Contact Us Get Free Products
Search icon Contact Us Get Free Products
SCCM/MECM

BIOS UEFI Conversion using SCCM Task Sequence

Jonathan LefebvreFebruary 02 20174 Min Read

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

Jonathan Lefebvre

Table of Content
SCD Collaborators

With the release of SCCM Current branch 1610, one of the interesting new feature is the ability to do a BIOS to UEFI conversion in a task sequence. This would also allow to use Secure Boot with Windows 10 for strengthen security.

In this blog, we’ll explain how to convert BIOS to UEFI with a task sequence on HP computers. This solution can also be applied for Dell and Lenovo computers.

SCCM BIOS UEFI Conversion Prerequisites

Before starting, you need 3 things :

[su_box title=”Note” style=”glass” title_color=”#F0F0F0″]If you are not yet on 1610, you can achieve BIOS to UEFI following this procedure from Johan Schrewelius and Jörgen Nilsson.[/su_box]

  • The computer manufacturer must provide a tool for BIOS configuration
  • Package for Bios Configuration Utility and configuration file must be created (procedure included in this post)

Create BIOS and UEFI Configuration File

First, we need to create a configuration file that will be used in our task sequence. A configuration file, is basically a text file that will be used to change an option in the BIOS of the targeted computer. We’ll use an HP computer for our example.

You don’t have to create multiple files for each models, the same BIOS configuration file should apply to all HP models. The only settings included in the BIOS configuration file will be those required to change to UEFI. If needed, additional or model specific BIOS configuration could be apply at a later time in the task sequence.

Here’s an example of a configuration file that will :

  • Disable legacy boot option (BIOS)
  • Enable UEFI boot options
  • Enable Secure Boot

[su_box title=”UEFI.txt” style=”glass” title_color=”#F0F0F0″]BIOSConfig 1.0
Fast Boot
Disable
*Enable
Legacy Boot Options
 *Disable
 Enable
Legacy Boot Order
<no legacy boot options available>
UEFI Boot Options
 Disable
 *Enable
UEFI Boot Order
HDD:SATA:1
HDD:USB:1
NETWORK IPV6:EMBEDDED:1
NETWORK IPV4:EMBEDDED:1
Configure Legacy Support and Secure Boot
 Legacy Support Enable and Secure Boot Disable
 *Legacy Support Disable and Secure Boot Enable
 Legacy Support Disable and Secure Boot Disable
Clear Secure Boot keys
*Disable
Enable
Reset Secure Boot keys to factory defaults
*Disable
Enable
Enable MS UEFI CA key
No
*Yes[/su_box]

Package Creation of BIOS Configuration Utility and Configuration

We will now create a standard program that contain all the source file. The content directory must contain the BIOS configuration utility, the configuration file and the password file.

SCCM BIOS UEFI conversion

  • No program is needed, as we will use Run Command Line in the task sequence

SCCM BIOS UEFI conversion

SCCM BIOS to UEFI Conversion in Task Sequence

We will now create or edit an exiting task sequence to include the step to convert the BIOS to UEFI.

  • Add a new group before the Install Operating System section

SCCM BIOS UEFI conversion

  • In the Option tab, set the condition for task sequence variable  _SMSTSBootUEFI not equals true. This variable is needed to check if UEFI is already enabled on the group

SCCM BIOS UEFI conversion

  • You could also add another condition for computer manufacturer or model if you have older PC that don’t support UEFI

SCCM BIOS UEFI conversion

  • Add a Restart Computer task, in the Option tab, set the validation for task sequence variable  _SMSTSInWinPE  equals False

SCCM BIOS UEFI conversion

[su_box title=”Bitlocker consideration” style=”glass” box_color=”#000000″ title_color=”#F0F0F0″]

If the drive, before starting the task sequence, as BitLocker enabled, adding a standard Partition Disk for BIOS is required.

The Partition Disk 0 – BIOS can be copied before the Convert BIOS to UEFI.

This is needed because when BitLocker is enabled, the disk cannot be accessed in WinPE. Therefore the Convert BIOS to UEFI task will fail execute the script from _SMSTaskSequence local path.

[/su_box]

  • Add a Run Command Line to run the HP BIOS config Utility
  • Command Line : BiosConfigUtility64.exe /setconfig:UEFI.txt /cspwdfile:current.bin
  • Package : Bios configuration utility with configuration files (Created in previous step)
  • This must be a Run Command Line and not a program. Program are not allowed to run under WinPE

SCCM BIOS UEFI conversion

  • Add a Format and Partition Disk task and configure as following :
  • Disk type : GPT

SCCM BIOS UEFI conversion

    • First partition :
      • 500MB
      • Fat32 and Quick format
      • Variable : TSUEFIDrive

SCCM BIOS UEFI conversion

    • Second Partition default 100% of remaining space

SCCM BIOS UEFI conversion

  • Add a Restart computer task. Make sure to select The boot image assigned to this task sequence

SCCM BIOS UEFI conversion

  • After the restart, the BIOS will be configured with UEFI and Secure boot Only. It will partition and format the disk.

SCCM BIOS UEFI conversion

That’s it, you can now do the same tasks for your other manufacturer. Leave your comments and experience in the comment section bellow.

BIOS BIOS to UEFI HP BIOS config utility OS deployment SCCM 1610 SCCM CB Task Sequence UEFI
SCD Collaborators
Comments (48)

David

02.07.2017 AT 01:30 AM
We have a similar but related problem with supporting both new hardware and legacy hardware. We constantly have to swap between x86 and x64 PXE boot image to get the differing hardware to build from the task sequences. We publish our task sequences to the "unknown computers" collection to avoid building the same hardware several times and to keep AD clean. Could we use your method above to determine the BIOS version and then pick the correct boot image without having to constantly swap the boot images on our task sequences around (more annoyingly PXE uses the last advertised tasks sequence boot image when booting into PXE) thanks, David
Hide replies 0

Taylor Harris

02.06.2017 AT 10:54 AM
This is a good write-up - I essentially did all of this on my own when wanting to automate BIOS configuration settings in our imaging process for my colleagues but I've only recently run into the UEFI/Secure Boot battle. PC's are coming out of the box with UEFI enabled now so it's a pain to have to change it before you can network boot and and image the PC so I've configured DHCP and WDS to only use the UEFI PXE image now which solves that. The issue is, we're still using Windows 7 which does NOT support secure boot. HP will give you a nice message that your OS is not authorized if you try booting Windows 7 with secure boot on so I have to disable it now in the BIOS configuration settings that are already getting applied. Everything is great up until this point, where when setting the secure boot changes with the BIOS utility, the next reboot prompts you for a 4-digit code before proceeding, as it does when you change these settings manually. Is there no way to bypass this?? This breaks the automation I'm trying to achieve by requiring the attending technician to go BACK to the computer they just kicked a deployment off on to be available to stand by and enter a code before the rest of the process can continue.
Hide replies 1

Jonathan Lefebvre

02.06.2017 AT 11:37 AM
Thanks Taylor! I've faced the Windows 7 and UEFI issue on Dell computers. Client had no time to allow me to automate this, so the solution was to switch to BIOS prior OSD. 🙁 I'll keep this in mind if I face this with newer HP computer. Jonathan
Hide replies 0

Kevin

02.02.2017 AT 03:35 PM
I am following your TS, which is pretty much like Nickolaj so i thought maybe i was doing something wrong... I am using a Dell system, so i get that it will react differently during the OEM conversion part, but the system should reboot regardless. The challenge seems to be that the laptop never restarts. Right after the disk partition step it always fails. Do you find that the above creates a C: on Fat32 and D: on NTFS? It is possible that it is my OEM Conversion tasks, but they seem to work (enabling HAPI, UEFI, Secure boot, etc..) I just cannot seem to figure out why it refuses to reboot the system... even the first Restart does not do anything (although i am already PXE using WinPE)
Hide replies 2

Taylor Harris

02.06.2017 AT 12:38 PM
Another thing to keep in mind, the "Restart Computer" step, which is set to reboot back into the currently assigned boot image, will "stage" the boot image first by expanding the boot.wim file to a temporary location on your hard disk that SCCM OSD has chosen to use as the location to store temporary cache files from your packages (and boot images). This location should be defined in the _SMSTSDataPath task sequence variable. My guess is that your drive letter is changing after you format the disk to a letter different than is initially defined in _SMSTSDataPath so the task sequence step fails when copying the boot iamge to your local drive since that location is no logner vaild. To verify this (if you have F8 command window support and PowerShell enabled in your WinPE image), you can press F8 for a command window, drop to PowerShell, and use the Microsoft.SMS.TSEnvironment COM object to query the variable value and see where its location is pointing to. From PowerShell (in the boot image when you encounter the error), do the following (one line at a time): $TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment $TSEnv.Value("_SMSTSDataPath") This will tell you the path that SCCM initially defined as the location it stores its temp data on. If the drive letter in that variable is not the drive letter your partitioned drive has, then there's your issue. If not, use notepad to open X:\Windows\Temp\SMSTSLog\smsts.log and look toward the end of the file for more info and details on the error you encounter when trying to stage the boot image and "Restart Computer" Let us know what you find!
Hide replies 1

Kevin

02.07.2017 AT 10:05 AM
Hi Taylor/Jonathan I do have Powershell in WinPE. When i ran the commands you suggested it did not present me with anything, it just wanted me to enter more information (did a line return) In the logs it appears that errors show up during the entire TS. Failed to save environment to (80070057) Failed to save execution state and environment to local disk. All of my BIOS/UEFI settings worked and the format partition is fine. I have no conditions on the last restart TS. So i don't think the error is specifically related to the reboot. My disk is wiped using diskpart (so there are no previous partitions or OS) My CCTK stuff are coming from the WinPE disk (x🙂 (not a program) The pop up message i get on the screen is 0x80070490 I even tried putting the format and partition task at the beginning so that it creates a proper partition. Because it does do everything, if i force restart the machine and it boots back up, it finishes off the task sequence..
Hide replies 2

Stefan Farnik

02.09.2017 AT 07:38 AM
Hello Kevin, i had the same here, am I right that your second stripped down TS is using another WinPE image ? That you haven't redistributed / updated the first one ? As said, I had the same issue, when i thought that after upgrading to 1610 I didn't update the boot image. When I did, it worked - so there are some additional / changes SCCM binaries which are needed in boot image.
Hide replies 1

seb

02.09.2017 AT 03:50 PM
Kevin: for MDT TS (and from WinPE) try to add bios config after the "partition if necessary" step at the beginning of the TS. the "Failed to save environment to (80070057)" is definitively something about the mdt scripts not being able to be copied on the drive (and check that your drive is correctly converted back to MBR and not GPT) If you want to put the bios to uefi configs after the "new Computer only" step I think you'll have to repeat the whole "partition if necessary" group, followed by a "use toolkit package" and "gather" (and UDI wizard after that if you're using it (I do) for your last remark how do you reimage the machine? from windows (software centre?) if so you'll probably need to do the same under the refresh only step (I didn't try that yet). But at this point uefi should already be enabled and therefore skipped right (so that's maybe a completely different problem) I also found (on Dell system, didn't try on HP) that I needed 2 steps, separated by a reboot, to apply the uefi config because when you switch to uefi some settings are not instantly available, and I don't want it to boot on the uefi network stack as it does by default when windows is not yet installed. hope that helps, good luck !🙂
Hide replies 0

seb

02.07.2017 AT 11:05 AM
Kevin, if you're testing on the same system you may want to reset the bios setup (manually choosing legacy or to the defaults depending) and then convert your disk to mbr before re trying the task sequence and bios to uefi conversion. Do you use MDT in your TS?
Hide replies 1

Kevin

02.07.2017 AT 01:52 PM
Hi Seb, After it fails, i revert the BIOS to legacy, put all my settings back to normal and start again. My TS does have MDT integrated, but i am even testing this on a plain SCCM TS without MDT and it still fails at the same part. I only wipe the drive using diskpart... if i add a format for mbr then do all of my Dell tasks, and convert it still fails. I do also have a TS that is just a BIOS to UEFI from Mike Terrill that works, but only works on it's own. I am trying to combine things, and now that i moved to 1610 to leverage that, it does not work as intended. I also tried different models, but it seems even if i finally get Windows 10 installed, if i need to reimage the machine, i run into all kinds of errors as well.
Hide replies 0

Jonathan Lefebvre

02.06.2017 AT 12:06 PM
Hi Kevin, Yes it does create a C: with Fat32 and another partition with NTFS. those are temporary. As for the reboot not rebooting, the 1st reboot is set to NOT reboot if already in WinPE. Take a look at the 2nd reboot(after the Disk partition) if you have any condition on it. It should not have any. Jonathan
Hide replies 0
Related posts
Benoit LecoursMay 24 20242 Min Read
Renew Intune Apple MDM Push Certificate

To enroll and manage iOS/MAC devices in Intune, you must create an Intune Apple Certificate. These...

SCCM/MECM
Benoit LecoursMay 08 20243 Min Read
Deploy Microsoft Authenticator app using Microsoft Intune

With the increasing number of mobile users requesting access to external resources many...

SCCM/MECM
Benoit LecoursApril 30 20242 Min Read
Understanding Intune Autopilot Error 0x8007052e

Two days ago, Microsoft had an outage affecting Intune AutoPilot Pre-Provisionning. Users...

SCCM/MECM
Request a Quote

Please fill out the form, and one of our representatives will contact you in Less Than 24 Hours. We are open from Monday to Friday.

Consulting Services

Subscription

PatchMyPC

Reports and Guides

I'm interested in working with you

Consulting services and time banks are used for generic requests. All others are fixed-price plans.

Never share sensitive information (credit card numbers, social security numbers, passwords) through this form.
Request Sent

Thank you for your request. You will receive an email with more details. Take note that we normally work from Monday to Friday. We will get in touch with you as soon as possible.

Comment Sent

Thank for your reply!

Error

Something went wrong!