ThinkPad/ThinkCentre BIOS to UEFI Conversion using Configuration Manager 1610

Update: Verified to work on ThinkCentres

A new Task Sequence Variable, TSUEFIDrive, was introduced in Configuration Manager Current Branch version 1610.  This variable will prepare the hard drive for transition to UEFI from legacy BIOS, in one task sequence.  This is extremely helpful if you're migrating systems from Windows 7 to Windows 10 in a refresh scenario.

A detailed walk-through by the Microsoft team on how to configure your Task Sequence for use with this variable can be found here.  We want to focus on step 5 from this guide:

- "Add a step to start the OEM tool that will convert the firmware from BIOS to UEFI. This will typically be a Run Command Line task sequence step with a command line to start the OEM tool."

This blog post will demonstrate how to accomplish this scenario using the Think BIOS Config Tool.

On your test ThinkPad or ThinkCentre, use the Think BIOS Config tool to configure the BIOS settings you want applied to the rest of your ThinkPads/ThinkCentres and export to an .ini.

Here is a sample .ini that I exported from a ThinkPad T460:

    WakeOnLAN,ACOnly
    EthernetLANOptionROM,Enable
    IPv4NetworkStack,Enable
    IPv6NetworkStack,Enable
    UefiPxeBootPriority,IPv4First
    WiGigWake,Disable
    USBBIOSSupport,Enable
    AlwaysOnUSB,Enable
    TrackPoint,Automatic
    TouchPad,Automatic
    FnCtrlKeySwap,Disable
    FnSticky,Disable
    FnKeyAsPrimary,Disable
    BootDisplayDevice,LCD
    SharedDisplayPriority,DockDisplay
    TotalGraphicsMemory,256MB
    BootTimeExtension,Disable
    SpeedStep,Enable
    AdaptiveThermalManagementAC,MaximizePerformance
    AdaptiveThermalManagementBattery,Balanced
    CPUPowerManagement,Automatic
    OnByAcAttach,Disable
    PasswordBeep,Disable
    KeyboardBeep,Enable
    AMTControl,Disable
    LockBIOSSetting,Disable
    MinimumPasswordLength,Disable
    BIOSPasswordAtUnattendedBoot,Enable
    BIOSPasswordAtReboot,Disable
    BIOSPasswordAtBootDeviceList,Disable
    PasswordCountExceededError,Enable
    FingerprintPredesktopAuthentication,Enable
    FingerprintReaderPriority,External
    FingerprintSecurityMode,Normal
    FingerprintPasswordAuthentication,Enable
    SecurityChip,Active
    TXTFeature,Disable
    PhysicalPresenceForTpmProvision,Disable
    PhysicalPresenceForTpmClear,Enable
    BIOSUpdateByEndUsers,Enable
    SecureRollBackPrevention,Disable
    DataExecutionPrevention,Enable
    VirtualizationTechnology,Enable
    VTdFeature,Enable

    EthernetLANAccess,Enable
    WirelessLANAccess,Enable
    WirelessWANAccess,Enable
    BluetoothAccess,Enable
    USBPortAccess,Enable
    MemoryCardSlotAccess,Enable
    IntegratedCameraAccess,Enable
    MicrophoneAccess,Enable
    FingerprintReaderAccess,Enable
    NfcAccess,Enable
    WiGig,Enable
    BottomCoverTamperDetected,Disable
    InternalStorageTamper,Disable
    ComputraceModuleActivation,Enable
    SecureBoot,Enable
    SGXControl,SoftwareControl
    BootMode,Quick
    StartupOptionKeys,Enable
    BootDeviceListF12Option,Enable
    BootOrder,USBCD:USBFDD:NVMe0:HDD0:USBHDD:PCILAN
    NetworkBoot,PCILAN
    BootOrderLock,Disable

The three settings that change here are VirtualizationTechnology, VTdFeature and SecureBoot. I chose the Virtualization settings for this example because all ThinkPads ship with these disabled. If you want to leverage Device Guard at some point, which requires virtualization to be enabled as a prerequisite, you can achieve this in the same step. You can also reduce the .ini file down to just the lines containing the settings you care about.

If you have a mix of both ThinkPads and ThinkCentres, you can combine the settings to be changed in a single .ini. Here's an example of an .ini that contains settings that will be applied to both platforms:

    VirtualizationTechnology,Enable
    Intel(R) Virtualization Technology,Enabled
    VTdFeature,Enable
    VT-d,Enabled
    SecureBoot,Enable
    Secure Boot,Enabled

(Notice there are two of each setting being applied. This is because these values are worded differently between ThinkPad and ThinkCentre.)

Create a new Package in your ConfigMgr console that contains the HTA and the .ini, and distribute it to your distribution points. Now, back to step 5 above, add a Run Command Line step that calls the HTA and applies the .ini, as shown below:

(Note: HTA support will need to be added to the boot image.)

    cmd.exe /c ThinkBiosConfig.hta "file=ThinkPadConfig.ini"

That's it! You'll notice the system restarts twice for the changes to take effect, but the task sequence will resume and boot into WinPE to finish out the deployment, since the boot image was staged to the hard drive prior to the restart.
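Because the HTA only reports back through its own dialog, it is worth adding a verification step near the end of the task sequence (once the full OS is running, where the SecureBoot module and WMI are available) that fails the deployment if the conversion did not actually happen. The script below is an added example, not code from the post or from Lenovo's tool. It assumes the .ini uses the "Name,Value" lines shown above, that the file name and location (`ThinkPadConfig.ini` next to the script) match your package, and that the system exposes Lenovo's `Lenovo_BiosSetting` WMI class under `root\wmi`, whose `CurrentSetting` property uses the same "Name,Value" wording as the exported .ini. Setting names the platform does not expose (for example the ThinkCentre spellings in a combined .ini when run on a ThinkPad) are skipped rather than treated as failures, matching the tool's own behaviour of ignoring unknown values.

```powershell
# Added example (not from the original post or from Lenovo's tool): verify that a
# ThinkPad/ThinkCentre really booted in UEFI mode with Secure Boot on, and that every
# setting listed in the .ini is what the BIOS now reports. Exit 1 fails the TS step.
param(
    [string]$IniPath = (Join-Path $PSScriptRoot 'ThinkPadConfig.ini')   # assumed location
)

$failures = @()

# 1. Firmware type: Windows sets $env:firmware_type to "UEFI" or "Legacy".
if ($env:firmware_type -ne 'UEFI') {
    $failures += "Firmware type is '$($env:firmware_type)', expected UEFI"
}

# 2. Secure Boot state. Confirm-SecureBootUEFI throws on a legacy-booted system,
#    so the error is recorded instead of aborting the script.
try {
    if (-not (Confirm-SecureBootUEFI)) { $failures += 'Secure Boot is not enabled' }
} catch {
    $failures += "Secure Boot state could not be read: $($_.Exception.Message)"
}

# 3. Expected values: parse the .ini used by the conversion step ("Name,Value" per line).
$expected = @{}
Get-Content -Path $IniPath | ForEach-Object {
    $line = $_.Trim()
    if (-not $line -or $line.StartsWith('#') -or $line -notmatch ',') { return }
    $name, $value = $line -split ',', 2
    $expected[$name.Trim()] = $value.Trim()
}

# 4. Live values from the Lenovo BIOS WMI interface. CurrentSetting is "Name,Value";
#    some BIOS versions append ";[Optional:...]" listing the allowed values, which is stripped.
$live = @{}
Get-CimInstance -Namespace 'root\wmi' -ClassName 'Lenovo_BiosSetting' |
    Where-Object { $_.CurrentSetting -and $_.CurrentSetting -match ',' } |
    ForEach-Object {
        $setting = ($_.CurrentSetting -split ';')[0]
        $name, $value = $setting -split ',', 2
        $live[$name.Trim()] = $value.Trim()
    }

# 5. Compare. Unknown names are skipped (a combined ThinkPad/ThinkCentre .ini will
#    always contain names the current platform does not use); mismatches are failures.
foreach ($name in $expected.Keys) {
    if (-not $live.ContainsKey($name)) {
        Write-Warning "Setting '$name' is not reported by this platform; skipping"
    } elseif ($live[$name] -ne $expected[$name]) {
        $failures += "$name is '$($live[$name])', expected '$($expected[$name])'"
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Error $_ }   # visible in the step output / smsts.log
    exit 1
}
Write-Output 'BIOS-to-UEFI verification passed'
exit 0
```

Run it as a "Run PowerShell Script" step with the package that holds the .ini, after the Setup Windows and ConfigMgr step; a non-zero exit code surfaces the mismatch in the task sequence status rather than leaving a half-converted machine in production.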

Comments

  1. Thanks, Phil! Good start. Any plans on posting a .ini that will work with both ThinkPads and ThinkCenter devices and only includes the things necessary for Win 10 security features (TPM, SecureBoot, CredentialGuard, etc)? Something more universal?

  2. Thanks for your comment! The BIOS settings should apply across most ThinkPads so if you have a mix of them, a single .ini you export from an X1 Yoga, for example, would apply to a T460. Unfortunately, a different .ini will need to be used for ThinkCentre. Also, if you only need to change a couple of settings, you can remove everything else from the .ini. So from my example above, the 3 in bold can be listed, everything else can be taken out. Hope this helps!

    Replies
    1. Correction, you SHOULD be able to combine the settings from ThinkPad and ThinkCentre into a single .ini file but you'll need to verify the values are correct, otherwise they will be ignored.

  3. Very nice, would this work in MDT as well (such as the computer reboots) or require any massaging to make work?

    Replies
    1. Hi Daniel. The TSUEFIDrive variable is the key piece in this scenario and I'm not certain it exists in MDT (yet).

  4. This comment has been removed by the author.

    Replies
    1. Hi, did you add the WinPE-HTA component to your boot image?

  5. Mine keeps failing on the "format and partition disk" task, throwing the error 0x00000005 (access denied). I have it configured exactly as the Microsoft link instructs; however, the NTFS partition isn't detailed, so maybe I'm doing that part wrong?
    Here are some log files:
    Disk 0 contains protected path "D:\_SMSTaskSequence\UserState" OSDDiskPart
    FALSE, HRESULT=00000005 (e:\nts_sccm_release\sms\client\osdeployment\osddiskpart\main.cpp,1238) OSDDiskPart
    Attempt to partition disk containing a protected path. Disk index = 0 OSDDiskPart
    OSDDiskPart.exe failed: 0x00000005 OSDDiskPart
    Failed to run the action: Format and Partition Disk.
    Access is denied. (Error: 00000005; Source: Windows) TSManager

    Replies
    1. Are you doing a refresh? If so, and you're capturing user files to the same drive, the format step would throw that error. Try disabling the format step and see if the task sequence goes through. Have you tried creating a new task sequence (not capturing data using USMT) to verify the deployment was successful?

    2. Yes it works fine using the BIOS to UEFI on a new task sequence image but not a Refresh. The refresh also works fine until I stick in the BIOS to UEFI steps.
      Don't I need the "format and partition" step in order for the tool to work? Doesn't it have to use that TSUEFIDrive variable?

    3. I'll see if I can repro your issue and will post an update!

    4. OK, so this won't work if you're hard-linking the user data locally. If you're doing an in-place refresh, you'll need to capture user data to a state migration point. I just verified this on a T440 and it worked flawlessly. Hope this helps!

    5. That does help, thank you! Now I have to set up a state migration point. This is my first time working on a Refresh scenario, so I apologize for the questions.

  6. Is there a way to run this if there is a supervisor password set?

    Replies
    1. Yes, the documentation included in the .zip details how the tool can be used if there is a supervisor password already set on the system.

  7. I can't thank you enough for making this post. Well written, concise, and it works! This only thing that took me a little while to put together was that HTML / HTA needs to be enabled in the PE environment (not enabled by default in SCCM) before ThinkBiosConfig.hta works (never used anything like that before).

    Anyhow, you just made my month! Thank you so much!

    Replies
    1. Thanks for the feedback! Much appreciated!

  8. Good writeup, Phil. I am having issues with the reboot back into WinPE step. My test system (T450s, 1.28 BIOS) seems to perform all of the steps correctly, except when it needs to boot back into WinPE. If I revert the BIOS back to legacy and reboot the system, the task sequence continues, which isn't the expected outcome obviously. Have you seen this before in your testing?

    Replies
    1. This comment has been removed by the author.

    2. Hi Mario. What happens when the system attempts to boot back into PE? I will flash that BIOS version on one of our T450s and see if I can repro your issue. I'll report back when I have an update for you.

  9. Hi Phil. Seems that my restart step in another group is causing the failure. I am following the steps to set up TPM for BitLocker pre-provisioning (from your other blog post). As soon as I remove that group, it works flawlessly. Will report back as I think I know what could be the cause. I'll also comment on the TPM post as I have a few questions there. TIA.

    Replies
    1. Hi Mario. Did you get this sorted out? Just to confirm, you're essentially trying to accomplish the pre-provisioning AND UEFI conversion in the same task sequence right?

    2. Hi Phil - that is correct. Trying to pre-provision and UEFI conversion in the same task sequence. I will have some time tomorrow to test again.

    3. Working as expected: both taking ownership of TPM/pre-provisioning BitLocker AND UEFI conversion. Thanks for taking the time to respond, Phil.

    4. Thanks for the update Mario! Glad it's working for you.

  10. Before you start the task sequence, is the ThinkPad in setup mode or user mode for Secure Boot?

    Replies
    1. Hi, the system is in user mode. FYI, all ThinkPads are shipped in user mode.

  11. OK, works fine.
    But what to do if the TS runs again and the HTA dialog brings up a window,
    "no changes", and this window has to be clicked with OK?
    How can I suppress this?

    Thanks

    Replies
    1. The Think BIOS Config Tool has been updated (v1.04) so that this dialog will no longer appear if it is executed by command line. Sorry for the inconvenience.

  12. We have several models of ThinkPads in our environment. Is there a way to specify the file in the task sequence based on a variable or would manual input of the .ini file be a better option?

    Replies
    1. Hi, could you explain what you mean by manual input?

    2. If the UI is popping up, a technician would be able to manually import the .INI file during the task sequence window by placing individual config files within the WinPE image.

      I believe I answered my own question by utilizing WMI and multiple BIOS Tool calls with condition checks to verify the manufacturer and model #. Messy, but it will accomplish the task. I may modify it in the future when I have more time, to set a TSVariable of the model that can be reused to reduce the number of WMI calls.

      Create Group Lenovo Conversion Tool
      - Add Condition - WMI Query
      - Select Manufacturer FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Lenovo%"

      Create Command Line Step E470 - OEM Conversion Tool
      - cmd.exe /c WinPE\ThinkBiosConfig.hta "file=E470Config.ini"
      - Add Condition - WMI Query
      - Select Model from Win32_ComputerSystem WHERE Model LIKE "%20H1004TUS%"
      Create Command Line Step X1 - OEM Conversion Tool
      - cmd.exe /c WinPE\ThinkBiosConfig.hta "file=X1Config.ini"
      - Add Condition - WMI Query
      - Select Model from Win32_ComputerSystem WHERE Model LIKE "%34606V9%"

    3. trinityr

      I mentioned in the blog that if you have a mix of Think products, you can simply combine all BIOS settings into one .INI. However, if you want to stay organized and maintain an .INI for each unique system, what you described may work best in your environment. Thanks for contributing!

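The per-model approach in the exchange above can be collapsed to one WMI query and one Run Command Line step by having a short script choose the .ini and publish the choice as a task sequence variable. The script below is an added example, not code from the post or from any commenter. It assumes the variable name `OEMBiosIni`, the file names, and the model-to-file map are illustrative (the two model strings are the ones quoted in the comment), that the script runs from the same package directory as the .ini files, and that it executes inside a ConfigMgr task sequence, where the `Microsoft.SMS.TSEnvironment` COM object is available. Models not in the map fall back to a combined ThinkPad/ThinkCentre .ini, which is what the post recommends for a mixed fleet.

```powershell
# Added example (not from the original post or its commenters): pick the Think BIOS
# Config .ini for this model with a single WMI query and store it in a TS variable, so
# one step can run:  cmd.exe /c ThinkBiosConfig.hta "file=%OEMBiosIni%"

# Illustrative map; the two model strings come from the comment above.
$ModelToIni = @{
    '20H1004TUS' = 'E470Config.ini'
    '34606V9'    = 'X1Config.ini'
}
$FallbackIni = 'ThinkCombinedConfig.ini'   # combined ThinkPad/ThinkCentre .ini (assumed name)

function Select-BiosIni {
    param(
        [string]$Model,                 # Win32_ComputerSystem.Model, e.g. "20H1004TUS"
        [hashtable]$Map = $ModelToIni,
        [string]$Fallback = $FallbackIni
    )
    # Win32_ComputerSystem.Model can carry extra text, so match on "contains",
    # mirroring the LIKE "%...%" conditions used in the comment.
    foreach ($key in $Map.Keys) {
        if ($Model -like "*$key*") { return $Map[$key] }
    }
    return $Fallback
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.Manufacturer -notlike '*Lenovo*') {
    Write-Output "Not a Lenovo system ($($cs.Manufacturer)); skipping BIOS configuration"
    exit 0
}

$ini = Select-BiosIni -Model $cs.Model
if (-not (Test-Path -Path (Join-Path $PSScriptRoot $ini))) {
    # Fail the step rather than let the HTA run against a file that is not in the package.
    Write-Error "Selected file '$ini' was not found in the package directory"
    exit 1
}

# Microsoft.SMS.TSEnvironment is the COM object ConfigMgr exposes inside a running TS;
# values written here are visible to later steps as %OEMBiosIni%.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsenv.Value('OEMBiosIni') = $ini
Write-Output "Model '$($cs.Model)' -> $ini"
exit 0
```

Put the script in the same package as the HTA and the .ini files, run it as a "Run PowerShell Script" step just before the OEM conversion step, and give the conversion step the command line shown in the header comment; the group condition on Manufacturer from the comment is then no longer needed, since the script exits cleanly on non-Lenovo hardware.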
  13. Hello,

    Let me ask you how you are making the following work... Or actually, let me explain where I am stuck.

    1- I PXE boot into WinPE and launch my TS
    2- I apply the Bios Settings with ThinkBiosConfig.hta (works perfectly)
    3- I partition the disk Standard (MBR): 250MB NTFS, 100% of the remaining NTFS

    Now when the TS reboots into WinPE it's pre-staging the boot image, but it is not able to read it once the system gets back into UEFI.

    If I try to partition GPT instead of MBR before it reboots then WinPE is not able to pre-stage the boot image and it fails.

    How can I make the TS reboot into WinPE and resume OSD?

    Thank you,

    Replies
    1. Hi, what system are you testing with and what version of BIOS?

    2. I ran into a similar issue when I wasn't partitioning enough space of the WinPE boot image. Adding HTA support and other options caused my boot image to grow to around 533MB. I bumped the Format and Partition Disk step from 250MB to 1024MB and the issue was resolved.

