Convert Windows 7 (Legacy + MBR) to Windows 10 with Secure Boot (UEFI + GPT) - ThinkPad and ThinkCentre

Overview

One challenge we have seen and heard from our customers is converting a Windows 7 or Windows 10 computer that uses Legacy BIOS to Windows 10 with UEFI and Secure Boot. In this post, we address a possible way this can be done on Lenovo ThinkCentre and ThinkPad computers in an automated fashion using MDT and WDS.

The scope of this solution will include:
  • PXE Boot to MDT WinPE Boot Image
  • Wipe and Load Only
    • No User Data Captured or Reloaded
    • Drive is re-partitioned and formatted as GPT instead of MBR
  • One disk – no multiple drive configurations
  • Select Think products:
    • ThinkPad Skylake models – all BIOS revisions
    • ThinkCentre – M700 Tiny, M800, M900, M900 Tiny, M900x Tiny 
      • minimum BIOS Version FWKT57A
To apply the BIOS settings, we will be using the Think BIOS Configurator linked at the bottom of this blog post. This tool can also capture settings, so if other settings need to be applied, set them manually on a donor computer and capture them there.

Configuring WDS

For the process to complete successfully we will need to reboot after applying the Secure Boot and PXE settings. To continue with the process we will need to boot back into a default boot image. Follow the steps below to set the MDT x64 boot image as the default x64 boot image and the default x64 UEFI boot image.
  1. In WDS, right click on the server name and select Properties.
  2. Click on the Boot tab.
  3. In the Default boot image (optional) section, click the Select button to the right of x64 architecture.
  4. Select the MDT x64 boot image. If it is not there, please compile one and import it.
  5. Repeat the steps for the x64 (UEFI) architecture.

MDT

MDT itself will require some settings to be set, either in CustomSettings.ini or in the database, so that the task sequence starts automatically with no interaction.

CustomSettings.ini

[Settings]
Priority=Default
Properties=

[Default]
OSInstall=Y
SkipAdminPassword=YES
SkipApplications=YES
SkipBitLocker=YES
SkipCapture=YES
SkipComputerBackup=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipFinalSummary=YES
SkipLocaleSelection=YES
SkipProductKey=YES
SkipRoles=YES
SkipSummary=YES
SkipTimeZone=YES
SkipUserData=YES

AdminPassword=<Your Administrator Password Here>

FinishAction=RESTART
SLShare=%DeployRoot%\Logs

SystemLocale=<Your System Locale Here>

TimeZoneName=<Your Time Zone Here>

UILanguage=<Your User Interface Language Here>

UserLocale=<Your User Locale Here>

SkipTaskSequence=YES

; SBW10 is the Secure Boot task sequence (keep this comment on its own line so it is not read as part of the value).
TaskSequenceID=SBW10

_SMSTSOrgName=%TaskSequenceName%

OSDComputerName=<However you set the computer name>

Configure Share for Lenovo Scripts

In this example we will define some folders and create some scripts and ini files that will be referenced from tasks added to the MDT task sequence. The deployment share folder for this example is MDT2013U2.
  1. Navigate to the Scripts folder and create a folder named Lenovo to contain all the necessary components for this example.
  2. In the Lenovo folder, create a folder named BIOSConfig.
  3. In the Lenovo folder, create a text file and name it CleanBootDrive.txt.
  4. Add the following content (this selects and wipes disk 0, the single drive assumed in the scope above):

    SEL DIS 0
    CLEAN

  5. Navigate to the BIOSConfig folder.
  6. Download the Think BIOS Config tool and extract it to this location.


  7. Create the following four files (each file contains the lines shown under its name):

    ThinkCentreHDD.ini

    Primary Boot Sequence,SATA 1:SATA 2:SATA 3:Network 1

    ThinkCentreSecBootPXE.ini

    Boot Agent,PXE
    PXE IPV4 network stack,Enabled
    PXE IPV6 network stack,Enabled
    Secure Boot,Enabled
    Secure boot,Enabled
    Primary Boot Sequence,Network 1:SATA 1:SATA 2:SATA 3

    ThinkPadHDD.ini

    BootOrder,NVMe0:NVMe1:HDD0:HDD1:HDD2:HDD3:PCILAN

    ThinkPadSecBootPXE.ini

    IPv4NetworkStack,Enable
    IPv6NetworkStack,Enable
    UefiPxeBootPriority,IPv4First
    SecureBoot,Enable
    BootOrder,PCILAN:NVMe0:NVMe1:HDD0:HDD1:HDD2:HDD3

Task Sequence Groups and Tasks

The following information will detail the appropriate groups and tasks to add to the task sequence to ensure the conversion and setup goes through as expected.

Initialization Phase:

Add the group named Settings Only BIOS Change.
Conditions:
  • If any conditions are true
    • WMI Namespace: root\wmi
      WMI Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting Like 'Secure Boot,Disable%'
    • WMI Namespace: root\wmi
      WMI Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting Like 'SecureBoot,Disable%'
    • WMI Namespace: root\wmi
      WMI Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting Like 'Secure boot,Disable%'
Tasks in this group:
  • Set Secure Boot and PXE (ThinkCentre)
    • Type: Run Command Line
    • Command Line: cmd /c %ScriptRoot%\Lenovo\BiosConfig\ThinkBiosConfig.hta "file=ThinkCentreSecBootPXE.ini"
    • Start in: %ScriptRoot%\Lenovo\BiosConfig
    • Condition:
      WMI Query: SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE 'ThinkCentre%'
  • Set Secure Boot and PXE (ThinkPad)
    • Type: Run Command Line
    • Command Line: cmd /c %ScriptRoot%\Lenovo\BiosConfig\ThinkBiosConfig.hta "file=ThinkPadSecBootPXE.ini"
    • Start in: %ScriptRoot%\Lenovo\BiosConfig
    • Condition:
      WMI Query: SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE 'ThinkPad%'
  • Clean Boot Drive
    • Type: Run Command Line
    • Command Line: diskpart /s %ScriptRoot%\Lenovo\CleanBootDrive.txt
  • Reboot from WinPE
    • Type: Run Command Line
    • Command Line: WPEUTIL REBOOT

Preinstall Phase:

Tasks to add in this phase:
  • Set Primary Boot Sequence to Hard Drive (ThinkCentre)
    • Type: Run Command Line
    • Command Line: cmd /c %ScriptRoot%\Lenovo\BiosConfig\ThinkBiosConfig.hta "file=ThinkCentreHDD.ini"
    • Start in: %ScriptRoot%\Lenovo\BiosConfig
    • Condition:
      WMI Query: SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE 'ThinkCentre%'
  • Set Boot Order to Hard Drive (ThinkPad)
    • Type: Run Command Line
    • Command Line: cmd /c %ScriptRoot%\Lenovo\BiosConfig\ThinkBiosConfig.hta "file=ThinkPadHDD.ini"
    • Start in: %ScriptRoot%\Lenovo\BiosConfig
    • Condition:
      WMI Query: SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE 'ThinkPad%'
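The group conditions above can be checked by hand before a machine is PXE booted. The following PowerShell is an added example, not part of the original post or the Think BIOS Config tool; it evaluates the same Win32_ComputerSystemProduct and Lenovo_BiosSetting queries read-only and reports which ini file the group would apply. It assumes PowerShell with WMI access (the installed OS, or a WinPE image with the PowerShell component); the function name is my own.

```powershell
function Get-ThinkSecureBootState {
    # Same class and property the task conditions use to tell ThinkCentre from ThinkPad
    $version = (Get-CimInstance -ClassName Win32_ComputerSystemProduct).Version
    $family = if ($version -like 'ThinkCentre*') { 'ThinkCentre' }
              elseif ($version -like 'ThinkPad*') { 'ThinkPad' }
              else { 'Unsupported' }

    # Lenovo exposes each BIOS setting as a "Name,Value" string in root\wmi;
    # on a non-Lenovo machine the class is missing and the list stays empty
    $settings = @(Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting `
                    -ErrorAction SilentlyContinue | ForEach-Object { $_.CurrentSetting })

    # The three LIKE patterns from the group. ThinkCentre reports "Secure Boot,Disabled"
    # (or "Secure boot,Disabled"), ThinkPad "SecureBoot,Disable"; the trailing wildcard
    # covers both spellings of the value, as the '%' does in the WQL queries.
    $patterns = 'Secure Boot,Disable*', 'SecureBoot,Disable*', 'Secure boot,Disable*'
    $needsChange = $false
    foreach ($s in $settings) {
        foreach ($p in $patterns) { if ($s -like $p) { $needsChange = $true } }
    }

    # Whatever line names Secure Boot, regardless of spelling; $null when the BIOS does
    # not expose the setting at all (the M93p/M83 case raised in the comments below)
    $secureBootLine = $settings | Where-Object { $_ -match '^Secure ?Boot,' } | Select-Object -First 1

    $ini = if ($needsChange -and $family -ne 'Unsupported') { "${family}SecBootPXE.ini" } else { 'none' }

    [pscustomobject]@{
        Family          = $family
        SecureBootLine  = $secureBootLine
        NeedsBiosChange = $needsChange     # $true means the Settings Only BIOS Change group would run
        IniToApply      = $ini
    }
}

Get-ThinkSecureBootState
```

A machine that reports NeedsBiosChange as $true but SecureBootLine as $null has a BIOS that does not expose the setting through WMI, and needs a BIOS update before this process can work on it.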

Process

The intention is that once all of this is set up, the computer will be PXE booted and will select the x64 boot image. When the boot image loads, it will auto populate all information required to start an MDT deployment.

At that point, it will go into the default selected task sequence. After the task sequence is started, it will detect whether the computer is already set for Secure Boot. If not, it will set the Secure Boot and boot order settings in the BIOS via WMI, clean the partitions on the drive using diskpart, and reboot. Since we set the LAN as first in the boot order, it then reboots back to the PXE server and loads the default x64 UEFI boot wim file. It will then bypass the group that sets up Secure Boot, since it is already set, and set the boot order back to the hard disk drive.

Since Secure Boot switches the BIOS to UEFI only, the standard MDT task sequence steps will take over to format the disk as GPT and partition it via the normal steps with the Boot (EFI), MSR, Windows Primary (NTFS), and Recovery (NTFS) partitions. After this, the process to deploy Windows 10 should proceed as normal.
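To confirm that a deployed machine really ended up in the state just described, the following PowerShell is an added example (not from the original post) that checks the firmware type, the Secure Boot state and the boot disk's partition style and layout from the installed Windows 10. It assumes an elevated prompt, since Confirm-SecureBootUEFI and the Storage cmdlets need it; the function name is my own.

```powershell
function Test-UefiSecureBootConversion {
    # Windows 8 and later set this to 'UEFI' or 'Legacy' for the current boot
    $firmware = $env:firmware_type

    # Confirm-SecureBootUEFI throws on a Legacy-booted machine; treat that as "not on"
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # The disk Windows booted from and the GPT partition types on it
    $bootDisk  = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $partTypes = @(Get-Partition -DiskNumber $bootDisk.Number | ForEach-Object { $_.Type })

    # The MDT format step should leave System (EFI), Reserved (MSR), Basic (Windows) and Recovery;
    # an MBR disk reports types such as IFS instead, so all four will show as missing there
    $expected = 'System', 'Reserved', 'Basic', 'Recovery'
    $missing  = @($expected | Where-Object { $_ -notin $partTypes })

    [pscustomobject]@{
        FirmwareType      = $firmware
        SecureBoot        = $secureBoot
        PartitionStyle    = $bootDisk.PartitionStyle
        Partitions        = ($partTypes -join ', ')
        MissingPartitions = ($missing -join ', ')
        Converted         = ($firmware -eq 'UEFI' -and $secureBoot -and
                             $bootDisk.PartitionStyle -eq 'GPT' -and $missing.Count -eq 0)
    }
}

Test-UefiSecureBootConversion
```

Converted is $true only when every check passes; a machine that shows UEFI and GPT but SecureBoot $false most likely never ran the Settings Only BIOS Change group, which is worth checking in the MDT logs under the SLShare path.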


Comments

  1. WMI Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting Like 'Secure Boot,Disable%'
    WMI Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting Like 'SecureBoot,Disable%'
    WMI Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting Like 'Secure boot,Disable%'


    Shouldn't this be Secure boot,Disabled and Secure Boot,Disabled for ThinkCentre products? Also, the Lenovo BIOS config tool does not display Secure Boot settings for ThinkCentre M93p and ThinkCentre M83 models. When I declare Secure Boot,Enabled in the ThinkCentreSecBootPXE.ini, it does not turn that setting on in the BIOS.

    Replies
    1. Yes, the ThinkCentre products do have a 'd' at the end. We keep pushing to get more consistency among our Think brands for this and hope to see improvements in the future. For the M93p and M83, please make sure you get the latest BIOS update. The Secure Boot setting in WMI was added by a BIOS update on those systems. If it's still missing, please post the details in our Enterprise Client Management Forum (http://lnv.gy/2nEVrNb).
