HP Bios Update Application - HP Revolve 810 G1/G2/G3

I've recently taken a little time to automate the BIOS updates of our HP laptops. I've found that HP has different BIOS update programs depending on the age of the machine, and the documentation was a bit lacking. I'm assuming that other HP machines will fall into one of the two methods I'm using. I'm creating this using the Application Model instead of a package; you can easily change it into a package with minimal changes.

AppModel Pros: Application Catalog, Detection Methods, Works in a TS
AppModel Cons: Can't use in WinPE

Package Pros: Simple, less time to setup, works in WinPE in a TS.
Package Cons: Simple, no detection, can't make available via Catalog.

Here is a run down of things we'll cover

  • Create your Content Folder Structure. (or download mine HERE)
  • Download & Extract Bios from HP
  • Create Bios Password File
  • Create Bios Update batch File
    • Suspend Bitlocker
    • Add runonce regkey to enable bitlocker after reboot
    • Apply Bios Update
    • Restart Machine with 2 Minute User Notification Popup.
  • Deploy
  • Add to TS Info

 

  1. Create your Package Content Structure.
    image
  2. HP Revolve 810 G1\G2\G3- Get the Bios HERE
    1. Save it to your 810G1 folder and Extract with 7zip
      image
    2. It should now look like this:
      image
    3. Repeat for the G2 and G3 Models, your folders should now look like: image
  3. Time To create the Password File.
    1. from the 810G2 folder, launch HpqPswd64.exe
      image
    2. Type in your Bios Password and Save the BIN file to your Password File Folder
    3. Copy that file from the Password File folder into each Bios Folder like so:
      image
      Always keep a copy on hand: if you ever run the process manually, the BIOS update deletes the password file from the folder (a security feature, I'm sure). Remember that the .bin is not a hash; anyone who copies it can feed it to HP's BIOS tools exactly as if they knew the password, so lock down the content source share and don't leave copies lying around on workstations.
  4. Let's write a simple batch file that repairs the BitLocker MOF if needed, suspends BitLocker, adds a RunOnce key to turn it back on after the restart, updates the BIOS, and gives a two-minute warning before the reboot.

    ----------

      REM Fix BitLocker MOF if needed
      mofcomp.exe c:\windows\system32\wbem\win32_encryptablevolume.mof

      REM Suspend BitLocker. On Windows 8 and later, -disable without -RebootCount suspends for one reboot only; protection resumes on its own after the restart
      Manage-bde.exe -protectors -disable c:

      REM Add a RunOnce key to re-enable BitLocker after the restart if that doesn't happen automatically via GPO / MBAM
      REM Caveat: HKLM RunOnce entries run at the next interactive logon in that user's context (not elevated under UAC), and manage-bde needs admin rights, so treat this as belt-and-braces rather than the guarantee
      reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v EnableBitlocker /T REG_SZ /D "Manage-bde.exe -protectors -enable c:" /F

      REM Update BIOS
      hpqFlash64.exe -s -pHPBiosPassword.bin -lc:\Cabs\InstallLogs\HPBiosUpdate.log

      REM Reboot the computer (does not affect WinPE, which can't use shutdown.exe)
      shutdown.exe /r /f /t 120 /c "Updating BIOS, please save your work. The computer will reboot in 2 minutes"

      ----------

      image

      1. -s = silent
      2. -p<file> = the BIOS password file created above
      3. -l<path> = log file (remove it, or point it at your own log path)
    2. OK, let's do one for the 810 G2/G3. It's a little different, as HP added some features and changed the syntax.
      ----------

      REM Fix BitLocker MOF if needed
      mofcomp.exe c:\windows\system32\wbem\win32_encryptablevolume.mof

      REM Suspend BitLocker (not needed on the G2 / G3 models; HPBIOSUPDREC has the "-b" option to suspend BitLocker itself)
      REM Manage-bde.exe -protectors -disable c:

      REM Add a RunOnce key to re-enable BitLocker after the restart if that doesn't happen automatically via GPO / MBAM (same caveat as the G1 script: this runs non-elevated at next logon)
      reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v EnableBitlocker /T REG_SZ /D "Manage-bde.exe -protectors -enable c:" /F

      REM Update BIOS
      HPBIOSUPDREC64.exe -s -r -b -pHPBiosPassword.bin -lc:\Cabs\InstallLogs\HPBiosUpdate.log

      REM Reboot the computer (does not affect WinPE, which can't use shutdown.exe)
      shutdown.exe /r /f /t 120 /c "Updating BIOS, please save your work. The computer will reboot in 2 minutes"
      ----------
      image

      1. -s = Silent
      2. -r = NO Reboot
      3. -b = Suspend Bitlocker
      4. -p = Password file
      5. -l = logfile
    4. Time to Create an Application to deploy the Bios
      1. image
      2. image
      3. image
    5. Deployment Types
      1. image
        Name your Deployment, I do Model & Bios Version
      2. image
        Point to your Source Content
      3. image
        Program = your Script File
      4. image
        Detection = Registry Setting for the Bios Version
      5. image
        Set to Install for System, Whether or not a user is logged on
      6. image
        Set your Requirements to Computer Model (Blogged here)
      7. image
        Set 0 to Hard Reboot, so it will reboot, then run detection.
        If you want to add more return codes, you can find a list here... I have not tested them.
      8. It's pretty much identical for the other two systems; just change the content to the correct folder and the detection to the BIOS version. Tip: update one machine by hand, then point to it when you're creating your detection method.
  5. Deploy, seeing it in action.  I've deployed mine to "all users" so it shows up in the Catalog
    1. Installing from the Application Catalog:
      image
    2. Once it finishes, it gives the 2-minute reboot warning, and Software Center shows "Requires restart".
      image
  6. You can also deploy to a computer collection you've created. This is how I typically do pushes: send out communications, then push to a collection. But for a while during testing, I like to make it available so I can run it from the catalog.
  7. Adding to the Task Sequence. So I was excited that HP BIOS updates are supported in WinPE... yet mine was failing, saying it needed a full OS. I thought "LIAR", I've tested the script in PE and it worked fine! Then I realized I was running it as an application, not a package... and that's what wouldn't work in PE. So I had to add this BIOS Update step later in my TS, after it was in Windows, just like I do with my Dell BIOS updates. I've tried to leave some steps around it for context as to where I've added the HP BIOS Update step.
    1. Note: in the script I call shutdown.exe, which gives a two-minute delay. In the TS there is a restart right after the application runs, which restarts the system right away instead of waiting for the two-minute timeout. If you do decide to make this into a package, remove the shutdown.exe part, as it is not available in WinPE.

      image
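As an added example (my code, not from the original post), here is the same procedure as one PowerShell script that the Application can run as its program (powershell.exe -ExecutionPolicy Bypass -File Update-HpBios.ps1, from the package folder). It reads the installed BIOS version from the same registry key a registry detection method uses, skips the flash when the target version is already there, suspends BitLocker for exactly one reboot (so the RunOnce key isn't needed), runs the HP tool with the model-specific switches shown above and returns the tool's exit code. The model names, target version strings and log folder in it are placeholders I've assumed, not values from the post; copy them from a machine you've updated by hand.

```powershell
# Added example, not code from the original post. Placeholders (not from the page):
# the model names and target versions in $Targets, and $LogDir.
param(
    [string]$PasswordFile = 'HPBiosPassword.bin',   # created with HpqPswd64.exe; treat it like the password itself
    [string]$LogDir       = 'C:\Cabs\InstallLogs'
)

# Which flash tool, switches and target BIOS version apply to which model.
# G1 uses hpqFlash64 (we handle BitLocker); G2/G3 use HPBIOSUPDREC64 with -r (no reboot) and -b (suspend BitLocker).
$Targets = @{
    'HP EliteBook Revolve 810 G1' = @{ Tool = 'hpqFlash64.exe';     Switches = @('-s');             Version = 'G1-TARGET-VERSION' }
    'HP EliteBook Revolve 810 G2' = @{ Tool = 'HPBIOSUPDREC64.exe'; Switches = @('-s', '-r', '-b'); Version = 'G2-TARGET-VERSION' }
    'HP EliteBook Revolve 810 G3' = @{ Tool = 'HPBIOSUPDREC64.exe'; Switches = @('-s', '-r', '-b'); Version = 'G3-TARGET-VERSION' }
}

function Get-InstalledBios {
    # HKLM\HARDWARE\DESCRIPTION\System\BIOS mirrors SMBIOS; BIOSVersion here is the value
    # a registry-based detection method compares against.
    $bios = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS'
    [pscustomobject]@{ Model = $bios.SystemProductName; Version = $bios.BIOSVersion }
}

function Invoke-HpBiosUpdate {
    param([string]$Model, [string]$InstalledVersion)
    $target = $Targets[$Model]
    if (-not $target) {
        Write-Warning "No BIOS package defined for model '$Model'"
        return [pscustomobject]@{ ExitCode = 1; Flashed = $false }
    }
    if ($InstalledVersion -eq $target.Version) {
        Write-Host "BIOS already at $InstalledVersion; nothing to do"
        return [pscustomobject]@{ ExitCode = 0; Flashed = $false }
    }

    # Suspend BitLocker for one reboot only. Windows resumes protection by itself after the
    # restart, so no RunOnce entry (which would run non-elevated at next logon) is needed.
    $vol = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue
    if ($vol -and $vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint 'C:' -RebootCount 1 | Out-Null
    }

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $tool      = Join-Path $PSScriptRoot $target.Tool
    $arguments = $target.Switches + @("-p$PasswordFile", "-l$LogDir\HPBiosUpdate.log")
    # -Wait -PassThru hands us the flash tool's exit code for ConfigMgr's return-code mapping.
    $proc = Start-Process -FilePath $tool -ArgumentList $arguments -WorkingDirectory $PSScriptRoot -Wait -PassThru -NoNewWindow
    return [pscustomobject]@{ ExitCode = $proc.ExitCode; Flashed = ($proc.ExitCode -eq 0) }
}

$installed = Get-InstalledBios
$result    = Invoke-HpBiosUpdate -Model $installed.Model -InstalledVersion $installed.Version
if ($result.Flashed) {
    # Same two-minute warning as the batch file; during OSD the TS restart step pre-empts it.
    shutdown.exe /r /f /t 120 /c "Updating BIOS, please save your work. The computer will restart in 2 minutes."
}
exit $result.ExitCode
```

Run it with -File (not dot-sourced) so $PSScriptRoot points at the package folder that holds the tools and the .bin file. Because exit code 0 is mapped to "Hard Reboot" in the deployment type, the version check at the top matters: without it a re-run would reflash and reboot a machine that is already current.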

As always, I welcome comments and feedback.  I only set this up a few days ago, and tested on a couple machines, so there might be scenarios that need tweaking.  I'll update this if I find anything.  - @gwblok

Enforce UEFI during OSD or Nicely Fail with remediation.

UPDATE: 6/14 - A few days after I wrote this, Nickolaj posted a nice way to automate this for Dell Systems.  Check it out HERE.  Great post, I look forward to trying out.

I wanted to make sure that during Windows 10 OSD, machines were getting set to UEFI and Secure Boot. I did not want to leave this up to the tech who was imaging the PC; while they catch it most of the time, there is still the chance they miss it and I get a Windows 10 machine with Legacy BIOS.

I added a group with a few steps to my TS that will trigger if _SMSTSBootUEFI is not True, if _SMSTSInWinPE is True, and if it's one of my hardware manufacturers.

  1. _SMSTSBootUEFI - This is the main variable; it says whether the machine is booted in UEFI mode or not.
  2. _SMSTSInWinPE - This makes the steps run only in PE. If I'm doing an in-place upgrade, I don't want it to check and fail.
  3. WMI query for hardware manufacturer - I have Dell and HP machines, which I want it to check, but I don't want it to check virtual machines. At this point in the TS the IsVM variable isn't yet available, so this method works to exclude my VMs.

image

This will NOT completely automate going from Legacy to UEFI. The TS will fail if the BIOS is set to Legacy, but it fails right at the beginning, and you can then start the Windows 10 TS again and it will install properly using UEFI and Secure Boot.

For a FULL solution, look to 1e's Bios to UEFI

This was a failsafe to make sure our machines were set correctly right away, instead of finding out after the fact that we imaged a machine to Windows 10 that was still using Legacy mode.
Package Contents:
image

  1. MessageBox Script get HERE (Deployment Guys Technet Blog)
    You'll need to modify the MDTMessageBox.wsf script so it will automatically close the TS Progress bar.  Info found HERE (Niehaus's blog)
    You'll need to add this snippet into the script near the top:
    Set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
    oTSProgressUI.CloseProgressDialog
    Set oTSProgressUI = Nothing

    image
  2. ZTIUtility.vbs (From MDT scripts folder) - Just copy this file from your MDT Script Deployment Share, and paste it into your package content.
  3. Shutdown.exe, copied from c:\Windows\system32

TS Steps:

  1. Notify UEFI Status (Step 1) image
      1. Write your message here using syntax from the blog link, example:
        cscript.exe "MessageBox\MDTMessageBox.wsf" /text:"WARNING - This Machine is not set to UEFI in the BIOS - Please Shutdown, fix the Setting and Start again - The Next Step will Automatically try to FIX it for you if you're deploying to a DELL or HP machine and reboot. Please confirm it's Booting UEFI with Secure Boot Enabled" /type:64 /title:"UEFI
      2. In the Options tab, check the box for "Continue on error".
  2. Dell Bios - SecureBoot - UEFI (Step 2) - Note: this step works on Dell; you'd have to modify it for another vendor. I have it skip this step if it is NOT a Dell PC.
    image
    image

    1. This is just a script I'm using that calls the CCTK (Dell Command Configure) and sets bios to UEFI & Secure Boot.  Mike Terrill wrote a great blog post about how to do this, so I will not repeat it.
  3. HP Bios - SecureBoot - UEFI (Step 3) - This looks basically the same as Step 2, but for our HP machines.
    image
    image
    1. You can get the HP Bios Configuration Software HERE
      The Documentation is located HERE
      Brenton wrote up a How To HERE
  4. Shutdown Machine (Step 4)
    image
    MessageBox\Shutdown.exe -s -t 00
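As an added example (my code, not from the original post), the group's three conditions written out as a script, plus the Secure Boot confirmation the message box asks the tech to make by eye. You could run it as a Run PowerShell Script step (the boot image needs the PowerShell and WMI optional components) or on a workstation to see what it decides. The _SMSTSBootUEFI and _SMSTSInWinPE names are ConfigMgr built-ins; the vendor-tool calls are left as placeholders, and the manufacturer-string matching is my assumption about what Dell and HP report in Win32_ComputerSystem.

```powershell
# Added example, not code from the original post. The vendor-tool invocation is a placeholder.

function Get-TSVariable {
    param([string]$Name)
    # The task sequence COM object exists only while a TS is running (WinPE or full OS).
    try { (New-Object -ComObject 'Microsoft.SMS.TSEnvironment').Value($Name) } catch { $null }
}

function Get-FirmwareVendor {
    param([string]$Manufacturer)
    # HP has shipped both "Hewlett-Packard" and "HP" as Win32_ComputerSystem.Manufacturer.
    # Anything else (including the strings VMs report) gets no vendor step, which is the
    # same effect as the WMI-query condition on the group.
    switch -Regex ($Manufacturer) {
        '^Dell'                 { return 'Dell' }
        '^(HP|Hewlett-Packard)' { return 'HP' }
        default                 { return $null }
    }
}

function Test-UefiRemediationNeeded {
    param([string]$BootUefi, [string]$InWinPE, [string]$Manufacturer)
    # Mirrors the group conditions: not booted UEFI, running in WinPE, and a vendor we have
    # a tool for. Task sequence variables arrive as the strings "true"/"false".
    $legacy = ($BootUefi -ne 'true')
    $inPe   = ($InWinPE -eq 'true')
    $vendor = Get-FirmwareVendor -Manufacturer $Manufacturer
    return ($legacy -and $inPe -and $null -ne $vendor)
}

function Test-SecureBootEnabled {
    # Confirm-SecureBootUEFI throws on legacy BIOS (and where the SecureBoot cmdlets are
    # missing, as in WinPE), so both cases report $false instead of crashing the step.
    try { [bool](Confirm-SecureBootUEFI) } catch { $false }
}

$manufacturer = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
$bootUefi = Get-TSVariable -Name '_SMSTSBootUEFI'
$inWinPE  = Get-TSVariable -Name '_SMSTSInWinPE'
if ($null -eq $bootUefi) {
    # Not inside a task sequence: derive the same facts from the running OS.
    # Windows 8 and later set $env:firmware_type to "UEFI" or "Legacy".
    $bootUefi = if ($env:firmware_type -eq 'UEFI') { 'true' } else { 'false' }
    $inWinPE  = 'false'
}

if (Test-UefiRemediationNeeded -BootUefi $bootUefi -InWinPE $inWinPE -Manufacturer $manufacturer) {
    $vendor = Get-FirmwareVendor -Manufacturer $manufacturer
    Write-Warning "Booted legacy BIOS on a $vendor system; run the $vendor BIOS-to-UEFI step, then shut down."
    # Placeholder for the vendor step: cctk.exe (Dell) or BiosConfigUtility64.exe (HP) with your settings file.
    exit 1
}
elseif ($bootUefi -eq 'true' -and $inWinPE -eq 'false' -and -not (Test-SecureBootEnabled)) {
    Write-Warning 'UEFI boot, but Secure Boot is off; the firmware is only half configured.'
    exit 2
}
else {
    Write-Host "UEFI=$bootUefi WinPE=$inWinPE Manufacturer='$manufacturer': nothing to fix."
    exit 0
}
```

The point of the exit codes is the same as the group's "fail early" behaviour: a non-zero exit stops the task sequence before any disk is touched, while the Secure Boot check covers the case the message box can only ask about, a machine that was switched to UEFI but left with Secure Boot disabled.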

 

So let's see it in action (Dell E6540). Tested also on an HP Revolve 810 G2.

  1. First Picture: Booting while in Legacy Mode w/ Secure Boot Disabled (Dell)
    image
  2. Starting Windows 10 TS
    image
  3. Starts that Step
    image
  4. TS runs the Message because it's not UEFI (while hiding the Installation Progress bar)
    image
  5. Computer then runs the Bios Settings to Change to UEFI
    image
  6. Computer then Shuts down.
  7. It now shows the correct Boot options and you can start your Windows 10 OSD again ensuring UEFI & Secure Boot.
    image

Other things you could add.. Email Service Desk or Admin if UEFI not enabled using a method like THIS.

Windows 10–Disable Lock Screen Tool Tips

This only came up recently as I've been exploring removing the Ctrl+Alt+Del requirement for logon. I've disabled it on a few test machines. Then I noticed, in the upper right corner of my lock screen, little messages; I could click on them, but nothing would happen. Once I logged in, IE would launch with a Bing search about what I had clicked on. I decided to remove that annoyance.

image

I found more info about it here: https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight
This is a group policy that controls the Lock Screen image and this tooltip.  I am already controlling the initial lock screen image via OSD, which changes a registry setting to point to a wallpaper I copy local.  We still allow our users to change it, but it starts with a corporate branded wallpaper.

I enabled the setting, pointed the GPO at the locally copied Wallpaper and checked the box.  On my test machine, I still saw the tooltips and the settings under personalization still showed the setting as “ON”

image

So now it was time to look for another way to do it. After some guesswork, I found the key in the registry that pertains to the setting: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]

image image

To change it, you need to set the registry to: "RotatingLockScreenOverlayEnabled"=dword:00000000

 

Now that we have the setting, we can deploy it.  You could push this via Group Policy, but I’m always a fan of using ConfigMgr, so I’ve created a simple script to deploy during OSD. I’ve created the script, added it to my Windows 10 OSD Package, in the same folder I keep my LockScreen Wallpaper. Download HERE

Load_LockScreenDisableToolTips.cmd:
-----
reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /V RotatingLockScreenOverlayEnabled /T REG_DWORD /D 00000000 /F
reg.exe unload HKEY_LOCAL_MACHINE\defuser
-----

image

 

Now in OSD, you create a “Run Command Line” Step and add it like so:
cmd.exe /c LockScreen\Load_LockScreenDisableToolTips.cmd
image

 

OK, now you’ve added it to OSD, but you want to Deploy to your Windows 10 machines in production.

Lets make an Application!

image

image

image
No Content

image
Program: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /V RotatingLockScreenOverlayEnabled /T REG_DWORD /D 00000000 /F

image
Browse to the registry key and set the detection rule to RotatingLockScreenOverlayEnabled equals 0

image
User Experience: Install for User

image
Requirements: OS = Windows 10

Now you can deploy.
Here is the AppEnforceLog from the computer it was deployed to.
image
From the log, You can see it ran the command line to disable tooltips

If you have the Settings open, you can actually watch it switch:
image

image
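As an added example (my code, not from the original post), the OSD batch file and the Application's program folded into one PowerShell script. It adds two things the one-liners skip: the registry provider keeps handles on a loaded hive, so they are released before reg.exe unload (otherwise the unload fails with "access denied" and the default profile stays mounted), and the Application's detection rule is a function that is compliant only when the value exists and is 0. The key, value and NTUSER.DAT path are the post's; the hive mount name DefaultUserHive is an arbitrary choice of mine.

```powershell
# Added example, not code from the original post. 'DefaultUserHive' is an arbitrary mount name.
param([switch]$DefaultUser)   # -DefaultUser: the OSD case, edit C:\Users\Default\NTUSER.DAT

$ValueName   = 'RotatingLockScreenOverlayEnabled'
$RelativeKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'

function Test-LockScreenOverlayDisabled {
    param([string]$Hive = 'HKCU:')
    # Detection: true only when the value exists and is 0. A missing value means the
    # Windows default (overlay on), so it must not count as compliant.
    $item = Get-ItemProperty -Path "$Hive\$RelativeKey" -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 0)
}

function Disable-LockScreenOverlay {
    param([string]$Hive = 'HKCU:')
    # Same effect as REG ADD ... /T REG_DWORD /D 0 /F; -Force tolerates an existing key/value.
    New-Item -Path "$Hive\$RelativeKey" -Force | Out-Null
    New-ItemProperty -Path "$Hive\$RelativeKey" -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Disable-LockScreenOverlayForDefaultUser {
    param(
        [string]$NtUserDat = 'C:\Users\Default\NTUSER.DAT',
        [string]$MountName = 'DefaultUserHive'
    )
    # Editing the default profile hive changes every profile created afterwards (the OSD case).
    & reg.exe load "HKLM\$MountName" $NtUserDat | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with $LASTEXITCODE (hive already loaded or in use?)" }
    try {
        Disable-LockScreenOverlay -Hive "HKLM:\$MountName"
        $ok = Test-LockScreenOverlayDisabled -Hive "HKLM:\$MountName"
    }
    finally {
        # The registry provider keeps key handles open; drop them or the unload is refused.
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed with $LASTEXITCODE; the hive is still mounted" }
    }
    return $ok
}

if ($DefaultUser) {
    if (-not (Disable-LockScreenOverlayForDefaultUser)) { exit 1 }
}
else {
    Disable-LockScreenOverlay
    if (-not (Test-LockScreenOverlayDisabled)) { exit 1 }
}
exit 0
```

In OSD call it with -DefaultUser from a Run Command Line step after the image is applied; as the per-user Application, run it without the switch with "Install for User" and keep the registry detection rule on HKCU.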

 

Things to Note:  I did not see tooltips on all machines that I disabled the Ctrl+Alt+Del policy on.  I believe it has to do with a couple of my machines I’ve also connected to MS Accounts for the Store, but most I have not.

PS… I feel a little guilty making a blog post about 1 registry key… but hey, the issue was annoying to me, so hopefully someone finds this useful and doesn’t have to spend time tracking down that key.

Integrate DaRT 10 Tools into your Recovery Partition during OSD

 

Requirements:

  1. Windows 10 ADK (Build 10586) – Download HERE
  2. Windows 10 ADK Hotfix to fix issue in ADK– Download HERE (We’ll get to this later)
  3. DaRT Recovery Image Installed –> Part of MDOP
  4. Windows 10 Media (Build 10586) Mounted

Setup:

ADK 10
image

DaRT
image

 

Launch the MS DaRT Recovery Image Wizard. If you see this error, it's because of your PowerShell Group Policy; to get around it, open an elevated command prompt and run:
Reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell /v ExecutionPolicy /f
then try again. This only clears the locally cached copy of the policy value on your build machine, not the GPO itself; run gpupdate /force when you're done and the setting comes straight back.
http://garytown.com/wp-content/uploads/2016/03/image-11.png

Choose 64-bit Dart Image – I’ve mounted the Windows 10 ISO to the D: drive
image

You can leave the tools to default
image

Check the box “Allow…” and let it default to 3388
image

Advanced Options, add any Storage & NIC drivers you’ll need & any WinPE addons
image image

Create Image: Select Create WIM, set the path to c:\cabs
image

- Note: if you want, at this step you can check the box "Edit image", and after a short period you'll get the opportunity to add files. I did this to add CMTrace and some other tools into the image.

Now wait for a few minutes while it is generated
image

 

 

 

Adding HotFix to boot.wim (Only if you’re using Windows 10 1511 build 10586)

Extract the HotFix to c:\Cabs (I’m using 7zip)
It will create 2 schema files.

image

Also create the folder mount (C:\Cabs\Mount)

Make sure your boot.wim file is saved to C:\Cabs\DaRT10\x64\boot.wim. You'll then need to run these commands (original documentation here: https://support.microsoft.com/en-us/kb/3143760), modified for where I've saved the files in my example.
Run from elevated “Deployment and Imaging Tools Environment”
image

  1. dism /mount-wim /wimfile:C:\Cabs\DaRT10\x64\boot.wim /index:1 /mountdir:C:\Cabs\mount
    image
  2. icacls C:\Cabs\mount\Windows\System32\schema.dat /save "%temp%\AclFile"
    image
  3. takeown /F C:\Cabs\mount\Windows\System32\schema.dat /A
    image
  4. icacls C:\Cabs\mount\Windows\System32\schema.dat /grant BUILTIN\Administrators:(F)
    image
  5. xcopy "C:\Cabs\schema-x64.dat" C:\Cabs\mount\Windows\System32\schema.dat /Y
    image
  6. icacls C:\Cabs\mount\Windows\System32\schema.dat /setowner "NT SERVICE\TrustedInstaller"
    image
  7. icacls C:\Cabs\mount\Windows\System32\ /restore "%temp%\AclFile"
    image
  8. dism /unmount-wim /mountdir:C:\Cabs\mount /Commit
    image

As you can see, Before:
image

After:
image

 

Ok, now we have our boot.wim file, it’s time to get it into the OSD process.

In the Standard ConfigMgr MDT Task Sequence, go to the Format and Partition Disk (UEFI)

Change the Windows RE Tools partition name to WinRE and change the size from 300 to 900 (MB)
image

Create a Package with your boot.wim file and three batch files: (Download here)

SetDriveLetterLabel.cmd (This will take the Partition Labeled WinRE and assign letter R)
-------

REM ======start batch script=======
@echo off
setlocal ENABLEDELAYEDEXPANSION
:: Full path to diskpart.exe. Defaults are:
:: Windows 2000: "C:\Program Files\Resource Kit\diskpart.exe"
:: 2003/XP: "C:\windows\system32\diskpart.exe"
set dp=c:\windows\system32\diskpart.exe

:: Volume label
set label=WinRE

:: Temporary command file for diskpart.exe
set dps="%TEMP%\dp.txt"

echo list volume>%dps%
echo exit>>%dps%
set label_short=%LABEL:~0,11%
if exist %dp% (
for /f "delims=" %%i in ('%dp% /s %dps%') do (
set string=%%i
if not "!string:%label_short%=!"=="!string!" (
set volnum=!string:~9,3!
set volnum=!volnum: =!
)
)
if not "!volnum!"=="" (
echo Volume Label: %label%
echo Volume Number: !volnum!
REM Use > for the first line so commands left from an earlier run aren't appended and replayed
echo select volume !volnum! >%TEMP%\assignr.txt
echo assign letter=R >>%TEMP%\assignr.txt
%dp% /s %TEMP%\assignr.txt
) else (
echo Cannot find volume with label %label%
)
) else (
echo Cannot find %dp%&goto :EOF
)
REM =======end batch script========

 

-------

RemoveDriveLetterLabel.cmd (This removes the drive letters D/E/R). I was having some computers add a D or E drive based on other factors, so I just added removing those letters to this script too.
---------
 

REM ======start batch script=======
@echo off
setlocal ENABLEDELAYEDEXPANSION
:: Full path to diskpart.exe. Defaults are:
:: Windows 2000: "C:\Program Files\Resource Kit\diskpart.exe"
:: 2003/XP: "C:\windows\system32\diskpart.exe"
set dp=c:\windows\system32\diskpart.exe

:: Volume label
set label=WinRE

:: Temporary command file for diskpart.exe
set dps="%TEMP%\dp.txt"

echo list volume>%dps%
echo exit>>%dps%
set label_short=%LABEL:~0,11%
if exist %dp% (
for /f "delims=" %%i in ('%dp% /s %dps%') do (
set string=%%i
if not "!string:%label_short%=!"=="!string!" (
set volnum=!string:~9,3!
set volnum=!volnum: =!
)
)
if not "!volnum!"=="" (
echo Volume Label: %label%
echo Volume Number: !volnum!
REM Use > for the first line of each script so commands left from an earlier run aren't appended and replayed
echo select volume !volnum! >%TEMP%\remover.txt
echo remove letter=r >>%TEMP%\remover.txt

echo select volume !volnum! >%TEMP%\removed.txt
echo remove letter=d >>%TEMP%\removed.txt

echo select volume !volnum! >%TEMP%\removee.txt
echo remove letter=e >>%TEMP%\removee.txt

%dp% /s %TEMP%\remover.txt
%dp% /s %TEMP%\removed.txt
%dp% /s %TEMP%\removee.txt
) else (
echo Cannot find volume with label %label%
)
) else (
echo Cannot find %dp%&goto :EOF
)
REM =======end batch script========

-------

 

InstallDartUEFI.cmd (This deletes the old Windows Recovery WIM, creates the new folder structure and copies the boot.wim into place and assigns it as the recovery wim – It calls the script above to remove the drive letter when it’s done.)
--------

REM SetDriveLetterLabel.cmd - Now doing in Previous Step, sets WinRE partition to Letter R

REM Make Directory where DaRT Recovery WIM will be placed
mkdir R:\Recovery\WinRE

REM Copy DaRT Recovery WIM into Recovery Partition
copy boot.wim R:\Recovery\WinRE\winre.wim

REM Set Windows to use the new DaRT Recovery WIM
C:\Windows\System32\ReAgentc.exe /disable
C:\Windows\System32\ReAgentc.exe /setreimage /path R:\Recovery\WinRE /target C:\Windows
C:\Windows\System32\ReAgentc.exe /enable

REM Remove the Drive Letter for the Recovery Partition - Removes Letter R and D/E if exist.
call RemoveDriveLetterLabel.cmd

-------

Package Contents:
image

 

In the TS:
In the State Restore Group, add two Steps

  1. Install WinRE – Dart10 – UEFI – Step1 (cmd /c SetDriveLetterLabel.cmd)
    image
  2. Install WinRE – Dart10 – UEFI – Step2 (cmd /c InstallDartUEFI.cmd)
    image
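As an added example (my code, not from the original post), the three batch files above as one PowerShell script. It finds the recovery volume by its label with the Storage module instead of parsing diskpart's column positions, checks reagentc /info before hiding the partition again, and always removes the letter (try/finally) even when the copy or reagentc fails, so a failed run doesn't leave an R: drive behind. The label, letter and paths are the ones the post uses; it assumes it runs elevated, in the full OS (State Restore), as a file from the package folder that holds boot.wim, and that reagentc prints English output.

```powershell
# Added example, not code from the original post. Assumes the post's label/letter/paths and English reagentc output.
param(
    [string]$Label     = 'WinRE',
    [string]$Letter    = 'R',
    [string]$SourceWim = (Join-Path $PSScriptRoot 'boot.wim'),
    [string]$OsWindows = 'C:\Windows'
)

function Get-RecoveryPartition {
    param([string]$Label)
    # Match on the file-system label assigned in the Format and Partition Disk (UEFI) step.
    $vol = Get-Volume -FileSystemLabel $Label -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $vol) { throw "No volume labelled '$Label' found; check the partition step" }
    return ($vol | Get-Partition)
}

function Test-WinReEnabled {
    # reagentc /info prints "Windows RE status: Enabled" plus the image location it registered.
    $info = & reagentc.exe /info
    return [pscustomobject]@{
        Enabled = [bool]($info -match 'Windows RE status:\s+Enabled')
        Info    = $info
    }
}

function Install-DartRecoveryImage {
    $part = Get-RecoveryPartition -Label $Label
    $part | Set-Partition -NewDriveLetter $Letter
    try {
        $dest = "${Letter}:\Recovery\WinRE"
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -Path $SourceWim -Destination (Join-Path $dest 'winre.wim') -Force

        # reagentc only accepts /setreimage while Windows RE is disabled, hence disable / set / enable.
        & reagentc.exe /disable | Out-Null
        & reagentc.exe /setreimage /path $dest /target $OsWindows | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reagentc /setreimage failed with $LASTEXITCODE" }
        & reagentc.exe /enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reagentc /enable failed with $LASTEXITCODE" }

        return Test-WinReEnabled
    }
    finally {
        # Hide the partition again; reagentc records the partition itself, not the letter, so RE still boots.
        $part | Remove-PartitionAccessPath -AccessPath "${Letter}:\"
    }
}

$result = Install-DartRecoveryImage
$result.Info
if (-not $result.Enabled) { exit 1 }
exit 0
```

Keep in mind what you're installing: a recovery environment with LockSmith and full file access on every machine. That is only acceptable because BitLocker gates it (the recovery-key prompt shown later in this post); verify the OS volume is actually protected before you roll this out broadly.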

After OSD, you can go into your recovery options..  and choose Advanced Startup  - Once at the Option Screen, pick Troubleshoot –> Advanced –> Command Prompt
image image image

It will now reboot into the Windows Recovery Partition.
You’ll see a prompt for “Would you like to initialize network connectivity..”, click yes

It will now prompt you for your BitLocker key, if BitLocker is enabled. Enter it and click Continue. That prompt is the only thing standing between someone with physical access and the DaRT tools (LockSmith resets local passwords offline, and the file tools read the whole disk), so don't think of this recovery partition as harmless on machines that aren't encrypted.
The Command Prompt will Open, just go ahead and close it.

You will now see options, choose Troubleshoot –> Microsoft Diagnostics and Recovery Toolset will be an option.

Now that you launched DaRT, you’ll have several options available to you, including Remote Connection, which is what I’m using to connect in to grab the screen capture.
image

 

Several handy tools are built in, like LockSmith to recover admin passwords. This is handy if you have LAPS implemented and the machine has been deleted from the domain, so you no longer have access to the admin password.
image

File Restore in action:
image

 

And if you like, you can even add a web browser to your image, because hey, why not! Pale Moon 64-bit seems to work alright. Just extract the program to a folder and copy that folder into your image, then use Explorer to browse to it.

image

So there you have it, integrating DaRT 10 into your Windows 10 10586 Deployments

I’ve tested this on Dell Latitude E6540, Precision 7510 & MS Surface Pro.  I’ve done this in the Past with DaRT 8 on an entire range of Dell devices without any issues.  But I’ve only started to implement this with DaRT10.

Enable Credential Guard in Windows 10 during OSD w/ ConfigMgr

I set this up a couple of weeks ago and have been meaning to write something up. Then before I could, Peter over at syscenramblings posted a nice how-to HERE.

I’m going to post mine anyway, even if it’s not as fancy.  I’ve been going with the “KISS principle (keep it stupid simple)” model for OSD, and it’s been working well for me.  So while sure, you can do it in one step, I’m going to show you how to do it in several additional steps, but no packages are required. Smile

All information used to create these steps were based on this information: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard
I did find what appears to be a discrepancy in their documentation; I've made more notes at the bottom.

My Example is done on a New Dell Laptop
UEFI & SecureBoot Enabled in Bios.
My Credential Guard Setup is:

  1. Require Secure Boot and DMA Protection
  2. Credential Guard Enabled

I’ve got two sections in my TS setup for this, one Group that installs the Windows Components, and another that sets the registry keys.

  1. Group "Enable HyperV & Isolated User Mode UEFI" - This is done nearly right after applying the image. My image gets loaded to drive C; you'll want to adjust accordingly. This is still while in PE, even before loading the drivers.
    image
    image
    1. Enable HyperV Role - Step 1
      cmd /c Dism.exe /image:c: /Enable-Feature /FeatureName:Microsoft-Hyper-V /All
      image
    2. Enable HyperV Role - Step 2 (This is Optional, I like to add the Client tools as many of my users use Local Virtual Machines)
      cmd /c Dism.exe /image:c: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Management-Clients /All
      image
    3. Enable Isolated User Mode- Step 3
      cmd /c Dism.exe /image:c: /Enable-Feature /FeatureName:IsolatedUserMode
      image
  2. Group “Turn on Credential Guard” – Much later in TS, typically after I’ve already installed Apps, etc.
    image
    image
    1. Tweak - Enable virtualization-based security Key 1
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V EnableVirtualizationBasedSecurity /T REG_DWORD /D 1 /F
      image
    2. Tweak - Enable virtualization-based security Key 2 *Differs from TechNet documentation, see notes below.
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V RequirePlatformSecurityFeatures /T REG_DWORD /D 3 /F
      image
    3. Tweak - Enable virtualization-based security Key 3 (LsaCfgFlags 1 = Credential Guard with the UEFI lock, 2 = without it. With the lock, the setting is also stored in a UEFI variable, so it can't later be switched off by policy or registry alone; turning it off needs the documented bcdedit steps plus a physical confirmation at the console on the next boot. That is the point of the lock, but decide up front whether you want it.)
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /V LsaCfgFlags /T REG_DWORD /D 1 /F
      image

Just make sure you get a reboot in there. I had a few reboots in my TS between the first group and after the last group for other processes, so since I already had reboots for those steps, I didn't need to add any. I would suggest doing what Peter illustrates in his post and adding a reboot outside of the task sequence; I've been doing this for a couple of years to resolve other issues, at the advice of Johan during one of his sessions. Peter's blog shows a nice illustration of how to set that up.
After First Logon, I double check msinfo32 to confirm that indeed Credential Guard is running with the settings I wanted.

One thing I’ve noticed that seems to be a discrepancy in the TechNet article.
image

When I set the RequirePlatformSecurityFeatures  to 2, it does not list Secure Boot
image

However, if I set that key to 3, it then reports:
image

While I honestly don’t know if this makes a difference, I’d really like it to show up in msinfo32 correctly.  If you set the setting via Group Policy and NOT OSD, it does show correctly, and it will set the Registry to value 3.  So that’s what I’m going with.

PS: I also have it set up in Group Policy, using the settings outlined in that article, for the machines that were imaged before I implemented this. After imaging, once Group Policy applies, it does "fix" the registry keys you set during OSD, and it shows up in msinfo32 correctly. I'd just like to get it right out of the gate instead of having to wait for Group Policy to kick in and reboot the machine.

Group Policy will also add the registry key HypervisorEnforcedCodeIntegrity ,which I’m not setting at all during OSD.
Here are the settings from a machine set up via Group Policy post-OSD:
image

Here is one that was set up through OSD, before Group Policy updates it:
image

I hope you find this useful.

For the Machines that I had already deployed, I used Group Policy to enable the Settings, and pushed out a “Application” to finish the setup.
image

image
image

image
I changed return code 0 to "Hard Reboot" so that when it's done it requests a reboot to finish the feature installs. The detection method will also fail until after the reboot, as it is looking for the IsolatedUserMode feature to be enabled in the registry.

Batch file: you don't need the registry info in there, but in case you want to set this up without Group Policy, just add the keys. I had it set that way so I could test before using Group Policy.
---------

dism /online /Enable-Feature /FeatureName:IsolatedUserMode /LogPath:C:\CABS\InstallLogs\IsolatedUserMode.log /NoRestart

REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V EnableVirtualizationBasedSecurity /T REG_DWORD /D 1 /F
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V RequirePlatformSecurityFeatures /T REG_DWORD /D 3 /F
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /V LsaCfgFlags /T REG_DWORD /D 1 /F

---------------

image

I only had to enable the feature IsolatedUserMode because I have HyperV enabled on all of my Windows 10 machines by default in OSD.  If you didn’t do this, you can modify that line to look like:

dism /online /Enable-Feature /FeatureName:IsolatedUserMode /FeatureName:Microsoft-Hyper-V /All /LogPath:C:\CABS\InstallLogs\IsolatedUserMode.log /NoRestart
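As an added example (my code, not from the original post), a verification script for what the task sequence steps and the Application above configure. It reads the same data msinfo32 displays, from the root\Microsoft\Windows\DeviceGuard WMI class, next to the registry values that were written, and it decodes RequirePlatformSecurityFeatures as the bit mask it is (1 = Secure Boot, 2 = DMA protection, 3 = both), which is why a value of 2 never lists Secure Boot in msinfo32 while 3 does. The class, property and value names are Microsoft's; the pass/fail logic and the IsolatedUserMode handling (a separate feature only on 1507/1511; later builds have it built in) are mine.

```powershell
# Added example, not code from the original post. Value/property names are Microsoft's; the checks are mine.

$SecurityServices   = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$SecurityProperties = @{ 1 = 'Base Virtualization Support'; 2 = 'Secure Boot'; 3 = 'DMA Protection';
                         4 = 'Secure Memory Overwrite'; 5 = 'UEFI Code Readonly'; 6 = 'SMM Security Mitigations'; 7 = 'MBEC' }

function ConvertFrom-PlatformSecurityFeatures {
    param([int]$Value)
    # Bit mask in HKLM\System\CurrentControlSet\Control\DeviceGuard\RequirePlatformSecurityFeatures.
    $names = @()
    if ($Value -band 1) { $names += 'Secure Boot' }
    if ($Value -band 2) { $names += 'DMA Protection' }
    return $names
}

function Get-CredentialGuardConfig {
    # What the TS / Application wrote (or Group Policy later rewrote) to the registry.
    $dg  = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    # IsolatedUserMode is a separate feature only on 1507/1511; on later builds the query returns nothing.
    $ium = Get-WindowsOptionalFeature -Online -FeatureName IsolatedUserMode -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsEnabled       = [bool]$dg.EnableVirtualizationBasedSecurity
        RequiredFeatures = ConvertFrom-PlatformSecurityFeatures ([int]$dg.RequirePlatformSecurityFeatures)
        HvciConfigured   = $dg.HypervisorEnforcedCodeIntegrity   # written by Group Policy, not by the TS above
        LsaCfgFlags      = $lsa.LsaCfgFlags                      # 1 = enabled with UEFI lock, 2 = without lock, 0 = off
        IsolatedUserMode = $(if ($ium) { [string]$ium.State } else { 'built-in or not applicable' })
    }
}

function Get-CredentialGuardRuntime {
    # The source msinfo32 reads for its "Virtualization-based security" lines.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus           = @('Not enabled', 'Enabled, not running', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        RequiredProperties  = @($dg.RequiredSecurityProperties  | ForEach-Object { $SecurityProperties[[int]$_] })
        AvailableProperties = @($dg.AvailableSecurityProperties | ForEach-Object { $SecurityProperties[[int]$_] })
        ServicesConfigured  = @($dg.SecurityServicesConfigured  | ForEach-Object { $SecurityServices[[int]$_] })
        ServicesRunning     = @($dg.SecurityServicesRunning     | ForEach-Object { $SecurityServices[[int]$_] })
    }
}

function Test-CredentialGuard {
    $cfg = Get-CredentialGuardConfig
    $rt  = Get-CredentialGuardRuntime
    # A required property the platform can't provide (no IOMMU means no DMA protection) is the
    # usual reason VBS sits at "Enabled, not running" after all the keys are set.
    $unavailable = @($cfg.RequiredFeatures | Where-Object { $rt.AvailableProperties -notcontains $_ })
    [pscustomobject]@{
        CredentialGuardRunning = ($rt.ServicesRunning -contains 'Credential Guard')
        VbsStatus              = $rt.VbsStatus
        RequiredByRegistry     = $cfg.RequiredFeatures
        RequiredButUnavailable = $unavailable
        UefiLock               = ($cfg.LsaCfgFlags -eq 1)
        IsolatedUserMode       = $cfg.IsolatedUserMode
    }
}

$status = Test-CredentialGuard
$status | Format-List
if (-not $status.CredentialGuardRunning) { exit 1 }
exit 0
```

Run it elevated after the post-OSD reboot (or as a ConfigMgr script) instead of eyeballing msinfo32; the RequiredButUnavailable list tells you why a machine that has all the right registry values still reports "Enabled, not running".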

Hope this was useful.  Feel free to leave a comment.