This solution has been created and tested by a colleague of mine Johan Schrewelius, he has done most of the work so I cannot give him enough credit for this. We have been using it for a while now and it works great, it is 100% unsupported 😉 as we change values on a read-only variables in the TS.
If you are using Configuration Manager 1610 or later there is now a supported built-in way to do this. https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion
1 Background
The release of Windows 10 in combination with steadily increasing security demands means an operating system upgrade, or fresh install, today also includes security measures that not long ago where sort of luxury or only experimental.
Two major such are UEFI and Secureboot; a significant challenge as not even Configuration Manager 1602 supports a seamless transformation from Legacy Bios to UEFI.
This post describes our method of achieving the desired; one (1) Task Sequence that starts in Legacy mode and results in an UEFI configured computer with Secureboot enabled. A script and files for configuring HP computers have been included as example. No PXE boot is required as we boot from the local disk when we reboot. This is a short flow of what happens:
1. Configure Bios to UEFI and Secureboot using the tool for the vendor/model
2.Then we partition the local disk to GPT and format it
3.Copy an exported Boot image from a package to the local disk
4.Change the value for a read-only variable _SMSTSServiceStart using the 1E tool
5.Restart the computer and boot to the local installed Operating System
6.Change the second read-only variable _SMSTSBootUEFI to true and then the TS and all builtin steps for formatting will see that it is a machine running UEFI.
In the Task Sequence it looks like this:
Done!
To implement our solution, you need to download Legacy2Uefi as well as TSEnv2.exe from 1E (http://info.1e.com/website-freetools-1e-tsenv2) 1E has been generous enough to share this powerful tool with us, and we cannot thank them enough.
2 Obstacles
There are two major obstacles that prevents us from achieving our goal using a standard TS.
Firstly, we will not be able to apply a boot-image nor an operating system to a GPT disk on what is detected as a MBR System.
Secondly, if we (which we nevertheless will do later) apply bootable media to disk by running a script we will not be able to restart the computer in a controlled fashion as built-in controls (smsboot.exe) will prevent this based on inconsistencies in TS configuration, i.e. the TS-variable “_SMSTSServiceStartType” not being set to auto, which is required to allow rebooting to an installed operating system. Unfortunately, this variable is read-only and we cannot modify it using supported means. But what if we use unsupported means……
3 Read-only TS-variables < TSEnv2.exe
It is usually not recommended to use unsupported means; this however could be the time when circumstances call for it? TSEnv2.exe is able to modify read-only TS-variables and since that is what stands between us and a successful Legacy to UEFI transformation, that’s exactly what we are going to do.
TSEnv2.exe comes in both 32- and 64-bit versions, it is also depending on native Configuration Manager libraries, at least tscore.dll. This makes it reasonable to include it in our boot images using OSDInjection.
4 OSDInjection
To include TSEnv2.exe in already existing, as well as in new, boot images do the following on the primary site server or CAS that “owns” the images. And yes you can use the MDT feature as well to include the files when you create a new MDT Boot Image instead.
- Localize your ..\OSD\bin directory.
- Copy the corresponding version of TSEnv2.exe to the x64 as well as the i386 subfolder.
- Once the files have been copied we need to tell ConfigMgr to actually include them the next time an image is created or updated. This is done by editing “osdinjection.xml” which is found in ..\bin\x64:
Remark – there’s only one osdinjection.xml, not one per architecture.
Remember to Backup osdinjection.xml before editing.
osdinjection.xml holds the “recipe” for boot images and needs to be supplemented with information about the new files.
Open osdinjection.xml in notepad or similar.
As we know there’s already a native file with similar name (tsenv.exe) we will search for that and copy the section, thus avoiding misspelling.
First hit when searching should give you this:
Copy (duplicate) the section and replace the file name:
The result should look like this:
Repeat for x64 (second hit when searching for tsenv.exe):
Save and close osdinjection.xml. Next time a boot image is updated on distribution points TSEnv2.exe will be included.
5 Bootable media Package
As stated earlier we will apply bootable media to disk by script, therefor we will need to create a package containing the necessary files. Use the same procedure as when creating bootable media for use on a USB boot stick, then mount the iso-file and copy the entire content to a new folder on your package share.
Remark – you cannot reuse an old iso; it has to be “fresh” with TSEnv2.exe included.
Make sure to also include “copy.cmd” from Legacy2Uefi.zip.
Create a package in ConfigMgr from the folder, do not create any program.
6 Task Sequence
At this point boot images should be updated and include TSEnv2.exe. We should also have a new package including the small copy.cmd command file. The rest of the work is done in the TS-editor, let’s start….
6.1 Create a new group
Create a new group, call it “Transform to UEFI”.
In our case we have a few extra conditions but as a minimum you should check that the machine isn’t already configured for UEFI (_SMSTSBootUEFI equals False).
The steps within in the group will be explained over the next couple of pages.
6.2 TS Steps
6.2.1 UEFI Config
This step will have to be adapted to local circumstances. It’s simply an example that shows how to reconfigure a HP Laptop to UEFI mode.
Legacy2Uefi.zip contains a folder with only two files:
ConfigUEFI.ps1 is designed to utilize HP’s Bios Configuration utility, which is not included. You also need to create your BIOS password file with the HP tool.
uefi.txt contains a minimum of settings to configure UEFI with SecureBoot.
To make this fully operational more files are needed, these files must be added locally. If you’re an administrator with experience in HP computer this is hopefully enough information to get it working, this is a picture of a functional set of files:
As we prefer keeping bios config files on a network share the step looks like this at most of our customers:
Command: powershell.exe -NoProfile -ExecutionPolicy ByPass -File “%BiosShare%\%Model%\BCU\ConfigUEFI.ps1”
If your running Dell, Lenovo or any other brand – modify as needed. If you don’t have Powershell included in your boot images the script is useless and has to be replaced.
6.2.2 Partition Disk 0 – UEFI Simple
Use a standard “Format and Partition Disk” step to create a GPT disk with a minimal UEFI-compatible partition. The automatically assigned drive letter will be stored in “OSDisk”.
6.2.3 Copy Boot Media to Disk
This is a straight forward “Run Command Line” step that uses the media package and “copy.cmd” to copy the media (iso) content onto the new partition.
”OSDisk” contains the drive letter and tells copy.cmd where to put the content.
Command: copy.cmd %OSDisk%
6.2.4 SET _SMSTSServiceStartType=auto
Another “Run Command Line” step; that invokes TSEnv2.exe and sets ”_SMSTSServiceStartType” to ”auto”.
Command: TSEnv2.exe set _SMSTSServiceStartType=auto
6.2.5 Restart Computer
Next we restart the computer using a standard “Restart Computer” step. Because of the previous modification of the read-only TS-variable we will now be allowed to reboot to the currently installed default operating system, e.g. our media (iso).
6.2.6 SET _SMSTSBootUEFI=true
Finally, we need to modify a second read-only TS-variable. When the TS started the computer was running “Legacy BIOS” and “_SMSTSBootUEFI” was set to “false”.
We need to correct that, as we are now running in UEFI mode.
Command: TSEnv2.exe set _SMSTSBootUEFI=true
7 Done
The rest of the Task Sequence will after the reboot execute as UEFI, no PXE boot needed totally unattended, except for Lenovo Thinkcentre machines but that is a different topic.
You say:
“In the Task Sequence it looks like this:”
Can you please show what it is in the TS, not just a picture?
Hej,
Ska TSEnv2.exe ligga under SMS\bin\x64 i iso-filen? Den kommer inte med trots att vi uppdaterat boot imagen och skapat en ny iso.
Mvh
BK
Hej,
sorry för sent svar, nej den syns inte utan ligger i Boot.wim filen.
Mvh Jörgen
Can you please show the whole TS or share the XML?
Please share the complete task sequence. Is this valid for fresh install as well?
This is gold! I’ve tested this out on Dell machines (Win7 legacy bios -> Win10 UEFI) and it works flawlessly.
Great effort.
I have Lenovo Thinkcentre M91, after TSEnv2.exe set _SMSTSServiceStartType=auto & Restart, my computer go blank with flashing dash, nothing showing afterward. Did I do something wrong here? please help
Hi,
If nothing happended since last I tried there it now way to use Lenovos tools to enable UEFI on a thinkcentre machine without user interaction… 🙁
/Jörgen
When the system restarts back into WinPE, the task sequence does not continue. It comes back to the UI wizard to select a task sequence.
Never mind that last comment I made. When it boots back into WinPE, it fails immediately. What WinPE files exactly should I be using to use to boot back into WinPE for the TS to start again?
On our Dell Optiplex 790’s, I am unable to add the UEFI boot option. I even messed around with LTIApply.wsf, BCDEDIT, and BCDBoot, and it seems like you cannot add a UEFI boot option while booted legacy. We have lots of older Dell systems, so that is a problem for me. If I go into the BIOS and add the boot option manually, it does reboot and continue the task sequence… so close, yet so far.
If anyone knows how to get this to work, I would be very grateful!
Tack för svaret, det fungerar perfekt!
Mvh BK
Where is SMSTSServiceStartType in SCCM 2012 R2? my SMS log said “can’t find variable”
Hi Kai
I had the same issue but found that having the TSENV2 statement further down my task sequence seemed to work i.e. after setting your normal TS settings.
Hi Jörgen
I also created a solution for this task. With another approach. I have an “Apply Operating System Image” step in my task sequence that is only executed if “_SMSTSBootUEFI is true”. But if “_SMSTSBootUEFI is false” then I simply execute a script that takes all the information from the _SMSTaskSequence variable. From there I get the ConfigFileName, ConfigFilePackage, DestinationVariable, ImageIndex and ImagePackageID. Having this information I can download the sources by executing smsswd.exe and then I apply the image using DISM.exe. This all works without reboot. This switch in BIOS has to be done with the corresponding vendor tools. If you’re interested in more details just leave a comment. We plan to use my solution for over 60’000 systems.
Kind regards
Matias
This worked like a magic! Great thanks to you! It actually saved our environment.
We are not able to boot with UEFI because PXE boot doesn’t work in it properly. But wee need GPT to utilize TPM 2.0 (which can be used only with UEFI). Now we boot in legacy mode and then switch to UEFI following your advise.
I had to modify TS slightly to locate ConfigUEFI.ps1, uefi.txt and BiosConfigUtility64.exe for HP on a network share instead of you %BiosShare%.
I also edited uefi.txt to the following content (for modern HP models like HP Folio G1):
English
Configure Legacy Support and Secure Boot
Legacy Support Enable and Secure Boot Disable
*Legacy Support Disable and Secure Boot Enable
Legacy Support Disable and Secure Boot Disable
Configure Option ROM Launch Policy
All Legacy
*All UEFI
All UEFI Except Video
BTW, what %BiosShare% corresponds to? I don’t see such variable in the list of standard variables.
Hi Jörgen
I’m just working now on similliar solution for my MDT and I have probably stupid question :).
I was able to change my BIOS setting with vendor’s script, I have changed IsUEFI TS variable.
I have run first tests without any reboot during Windows PE phase – I mean, I haven’t rebooted to UEFI Windows PE. It have partitione in GPT and applied Windows. Task sequence just goes smoothly to the end and in msinfo32 there is information, that it is BIOS set to UEFI and SecureBoot state set to On. For what reason the reboot to PE is required? Am I missing something?
Trying this on Dell’s. The change to UEFI works using CCTK, but I don’t seem to be able to alter the UEFI boot order before the reboot. If a USB stick is left in the system during the reboot then it wants to boot to that device rather than to the temporary partition where the boot image was stored.
On Reboot to the media Partition I got a “invalid Partition table. Any advice?
Matias what’s your solution look like?
I have Lenovo M91, using script in TS to configure BIOS to UEFI boot, after “Restart Computer”. Boot into no operating system found. Is there any special step that I need to put into my TS.. Thanks
Hi
I hit a probleem when my HP desktops refused to boot from flat FAT32 partitions. I modified some steps to make WinPE boot more UEFI compliant (mainly creating separate EFI boot partition).
https://blog.zoomik.pri.ee/posts/standards-compliant-uefi-boot-is-required-for-bios-to-uefi-conversion-in-configuration-manager-task-sequence/
Kai, make sure that “Make this the Boot Disk” to the 4gb media partition task. I went as far as adding a uefi partition task right before it and right after the SET _SMSTSBootUEFI=true task. Make sure for the restart task that it is the currently installed os.
Question:
If I need to make additional restart(s), would I need to run the same three steps again?
Currently rebooting (using these steps) after switching dell bios to uefi and enabling tpm but I then need to activate TPM after rebooting into the media partition and reboot one more time.
Has anyone gotten this to work with an MDT integrated SCCM task sequence? We have SCCM (current branch) 1606 with MDT 2013 u2 integrated. Everything works as expected until the apply OS task sequence step. It gives a 0x00000001 error at that point. I’m guessing I’d have no problems if I was just using a standard SCCM task sequence.
Thanks,
Andre
Hi everybody,
does anybody have an idea how can I set the UEFI config in the WinPE?
My problem is that I can’t use a network share, because it’s not possible to run a command line in the WinPE with a different User.
Also it’s not possible to download a package, because there is no partition at this step.
My last idea is to copy the files in the Boot Image, but this would be my last way to solve this issue.
Thanks for any help!
Dario
Hi,
You can use the “Map Network drive step” in WinPE and there you can specify credentials to map the network drive, works just fine.
Regards,
Jörgen
I am using MDT, and have the same issue as Brad Williams. When it reboots it starts the Deployment Task Sequence again.
Hi Mr. Nilsson,
thanks for your fast help. This worked very well for me!
Best Regards
Dario
This should now be much easier after ConfigMgr version 1610 was released: https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion
Agreed!!! 😀
I use the new method included in ConfigMgr 1610, but I get an error during the reboot after creating the FAT partition and do the Dell UEFI enabling.
What goes wrong ?
I noticed that Microsoft explains the configuration and that the GPT disk is not configured to be active….could that be the issue ?
I have this setup in ConfigMgr 1606 + MDT 2013 8443.
I have it executing just after the “Preinstall” step (within WinPE), screenshot in this link.
https://1drv.ms/i/s!AuDsWGX4hC4Pi-x1ARHllm8X8QEQUQ
It works fine up to the point where it restarts. It restarts into WinPE, and then it fails while it is initializing and cannot find the TS.
The SMSTS.log file shows this error, and retries 20+ times.
ConvertBootToLogicalPath failed to convert ‘MULTI(0)DISK(0)FDISK(0)\SOURCES\BOOT.WIM’ (0x80070003). Retrying
and then it gives these two errors after it gives up.
Failed to find the current TS configuration path
ConfigPath::FindConfigPath(sConfigPath), HRESULT=80070003
Do I need to place this in a different part of the TS? from the screenshots provided in this post I noticed it was placed after the second “Status 1” step and just before normal formatting prior to laying down the OS.
Should I not be trying this with an MDT integrated TS? I know 1610 was just released and it provides this function, however I noticed there are some bugs people are finding when upgrading from 1606. That, and it hasn’t been made available to my environment yet.
fixed link to screenshot.
https://1drv.ms/i/s!AuDsWGX4hC4Pi-x3LSmzEkOPftgwzg
Doe anyone know the equivalent variables in MDT for _SMSTSServiceStartType and _SMSTSBootUEFI? Those are SCCM varaibles so changing them in MDT won’t have an effect.
https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion
We are using this method in our task sequence and really like it. I had a question though. What happens when you add a new driver to Winpe? Doesn’t that driver need to be present in the expanded boot media also? Do you just create a new ISO from the updated boot image, expand it, and then update your package?
I am seeing this issue on a new Dell Optiplex 7050, where it will perform all the steps up until the reboot into the boot media, then network fails.
Thank you.