Manually updating from BIOS to UEFI is tricky.
We all know and understand this. But getting to a secure Windows 10 sooner rather than later has reached a critical point. So, configuring all your Windows computers for UEFI and SecureBoot is necessary.
In our live webinar, we discussed how automation can be implemented to ease the strain of these migrations. You can listen to us on-demand here.
We had some questions during the session which we can answer for you below:
Question: Are any/all of these task sequences and their underlying scripts available to us (free)? Is the 1E tool available?
Answer: We have made these available to customers. The best way to get them is to contact your SE or sales rep and they can get us in touch with you to provide what we have with some background info.
Question: I manage our SCCM for a school system. We couldn’t get UEFI working in the past in our TS so we went legacy. We reimage our laptops yearly and this year I want to convert to UEFI. I’m using the CCTK to change the BIOS to UEFI and set the password etc. but can’t get beyond that unless I manually go back into SCCM and choose the second TS that has the OSD. I want to know how to change to UEFI and image all in one step (TS)?
Answer: Hard to say what the issue might be without more info about the version of ConfigMgr and what the Task Sequence looks like.
Question: Is there a way to manage passwords at BIOS level via SCCM?
Answer: Not natively. During the webinar, I demoed the idea of setting and clearing BIOS passwords from within a CM task sequence using the manufacturer’s tools. With the advent of manufacturers allowing WMI access to their BIOS settings, it is feasible to create a ConfigMgr Compliance Item to check BIOS settings. At Dell, I saw a method to set the BIOS password, but OMCI would have to be installed on the endpoint for it to work. With HP, it is possible if the current password is blank. Lenovo allows a reset of an existing BIOS password, but you cannot set one if the current password is blank. It might be more straightforward, for Dell and HP at least, to use the vendor’s tools, i.e. CCTK or BCU.
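As an added illustration of the Compliance Item idea mentioned in the answer above (this is example code written for this page, not the 1E tool or the webinar's task sequence), the following PowerShell discovery script reports whether a device already boots in UEFI mode with Secure Boot enabled, and can read one firmware setting through the manufacturer's WMI provider. The vendor namespaces and classes (root\wmi Lenovo_BiosSetting, root\HP\InstrumentedBIOS HP_BIOSSetting, root\dcim\sysman DCIM_BIOSEnumeration) are assumptions about the providers each vendor ships; they exist only when that provider (for Dell, OMCI or Dell Command | Monitor) is installed, so every vendor query is optional. The setting name passed to Get-VendorBiosSetting must come from the vendor's own documented list; no name is hard-coded here.

```powershell
# Added example: ConfigMgr Compliance Item discovery script for UEFI/Secure Boot state.
# Not part of the original page or of any 1E product. Run as SYSTEM (the CI client
# context), because Confirm-SecureBootUEFI requires elevation.

function Get-FirmwareMode {
    # Windows populates $env:firmware_type with 'UEFI' or 'Legacy' on Windows 8 and later.
    if ($env:firmware_type) { return $env:firmware_type }
    return 'Unknown'
}

function Test-SecureBootOn {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines and on platforms without
    # Secure Boot support, so any failure is reported as 'off'.
    try { return [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { return $false }
}

function Get-VendorBiosSetting {
    # Reads a single firmware setting by name through the vendor WMI provider.
    # Assumption: namespaces/classes below match the Lenovo, HP and Dell providers.
    param([Parameter(Mandatory)][string]$Name)
    $vendor = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
    switch -Regex ($vendor) {
        'LENOVO' {
            # Lenovo exposes each setting as a "SettingName,Value" string in CurrentSetting.
            $rows = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting -ErrorAction SilentlyContinue
            $hit  = $rows | Where-Object { $_.CurrentSetting -like "$Name,*" } | Select-Object -First 1
            if ($hit) { return ($hit.CurrentSetting -split ',', 2)[1] }
        }
        'HP|Hewlett' {
            $hit = Get-CimInstance -Namespace root\HP\InstrumentedBIOS -ClassName HP_BIOSSetting `
                       -Filter "Name='$Name'" -ErrorAction SilentlyContinue
            if ($hit) { return $hit.CurrentValue }
        }
        'Dell' {
            # Only present when OMCI / Dell Command | Monitor is installed, as the answer notes.
            $hit = Get-CimInstance -Namespace root\dcim\sysman -ClassName DCIM_BIOSEnumeration `
                       -Filter "AttributeName='$Name'" -ErrorAction SilentlyContinue
            if ($hit) { return ($hit.CurrentValue | Select-Object -First 1) }
        }
    }
    return $null   # provider missing, unknown vendor, or setting not found
}

function Get-ComplianceState {
    # The CI rule compares this string with the expected value 'Compliant'.
    $mode = Get-FirmwareMode
    $sb   = Test-SecureBootOn
    if ($mode -eq 'UEFI' -and $sb) { return 'Compliant' }
    return 'NonCompliant'
}

# Discovery script output. Vendor setting reads (e.g. a TPM or boot-mode attribute)
# can be logged alongside it but should not decide compliance, since the Windows-level
# checks above are consistent across vendors while setting names are not.
Get-ComplianceState
```

Because the Windows-level checks (`$env:firmware_type` and `Confirm-SecureBootUEFI`) do not depend on any vendor provider, the Compliance Item gives the same answer on Dell, HP and Lenovo hardware; the vendor WMI read is there for reporting and for targeting the devices that still need the conversion task sequence.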
Question: What about less bandwidth scenario when we don’t have a distribution point?
Answer: Microsoft has added LEDBAT to ConfigMgr to help with these scenarios, but I would be remiss if I didn’t say that this is what the 1E Nomad product is all about. Every Nomad project I have done ends up reducing the number of DPs by a large percent (90% or more). I have used Nomad with very small links in rural areas, and with cellular connections as well.
Question: I see the task sequence demo contains a couple of Intel CPU specific tasks (like Intel TXT). Does your solution support AMD based devices as well?
Answer: There is no dependency on whether the processor is Intel or AMD. The firmware acts as a sort of abstraction layer, and it is the firmware setting that we are working with. TXT is an Intel technology, but AMD has an equivalent, and as long as the name of the setting in the firmware is consistent, the BIOS to UEFI tool should work as described. The vendor tools can be used to fill any gaps, as was shown in the examples in the webinar.
Question: So, can I add those BIOS steps in my task sequence to set up the BIOS so that my tech team doesn’t have to do it manually?
Answer: You can certainly talk to your SE or sales rep to request a copy of the sample task sequence, but make sure that you test thoroughly when you add the pieces to your existing task sequence.
Question: Will this also enable Wake on LAN settings?
Answer: No. These items can be added to the task sequence using the vendor’s tools. We also have a script that we can make available to customers. It handles BIOS settings for WoL, as well as the Power Management settings for the NIC.
Question: Is the BIOS to UEFI a free toolset?
Answer: BIOS to UEFI is not sold as a separate product. It is licensed with Nomad.
Question: How do you deal with PPI (Physical Presence Interface) for HP’s when converting to UEFI?
Answer: Unfortunately, the decision to force physical presence during OSD (primarily TPM configuration) is up to the vendor, and if they require it, we have no workaround.