Mike on Windows Config Mgr and Secure Boot

Mike Terrill has 2 blog posts on Windows Configuration Manager and UEFI Secure Boot:

BIOS and Secure Boot State Detection during a Task Sequence
With all of the security issues and malware lately, BIOS to UEFI for Windows 10 deployments is becoming a pretty hot topic (unless you have been living under a rock, UEFI is required for a lot of the advanced security functions in Windows 10). In addition, with the Windows 10 Creators Update, Microsoft has introduced a new utility called MBR2GPT that makes the move to UEFI a non-destructive process. If you have already started deploying Windows 10 UEFI devices, it can be tricky to determine what state these devices are in during a running Task Sequence. The Configuration Manager Team introduced a new class called SMS_Firmware and inventory property called UEFI that helps determine which computers are running in UEFI in Current Branch 1702. This can be used to build queries for targeting and reports, but it would be nice to handle this plus Secure Boot state (and CSM) during a running Task Sequence. We do have the Task Sequence variable called _SMSTSBootUEFI that we will use, but we need to determine the exact configuration in order to execute the correct steps.[…]

BIOS and Secure Boot State Detection during a Task Sequence Part 1

BIOS and Secure Boot State Detection during a Task Sequence Part 2

 

Mike Terrill on Windows 10’s Secure Boot and Cfg Mgr

Mike Terrill has an article on using Windows 10 and Secure Boot, and using Configuration Manager to show the state of Secure Boot:

Inventory Secure Boot State and UEFI with ConfigMgr

Now that Windows 10 has been released, you are probably starting to take a closer look at the new OS and the related security benefits that it has to offer.  Secure Boot is a supported security feature in Windows 10 that secures the boot process by only allowing the loading of drivers and boot loaders that are signed with a trusted signature.  The first versions of Windows to support Secure Boot were Windows 8 and Windows Server 2012.  Secure Boot requires computer systems to be running UEFI 2.3.1 (or later).  Legacy ROMs or compatibility support modules (CSM) must be disabled in order to enable Secure Boot. In this blog, I will show you how to extend the Configuration Manager hardware inventory so that you can report on the state of Secure Boot in your environment.  This will not only tell you which systems have Secure Boot enabled or disabled, but it will also help you detect systems that are not currently running UEFI (the ones running in BIOS mode).  Identifying these systems will be helpful when determining the deployment method that you will select when moving to Windows 10.  If it is a requirement of your security team that all systems running Windows 10 must also be running Secure Boot, it will give you an idea on how much effort will be involved during the deployment process. […]

Inventory Secure Boot State and UEFI with ConfigMgr