Manage your Surface device(s) via SEMM – part two.

by Jakub Piesik | Jun 17, 2023 | Intune, Surface

So, here we are again. This is the second post about SEMM for Surface devices.

In the previous post I explained what SEMM is and how to use Surface UEFI Configurator, which is not automated and needs an administrator to act on every single device. In this post I will show how to automate SEMM enrollment with Surface UEFI Manager and Intune. To activate SEMM on a device, an administrator only needs to type the last two characters of the certificate thumbprint at the firmware prompt, one time, on the first boot after the package is applied. No administrator rights on the device are needed for that. But…

This method is harder to set up.

So let’s start!

Requirements

The first requirement is the certificate. We generated it last time and I will reuse the same one.

The second requirement is Surface UEFI Manager, installed via Intune.

The third requirement is the SEMM configuration scripts, deployed via Intune.

So let’s start.

Certificate

I will use the same certificate that was generated for Surface UEFI Configurator; nothing changes in this step. If you want to know how to generate it, check my previous post about SEMM.

Deploy UEFI Manager via Intune

For this step, download Surface UEFI Manager from the Surface Tools for IT page and pick the right architecture (x64 or x86).

Also download the PowerShell App Deployment Toolkit (PSADT) from its repository; it makes building a unified package for your environment much faster.

When you have both files, extract them and copy the MSI from Downloads (or wherever you saved it) into the Files folder of the PSADT folder, like here:

And by the way, rename the PSADT folder to something meaningful, like on my screenshot 🙂

Next go to the AppDeployToolkit folder and edit the file AppDeployToolkitConfig.xml.

Change line 33 (in the PSADT version I used; the line number may differ in yours, so look for Toolkit_LogPath) to:

<Toolkit_LogPath>C:\ProgramData\Microsoft\IntuneManagementExtension\Logs</Toolkit_LogPath>

This change writes the toolkit log into the Intune Management Extension (IME) log folder, next to the IME's own logs, so it gets collected together with them. Much faster to troubleshoot 🙂

The last preparation step for the package is editing the file Deploy-Application.ps1.

Change line 89 (the $DeployMode default in the param block) to:

[String]$DeployMode = 'Silent',

to get a fully silent installation (the same effect as passing -DeployMode Silent on the command line every time).

Edit lines 110 to 118, the application variables ($appVendor, $appName, $appVersion and so on), with your own information, like on my screen:

Comment out lines 185 and 188 (the Show-InstallationWelcome and Show-InstallationProgress calls in the Pre-Installation section) with a # character; we don’t want any popups.

And in place of the line:

## <Perform Installation tasks here>

add the new action:

Execute-MSI -Action 'Install' -Path "$dirFiles\SurfaceUEFI_Manager_v2.102.139.0_x64.msi"

Of course, remember to change the file name if the version of your file is different.

For the uninstallation phase you can use:

Execute-MSI -Action 'Uninstall' -Path "{EFF45053-B732-41E6-9506-33A298A48BD0}"

And again, don’t forget to comment out the same two popup lines in the Pre-Uninstallation section 🙂

Save the file and run the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) to create the .intunewin package.

Check my screenshot for how I do that.
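As an added example (my own code for this page, not from the original post or from PSADT), the whole preparation above can be scripted on the admin workstation instead of being edited by hand. The folder paths, the MSI file name and the location of IntuneWinAppUtil.exe are assumptions to adjust, and a PSADT 3.x template with PowerShell 5.1 or newer is assumed. The script edits Deploy-Application.ps1 by pattern instead of by line number, so it does not break when a newer template shifts the lines, and it reads the ProductCode out of the MSI so the GUID used for the uninstall command and the Intune detection rule is checked against the file you actually package instead of copied blindly.

```powershell
# Added example, not code from the original post or from PSADT. Assumes a PSADT 3.x
# template folder, PowerShell 5.1+ and the paths below - adjust them to your environment.
$PackageRoot         = 'C:\Packages\SurfaceUEFIManager'              # renamed PSADT folder
$MsiName             = 'SurfaceUEFI_Manager_v2.102.139.0_x64.msi'    # MSI from Surface Tools for IT
$MsiSource           = Join-Path $env:USERPROFILE "Downloads\$MsiName"
$IntuneWinAppUtil    = 'C:\Tools\IntuneWinAppUtil.exe'                # Win32 Content Prep Tool
$OutputDir           = 'C:\Packages\Output'
$ExpectedProductCode = '{EFF45053-B732-41E6-9506-33A298A48BD0}'       # product code quoted in the post

# Reads the ProductCode property of an MSI through the Windows Installer COM API.
function Get-MsiProductCode {
    param([Parameter(Mandatory)][string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
        @("SELECT Value FROM Property WHERE Property = 'ProductCode'"))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    return $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 1)
}

# 1. The product code drives both the uninstall command and the Intune detection rule,
#    so check it against the MSI that is really going into the package.
$ProductCode = Get-MsiProductCode -Path $MsiSource
if ($ProductCode -ne $ExpectedProductCode) {
    Write-Warning "ProductCode of $MsiName is $ProductCode, not $ExpectedProductCode. Use the new one in the detection rule."
}

# 2. Put the MSI where Execute-MSI looks for it ($dirFiles at run time).
Copy-Item -Path $MsiSource -Destination (Join-Path $PackageRoot 'Files') -Force

# 3. Redirect the toolkit log to the Intune Management Extension log folder.
$ConfigPath = Join-Path $PackageRoot 'AppDeployToolkit\AppDeployToolkitConfig.xml'
$Config = Get-Content -Path $ConfigPath -Raw
$Config = $Config -replace '<Toolkit_LogPath>[^<]*</Toolkit_LogPath>',
    '<Toolkit_LogPath>C:\ProgramData\Microsoft\IntuneManagementExtension\Logs</Toolkit_LogPath>'
Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8 -NoNewline

# 4. Deploy-Application.ps1: silent by default, no popups, MSI install and uninstall actions.
$DeployScript = Join-Path $PackageRoot 'Deploy-Application.ps1'
$Script = Get-Content -Path $DeployScript -Raw
$Script = $Script.Replace('[String]$DeployMode = ''Interactive'',', '[String]$DeployMode = ''Silent'',')
if ($Script -notmatch '\[String\]\$DeployMode = ''Silent'',') {
    throw 'DeployMode default not found in Deploy-Application.ps1; check the PSADT template version.'
}
# Comment out every Show-InstallationWelcome / Show-InstallationProgress call (pre-install and pre-uninstall).
$Script = $Script -replace '(?m)^([ \t]*)(Show-Installation(?:Welcome|Progress)\b)', '$1# $2'
$Script = $Script.Replace('## <Perform Installation tasks here>',
    "Execute-MSI -Action 'Install' -Path `"`$dirFiles\$MsiName`"")
$Script = $Script.Replace('## <Perform Uninstallation tasks here>',
    "Execute-MSI -Action 'Uninstall' -Path '$ProductCode'")
Set-Content -Path $DeployScript -Value $Script -Encoding UTF8 -NoNewline

# 5. Build the .intunewin package (-q suppresses the interactive prompts).
& $IntuneWinAppUtil -c $PackageRoot -s 'Deploy-Application.exe' -o $OutputDir -q

# Values to paste into the Intune Win32 app.
Write-Host "Install command:   Deploy-Application.exe -DeploymentType Install"
Write-Host "Uninstall command: Deploy-Application.exe -DeploymentType Uninstall"
Write-Host "Detection (MSI):   $ProductCode"
```

Run it once per UEFI Manager release: the product code changes with every MSI version, which is why the script reads it from the file and warns when it no longer matches the value you have in Intune.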

When the package is created, create a new Win32 app in Intune. I will not go through every step of that part, just the important values:

For the installation command use:

Deploy-Application.exe -DeploymentType Install

For the Uninstall command use:

Deploy-Application.exe -DeploymentType Uninstall

For detection, use the MSI product code:

{EFF45053-B732-41E6-9506-33A298A48BD0}

And deploy this application to your devices.

That is everything for UEFI Manager, because now we need to do something harder: scripting!

Deploy SEMM Scripts via Intune

And here it is. We need to start scripting 🙂

First, create a folder where you will store everything.

Second, download the file SEMM_PowerShell.zip from the Surface Tools for IT page.

Third, copy three files into the newly created folder:

  1. The certificate (.pfx) you will be using
  2. ConfigureSEMM.ps1 from the downloaded PowerShell examples
  3. ResetSEMM.ps1 from the downloaded PowerShell examples

When the three files are in place, you can start modifying the scripts.

We will start with…

ResetSEMM.ps1

Open the file in your favorite code editor and find the variable $certName. Set it to the file name of your certificate.

Second, find the variable $password and set it to the password you used when creating the certificate. Keep in mind that the .pfx and this password travel in clear text inside the Intune package, and whoever holds them can sign SEMM packages and reconfigure or unenroll the firmware of every device enrolled with that certificate. Assign the app only to the devices that need it and protect the package source the same way you protect the certificate itself.

That is everything for ResetSEMM.ps1.

ConfigureSEMM.ps1

Do the same as for ResetSEMM.ps1: fill in $certName and $password with the proper values.

After that find section named:

# Configure Settings

and start configuring it by adding the proper SettingsById entries, like in my example:

write-host "Changing settings required by Piesik.me lab"
$uefi.SettingsById[302].ConfiguredValue = $DisabledValue
$uefi.SettingsById[304].ConfiguredValue = $DisabledValue
$uefi.SettingsById[305].ConfiguredValue = $DisabledValue

Those three lines disable all cameras on the managed device.

You can also comment out the following lines if you do not want the script to touch the Secure Boot keys (setting 200), setting 407 or the UEFI password (setting 501):

$uefi.SettingsById[200].ConfiguredValue = $SecureBootKeysSettingsValue
$uefi.SettingsById[407].ConfiguredValue = "0"
$uefi.SettingsById[501].ConfiguredValue = "your_password"
$uefi.SettingsById[501].ClearConfiguredValue()

I am not changing those values…

Save the file and build the package for Intune, like on the screen below:

Now create a new Win32 app in Microsoft Intune. As before, I will not show every step, just the important values.

Install Command:

%windir%\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -file "ConfigureSEMM.ps1"

Uninstall command:

%windir%\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -file "ResetSEMM.ps1"

Detection Rule via Registry:

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Surface\SEMM

Value Name: CertName

Detection method: String comparison

Operator: Equals

Value: NameOfYourCertificate.pfx

Add the UEFI Manager application from the previous section as a dependency. That makes Intune install UEFI Manager first and run the script afterwards.

Anything else?

No, that is everything. The application and the script will now be installed. After the installation and a reboot, an administrator needs to type the last two characters of the certificate thumbprint at the firmware prompt and confirm the SEMM enrollment.
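The preparation of the scripts package, from copying the files to the thumbprint characters the administrator has to type, can also be done from one script on the admin workstation. The following is an added example (my own code, not from the original post or from Microsoft's SEMM sample scripts); the folder paths, the .pfx file name and the IntuneWinAppUtil.exe location are assumptions. It asks for the PFX password once, checks that the password really opens the certificate before writing it into ConfigureSEMM.ps1 and ResetSEMM.ps1 (a typo would otherwise only show up as a failed app on every device), prints the two thumbprint characters for the person who confirms the enrollment, and builds the .intunewin package.

```powershell
# Added example, not code from the original post or from Microsoft's SEMM scripts.
# Assumed paths and names - adjust to your environment. Needs PowerShell 5.1+.
$PackageRoot      = 'C:\Packages\SurfaceSEMM'       # folder with the .pfx, ConfigureSEMM.ps1 and ResetSEMM.ps1
$PfxName          = 'SurfaceSEMM.pfx'               # certificate from the previous post
$IntuneWinAppUtil = 'C:\Tools\IntuneWinAppUtil.exe'
$OutputDir        = 'C:\Packages\Output'

# 1. Ask for the PFX password once and prove it really opens the certificate.
$PfxPath        = Join-Path $PackageRoot $PfxName
$SecurePassword = Read-Host -Prompt "Password for $PfxName" -AsSecureString
try {
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $SecurePassword
} catch {
    throw "Cannot open $PfxName with that password: $($_.Exception.Message)"
}
if (-not $Cert.HasPrivateKey) { throw "$PfxName has no private key, so it cannot sign SEMM packages." }

# 2. The firmware asks for the last two characters of this thumbprint at the first boot
#    after enrollment; give them to whoever confirms the enrollment on the device.
$Thumbprint = $Cert.Thumbprint
Write-Host "Certificate thumbprint:          $Thumbprint"
Write-Host "Characters for the SEMM prompt:  $($Thumbprint.Substring($Thumbprint.Length - 2))"

# 3. Write $certName and $password into both scripts. The scripts keep the password as a
#    plain string, so from here on it is stored in clear text inside the package.
$PlainPassword = [System.Net.NetworkCredential]::new('', $SecurePassword).Password
if ($PlainPassword -match '["$`]') {
    throw 'The scripts store the password in a double-quoted string; use one without ", $ or ` characters.'
}
foreach ($ScriptName in 'ConfigureSEMM.ps1', 'ResetSEMM.ps1') {
    $Path    = Join-Path $PackageRoot $ScriptName
    $Content = Get-Content -Path $Path -Raw
    # Replace the whole assignment line, whatever default value the sample shipped with.
    $Content = $Content -replace '(?m)^([ \t]*)\$certName\s*=[^\r\n]*', ('$1$$certName = "' + $PfxName + '"')
    $Content = $Content -replace '(?m)^([ \t]*)\$password\s*=[^\r\n]*', ('$1$$password = "' + $PlainPassword + '"')
    # Fail loudly if the sample script changed and the assignment was not found.
    foreach ($Expected in "`$certName = `"$PfxName`"", "`$password = `"$PlainPassword`"") {
        if (-not $Content.Contains($Expected)) { throw "Assignment '$Expected' not found in $ScriptName after editing." }
    }
    Set-Content -Path $Path -Value $Content -Encoding UTF8 -NoNewline
}

# 4. Build the .intunewin package with ConfigureSEMM.ps1 as the setup file.
& $IntuneWinAppUtil -c $PackageRoot -s 'ConfigureSEMM.ps1' -o $OutputDir -q

# Values to paste into the Intune Win32 app.
Write-Host 'Install:   %windir%\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -file "ConfigureSEMM.ps1"'
Write-Host 'Uninstall: %windir%\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -file "ResetSEMM.ps1"'
Write-Host "Detection: HKLM\SOFTWARE\Microsoft\Surface\SEMM, value CertName equals $PfxName"
```

The password only exists as a SecureString in memory until it is written into the two scripts; from that point it sits in the package in clear text, exactly as in the manual procedure, so the output folder deserves the same protection as the certificate.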

But…

Hey, Jakub! You just gave some examples of how to manage the cameras, like in the code below:

$uefi.SettingsById[302].ConfiguredValue = $DisabledValue
$uefi.SettingsById[304].ConfiguredValue = $DisabledValue
$uefi.SettingsById[305].ConfiguredValue = $DisabledValue

But where did you find this information?!

Let’s see how to get this information in the next post 🙂

Jakub Piesik


Microsoft 365 Consultant

I’m writing not only about Intune and Windows 365. I write about everything I have learned and want to share with you!

#security #microsoft365 #intune #windows365 #powershell #automation 🙂