Thursday, 21 June 2018 08:11

Automating Dell BIOS Configuration Using MDT


It’s been a busy couple of weeks for me, so I’m slowly going through a backlog of things to cover. The push to get modern continues with the third part of my series on automating the process of transitioning from BIOS to UEFI using MDT. Today's blog post discusses the process of configuring BIOS settings on supported Dell Inc. enterprise systems.

When transitioning to Windows 10, many organizations evaluate different sets of hardware. Consequently, during a customer engagement back in 2015, I worked with various Dell Inc. machines and developed a wrapper for the Command | Configure command line utility (cctk.exe) - configuring BIOS settings is all about zero-touch automation. While geared towards the Microsoft Deployment Toolkit (MDT), the wrapper can be easily adapted for any OS deployment solution capable of running PowerShell scripts.

The Dell Command | Configure utility (previously called Dell Client Configuration Toolkit (CCTK)) is probably the best firmware configuration tool out there. It enables you to configure BIOS settings and their values and replicate BIOS settings across multiple supported desktops, workstations, or notebooks.

Download the latest version of Command | Configure utility from the Enterprise Client Wiki.

First things first, I recommend running the Graphical User Interface (GUI) utility to create a configuration set for client systems.


After configuring the settings, export them to a .cctk text file, commonly referred to as a config file, by clicking the "Export Configuration" button.


The following is a sample configuration that you can use to bring your Dell Inc. machines to parity with Windows 10 security requirements:

[cctk]
bootorder=uefitype,uefi
cpuxdsupport=enable
embsataraid=ahci
legacyorom=disable
secureboot=enable
tpm=on
tpmactivation=activate
tpmppidpo=enable
tpmppipo=enable
virtualization=enable
vtfordirectio=on

It’s important to note that this is the minimal set of features that I would enable. Consequently, it’s essential to identify which additional features you intend to use and enable them as well.
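A pre-deployment check for the exported file, as an added example that is not part of the author's script: it parses the key=value lines shown above, compares them with that sample baseline, and reports any password key left in the file without echoing its value. The function name Test-CctkConfig and the assumption that password keys contain "pwd" are mine, and the sample input is constructed.

```powershell
function Test-CctkConfig {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Baseline copied from the sample configuration in this post.
    $baseline = [ordered]@{
        bootorder = 'uefitype,uefi'; cpuxdsupport = 'enable'; embsataraid = 'ahci'
        legacyorom = 'disable'; secureboot = 'enable'; tpm = 'on'
        tpmactivation = 'activate'; tpmppidpo = 'enable'; tpmppipo = 'enable'
        virtualization = 'enable'; vtfordirectio = 'on'
    }

    # Parse key=value lines; the [cctk] header and anything without '=' is skipped.
    $settings = @{}
    foreach ($line in $Lines) {
        $name, $value = $line.Trim() -split '=', 2
        if ($null -eq $value) { continue }
        $settings[$name.Trim().ToLowerInvariant()] = $value.Trim()
    }

    $findings = @()
    foreach ($name in $baseline.Keys) {
        if (-not $settings.ContainsKey($name)) {
            $findings += "missing:  $name (expected $($baseline[$name]))"
        } elseif ($settings[$name] -ne $baseline[$name]) {
            $findings += "mismatch: $name=$($settings[$name]) (expected $($baseline[$name]))"
        }
    }
    # Assumption: password settings have 'pwd' in the key name. Report the key only.
    foreach ($name in @($settings.Keys)) {
        if ($name -like '*pwd*') {
            $findings += "password: '$name' is stored in clear text in the config file"
        }
    }
    $findings
}

# Constructed sample: Secure Boot missing, legacy option ROMs left on, password embedded.
$sample = @(
    '[cctk]', 'bootorder=uefitype,uefi', 'cpuxdsupport=enable', 'embsataraid=ahci',
    'legacyorom=enable', 'tpm=on', 'tpmactivation=activate', 'tpmppidpo=enable',
    'tpmppipo=enable', 'virtualization=enable', 'vtfordirectio=on',
    'setuppwd=ExamplePlaceholder'
)
Test-CctkConfig -Lines $sample
```

Against a real export, pass the file contents instead: `Test-CctkConfig -Lines (Get-Content .\settings.cctk)`.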

Grab the script and the sample configuration from my GitHub repository.

Copy the contents of the C:\Program Files (x86)\Dell\Command Configure\X86_64 folder into the script's folder.

Note: If you are still using an x86 Windows PE environment, use C:\Program Files (x86)\Dell\Command Configure\X86 instead, but you should really consider retiring this technical debt now. When deploying an x64 Windows OS, you should also use 64-bit Windows PE boot media. Additionally, Microsoft is gradually shifting its focus to x64 operating systems, which increases the risk of failures in the legacy environment.

Open the PowerShell script in the editor of your choice. With Dell Inc. systems, the biggest gate historically has been securing the BIOS password. Unlike HP's BCU, cctk only supports the BIOS setup password as clear text on the command line. While you can include your BIOS password in your config file, I would advise against it. For simplicity's sake, I opted to use Base64 "encryption", but you could take this one step further and use AES encryption instead. Dennis Span shared an excellent tutorial on PowerShell password management back in 2017. Make sure that you change the password to the appropriate value by modifying the $EncodedPassword variable and setting your desired password. To encode a text string, run the following PowerShell command:

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Pa55w0rd"))
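Base64 is a reversible encoding, so anyone who can read the script recovers the password with a single call. The AES option mentioned above is sketched below as an added example, not code from the author's script; the function and variable names are hypothetical and 'Pa55w0rd' is the sample value from the command above.

```powershell
# Added example. Function and variable names are hypothetical.

# 1. Base64 is an encoding: one call reverses it, no secret required.
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Pa55w0rd'))
$decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))

# 2. AES: with -Key, ConvertFrom-SecureString uses AES instead of DPAPI,
#    so the output can be decrypted on another machine or in Windows PE.
function Protect-BiosPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][byte[]]$Key      # 16, 24 or 32 bytes
    )
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    ConvertFrom-SecureString -SecureString $secure -Key $Key
}

function Unprotect-BiosPassword {
    param(
        [Parameter(Mandatory)][string]$Protected,
        [Parameter(Mandatory)][byte[]]$Key
    )
    $secure = ConvertTo-SecureString -String $Protected -Key $Key
    # NetworkCredential accepts a SecureString and exposes the plaintext,
    # which cctk ultimately needs on its command line.
    (New-Object System.Net.NetworkCredential('', $secure)).Password
}

# Authoring side: generate a random 256-bit key and protect the password once.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$protected = Protect-BiosPassword -Password 'Pa55w0rd' -Key $key

# Deployment side: the script carries $protected and reads the key from elsewhere.
$plain = Unprotect-BiosPassword -Protected $protected -Key $key

"Base64 decodes without a key : $decoded"
"AES round trip matches       : $($plain -eq 'Pa55w0rd')"
```

The gain depends on keeping the key apart from the script and the protected string; if all three sit on the same deployment share, anyone who can read that share recovers the password as easily as with Base64.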

You may also want to change the configuration file name.

Note: when run, the script will perform the following actions:

  • Load the HAPI drivers into memory which significantly improves CCTK's performance and also provides the hooks required by the utility to function properly.
  • If the client does not have the setup password set, set the BIOS password.
  • Read the settings.cctk configuration file and deliver it to the system BIOS through WMI.

Then, copy everything to your deployment share, for example into the following folder: %SCRIPTROOT%\BIOS\Dell.

Assuming you are running the script during a "wipe-and-load" scenario (in-place upgrade works similarly though), create the following two "Run Command Line" steps in the Pre-Install phase of your Windows 10 task sequence:

  • powershell.exe -command "Set-ExecutionPolicy Bypass"
  • powershell.exe -File %SCRIPTROOT%\BIOS\Dell\ConfigureDellBiosSettings.ps1


Add the following execution condition to the Prepare TPM & Enable Secure Boot step:

image

The next time you run your task sequence, the script will set your BIOS password (if currently not set) and modify the system BIOS configuration.

Hopefully, you have found this information useful. Tweet me or comment below, if you have any questions.

Read 690 times Last modified on Thursday, 21 June 2018 08:39
  1. Comments (1)

  1. Jitesh

Hi Anton,

Thanks for providing the extensive details. I've also created one doc for BIOS to UEFI Conversion through MDT Task Sequence with your guidance. If you can look at this or provide me your feedback, that would be greatly appreciated.

link: https://gallery.technet.microsoft.com/BIOS-to-UEFI-Conversion-cf824867
