Configure Workstation BIOS with SCCM to Take Advantage of Windows 10 Security Features – Part 2

In my last blog, I provided the recommended configurations that should be in place in order to support advanced Windows security features.  This blog provides the task sequence details on how to convert machines from BIOS to UEFI mode.

Configuring the BIOS on HP workstations with SCCM

  • Download the BIOS Configuration Utility (v4.0.25.1 is the current version at the time of this writing) from the HP Client Management Solutions page and install it on the HP workstation system.
  • Create an HP BIOS Configuration Utility Package in SCCM:
    • Make a folder for the HP_Bios_Config package in your package source share (for example: \\SCCM\Package_Source\HP\BIOS Configuration Utility\4.0.25.1).
    • Install the HP BIOS Configuration Utility on a HP system.
    • Find the install folder on the PC and copy the contents of the installation directory to the Package share. On an x86 systems, the default install location is C:\Program Files\Hewlett-Packard\BIOS Configuration Utility.
    • Create a file in the root of the Package directory called BCU.cmd containing the following text:

@ECHO OFFset cmdline=%*
ECHO == BIOS Settings ==
REM Determine Architecture
IF “%PROCESSOR_ARCHITECTURE%” == “AMD64” GOTO :X64
GOTO X86

:X64
SET BCU=”BiosConfigUtility64.exe”
GOTO RunBCU

:X86
SET BCU=”BiosConfigUtility.exe”
GOTO RunBCU

:RunBCU
ECHO –Running command %BCU% %CMDLINE%
%BCU% %CMDLINE%

EXIT /B %errorlevel%

In SCCM create a traditional package containing source files without a program.

  • Configure the BIOS on an HP workstation with the recommended settings from our blog – part 1.
          Note: You may have to reinstall Windows after changing the BIOS from legacy to UEFI
  • Export the Bios settings to a file using BiosConfigurationUtility64.exe, for example:
    • If a BIOS/UEFI password is set, you first need to use the HPQPswd GUI utility to create a .bin file such as HP_BIOS_PWD.bin with the encrypted password
    • Export the Bios config to a file using the command: BiosConfigUtility64.exe /GetConfig:HP9480.txt /cspwdfile:HP_BIOS_PWD.bin
    • You will want to export a config for each model you want to convert.
  • Copy the HP9840.txt config file to the HP_Bios_Config package source folder and update the distribution points.
  • Modify a task sequence to configure the HP BIOS.
  • Add a new group named Change HP BIOS to UEFI:
    • Add conditions to the new group
    • Set the condition for task sequence variable _SMSTSBootUEFI not equals true. This variable is needed to check if UEFI is already enabled on the group
    • Add additional conditions for each computer model needing conversion
    • Select * from win32_computersystem where MODEL like “%9480m%”

  • Add a Restart Computer task in the Option tab and set the validation for task sequence variable:  _SMSTSInWinPE  equals False
  • Add a Run Command Line to run the HP BIOS config Utility for each specific HP model:
    Command Line : BiosConfigUtility64.exe /setconfig:HP840G3.txt /
    cspwdfile:HP_BIOS_PWD.bin
    Package : HP_BIOS_Config_Util with configuration files
    WMI Query select * from win32_computersystem where MODEL like “%9480m%”

  • Add a Format and Partition Disk task and configure as follows:
    Disk type : GPT
    First partition:
    500MB
    Fat32 and Quick format
    Variable : TSUEFIDrive

Second Partition:
100% of remaining space
NTFS and Quick format

  • Add a Restart computer task. Be sure to select the boot image assigned to this task sequence.

Converting HP machines from BIOS compatibility mode to UEFI can be programmatically accomplished with SCCM task sequences, which allows you to deploy the most secure Windows 10 environment possible.  Need more information or assistance? Email info@peters.com. We are happy to help.

By |2018-12-18T11:46:50-05:00July 16th, 2018|Infrastructure Services|Comments Off on Configure Workstation BIOS with SCCM to Take Advantage of Windows 10 Security Features – Part 2

About the Author: