diablolot53 edited this page Sep 29, 2017 · 6 revisions

Overview

This script was created to provide an easy way to tell whether a computer was booted from UEFI and whether Secure Boot is enabled. It can be integrated into an SCCM or MDT task sequence to check and report the UEFI/Secure Boot status before the imaging process starts.

Parameters

-SecureBoot

Runs the Secure Boot check. By default only the UEFI check is performed.

-Debug

Displays the debug window with the status of both checks. This is not recommended for use in a task sequence, but can be helpful for diagnostic tasks run from the desktop.

Requirements

The script requires the following packages to be added to Windows PE:

  • WinPE-WMI
  • WinPE-NetFX
  • WinPE-Scripting
  • WinPE-PowerShell
  • WinPE-HTA

The Secure Boot check requires an additional package to be installed:

  • WinPE-SecureBootCmdlets

The following TechNet article explains how to install the additional packages into Windows PE - WinPE: Add packages

If running from the Windows Desktop, no additional packages are required.

SCCM Task Sequence Example

The following example details the steps required to integrate the script into an SCCM Task Sequence to verify that the computer was booted from UEFI and Secure Boot is enabled.

Add Script to Boot Image

Since this script is executed before the hard disk is formatted, it's best to add the script directly to the boot image instead of running it from a package. SCCM attempts to cache a package to local disk before running it; if the hard drive is unformatted there may be nowhere to download it to, which can cause the task sequence to fail.

  1. Mount the boot image using DISM

dism /Mount-Image /ImageFile:E:\Sources\BootImages\boot_1703.wim /Index:1 /MountDir:C:\mount

  2. Create a Scripts folder

mkdir C:\mount\Scripts

  3. Copy uefi-checkscript.ps1 into the Scripts folder

copy uefi-checkscript.ps1 C:\mount\Scripts

  4. Unmount the boot image, committing the changes

dism /Unmount-Image /MountDir:C:\mount /Commit

  5. Update the distribution points with the modified boot image

Add UEFI Check to Task Sequence

  1. Add a new Run Command Line step prior to the hard disk format step

  2. In the command line section add the following line:

powershell.exe -ExecutionPolicy Bypass -Command "X:\Scripts\uefi-checkpoint.ps1"

Use the following line instead to also run the Secure Boot check:

powershell.exe -ExecutionPolicy Bypass -Command "X:\Scripts\uefi-checkpoint.ps1 -SecureBoot"
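The following is an added example of the kind of check the task sequence step above relies on; it is not the project's own uefi-checkscript.ps1. It assumes the PEFirmwareType registry value set by the Windows Boot Manager and the Confirm-SecureBootUEFI cmdlet (provided by WinPE-SecureBootCmdlets in Windows PE), and it signals failure to the task sequence through a non-zero exit code.

```powershell
# Added example, not the project's script: mirrors the -SecureBoot switch and
# fails the Run Command Line step via exit code when the checks do not pass.
param(
    [switch]$SecureBoot
)

function Get-FirmwareType {
    # PEFirmwareType is written by the Windows Boot Manager: 1 = legacy BIOS, 2 = UEFI.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $value = (Get-ItemProperty -Path $key -Name PEFirmwareType -ErrorAction Stop).PEFirmwareType
    switch ($value) {
        1       { 'BIOS' }
        2       { 'UEFI' }
        default { "Unknown ($value)" }
    }
}

function Test-SecureBootEnabled {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws on
    # legacy BIOS systems or when the cmdlet module is missing; treat both as "not enabled".
    try {
        return [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        return $false
    }
}

$firmware = Get-FirmwareType
if ($firmware -ne 'UEFI') {
    Write-Output "Firmware type is $firmware; a UEFI boot is required."
    exit 1
}

if ($SecureBoot -and -not (Test-SecureBootEnabled)) {
    Write-Output 'Secure Boot is not enabled.'
    exit 2
}

Write-Output "UEFI boot confirmed$(if ($SecureBoot) { ' with Secure Boot enabled' })."
exit 0
```

A non-zero exit code fails the Run Command Line step (and therefore the task sequence) unless "Continue on error" is checked on that step, so the imaging never starts on a machine that failed the check.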