a high level:
- Address / confirm BIOS passwords
- Address any recovery partitions prior to the in-place upgrade to Windows 10
- In-place upgrade to Windows 10
- Restart into WinPE 1703 or higher
- Convert your disk using MBR2GPT
- Change your firmware settings to UEFI & Secure Boot
- Enable TPM & virtualization
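As an added example (mine, not code from the webinar, 1E or Jörgen), here is a PowerShell pre-flight for the "Convert your disk using MBR2GPT" step above. It fails early, with a readable reason, on the conditions MBR2GPT itself enforces (MBR disk, at most three partitions, /allowFullOS outside WinPE) and confirms the result before the firmware-settings step runs. It assumes the Windows disk is disk 0 and an elevated session; the MBR2GPT switches are Microsoft's documented ones, and in WinPE the Storage cmdlets need the PowerShell and StorageWMI optional components.

```powershell
# Added example: gate the MBR2GPT step with the checks MBR2GPT enforces, so a task
# sequence fails early with a readable reason instead of a bare exit code.
# Assumptions (not from the original post): system disk is disk 0, session is elevated.
param(
    [int]$DiskNumber = 0,
    [switch]$Convert,                                   # without this, stop after /validate
    [string]$LogDir = (Join-Path $env:TEMP 'MBR2GPT')
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# 1. Only an MBR disk needs converting; GPT means it already happened (or this is the wrong disk).
$disk = Get-Disk -Number $DiskNumber
if ($disk.PartitionStyle -ne 'MBR') {
    throw "Disk $DiskNumber is already $($disk.PartitionStyle); nothing to convert."
}

# 2. MBR2GPT needs a free MBR slot for the EFI System Partition: at most three partitions.
#    Leftover recovery partitions from earlier OS versions are the usual offender, which is
#    why the task sequence addresses them before the in-place upgrade.
$partitions = @(Get-Partition -DiskNumber $DiskNumber)
if ($partitions.Count -gt 3) {
    throw "Disk $DiskNumber has $($partitions.Count) partitions; MBR2GPT allows at most 3."
}
$partitions | Format-Table PartitionNumber, Type, Size, DriveLetter -AutoSize

# 3. Outside WinPE, MBR2GPT refuses to run unless /allowFullOS is given.
#    The MiniNT registry key only exists in WinPE, so it is a reliable test.
$inWinPE = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNT'
$common  = @("/disk:$DiskNumber", "/logs:$LogDir")
if (-not $inWinPE) { $common += '/allowFullOS' }

$mbr2gpt = Join-Path $env:SystemRoot 'System32\MBR2GPT.exe'   # X:\Windows\System32 in WinPE

# 4. Validate first. This is non-destructive and reports the layout problems MBR2GPT cares about.
& $mbr2gpt /validate @common
if ($LASTEXITCODE -ne 0) {
    throw "MBR2GPT /validate failed (exit $LASTEXITCODE); see $LogDir\setupact.log and setuperr.log"
}
Write-Host "Disk $DiskNumber passed MBR2GPT validation."

if (-not $Convert) { return }

# 5. Convert. From here on the disk boots only under UEFI, so the firmware switch to
#    UEFI + Secure Boot must follow in the same task sequence, before the next full-OS boot.
& $mbr2gpt /convert @common
if ($LASTEXITCODE -ne 0) {
    throw "MBR2GPT /convert failed (exit $LASTEXITCODE); see $LogDir"
}

# 6. Re-read the disk and confirm the result before handing over to the firmware step.
Update-HostStorageCache
$after = Get-Disk -Number $DiskNumber
if ($after.PartitionStyle -ne 'GPT') {
    throw "Conversion reported success but disk $DiskNumber is still $($after.PartitionStyle)."
}
Write-Host "Disk $DiskNumber is now GPT. Switch firmware to UEFI/Secure Boot before rebooting."
```

Run it without -Convert as a dry run in the full OS after the in-place upgrade; run it with -Convert from the WinPE 1703+ step, immediately followed by the vendor or 1E firmware-settings step.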
Currently there is no method we know of but both Jörgen and I are researching!
If the TPM is currently owned, no, it requires physical presence to ensure that malware isn’t involved.
Yes. You can either choose to perform a refresh then the BIOS to UEFI conversion or an in-place upgrade, then the BIOS to UEFI conversion.
All third-party disk encryption products that we are aware of today require one of two approaches: (1) decrypt, upgrade or refresh, convert from BIOS to UEFI using the 1E tools, then re-encrypt; or (2) back up, wipe, convert using the 1E tools, load, then restore. The latter is faster in most cases.
Secure Boot for the system and Credential Guard and Device Guard within the OS.
Both Credential Guard and Device Guard utilize virtualization.
Yes, when you use a third-party (non-BitLocker) encryption tool. BitLocker is native to the OS, and Microsoft provides methods for it that are easy to work with.
No, the 1E tools do not directly address BIOS updates. In most cases you can perform these updates prior to your upgrade of the OS. In some cases, if your BIOS version is too far behind, you may have to do two updates: one to reach the minimum level the latest update requires, then the latest itself. Typically you follow the vendor's instructions for installing them in an unattended manner.
Virtualization support is required for the security features Credential Guard and Device Guard.
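The answers above on Secure Boot, Credential Guard, Device Guard and virtualization describe the end state the conversion is meant to reach. As an added example (mine, not part of the webinar or the 1E tooling), this PowerShell function reports that end state on an upgraded Windows 10 device using only built-in cmdlets and CIM classes, so a task sequence or compliance check can tell a half-finished conversion from a complete one. It assumes an elevated session and that the system disk is disk 0.

```powershell
# Added example: verify boot mode, Secure Boot, TPM, virtualization and what VBS is
# actually running after the BIOS-to-UEFI conversion.
# Assumptions (mine, not the post's): elevated session on Windows 10, system disk is disk 0.
function Get-UefiSecurityPosture {
    [CmdletBinding()]
    param([int]$DiskNumber = 0)

    $r = [ordered]@{}

    # Boot mode and partition style. Windows sets firmware_type to 'UEFI' or 'Legacy' at boot.
    $r.FirmwareType   = $env:firmware_type
    $r.PartitionStyle = (Get-Disk -Number $DiskNumber).PartitionStyle

    # Confirm-SecureBootUEFI throws on a legacy-BIOS boot; treat that as "not enabled".
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBoot = $false }

    # TPM: present and ready (enabled, activated, owned). Credential Guard and BitLocker want this.
    try   { $tpm = Get-Tpm; $r.TpmPresent = $tpm.TpmPresent; $r.TpmReady = $tpm.TpmReady }
    catch { $r.TpmPresent = $false; $r.TpmReady = $false }

    # Win32_DeviceGuard reports what VBS is doing.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (the Device Guard code-integrity piece).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r.VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $r.CredentialGuard = (@($dg.SecurityServicesRunning) -contains 1)
    $r.Hvci            = (@($dg.SecurityServicesRunning) -contains 2)

    # Virtualization in firmware. Caveat: once a hypervisor (VBS) is running it masks the
    # CPUID bit, so Win32_Processor can report False even though it is enabled; a running
    # VBS is itself proof that virtualization is on.
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $r.VirtualizationEnabled = [bool]$cpu.VirtualizationFirmwareEnabled -or $r.VbsRunning
    $r.SlatSupported         = [bool]$cpu.SecondLevelAddressTranslationExtensions

    [pscustomobject]$r
}

$posture = Get-UefiSecurityPosture
$posture | Format-List

# Anything missing below is a gap the task sequence (or someone in BIOS setup) left behind.
$required = 'SecureBoot', 'TpmPresent', 'TpmReady', 'VirtualizationEnabled', 'VbsRunning', 'CredentialGuard'
$missing  = @($required | Where-Object { -not $posture.$_ })
if ($posture.FirmwareType -ne 'UEFI' -or $posture.PartitionStyle -ne 'GPT' -or $missing.Count -gt 0) {
    Write-Warning ("Device is not fully converted or hardened. FirmwareType={0} PartitionStyle={1} Missing: {2}" -f `
        $posture.FirmwareType, $posture.PartitionStyle, ($missing -join ', '))
    exit 1
}
Write-Host 'UEFI, Secure Boot, TPM, virtualization and Credential Guard are all in place.'
```

Credential Guard and HVCI only show as running after the OS has been configured to turn them on; the firmware prerequisites (UEFI, Secure Boot, TPM, virtualization) can all be true while both are still off, which is exactly the state this check is meant to surface.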
Stay tuned…Upcoming blog posts will cover this in more detail.
That sounds like a bug, perhaps; make sure you are always on the latest version of Configuration Manager.
Wipe and load scenarios are where the disk is formatted, so hard linking does not work: hard-link migration keeps the user data in place on the volume and only re-links it into the new installation, and a format removes it along with everything else.
That’s a lot of information in one post. Check out part 2 with more questions and answers–and don’t forget, you can re-watch the webinar on demand now.