How to Configure a Task Sequence to Deploy Secure Windows 10 using PXE

Overview

Assumptions

  • User State: The task sequence defined in this document will fully wipe the hard drive of the system it is deployed to. If you would like to preserve the user state of the target machine, use a state migration point or manually back up the user state to another system first. Do not attempt to use USMT hard-linking, as the user state will be lost.
  • Existing Windows 10 Task Sequence: This document describes the process of modifying an existing Windows 10 task sequence.
  • PXE Services: This guidance assumes that your environment supports PXE booting to run a Configuration Manager task sequence. When the task sequence below is run in Windows, it will attempt to PXE boot after the first reboot. Pressing F12 should not be required to start the PXE boot, because the deployment of the task sequence is set to Required.

Preparation

Vendor Utilities

In order to switch a computer's firmware from BIOS to UEFI and Secure Boot you must download each vendor's BIOS configuration utility. This guide only covers the three major computer manufacturers, Dell, Hewlett-Packard and Lenovo, so download the utilities which are applicable to your environment.

ConfigMgr Vendor Utility Package Source

This guide uses a ConfigMgr package to execute the various configuration changes during a task sequence. A package source folder must be created to contain the various vendor utilities which will be executed via the task sequence.

This document will use the following path and folder names as an example:

D:\PkgsSource\BIOS_UEFI_VendorTools

Create the Dell, HP, and Lenovo sub-folders under the BIOS_UEFI_VendorTools folder. You will be copying the various utilities to these folders later.


See the links below and download the required utilities.

Dell Command | Configure Utility

  1. Download Dell's Command Configure Utility: http://downloads.dell.com/FOLDER03164404M/1/Systems-Management_Application_54W6D_WN32_3.1.0.250_A00.EXE
  2. Extract the contents of the .EXE.
  3. In the folder where the content was extracted, execute the Command_Configure.msi.
  4. During the Command | Configure installation, take note of where you installed the utility.
    1. Once the installation is complete, navigate to the folder in which the utility was installed and copy the X86 and X86_64 folders to the Dell folder created in the previous section.
  5. Rename the X86_64 folder to AMD64. This will allow you to use an environment variable when executing the cctk.exe commands.

HP BIOS Configuration Utility

  1. Download the newest version of HP's BIOS Configuration Utility: http://ftp.hp.com/pub/caps/softpaq/cmit/HP_BCU.html
  2. To extract the contents of the utility to a specific folder, use the following example command line:
    sp74840.exe -f c:\temp\HPBIOSConfig -e 
  3. In the folder where the content was extracted, run Setup.exe. In the installation wizard, take note of the location where the program is installed.
    1. In the package source folder, open the HP folder and create two sub-folders named X86 and AMD64.
  4. Navigate to the folder in which you installed the HP BIOS Configuration Utility program and copy the file BiosConfigUtility.exe to the X86 folder.
    1. Copy the file BiosConfigUtility64.exe to the AMD64 folder and rename it BiosConfigUtility.exe.
  5. In the HP folder, create a text file named: EnableUEFI-SecBoot.txt. Open the text file and add the following contents then save the file:
    BIOSConfig 1.0
    Network (PXE) Boot
         Disable
         *Enable
    Legacy Boot Options
         *Disable
         Enable
    UEFI Boot Options
         Disable
         *Enable
    UEFI Boot Order
         NETWORK:EMBEDDED:1
         HDD:USB:1
         HDD:SATA:1
    Virtualization Technology (VTx)
         Disable
         *Enable
    Configure Legacy Support and Secure Boot
         Legacy Support Enable and Secure Boot Disable
         *Legacy Support Disable and Secure Boot Enable
         Legacy Support Disable and Secure Boot Disable
    Configure Option ROM Launch Policy
         All Legacy
         *All UEFI
         All UEFI Except Video
    Save Custom Defaults
         Do not Save
         *Save
  6. In the HP folder, create a text file named RevertBootOrder.txt. Open the text file, add the following contents, then save the file:
    BIOSConfig 1.0
    UEFI Boot Order
         HDD:USB:1
         HDD:SATA:1
         NETWORK:EMBEDDED:1

  7. The resulting folder structure should look like this:
    HP
      AMD64\BiosConfigUtility.exe
      X86\BiosConfigUtility.exe
      EnableUEFI-SecBoot.txt
      RevertBootOrder.txt

Lenovo BIOS Setup Script

  1. Download the Lenovo BIOS Setup script.zip file from: https://support.lenovo.com/us/en/documents/ht100612
  2. Extract the contents from scripts.zip to a temporary folder.
    1. Copy the SetConfig.vbs file to the Lenovo folder.

Creating the Vendor Utilities Package

  1. In the ConfigMgr console, create a new package named BIOS UEFI Vendor Tools.
  2. Check the box: This package contains source files, then click Browse to specify the location of the BIOS_UEFI_VendorTools folder. Click Next.
  3. At the "Program Type" screen, select Do not create a program and then click Next.
  4. Complete the wizard to create the package, then distribute the package to your distribution points.

Task Sequence Customization

This section describes the process of customizing a task sequence with the tasks required to enable UEFI and Secure Boot during a Windows 7 to Windows 10 upgrade. The example task sequence used in this section is a standard task sequence in ConfigMgr.

Vendor Utility Commands Prior to First Reboot

The task sequence deployment is designed to run while a machine is still running in Windows. After any user state capture, and prior to the first reboot, the various vendor utilities are called to switch the computer from legacy BIOS to UEFI and Secure Boot.

  1. In the task sequence, prior to the Restart in Windows PE step, add the following:

    New Group: Vendor Tools

    Condition - Task Sequence Variable: _SMSTSInWinPE = false

  2. Under the Vendor Tools group, create a group for each vendor:

    New Group: Dell

    Condition - WMI Query: Select * from Win32_ComputerSystem where Manufacturer like '%DELL%'

  1. Under the Dell group, add the following tasks:

Task Type: Run Command Line

Name: Copy Dell BIOS Config Tools

Command line: %comspec% /c xcopy .\DELL\*.* %systemdrive%\BIOStoUEFI\DELL /s /y /i

Package: BIOS UEFI Vendor Tools

Task Type: Run Command Line

Name: Install Dell HAPI Drivers

Command line: %comspec% /c %systemdrive%\BIOStoUEFI\DELL\%processor_architecture%\HAPI\HAPIInstall.bat

Task type: Run Command Line

Name: Enable UEFI

Command line: %comspec% /c %systemdrive%\BIOStoUEFI\DELL\%processor_architecture%\cctk.exe bootorder --activebootlist=uefi

Task Type: Run Command Line

Name: Disable Legacy ROM

Command line: %comspec% /c %systemdrive%\BIOStoUEFI\DELL\%processor_architecture%\cctk.exe --legacyorom=disable

Task Type: Run Command Line

Name: Enable Secure Boot

Command line: %comspec% /c %systemdrive%\BIOStoUEFI\DELL\%processor_architecture%\cctk.exe --secureboot=enable

Task Type: Run Command Line

Name: Enable UEFI PXE

Command line: %comspec% /c %systemdrive%\BIOStoUEFI\DELL\%processor_architecture%\cctk.exe --uefinwstack=enable

Task Type: Run Command Line

Name: Force PXE Next Reboot

Command line: %comspec% /c %systemdrive%\BIOStoUEFI\DELL\%processor_architecture%\cctk.exe --forcepxeonnextboot=enable

Task Type: Run Command Line

Name: Enable Virtualization

Command line: %comspec% /c %systemdrive%\BIOStoUEFI\DELL\%processor_architecture%\cctk.exe --virtualization=enable

  1. Under the Vendor Tools group, create a group for HP.

    New Group: HP

    Condition: If Any of the conditions are true:

    WMI Query: Select * from Win32_ComputerSystem where Manufacturer like '%hp%'

    WMI Query: Select * from Win32_ComputerSystem where Manufacturer like '%hewlett-packard%'

  2. Under the HP group, add the following tasks:

Task Type: Run Command Line

Name: Copy HP BIOS Config Tools

Command line: %comspec% /c xcopy .\HP\*.* %systemdrive%\BIOStoUEFI\HP /s /y /i

Package: BIOS UEFI Vendor Tools

Task Type: Run Command Line

Name: Enable UEFI and SecureBoot

Command line: %systemdrive%\BIOStoUEFI\HP\%processor_architecture%\BiosConfigUtility.exe /set:%systemdrive%\BIOStoUEFI\HP\EnableUEFI-SecBoot.txt /l /verbose

  1. Under the Vendor Tools group, create a group for Lenovo.

    New Group: Lenovo

    Condition - WMI Query: Select * from Win32_ComputerSystem where Manufacturer like '%Lenovo%'

  1. Under the Lenovo group, add the following tasks:

Task Type: Run Command Line

Name: Copy Lenovo BIOS Config Tools

Command Line: %comspec% /c xcopy .\Lenovo\*.* %systemdrive%\BIOStoUEFI\Lenovo /s /y /i

Package: BIOS UEFI Vendor Tools

Task Type: Run Command Line

Name: Enable Virtualization

Command Line: cscript.exe %systemdrive%\BIOStoUEFI\Lenovo\SetConfig.vbs VirtualizationTechnology Enable

Task Type: Run Command Line

Name: Disable PXE F12

Command Line: cscript.exe %systemdrive%\BIOStoUEFI\Lenovo\SetConfig.vbs BootDeviceListF12Option Disable

Task Type: Run Command Line

Name: Change Boot Order

Command Line: cscript.exe %systemdrive%\BIOStoUEFI\Lenovo\SetConfig.vbs BootOrder PCILAN:USBFDD:USBHDD:HDD0:NVMe0

Task Type: Run Command Line

Name: Set Network Boot

Command Line: cscript.exe %systemdrive%\BIOStoUEFI\Lenovo\SetConfig.vbs NetworkBoot PCILAN

Task Type: Run Command Line

Name: Enable Secure Boot

Command line: cscript.exe %systemdrive%\BIOStoUEFI\Lenovo\SetConfig.vbs SecureBoot Enable

Vendor Utilities Prior to Setup Windows and ConfigMgr

  1. Prior to the Setup Windows and Configuration Manager task, create a new group for the vendor tools that revert the boot order so the machine no longer PXE boots first.

    New Group: Vendor Tools

  2. Under the Vendor Tools group, create a new group for HP:

    New Group: HP

    Condition: If any of the conditions are true:

    WMI Query: Select * from Win32_ComputerSystem where Manufacturer like '%hp%'

    WMI Query: Select * from Win32_ComputerSystem where Manufacturer like '%hewlett-packard%'

  3. Under the HP group, add the following tasks:

Task Type: Run Command Line

Name: Copy HP BIOS Config Tools

Command line: %comspec% /c xcopy .\HP\*.* %systemdrive%\BIOStoUEFI\HP /s /y /i

Package: BIOS UEFI Vendor Tools

Task Type: Run Command Line

Name: Revert Boot Order

Command line: %systemdrive%\BIOStoUEFI\HP\%processor_architecture%\BiosConfigUtility.exe /set:%systemdrive%\BIOStoUEFI\HP\RevertBootOrder.txt

  1. Under the Vendor Tools group, create a new group for Lenovo.

    New Group: Lenovo

    Condition - WMI Query: Select * from Win32_ComputerSystem where Manufacturer like '%Lenovo%'

  1. Under the Lenovo group, add the following tasks:

Task Type: Run Command Line

Name: Copy Lenovo BIOS Config Tools

Command line: %comspec% /c xcopy .\Lenovo\*.* %systemdrive%\BIOStoUEFI\Lenovo /s /y /i

Package: BIOS UEFI Vendor Tools

Task Type: Run Command Line

Name: Revert Boot Order

Command line: cscript.exe %systemdrive%\BIOStoUEFI\Lenovo\SetConfig.vbs BootOrder USBFDD:USBHDD:HDD0:PCILAN:NVMe0
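The two Vendor Tools groups above (the one that enables UEFI and Secure Boot before the first reboot, and the one that reverts the boot order before Setup Windows and Configuration Manager) branch on the same manufacturer query and call the same three tools. The script below is an added example, not part of this guide or of any vendor's tooling: it performs the same branching in one place so the calls can be dry-run on a test machine and every vendor tool's exit code is checked before the task sequence reboots. The file name Set-FirmwareToUefi.ps1 and the -Phase/-DryRun parameters are this example's own; it assumes the Copy ... BIOS Config Tools steps have already placed the utilities under %systemdrive%\BIOStoUEFI\<Vendor> as described above.

```powershell
# Set-FirmwareToUefi.ps1 (hypothetical name; added example, not from the original guide)
[CmdletBinding()]
param(
    # 'Enable' = the group that runs in Windows before the first reboot;
    # 'Revert' = the group that runs in WinPE before "Setup Windows and Configuration Manager".
    [ValidateSet('Enable', 'Revert')]
    [string]$Phase = 'Enable',

    # Print the commands that would run without executing them.
    [switch]$DryRun
)

$toolRoot = Join-Path $env:SystemDrive 'BIOStoUEFI'
# 'x86' or 'AMD64': the guide renames the vendors' 64-bit folders to AMD64 so this value can
# select the matching binary, exactly as %processor_architecture% does in the task sequence.
$arch = $env:PROCESSOR_ARCHITECTURE

# Same test as the group conditions: Win32_ComputerSystem.Manufacturer, case-insensitive match.
$manufacturer = (Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop).Manufacturer
$vendor = switch -Regex ($manufacturer) {
    'Dell'               { 'Dell';   break }
    'HP|Hewlett-Packard' { 'HP';     break }
    'Lenovo'             { 'Lenovo'; break }
    default              { $null }
}
if (-not $vendor) { throw "Unsupported manufacturer '$manufacturer'; no firmware setting will be changed." }

$cctk = Join-Path $toolRoot "DELL\$arch\cctk.exe"
$bcu  = Join-Path $toolRoot "HP\$arch\BiosConfigUtility.exe"
$vbs  = Join-Path $toolRoot 'Lenovo\SetConfig.vbs'

function New-Step([string]$Exe, [string[]]$Arguments) {
    [pscustomobject]@{ Exe = $Exe; Arguments = $Arguments }
}

# The vendor commands in the order the guide runs them, keyed by "<vendor>-<phase>".
$plan = @{
    'Dell-Enable' = @(
        (New-Step $cctk @('bootorder', '--activebootlist=uefi')),
        (New-Step $cctk @('--legacyorom=disable')),
        (New-Step $cctk @('--secureboot=enable')),
        (New-Step $cctk @('--uefinwstack=enable')),
        (New-Step $cctk @('--forcepxeonnextboot=enable')),
        (New-Step $cctk @('--virtualization=enable'))
    )
    'Dell-Revert'   = @()   # the guide defines no Dell step in the revert group
    'HP-Enable'     = @( (New-Step $bcu @("/set:$toolRoot\HP\EnableUEFI-SecBoot.txt", '/l', '/verbose')) )
    'HP-Revert'     = @( (New-Step $bcu @("/set:$toolRoot\HP\RevertBootOrder.txt")) )
    'Lenovo-Enable' = @(
        (New-Step 'cscript.exe' @('//Nologo', $vbs, 'VirtualizationTechnology', 'Enable')),
        (New-Step 'cscript.exe' @('//Nologo', $vbs, 'BootDeviceListF12Option', 'Disable')),
        (New-Step 'cscript.exe' @('//Nologo', $vbs, 'BootOrder', 'PCILAN:USBFDD:USBHDD:HDD0:NVMe0')),
        (New-Step 'cscript.exe' @('//Nologo', $vbs, 'NetworkBoot', 'PCILAN')),
        (New-Step 'cscript.exe' @('//Nologo', $vbs, 'SecureBoot', 'Enable'))
    )
    'Lenovo-Revert' = @( (New-Step 'cscript.exe' @('//Nologo', $vbs, 'BootOrder', 'USBFDD:USBHDD:HDD0:PCILAN:NVMe0')) )
}

$key = '{0}-{1}' -f $vendor, $Phase
foreach ($step in $plan[$key]) {
    Write-Host ('[{0}/{1}] {2} {3}' -f $vendor, $Phase, $step.Exe, ($step.Arguments -join ' '))
    if ($DryRun) { continue }
    if ($step.Exe -ne 'cscript.exe' -and -not (Test-Path -LiteralPath $step.Exe)) {
        throw "Vendor tool not found: $($step.Exe)"
    }
    & $step.Exe $step.Arguments
    # Treat any non-zero exit code as failure so the step fails here, before a reboot that
    # would otherwise either fail to PXE boot or boot the machine in the wrong firmware mode.
    if ($LASTEXITCODE -ne 0) { throw "$($step.Exe) failed with exit code $LASTEXITCODE" }
}
```

To use it in place of the individual Run Command Line steps, add the script to the BIOS UEFI Vendor Tools package and call it from one step per group, for example powershell.exe -ExecutionPolicy Bypass -File .\Set-FirmwareToUefi.ps1 -Phase Enable (and -Phase Revert in the second group); a thrown error returns a non-zero exit code, which fails the step. The Revert phase runs in WinPE, so the boot image needs the PowerShell and WMI optional components for Get-CimInstance to work there.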

Deploying the Task Sequence

  1. Prior to executing the deployment, identify or create a test collection which includes a Windows 7 client that you want to wipe, switch from BIOS to UEFI, and restore a Windows 10 image to.
  2. If applicable, in the ConfigMgr console, right-click the collection and select Clear Required PXE Deployments.

  3. In the Configuration Manager console, right-click the task sequence and in the context menu, select Deploy.
  4. At the "General" screen, browse for the test collection you want to deploy the task sequence to and then click Next.
  5. At the "Deployment Settings" screen, set the task sequence "Purpose" to Required and use the dropdown next to "Make available to the following" to select: Configuration Manager clients, media and PXE, and then click Next.
  6. Continue through the "Deploy Software Wizard" as you would normally.
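Once the test deployment has run, the machine should be booting in UEFI mode with Secure Boot on, but a vendor tool that silently failed leaves a client that looks imaged yet is still on legacy BIOS. The following check is an added example, not from this guide: it reads the firmware mode and Secure Boot state that Windows itself reports and returns a non-zero exit code when the machine is not in the expected state, so it can be used as a final Run Command Line step in the task sequence or as a Configuration Item script. The function name Test-UefiSecureBootState is this example's own; the cmdlets, registry value and WMI properties it reads are built into Windows 8 and later.

```powershell
# Test-UefiSecureBootState.ps1 (hypothetical name; added example, not from the original guide)
function Test-UefiSecureBootState {
    [CmdletBinding()]
    param()

    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
    $cpu = Get-CimInstance -ClassName Win32_Processor -ErrorAction Stop | Select-Object -First 1

    # Windows 8 and later set this to 'UEFI' or 'Legacy' according to how the OS was booted.
    $firmwareType = $env:firmware_type

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws on legacy BIOS;
    # a throw therefore counts as "Secure Boot not active".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # Cross-check against the state the kernel recorded at boot.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $regState = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $regSecureBoot = ($null -ne $regState) -and ($regState.UEFISecureBootEnabled -eq 1)

    [pscustomobject]@{
        ComputerName   = $cs.Name
        Manufacturer   = $cs.Manufacturer
        Model          = $cs.Model
        FirmwareType   = $firmwareType
        SecureBoot     = $secureBoot
        SecureBootReg  = $regSecureBoot
        # Win32_Processor reports whether VT-x/AMD-V is enabled in firmware (the guide's
        # "Enable Virtualization" steps); informational, not part of the compliance result.
        Virtualization = [bool]$cpu.VirtualizationFirmwareEnabled
        Compliant      = ($firmwareType -eq 'UEFI') -and $secureBoot -and $regSecureBoot
    }
}

$state = Test-UefiSecureBootState
$state | Format-List

# A non-zero exit code makes the task sequence step (or the Configuration Item) report failure,
# so a machine that fell back to legacy boot is flagged instead of being accepted as deployed.
if (-not $state.Compliant) { exit 1 }
exit 0
```

Run it as powershell.exe -ExecutionPolicy Bypass -File .\Test-UefiSecureBootState.ps1 in a step placed after Setup Windows and Configuration Manager, so it executes in the full OS where the SecureBoot module is available; in WinPE the Confirm-SecureBootUEFI cmdlet is not present and the check would report non-compliant.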