Enforce UEFI during OSD or Nicely Fail with remediation.

UPDATE: 6/14 – A few days after I wrote this, Nickolaj posted a nice way to automate this for Dell systems. Check it out HERE. Great post, I look forward to trying it out.

I wanted to make sure that during Windows 10 OSD, machines were getting set to UEFI and Secure Boot. I did not want to leave this up to the tech who was imaging the PC; while they catch it most of the time, there is still the chance they miss it and I get a Windows 10 machine with a legacy BIOS.

I added a group with a few steps to my TS that will trigger if _SMSTSBootUEFI is not True, if _SMSTSinWinPE is True, and if it's one of my hardware manufacturers.

  1. _SMSTSBootUEFI – This is the main variable, as it says whether the machine is booted to UEFI or not.
  2. _SMSTSinWinPE – This ensures these steps only run in WinPE. If I'm doing an in-place upgrade, I don't want it to check and fail.
  3. WMI query for hardware manufacturer – I have Dell & HP machines, which I want it to check on, but I don't want it to check on virtual machines. At this point in the TS, the isVM variable isn't yet available, so this method works to exclude my VMs.
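As an added example (not the post's package or its vendor scripts), the following PowerShell collapses the three group conditions above into one check script that a Run PowerShell Script step could call. It assumes WinPE has the PowerShell and WMI components, that the Microsoft.SMS.TSEnvironment object is present only inside a running TS, and that the manufacturer patterns stand in for the WMI query in the post's screenshot, which is not reproduced here.

```powershell
# Added example, not the post's package: the same three conditions the TS group uses,
# evaluated in one script. Assumptions: runs inside WinPE with the WMI and PowerShell
# optional components; Microsoft.SMS.TSEnvironment exists only when a TS is running.

function Get-TsVariable {
    param([string]$Name)
    # Read a task-sequence variable; return $null when no TS environment is present.
    try { (New-Object -ComObject Microsoft.SMS.TSEnvironment).Value($Name) } catch { $null }
}

function Get-FirmwareType {
    # Prefer _SMSTSBootUEFI; outside a TS fall back to the PEFirmwareType value
    # WinPE sets under HKLM\SYSTEM\CurrentControlSet\Control (1 = BIOS, 2 = UEFI).
    $uefi = Get-TsVariable '_SMSTSBootUEFI'
    if ($null -ne $uefi) { if ($uefi -eq 'true') { return 'UEFI' } else { return 'BIOS' } }
    $pe = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name PEFirmwareType -ErrorAction SilentlyContinue
    if ($pe -and $pe.PEFirmwareType -eq 2) { 'UEFI' } else { 'BIOS' }
}

function Get-RemediationAction {
    param([string]$FirmwareType, [string]$Manufacturer, [bool]$InWinPE)
    # Mirrors the group conditions: skip outside WinPE, continue when already UEFI,
    # pick the vendor tool by manufacturer, and skip anything else (VMs included,
    # since Hyper-V and VMware report their own vendor strings). Patterns are assumed.
    if (-not $InWinPE)            { return 'Skip: not in WinPE (in-place upgrade)' }
    if ($FirmwareType -eq 'UEFI') { return 'Continue: already booted UEFI' }
    switch -Regex ($Manufacturer) {
        '^Dell'           { return 'Remediate: Dell (CCTK step)' }
        '^(HP|Hewlett)'   { return 'Remediate: HP (BCU step)' }
        default           { return "Skip: unsupported or virtual manufacturer '$Manufacturer'" }
    }
}

# Gather inputs the way the TS conditions do.
$inPE   = (Get-TsVariable '_SMSTSinWinPE') -eq 'true'
$mfg    = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
$fw     = Get-FirmwareType
$action = Get-RemediationAction -FirmwareType $fw -Manufacturer $mfg -InWinPE $inPE

# Log next to smsts.log when a TS is running, otherwise to the temp directory.
$logDir = Get-TsVariable '_SMSTSLogPath'
if (-not $logDir) { $logDir = $env:TEMP }
"$(Get-Date -Format s) Firmware=$fw Manufacturer='$mfg' InWinPE=$inPE -> $action" |
    Add-Content -Path (Join-Path $logDir 'UefiCheck.log')

# Exit 0 only when nothing needs fixing, so the step can fail the TS (or, with
# Continue on Error, hand off to the vendor steps) while the machine is still legacy.
if ($action -like 'Remediate*') { exit 1 } else { exit 0 }
```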


This will NOT completely automate the process of going from Legacy to UEFI. The TS will fail if the BIOS is set to Legacy, but it fails right at the beginning, and then you can start the Windows 10 TS again and it will install properly using UEFI & Secure Boot.

For a FULL solution, look to 1e’s Bios to UEFI

This was a failsafe to make sure our machines were set correctly right away, instead of finding out after the fact that we had imaged a machine to Windows 10 that was still using Legacy mode.

Package Contents:

  1. MessageBox script, get it HERE (Deployment Guys TechNet Blog)
    You'll need to modify the MDTMessageBox.wsf script so it will automatically close the TS progress bar. Info found HERE (Niehaus's blog)
    You'll need to add this snippet into the script near the top:
    Set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
    oTSProgressUI.CloseProgressDialog
    Set oTSProgressUI = Nothing
  2. ZTIUtility.vbs (From MDT scripts folder) – Just copy this file from your MDT Script Deployment Share, and paste it into your package content.
  3. Shutdown.exe, copied from c:\Windows\system32

TS Steps:

  1. Notify UEFI Status (Step 1)
      1. Write your message here using syntax from the blog link, example:
        cscript.exe "MessageBox\MDTMessageBox.wsf" /text:"WARNING – This Machine is not set to UEFI in the BIOS – Please Shutdown, fix the Setting and Start again – The Next Step will Automatically try to FIX it for you if you're deploying to a DELL or HP machine and reboot. Please confirm it's Booting UEFI with Secure Boot Enabled" /type:64 /title:"UEFI
      2. In the Options, check the box for "Continue on Error"
  2. Dell BIOS – SecureBoot – UEFI (Step 2) – Note, this step works on Dell; you'd have to modify it for another vendor. I have it skip this step if it is NOT a Dell PC.

    1. This is just a script I'm using that calls the CCTK (Dell Command Configure) and sets the BIOS to UEFI & Secure Boot. Mike Terrill wrote a great blog post about how to do this, so I will not repeat it.
  3. HP BIOS – SecureBoot – UEFI (Step 3) – This looks basically the same as Step 2, but it is for our HP machines.
    1. You can get the HP BIOS Configuration Software HERE
      The documentation is located HERE
      Brenton wrote up a how-to HERE
  4. Shutdown Machine (Step 3)
    MessageBox\Shutdown.exe -s -t 00

So let's see it in action (Dell E6540) – Tested also on an HP Revolve 810 G2

  1. First picture: Booting while in Legacy mode w/ Secure Boot disabled (Dell)
  2. Starting the Windows 10 TS
  3. Starts that step
  4. The TS shows the message because it's not UEFI (while hiding the installation progress bar)
  5. The computer then runs the BIOS settings step to change to UEFI
  6. The computer then shuts down.
  7. It now shows the correct boot options and you can start your Windows 10 OSD again, ensuring UEFI & Secure Boot.

Other things you could add: email the service desk or an admin if UEFI is not enabled, using a method like THIS.
