Turn off CM PowerShell update warnings

So I’ve been working in some strange Configuration Manager environments lately, and sometimes they are not up to date. Yea… yea… I know. But they are test environments, so you know.

Problem

One of the problems I have is that when I call some CM PowerShell CmdLets, I get a warning:

WARNING: an update to the System Center 2012 Configuration
Manager Cmdlet Library is available. Please go to 
'http://go.microsoft.com/fwlink/?LinkId=<something>' 
to download the latest version. Running cmdlet version: 
<someversion> Latest cmdlet version: <someversion>.

Well the output has been driving me nuts, and I finally decided to dig into the problems and find out how to suppress the message.

A Hint

Niall Brady has a blog post on the subject:

How to fix “Warning: An update to the System Center 2012 Configuration Manager Cmdlet Library is available.”

But his recommended fix is to install the latest cmdlet library. Well, I suppose I could do that, but I was wondering if there was an easier way.

Reverse Engineering

I decided to do some reverse engineering.

  • Which dll files do the CM PowerShell cmdlets live in?
    get-command get-cmsite | format-list *
    Unfortunately, that did not reveal too much.
  • Did a grep of the dlls to find the error message: same files.
  • Finally able to track down the function: get-CMCmdletUpdateCheck and a match to the error string.
  • Skip the update? Yes, I want to skip the update; that looks like what I want.

Well, it turns out this was a roundabout way to the Get-CMCmdletUpdateCheck cmdlet and its companion Set-CMCmdletUpdateCheck, which does what I was looking for.
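The search described above can be scripted. This is an added example, not code from the original post: it finds the folder holding the cmdlet DLL, searches every DLL there for the warning text, and then lists the cmdlets that manage the check. It assumes the ConfigurationManager module is already imported; the helper name Find-StringInAssembly and the search phrase are chosen for illustration.

```powershell
# Added example. Assumption: the ConfigurationManager module is already imported.
function Find-StringInAssembly {          # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Text
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 2) { return }

    $utf16  = [System.Text.Encoding]::Unicode
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)   # one byte per character
    $hits   = @()

    # .NET string literals are stored as UTF-16LE and can start on an odd
    # byte offset, so decode the file at offset 0 and again at offset 1.
    if ($utf16.GetString($bytes).Contains($Text) -or
        $utf16.GetString($bytes, 1, $bytes.Length - 1).Contains($Text)) {
        $hits += 'UTF-16LE literal'
    }
    # Strings kept in embedded .resources data are stored one byte per character.
    if ($latin1.GetString($bytes).Contains($Text)) {
        $hits += 'single-byte resource string'
    }
    $hits
}

$cmdlet    = Get-Command Get-CMSite
$moduleDir = Split-Path -Parent $cmdlet.DLL      # DLL that implements the cmdlet
$needle    = 'Cmdlet Library is available'       # fragment of the warning text

Get-ChildItem -Path $moduleDir -Filter *.dll -Recurse | ForEach-Object {
    $found = Find-StringInAssembly -Path $_.FullName -Text $needle
    if ($found) {
        New-Object psobject -Property @{ File = $_.FullName; FoundAs = ($found -join ', ') }
    }
}

# The cmdlets that read and change the update check itself
Get-Command -Module $cmdlet.ModuleName -Noun CMCmdletUpdateCheck
```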

Example

Simply run Set-CMCmdletUpdateCheck with -IsUpdateCheckEnabled $False to suppress the output:

Set-CMCmdletUpdateCheck -CurrentUser -IsUpdateCheckEnabled $False


Nice and quiet :^)


BIOS to UEFI SecureBoot on Lenovo Desktops Gotcha! Part II

Good news for those IT departments out there that want to automate the process of moving from BIOS to UEFI with Secure Boot on Lenovo Desktop Machines!

As you may recall from my last post, I’ve been struggling to get any Lenovo Desktop Machines to move from non-SecureBoot to SecureBoot. But I recently found out that Lenovo may have updated their BIOS to support this (could it be?) We got a tentative confirmation from our contact at Lenovo, so it was time to do some testing.

I got a Lenovo M700 Tiny (great machine), and updated to the latest BIOS version. Looks like the BIOS version created Aug 2016 added some SecureBoot functionality. Looking good!

I created a tool internally at 1E to test moving from various BIOS/CSM/UEFI/SecureBoot/MBR/GPT states, so I ran the tool, and lo and behold, it passed. The new M700 Tiny firmware update allows for Non-SecureBoot to SecureBoot.

I haven’t tested other Lenovo Desktops (yet), but I’m cautiously optimistic that the M73/83/93 will be updated as well. For several of our customers, that’s a major percentage of machines that can now be updated.

The next thing to talk to Lenovo about is changing the laptop functionality so we can turn on UEFI with CSM support and without SecureBoot. This would allow us to install Windows 7 in UEFI mode.

Looking forward to Microsoft Ignite in Sept 2016!

( Thanks Joe! :^)

BIOS to UEFI SecureBoot on Lenovo Desktops Gotcha!

Been working with several IT departments trying to get our BIOS to UEFI solution qualified on as many OEM hardware models as possible, but unfortunately we have hit a snag that will affect Lenovo customers who need to move from BIOS to UEFI with SecureBoot using automated tools.

Lenovo does have a WMI API for programmatically making changes to the BIOS from within Windows (either the full OS or WinPE). That’s great! Unfortunately there are two areas where their implementation is lacking compared to Dell or HP:

  1. On Lenovo Laptops, we can change from BIOS to UEFI with SecureBoot, but they don’t offer the ability to move from BIOS to UEFI without SecureBoot. Why would we want to do that? Well, if we were installing Windows 7 in UEFI mode (in anticipation of upgrading to Windows 10 with SecureBoot in the future).
  2. On Lenovo Desktops, we have the opposite problem: we can change from BIOS to UEFI without SecureBoot, but we can’t change from BIOS to UEFI with SecureBoot. And this is a problem.

I did contact Lenovo directly, and their official response is that they are aware of the issue, but the lack of support for API access to/from SecureBoot on desktop models is “by-Design”. Lenovo is only half right. Disabling Secure Boot must always require physical presence; that is clearly documented by the UEFI spec:

http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf

 DISABLING SECURE BOOT 

[…]

Users may disable Secure Boot entirely, using a system setup screen enabled at boot time. Each manufacturer has its own interface for this option. In all cases, end user must be physically present to establish proof of possession (POP) associated with the changes.

However, enabling Secure Boot has no such requirement (that I can find), and Dell, HP, and Lenovo ThinkPad devices do support enabling SecureBoot programmatically.

I have tried to explain this point to Lenovo, but with no success. This sucks for customers that need to use tools to make changes at scale. Manually enabling SecureBoot can be a labor-intensive process.
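Before planning a change at scale it helps to know which state each machine is in. The following read-only report is an added example, not the 1E tool mentioned in these posts: it checks the Secure Boot state, the partition style of disk 0, and the boot-related settings exposed by Lenovo's WMI interface (the Lenovo_BiosSetting class in root\wmi). The function name and the setting-name filter are assumptions, since setting names differ between models.

```powershell
# Added example: read-only inventory, run from an elevated Windows PowerShell prompt.
function Get-FirmwareBootState {          # hypothetical function name
    param(
        # Assumption: setting names vary by model, so this filter is only a starting point.
        [string]$SettingFilter = 'Secure|CSM|Boot'
    )

    # Confirm-SecureBootUEFI only exists on Windows 8 / WinPE 4.0 and later.
    $secureBoot = 'Unknown (Confirm-SecureBootUEFI not available)'
    if (Get-Command Confirm-SecureBootUEFI -ErrorAction SilentlyContinue) {
        try {
            $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
        }
        catch [System.PlatformNotSupportedException] {
            # The firmware booted this OS in BIOS/CSM mode, so there is no Secure Boot variable.
            $secureBoot = 'Not supported (booted in BIOS/CSM mode)'
        }
        catch [System.UnauthorizedAccessException] {
            $secureBoot = 'Unknown (run elevated)'
        }
    }

    # Partition style of disk 0 through WMI, which also works on Windows 7.
    $parts = @(Get-WmiObject Win32_DiskPartition -Filter 'DiskIndex = 0')
    $style = 'Unknown'
    if ($parts.Count -gt 0) {
        $style = if ($parts | Where-Object { $_.Type -like 'GPT*' }) { 'GPT' } else { 'MBR' }
    }

    # Lenovo reports each setting as "Name,Value"; the class is absent on other OEMs.
    $lenovo = @()
    try {
        $lenovo = @(Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting -ErrorAction Stop |
            Where-Object { $_.CurrentSetting -match $SettingFilter } |
            ForEach-Object { ($_.CurrentSetting -split ';')[0] })
    }
    catch { $lenovo = @('Lenovo WMI interface not present') }

    New-Object psobject -Property @{
        Computer       = $env:COMPUTERNAME
        SecureBoot     = $secureBoot
        PartitionStyle = $style
        LenovoSettings = ($lenovo -join ' | ')
    }
}

Get-FirmwareBootState | Format-List Computer, SecureBoot, PartitionStyle, LenovoSettings
```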

Recommendation:

Therefore, I have to unfortunately make the recommendation:

Guidance: Enterprise customers should avoid Lenovo Desktops if they are still using Windows 7 and have plans to upgrade to Windows 10 with SecureBoot in the near future. Lenovo does not have any enterprise management tools to support this.

-Keith

Display WPF XAML code in PowerShell

Last week I went to the Minnesota Management Summit at the Mall of America #MMSMOA, and I got inspired to work on a few projects in my backlog.

One of the presentations I went to was with Ryan Ephgrave (@EphingPosh on Twitter.com), and his talk on “Better Know a PowerShell UI“.

Overall it was a great presentation, and I learned a lot. It also got me thinking about some of the things I could do with a framework I started earlier in the year but never got around to finishing.

WPF4PS

Without further ado, I present Windows Presentation Framework for PowerShell (WPF4PS). It is also the first project I’ve released as source code on GitHub:

https://github.com/keithga/WPF4PS

Background

Most WPF + PowerShell examples are created with a lot of custom code to add event handlers for the user interface elements. The goal here is to find all control elements on the page and, if a pre-defined function has been created for one, use it. That means minimal overhead code.

Example

Here is a fully functional example:

  • Load the WPF4PS module
  • Import a XAML defined in Visual Studio
  • Create a scriptBlock to handle the button Click
  • Create a HashTable to pass data between our script and the XAML Window
  • Call the Show-XAMLWindow function
  • Get the value of the TextBox from the Hash

<#
.SYNOPSIS
WPF4PS framework Examples

.DESCRIPTION
Simple Example

.NOTES
Copyright Keith Garner, All rights reserved.

#>

[cmdletbinding()]
param()

import-module $PSScriptRoot\wpf4ps -force

$MyXAML = @"
<Window x:Class="WpfApplication1.MainWindow"
 xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
 xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
 xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
 xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
 xmlns:local="clr-namespace:WpfApplication1"
 mc:Ignorable="d"
 Title="MainWindow" FontFamily="Segoe WP Semibold" Width="400" Height="300" Name="WindowMain" >
 <Grid>
 <Label>Hello World</Label>
 <Button x:Name="Button1" Content="Big Red Button" Width="125" Height="25" Background="#FFDD0000" Margin="0,60,0,0"/>
 <TextBox x:Name="textBox1" Height="23" Width="200" />
 </Grid>
</Window>
"@

$MyControl = [scriptBlock]{

    function global:button1_click()
    {
        "Click the Big Red Button`n" + $TextBox1.Text | show-MessageBox
        $WindowMain.Close()
    }

}

$MyHash = [Hashtable]::Synchronized(@{ textBox1 = "Hello World" })

Show-XAMLWindow -XAML $MyXAML -ControlScripts $MyControl -SyncHash $MyHash

$MyHash.TextBox1 | Write-Host
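
The convention described under Background, where a named control is matched to a pre-defined `<name>_<event>` function, can be implemented along the following lines. This is an added sketch, not the WPF4PS source: the function name Connect-XamlHandler, the sample XAML and the use of global variables for controls are assumptions made for illustration.

```powershell
# Added sketch, not the WPF4PS implementation. Run in Windows PowerShell (STA).
Add-Type -AssemblyName PresentationFramework

function Connect-XamlHandler {            # hypothetical function name
    param([Parameter(Mandatory = $true)][string]$Xaml)

    # XamlReader cannot load the x:Class attribute that Visual Studio adds.
    [xml]$doc = $Xaml -replace 'x:Class="[^"]*"', ''
    $window = [System.Windows.Markup.XamlReader]::Load((New-Object System.Xml.XmlNodeReader $doc))

    # Visit every element that carries a Name or x:Name attribute.
    foreach ($node in $doc.SelectNodes("//*[@*[local-name()='Name']]")) {
        $name = ($node.Attributes | Where-Object { $_.LocalName -eq 'Name' } |
            Select-Object -First 1).Value
        $control = $window.FindName($name)
        if (-not $control) { continue }

        # Expose the control as $<name> so handler functions can reach it.
        Set-Variable -Name $name -Value $control -Scope Global

        # Attach every existing function called <name>_<event> to that event.
        foreach ($fn in Get-Command "${name}_*" -CommandType Function -ErrorAction SilentlyContinue) {
            $eventName = $fn.Name.Substring($name.Length + 1)
            $event = $control.GetType().GetEvents() |
                Where-Object { $_.Name -eq $eventName } | Select-Object -First 1
            if ($event) { $control."Add_$($event.Name)"($fn.ScriptBlock) }
        }
    }
    $window
}

# Constructed sample input: one button, one text box, one handler.
$sampleXaml = @'
<Window xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
        Title="Demo" Width="300" Height="150">
  <StackPanel>
    <TextBox x:Name="TextBox1" Text="Hello World" />
    <Button x:Name="Button1" Content="OK" />
  </StackPanel>
</Window>
'@

function global:Button1_Click {
    $global:Result = $TextBox1.Text                        # read the text box
    [System.Windows.Window]::GetWindow($args[0]).Close()   # $args[0] is the sender
}

[void](Connect-XamlHandler -Xaml $sampleXaml).ShowDialog()
$Result
```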

Next

My goal is to work out the kinks and eventually upload/share this on PowerShellGallery.com.

For example:

  • I created two Show-XAMLWindow() functions in the library, one inline and another Async. I still don’t know what the use case for Async is.
  • Ryan Ephgrave did some XAML + PowerShell examples in his “Better Know a PowerShell UI” blog series with XAML “Binding” elements, something I have not used in the past, so I excluded them from this package.
  • I had to do some weirdness with declaring the functions above as “global” to make them visible to the module.

If you have feedback on the layout or usage, please let me know.

-k

Install Windows 7 in UEFI

I’m here at the Minnesota Management Summit at the Mall of America.

We got some exciting stuff going on here at 1E around Windows 10 and security features like Secure Boot and Device Guard, and I’ve been digging into the details of BIOS and UEFI.

The big challenge in this space is helping clients and customers who are currently running Windows 7 to upgrade to Windows 10 with Secure Boot. If you rolled the UEFI firmware back to CSM/BIOS mode, then your machine can’t leverage the super cool Windows 10 In-Place Upgrade functionality to upgrade from Windows 7 to Windows 10. Instead, we will need to perform a wipe and reload on the machine. Stay tuned to 1E for more information this week on BIOS to UEFI.

This all happens when you get a machine that supports UEFI and Secure Boot (say, a machine with a Windows 8, Windows 8.1 or Windows 10 logo), and you want to install Windows 7. Windows 7 can’t work with UEFI and Secure Boot, because Windows 7 isn’t a supported Secure Boot operating system. Windows 7 does support UEFI; however, you may have some more problems getting Windows 7 loading in UEFI, so we may need to add some CSM components, in a “Hybrid Mode”, to load. For many IT departments, getting Windows 7 to load with UEFI is hard, so they load in BIOS mode instead.

Moving forward, we now have a new recommendation:

“Install new Computers for Windows 7 in UEFI mode without Secure Boot!” [1] [2]

[1] – May require an updated BIOS

[2] – May require CSM “Hybrid Mode” not full BIOS mode.

The advantage here is that if/when it becomes necessary to migrate to Windows 10 and leverage the security features of Windows 10, all we need to do is run the standard Windows 10 In-place upgrade task sequence for SCCM/OSD or MDT. Don’t fall into the CSM/BIOS trap! :^)

OEM Specific settings

Now, honestly, we have had some problems getting Windows 7 running on a pure “UEFI” implementation. Instead, we have found out that you must enable *some* legacy aspects of CSM, but not the full CSM mode. We call this “UEFI Hybrid” mode, after the name HP gave this mode (see below).

So how would this look on various machines? Well, we can go into the BIOS and change the settings:

Dell

  • “LegacyOrom” set to “enable”
  • “ActiveBootList” set to “UEFI”

Lenovo

  • “UEFI/Legacy Boot” set to “Both”
  • “UEFI Priority […]”  = “UEFI First”
  • “CSM Support”  = “YES”

HP

  • “Boot Mode”  = “UEFI Hybrid (with CSM)”

Hopefully this should help you move forward to Windows 10, yet still deploy Windows 7 for your existing needs.

-k

Keith Garner at MMS next week

Just a reminder that I will be at the Minnesota Management Summit (MMS) next week.

For the most part I’m excited about meeting up with ya all, learning about the state of the industry, and new products/features coming out. :^).

See you at the Mall of America!