A direct membership rule could still include a group. J

From: [email protected] On Behalf Of Ryan
Sent: Thursday, May 21, 2015 12:00 PM
To: [email protected]
Subject: Re: [mssms] Switch to UEFI during OSD

You could make it only allow direct membership rules... wouldn't that cover everything then?

On Thu, May 21, 2015, 12:17 PM Jason Sandys <[email protected]> wrote:

What if someone accidentally adds a security group containing all domain computers to the collection? There simply are too many what-ifs and possibilities on this one, and so yes, the below would help mitigate the risk, as does the high-risk collection detection that they added to R2 SP1/RTM SP2, but nothing will ever mitigate the risk entirely – except not using required deployments. I'm not saying don't use them (well, actually I do recommend never to use them), but if you choose to use them there is always some risk involved, and you need to understand as well as accept this and put checks in place to control the risk. J

From: [email protected] On Behalf Of Ryan
Sent: Thursday, May 21, 2015 10:06 AM
To: [email protected]
Subject: Re: [mssms] Switch to UEFI during OSD

I can greatly reduce and/or eliminate that risk with status filter rules. I've been wanting to write a system that did the following:

Query 1: Whenever a TS deployment is made, run a PS script that checks the number of clients in the collection. If > a certain %, it changes the deadline date of the deployment. Also, it creates a status message query for the collection it's deployed to that runs a PS script whenever the collection properties are changed (i.e., rule added). That script waits until the collection refresh is complete and then checks the number of clients. If > a certain %, it changes the deadline date of the deployment. It could also automatically remove any include collection rules to avoid the "I added to x collection, which includes y collection, which adds the computer to the imaging collection" scenario.

Query 2: Whenever a collection is removed, it checks if any status filter rules are associated with the collection and, if there are, removes them.

Query 3: Whenever a TS deployment is removed, it removes status filter rules associated with it.

I'd prefer something like this was built into ConfigMgr, but status filter rules could probably do it.

On Thu, May 21, 2015 at 9:53 AM, Jason Sandys <[email protected]> wrote:

Nothing, as long as someone doesn't accidentally add unwanted systems to that collection or accidentally add a query that in turn adds unwanted systems (or all systems). These are risks for you to weigh and there are ways of mitigating them, but there are at least three very well-known cases of a TS being deployed as required to all systems in an environment and causing major havoc as well as being an RGE. J

From: [email protected] On Behalf Of Steve Whitcher
Sent: Thursday, May 21, 2015 9:38 AM
To: [email protected]
Subject: Re: [mssms] Switch to UEFI during OSD

I do mandatory OS deployment TS, to a collection specifically for machines to be (re)imaged. Is there something wrong with that?
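The "Query 1" guard Ryan sketches above (check how much of the estate a new task sequence deployment targets, and push the deadline out if it is too much), written out as an added example; this is not code from the thread or from ConfigMgr itself. It assumes the ConfigurationManager PowerShell module that ships with the console is installed, that Get-CMTaskSequenceDeployment, Get-CMCollection and Set-CMTaskSequenceDeployment behave as documented, and it uses a 10% threshold and "All Systems" as the baseline collection, both of which are placeholders to adjust. Intended to be run by hand, or by a status filter rule that fires when a deployment is created, with the new deployment's ID as its argument.

```powershell
# Added example (not from the thread): defer a required TS deployment whose
# collection is suspiciously large, in the spirit of Ryan's "Query 1".
# Assumptions: ConfigurationManager.psd1 is present next to the console,
# the cmdlets below behave as documented, 10% and "All Systems" are placeholders.

param(
    [Parameter(Mandatory = $true)][string] $DeploymentId,   # e.g. from the status message
    [double] $MaxPercent = 10,                              # assumed threshold
    [string] $BaselineCollection = 'All Systems'            # assumed baseline
)

function Test-CollectionTooLarge {
    # Pure decision logic, kept apart from the site calls so it can be checked on its own.
    param([int] $Members, [int] $Total, [double] $MaxPercent)
    if ($Total -le 0) { return $true }                      # unknown baseline: fail closed
    return (($Members / $Total) * 100) -gt $MaxPercent
}

# SMS_ADMIN_UI_PATH points at ...\bin\i386; the module manifest lives one level up in bin.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
$siteCode = (Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name
Set-Location "$($siteCode):"

$deployment = Get-CMTaskSequenceDeployment -DeploymentId $DeploymentId
if (-not $deployment) { throw "Deployment $DeploymentId not found" }

# An available deployment only offers the TS; a required one (mandatory schedule) is the risk.
if (-not $deployment.AssignedScheduleEnabled) {
    Write-Output "Deployment $DeploymentId is not required; nothing to do."
    return
}

$target   = Get-CMCollection -Id $deployment.CollectionID
$baseline = Get-CMCollection -Name $BaselineCollection

if (Test-CollectionTooLarge -Members $target.MemberCount -Total $baseline.MemberCount -MaxPercent $MaxPercent) {
    # Push the deadline years out rather than deleting the deployment, so the admin
    # can still inspect what was created and decide what to do with it.
    $newDeadline = (Get-Date).AddYears(10)
    Set-CMTaskSequenceDeployment -InputObject $deployment -DeadlineDateTime $newDeadline
    Write-Warning ("Required TS deployment {0} targets '{1}' ({2} of {3} devices); deadline moved to {4}." -f
        $DeploymentId, $target.Name, $target.MemberCount, $baseline.MemberCount, $newDeadline)
} else {
    Write-Output "Deployment $DeploymentId targets $($target.MemberCount) devices; under threshold."
}
```

The threshold test is a separate function so the policy (what counts as "too large", and failing closed when the baseline count is unknown) can be reasoned about without a site connection; the second half of Ryan's idea, re-running the same check after a collection refresh, would call the same script with the deployment IDs found for that collection.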
On Tue, May 19, 2015 at 4:28 PM, Michael Niehaus <[email protected]> wrote:

That would cause issues with a mandatory TS PXE boot, but hopefully no one does mandatory OS deployment task sequence deployments anyway ☺

Thanks,
-Michael

From: [email protected] On Behalf Of Niall Brady
Sent: Tuesday, May 19, 2015 1:58 PM
To: [email protected]
Subject: Re: [mssms] Switch to UEFI during OSD

No, it's not a TS, it's a prestart (before a TS) which would detect if legacy, and if so, change to UEFI, reboot and then on with normal business.

On Tue, May 19, 2015 at 10:53 PM, Roland Janus <[email protected]> wrote:

Doesn't that reboot also mean the TS, with the prestart, has to run again? That would be an issue with a required TS and PXE boot.

-Roland

From: [email protected] On Behalf Of Roland Janus
Sent: Tuesday, 19 May 2015 22:26
To: [email protected]
Subject: RE: [mssms] Switch to UEFI during OSD

What's the magic part here, that it is in prestart? I can get HPs to switch to UEFI with a command line, but I think doing it in a single TS is the hard or impossible part. Would prestart help here also?

-Roland

From: [email protected] On Behalf Of [email protected]
Sent: Tuesday, 19 May 2015 16:50
To: [email protected]
Cc: [email protected]
Subject: RE: [mssms] Switch to UEFI during OSD

Dell - Internal Use - Confidential

Dell IT has worked out a Legacy -> UEFI solution using the Dell PowerShell Provider. Bill Moore blogged about it here: http://www.billamoore.com/2014/05/16/easy-legacy-efi-dells-powershell-provider/

Thanks,
Warren

From: [email protected] On Behalf Of Michael Niehaus
Sent: Monday, May 18, 2015 11:58 PM
To: [email protected]
Subject: RE: [mssms] Switch to UEFI during OSD

Overall, it's a painful thing to do – most people who ask want to do this as part of an OS refresh, preserving user data and settings at the same time without moving data off of the system. We don't recommend even trying – just keep the system running legacy BIOS emulation until it's replaced (or until you "reclaim" the system for redeployment).

If you just want to automate the switchover (and destroy the contents of the drive later), it's a little easier, but still vendor-specific (to modify firmware settings). You would only want to consider this for Windows 8 logo-certified devices (those running UEFI 2.3.1 or higher), since previous UEFI versions were way too flaky.

I would also start thinking about this as a point-forward change: stop deploying Windows 7 systems using legacy BIOS emulation if you are planning to upgrade or refresh them to Windows 10 sometime within the machine's lifetime.

Thanks,
-Michael

From: [email protected] On Behalf Of Niall Brady
Sent: Monday, May 18, 2015 9:49 PM
To: [email protected]
Subject: Re: [mssms] Switch to UEFI during OSD

I've thought about it, and perhaps you could build some type of script to run before the prestart even, which checks for UEFI and if not, sets the BIOS to UEFI (Lenovo and others have scripts for that), then reboots to the correct mode before allowing you to select a UEFI mode task sequence. You'd have to use something that kicks off before the task sequence engine, like this: http://www.windows-noob.com/forums/index.php?/topic/12277-updated-script-how-can-i-check-for-network-connectivity-storage-before-starting-a-task-sequence-in-system-center-2012-r2-configuration-manager/

I have not tested it, but I believe it will work for some hardware at least. The key is that it would be a script that is not task sequence aware, that runs before your task sequence and involves user input of some sort (to make the decision).

On Tue, May 19, 2015 at 1:07 AM, Jason Sandys <[email protected]> wrote:

Correct. There have been discussions on this by Tim Mintner, Keith Garner, and Michael Niehaus, and the conclusion is that this is not possible in an unattended manner or with a single TS. J

From: [email protected] On Behalf Of Roland Janus
Sent: Monday, May 18, 2015 5:02 PM
To: [email protected]
Subject: [mssms] Switch to UEFI during OSD

Anyone tried that? Switching the BIOS to UEFI with a command line isn't the problem, but doing this as part of OSD might be. Refresh using hardlinks can't work, but has anyone tried switching to UEFI during OSD for bare metal? (That of course would lead to a mix of legacy and UEFI installations.) Assuming the computer is currently configured to use legacy BIOS mode, that seems like a chicken/egg problem.

-Roland
