CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts tagged UEFI

I should have written this post a while ago but haven’t had time yet. When using the new BIOS-UEFI conversion solution in Configuration Manager 1610, https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion If you are still on 1606 or earlier you can still use this method: http://ccmexec.com/2016/07/switch-from-bios-to-uefi-seamless-using-configuration-manager-ts-in-6-simple-steps/

I have seen the below error 0×80070490 when the computer tries to restart the first time after the OEM tools are used to convert from BIOS-UEFI, it has been different reasons behind it.

Error code

Let’s start with what is new behind the scenes, the reason this wasn’t possible before is that the restart computer step checked that the partitioning matches the Booted Operating System, so if we booted in Legacy BIOS it checks that the partitions are correct otherwise it fails, this is overridden with the new variable used for the UEFI partition, “TSUEFIDrive”.

TSUEFIDRive

There are new files in the boot images that makes this possible, “BCD-EFI-64” in the x64 Boot image and “BCD-EFI-32” in the x86 boot image. This file is required and used when the computer restarts the first time from booted after conversion to UEFI is done. They are in the OSDinjection.xml file so they are added to the boot image when they are created.

OSDInjection.xml

And that is exactly what is causing the above error at least from what I have seen it could probably be more reasons for it to fail but the two reasons I have seen are the following

1. The Boot image used are not updated since the upgrade to Configuration Manager 1610. In that case the new file is not present in the boot image and the restart will fail.

Boot Image updated

Solution: Simply update the boot images on the DP, then the needed file is added to it.

2. If you have modified the OSDinjection.xml file manually after 10/26/2016 then the file is newer than the osdinjection.xml that is included with the Configuration Manager 1610 upgrade, and then the upgrade process will NOT replace the osdinjection.xml file. Also causing the same error as above.

OSDinjection_Date

Solution: This can be solved by either adding the missing lines for the new files in the osdinjection.xml file or copy it from the following path:            <ConfigurationManagerinstalldir>\EasySetupPayload\c43a89e4-b642-4fc8-abf0-255bf5d88d82\SMSSETUP\BIN\X64 if you haven’t made any modifications to it.

And then update the boot images after that.

Every time I have seen that error it has because one of the above and it has solved the issue for me every time :D

There is some post and forum posts stating that you must upgrade to ADK 1607 for it to work, that is not the case from what I have seen. It could solve the issue though as you will create new or update existing boot images and then the new files are added.

There are some issues in ADK 1607, driver installation on Windows 7 and 802.1x support for instance so some will still need to use ADK 1511 and it works just fine.

This solution has been created and tested by a colleague of mine Johan Schrewelius, he has done most of the work so I cannot give him enough credit for this. We have been using it for a while now and it works great, it is 100% unsupported ;-) as we change values on a read-only variables in the TS.

If you are using Configuration Manager 1610 or later there is now a supported built-in way to do this. https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion

1         Background

The release of Windows 10 in combination with steadily increasing security demands means an operating system upgrade, or fresh install, today also includes security measures that not long ago where sort of luxury or only experimental.

Two major such are UEFI and Secureboot; a significant challenge as not even Configuration Manager 1602 supports a seamless transformation from Legacy Bios to UEFI.

This post describes our method of achieving the desired; one (1) Task Sequence that starts in Legacy mode and results in an UEFI configured computer with Secureboot enabled. A script and files for configuring HP computers have been included as example. No PXE boot is required as we boot from the local disk when we reboot. This is a short flow of what happens:

1. Configure Bios to UEFI and Secureboot using the tool for the vendor/model

2.Then we partition the local disk to GPT and format it

3.Copy an exported Boot image from a package to the local disk

4.Change the value for a read-only variable _SMSTSServiceStart using the 1E tool

5.Restart the computer and boot to the local installed Operating System

6.Change the second read-only variable _SMSTSBootUEFI to true and then the TS and all builtin steps for formatting will see that it is a machine running UEFI.

In the Task Sequence it looks like this:

BiosUefi35

Done!

To implement our solution, you need to download Legacy2Uefi as well as TSEnv2.exe from 1E (http://info.1e.com/website-freetools-1e-tsenv2) 1E has been generous enough to share this powerful tool with us, and we cannot thank them enough.

2         Obstacles

There are two major obstacles that prevents us from achieving our goal using a standard TS.

Firstly, we will not be able to apply a boot-image nor an operating system to a GPT disk on what is detected as a MBR System.

Secondly, if we (which we nevertheless will do later) apply bootable media to disk by running a script we will not be able to restart the computer in a controlled fashion as built-in controls (smsboot.exe) will prevent this based on inconsistencies in TS configuration, i.e.  the TS-variable “_SMSTSServiceStartType” not being set to auto, which is required to allow rebooting to an installed operating system. Unfortunately, this variable is read-only and we cannot modify it using supported means. But what if we use unsupported means……

3         Read-only TS-variables < TSEnv2.exe

It is usually not recommended to use unsupported means; this however could be the time when circumstances call for it? TSEnv2.exe is able to modify read-only TS-variables and since that is what stands between us and a successful Legacy to UEFI transformation, that’s exactly what we are going to do.

TSEnv2.exe comes in both 32- and 64-bit versions, it is also depending on native Configuration Manager libraries, at least tscore.dll. This makes it reasonable to include it in our boot images using OSDInjection.

4         OSDInjection

To include TSEnv2.exe in already existing, as well as in new, boot images do the following on the primary site server or CAS that “owns” the images. And yes you can use the MDT feature as well to include the files when you create a new MDT Boot Image instead.

  1. Localize your ..\OSD\bin directory.
    BiosUefi1
  2. Copy the corresponding version of TSEnv2.exe to the x64 as well as the i386 subfolder.
    BiosUefi2
  3. Once the files have been copied we need to tell ConfigMgr to actually include them the next time an image is created or updated. This is done by editing “osdinjection.xml” which is found in ..\bin\x64:
    BiosUefi3

Remark – there’s only one osdinjection.xml, not one per architecture.


Remember to Backup osdinjection.xml before editing.

osdinjection.xml holds the “recipe” for boot images and needs to be supplemented with information about the new files.

Open osdinjection.xml in notepad or similar.

As we know there’s already a native file with similar name (tsenv.exe) we will search for that and copy the section, thus avoiding misspelling.

First hit when searching should give you this:

BiosUefi33

Copy (duplicate) the section and replace the file name:

BiosUefi34

The result should look like this:
BiosUefi4

Repeat for x64 (second hit when searching for tsenv.exe):
BiosUefi5

Save and close osdinjection.xml. Next time a boot image is updated on distribution points TSEnv2.exe will be included.


5         Bootable media Package

As stated earlier we will apply bootable media to disk by script, therefor we will need to create a package containing the necessary files. Use the same procedure as when creating bootable media for use on a USB boot stick, then mount the iso-file and copy the entire content to a new folder on your package share.

Remark – you cannot reuse an old iso; it has to be “fresh” with TSEnv2.exe included.
BiosUefi6

Make sure to also include “copy.cmd” from Legacy2Uefi.zip.

Create a package in ConfigMgr from the folder, do not create any program.


6         Task Sequence

At this point boot images should be updated and include TSEnv2.exe. We should also have a new package including the small copy.cmd command file. The rest of the work is done in the TS-editor, let’s start….

6.1       Create a new group

Create a new group, call it “Transform to UEFI”.
BiosUefi7

In our case we have a few extra conditions but as a minimum you should check that the machine isn’t already configured for UEFI (_SMSTSBootUEFI equals False).
BiosUefi8

The steps within in the group will be explained over the next couple of pages.


6.2       TS Steps

6.2.1      UEFI Config

This step will have to be adapted to local circumstances. It’s simply an example that shows how to reconfigure a HP Laptop to UEFI mode.

Legacy2Uefi.zip contains a folder with only two files:
BiosUefi9

ConfigUEFI.ps1 is designed to utilize HP’s Bios Configuration utility, which is not included. You also need to create your BIOS password file with the HP tool.

uefi.txt contains a minimum of settings to configure UEFI with SecureBoot.

To make this fully operational more files are needed, these files must be added locally. If you’re an administrator with experience in HP computer this is hopefully enough information to get it working, this is a picture of a functional set of files:

BiosUefi10

As we prefer keeping bios config files on a network share the step looks like this at most of our customers:
BiosUefi11

Command: powershell.exe -NoProfile -ExecutionPolicy ByPass -File “%BiosShare%\%Model%\BCU\ConfigUEFI.ps1″

If your running Dell, Lenovo or any other brand – modify as needed. If you don’t have Powershell included in your boot images the script is useless and has to be replaced.


6.2.2      Partition Disk 0 – UEFI Simple

Use a standard “Format and Partition Disk” step to create a GPT disk with a minimal UEFI-compatible partition. The automatically assigned drive letter will be stored in “OSDisk”.
BiosUefi12
BiosUefi13


6.2.3      Copy Boot Media to Disk

This is a straight forward “Run Command Line” step that uses the media package and “copy.cmd” to copy the media (iso) content onto the new partition.
BiosUefi14

”OSDisk” contains the drive letter and tells copy.cmd where to put the content.

Command: copy.cmd %OSDisk%


6.2.4      SET _SMSTSServiceStartType=auto

Another “Run Command Line” step; that invokes TSEnv2.exe and sets ”_SMSTSServiceStartType” to ”auto”.
BiosUefi15

Command: TSEnv2.exe set _SMSTSServiceStartType=auto

6.2.5      Restart Computer

Next we restart the computer using a standard “Restart Computer” step. Because of the previous modification of the read-only TS-variable we will now be allowed to reboot to the currently installed default operating system, e.g. our media (iso).

BiosUefi16

6.2.6      SET _SMSTSBootUEFI=true

Finally, we need to modify a second read-only TS-variable. When the TS started the computer was running “Legacy BIOS” and “_SMSTSBootUEFI” was set to “false”.

We need to correct that, as we are now running in UEFI mode.
BiosUefi17

Command: TSEnv2.exe set _SMSTSBootUEFI=true

7         Done

The rest of the Task Sequence will after the reboot execute as UEFI, no PXE boot needed totally unattended, except for Lenovo Thinkcentre machines but that is a different topic.