I’m here at the Minnesota Management Summit at the Mall of America.
We got some exciting stuff going on here at 1E around Windows 10 and security features like Secure Boot and Device Guard, and I’ve have been digging into the details of BIOS and UEFI.
The big challenge in this space is helping clients and customers who are currently running Windows 7 to upgrade to Windows 10 with Secure Boot, If you rolled the UEFI firmware back to CSM/BIOS mode, then your machine can’t leverage the super cool Windows 10 In-Place Upgrade functionality to upgrade from Windows 7 to Windows 10. Instead, we will need to perform a wipe and reload on the machine. Stay tuned to 1E for more information this week on BIOS to UEFI.
This all happens when you get a machine that supports UEFI and Secure Boot (Say a machine with a Windows 8, Windows 8.1 or Windows 10 Logo), and you want to install Windows 7. Windows 7 can’t work with UEFI and Secure Boot, because Windows 7 isn’t a supported Secure Boot operating System. Windows 7 does support UEFI, however you may have some more problems getting Windows 7 loading in UEFI, so we may need to add some CSM components, in a “Hybrid Mode” to load. For many IT departments, Getting Windows 7 to load with UEFI is hard, so they load in BIOS mode instead.
Moving forwards, We are now have a new recommendation:
“Install new Computers for Windows 7 in UEFI mode without Secure Boot!” [1] [2]
[1] – May require an updated BIOS
[2] – May require CSM “Hybrid Mode” not full BIOS mode.
The advantage here, is that if/when it becomes necessary to migrate to Windows 10 and leverage the security features of Windows 10, all we need to do is run the standard Windows 10 In-place upgrade task sequence for SCCM/OSD or MDT. Don’t fall into the CSM/BIOS trap! :^)
OEM Specific settings
Now, honestly, we have had some problems getting Windows 7 running on a pure “UEFI” implementation, instead we have found out that you must enable *some* legacy aspects of CSM, but not the full CSM mode. We call this “UEFI Hybrid” mode, after the name HP gave this mode (see below).
So how would this look on various machines? Well, we can go into the BIOS and change the settings
Dell
- “LegacyoRom” set to “enable”
- “ActiveBootList” set to “UEFI”
Lenovo
- “UEFI/Legacy Boot” set to “Both”
- “UEFI Priority […]” = “UEFI First”
- “CSM Support” = “YES”
HP
- “Boot Mode” = “UEFI Hybrid (with CSM)”
Hopefully this should help you move forwards to Windows 10, yet still deploy Windows 7 for your existing needs.
-k
Keith's Consulting Blog 
The Intel 6th-Gen “Skylake” hardware (like the HP Spectre Pro x360 G2) has no Legacy mode and also utilizes TPM 2.0. If you use BitLocker, you’ll also need hotfix KB2920188 for Windows 7 for these machines with TPM 2.0. Otherwise, the OS won’t see the TPM at all.
Another note: if you make the mistake of kicking off your bare metal restore by booting WinPE to Legacy ROM (which is an easy mistake for our techs to make, since we use USB boot media and don’t use PXE), you’ll get MBR partitions, which won’t work with TPM 2.0. You have to boot the UEFI boot image to get GPT partitions, which is another requirement for TPM 2.0. The symptom here is that Windows 7 sees the TPM but can’t manage it and tells you that “you need to contact your BIOS manufacturer for an updated BIOS”.
Hi! We deploy Windows 7 x64 on HP EliteBook 840 G3 / HP ProBook 650 G2 with TPM 2.0. The first thing is that Legacy Support Disable and Secure Boot Disable is configured to get the GPT partitions. Before we activate TPM 2.0 we set the registry keys to prevent the new Windows 10 encryptions. After installing the OS – the last step before the notebook starts to install device drivers – we use the BIOS configuration utiliy again to set Legacy Support Enable and Secure Boot Disable to support Windows 7 x64 with TPM 2.0. This works like a charm for us.
… Dietmar
We also deploy Windows 7 x64 to the HP EliteBook 840 G3. We just set the BIOS to Legacy Support Enable and Secure Boot Disable from the start and boot to UEFI. GPT partitions are created, and no BIOS changes are needed later in the task sequence.
There must be a difference between the models because if we set Legacy Support Enable and Secure Boot Disable at the beginning we are not able to PXE boot into UEFI. With this configuration the legay PXE boot appears and the ConfigMgr-Task Sequence formats the disk with MBR. I checked this many hundred times ;-). Legacy Support Disable and Secure Boot Disable let us install Windows 7 or Windows 10 out of box – we get this notebooks pre-configured from HP. After Windows 10 installation we set Legacy Support Disable and Secure Boot Enable.