Lenovo – BIOS to UEFI Secure Boot

I spent a lot of time this week working on coming up with a way to convert Lenovo devices from BIOS to UEFI with Secure Boot while also stupid proofing the process so that the Helpdesk wouldn’t screw it up. It took me a while before I finally came across a great blog post by Gary Blok, which you can find here –> https://garytown.com/enforce-uefi-during-osd-or-nicely-fail-with-remediation

This was a great starting point to go off of, but there was no information for Lenovo PCs. So I used a lot of his information and combined it with scripts/documentation provided by Lenovo earlier this year. –> https://support.lenovo.com/us/en/documents/ht100612

So let's get into it.

First I had to decide what I wanted to accomplish in the Lenovo BIOS. I wanted to accomplish the following.

  • Security
    • Security Chip
      • Security Chip Selection – Intel PTT
      • Security Chip – Enabled
    • Virtualization
      • Intel Virtualization Technology – Enabled
      • Intel VT-d Feature – Enabled
    • Secure Boot
      • Secure Boot – Enabled
    • Password
      • Supervisor Password – Enabled
  • Startup
    • UEFI/LegacyBoot – UEFI Only
    • CSM Support – No
    • Boot Order Locked – Enabled

Based off this information, I had to find the best way to accomplish each task through automation. However, Lenovo has quite the restriction on what can and cannot be set with automation. Two of the things I wanted to accomplish could not be set through automated processes, as Lenovo has deemed automation insecure and requires user interaction.

The two settings are:

  1. Setting and Enabling the Supervisor password for the first time (although if the Supervisor password is set, you can automate the updating/changing of it)
  2. Changing the Security Chip Selection from Discrete TPM (Using 1.2 mode) to Intel PTT (using 2.0 mode)

Task Sequence Configuration


Step 1: Under initialization you will want to configure a folder called UEFI – Secure Boot Status and configure it with the following queries to test the UEFI status.


Taking some information from Gary’s blog, you can set up the Notify UEFI Status step.

Remember, this is just a fail-safe that automates one part of the process.

Add a MessageBox folder to whatever Scripts location you have set up in your environment.


  1. MessageBox Script: get it HERE (Deployment Guys Technet Blog)
    You’ll need to modify the MDTMessageBox.wsf script so it will automatically close the TS Progress bar. Info found HERE (Niehaus’s blog)
    You’ll need to add this snippet into the script near the top:
    ' Close the task sequence progress dialog so the message box is visible
    Set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
    oTSProgressUI.CloseProgressDialog
    Set oTSProgressUI = Nothing

  2. ZTIUtility.vbs (From MDT scripts folder) – Just copy this file from your MDT Script Deployment Share, and paste it into your package content.
  3. Shutdown.exe, copied from c:\Windows\system32


You can edit the text any way you like as part of this command line step.

Step 2: Lenovo BIOS – Secure Boot – UEFI

This step will convert the machine to a Secure Boot state as required above. This is the most important portion of what I was trying to achieve, because otherwise I would have to reimage the PC to switch on Secure Boot.



Since Lenovo allows WMI calls into the BIOS for certain attributes, I used a script provided by them in their example scripts here, and created a package for just the Lenovo scripts.


Step 3: Shut Down the Machine


After the machine enables Secure Boot and UEFI, it will shut down. The Helpdesk will then have to relaunch the task sequence to continue with the Windows 10 image. Hopefully before they do this, they double check to make sure my other requested settings that cannot be automated are enabled.
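That double check can also be scripted. The following is an added example, not part of the original post or of Lenovo's sample scripts: it compares the values Lenovo exposes through the Lenovo_BiosSetting WMI class (namespace root\wmi) against the settings list from the top of this post. The setting names and values in $Baseline are assumptions that vary by model, the function names are hypothetical, and the sample input is constructed.

```powershell
# Added example, not from the original post. Setting names and values below are
# assumptions; list the real ones on a target model with:
#   Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting
$Baseline = [ordered]@{
    'SecurityChip'             = 'Enable'
    'VirtualizationTechnology' = 'Enable'
    'VTdFeature'               = 'Enable'
    'SecureBoot'               = 'Enable'
    'BootOrderLock'            = 'Enable'
}

function ConvertFrom-LenovoSetting {
    # Lenovo_BiosSetting.CurrentSetting is "Name,Value"; some models append
    # ";[Optional:...]", which is dropped here. Empty entries are skipped.
    param([string[]]$CurrentSetting)
    $table = @{}
    foreach ($line in $CurrentSetting) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $name, $value = ($line -split ';', 2)[0] -split ',', 2
        $table[$name.Trim()] = "$value".Trim()
    }
    $table
}

function Test-LenovoBaseline {
    # Emits one row per baseline setting; a setting the firmware does not
    # expose is reported as a failure rather than silently skipped.
    param([hashtable]$Actual, [System.Collections.IDictionary]$Expected)
    foreach ($name in $Expected.Keys) {
        $found = if ($Actual.ContainsKey($name)) { $Actual[$name] } else { '<not present>' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $found
            Ok       = ($found -eq $Expected[$name])
        }
    }
}

# Constructed sample input so the example runs on any machine.
$sample = 'SecureBoot,Disable', 'SecurityChip,Enable;[Optional:Disable,Enable]',
          'VirtualizationTechnology,Enable', 'VTdFeature,Enable', ''
# On a Lenovo device, replace $sample with live data:
#   $sample = (Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting).CurrentSetting
$report = Test-LenovoBaseline -Actual (ConvertFrom-LenovoSetting $sample) -Expected $Baseline
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) { Write-Warning 'BIOS settings drift from baseline' }
```

With the constructed sample, SecureBoot is reported as a mismatch and BootOrderLock as not present, so the warning fires.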

Hopefully this helps many of you as I took a full day trying to piece this together. I will be following up this post with a post on automating the other Lenovo BIOS settings that I needed enabled post OS install.

Happy Holidays!

 

 

 
