
Systems Deployment Question


No iPXE SecureBoot is certainly hurting us right now.

04/07/2020 406 views

All of our machines have SecureBoot enabled.  Unfortunately, you can only disable that from the BIOS console of the system itself.  PXE UEFI SecureBoot doesn't exist.  Our campus is closed.  Has anyone devised a workaround?


Comments

  • If these are Dell machines you can use the Dell Command Configure Tool Kit (CCTK.exe) to configure BIOS settings through Windows. I just started to use this to configure WOL settings for some computers, but there are settings to enable or disable secure boot.

    I did run into some difficulty with some older computers whose BIOS did not seem to be compatible with the newest version of the Command Configure utility, but if the computer shipped with Windows 8 or above they seemed to be compatible.

    Also, you can check if Secure Boot is enabled with the PowerShell command:

    Confirm-SecureBootUEFI

    This will return True or False.
  • Latest version of CCTK.exe only has options to enable SecureBoot. From the website, "NOTE: You cannot disable secure boot using the Dell Command | Configure user interface. One of the methods of disabling secureboot is from the BIOS setup screen."
    • That message has been in CCTK since version 3.0 or 4.0. That's telling you, you can only do it from Shell or PowerShell Scripts.

      That means, not via clicks, but via CLI works fine.
      • Every time I try it from the shell, --secureboot=disable, or secureboot=disabled, I get a...

        "Invalid Argument for the provided option 'SecureBoot' SecureBoot: If enabled, BIOS should only perform Secure Boot authentication and boot in UEFI mode without loading Compatibility Support Module (CSM). BIOS refers to this setting to decide on the POST behavior. You can disable this feature from BIOS setup screen. Arguments: Enabled."

        If I'm doing something wrong, please enlighten me.
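
Added example (not from the original thread): a PowerShell function that wraps the Confirm-SecureBootUEFI check mentioned in the first comment and also classifies the cases where the cmdlet raises an error instead of returning True or False, namely a legacy BIOS boot and a non-elevated session. The function name Get-SecureBootState and the state labels are hypothetical.

```powershell
# Added example: report the Secure Boot state of the local machine.
# Assumes Windows 8 / Server 2012 or later, where Confirm-SecureBootUEFI is available.
function Get-SecureBootState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        SecureBoot   = 'Unknown'   # hypothetical labels: Enabled, Disabled, NotSupported, AccessDenied, Unknown
        Detail       = ''
    }

    try {
        # $true  = Secure Boot supported and enabled
        # $false = Secure Boot supported but disabled
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $state.SecureBoot = if ($enabled) { 'Enabled' } else { 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] {
        # Machine booted in legacy BIOS/CSM mode, or firmware has no Secure Boot support.
        $state.SecureBoot = 'NotSupported'
        $state.Detail     = $_.Exception.Message
    }
    catch [System.UnauthorizedAccessException] {
        # The PowerShell session is not elevated, so the firmware variable cannot be read.
        $state.SecureBoot = 'AccessDenied'
        $state.Detail     = $_.Exception.Message
    }
    catch {
        # Anything else is left as Unknown with the raw message for triage.
        $state.Detail = $_.Exception.Message
    }

    [pscustomobject]$state
}

# Run from an elevated prompt; the object can also be piped to Export-Csv for inventory.
Get-SecureBootState | Format-List
```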

All Answers

0

You install the software (either in Windows or, if it's a KBE, you install it into the KBE (WinPE)). (Read the KACE Admin guide.)

Then you use a shell command to query info.

For example, this is a DELL Precision M3800 with Secure Boot Disabled:

I would recommend testing READ\Query commands first like these ^^, to make sure it works!
Sometimes, new models are not compatible with CCTK...  Make sure you are an admin.

Once I confirmed I can pull values from the BIOS, I used a Write Sentence:


Source:
https://topics-cdn.dell.com/pdf/command-configure-v41_reference-guide_en-us.pdf

Hopefully this is clear enough. In regards to the Graphic Console, no idea.... I only learned the CLI, it's possible the UI has fewer options.

Answered 04/08/2020 by: Channeler
Red Belt

  • Well, this is good information to help someone ENABLE SecureBoot with the CLI. But, as in my OP, the goal I'm seeking is to DISABLE SecureBoot programmatically, either by CLI or script.
 