Thursday, 21 June 2018 08:11

Automating Dell BIOS Configuration Using MDT

Written by
Rate this item
(3 votes)


It’s been a busy couple of weeks for me, so I’m slowly going through a backlog of things to cover. The push to get modern continues with the third part of my series on automating the process of transitioning from BIOS to UEFI using MDT. Today's blog post discusses the process of configuring BIOS settings on supported Dell Inc. enterprise systems.

When transitioning to Windows 10, many organizations evaluate different sets of hardware. Consequently, during a customer engagement back in 2015, I worked with a various Dell Inc. machines and developed a wrapper for the Command | Configure command line utility (cctk.exe) - configuring BIOS settings is all about zero-touch automation. While geared towards the Microsoft Deployment Toolkit (MDT), the wrapper can be easily adapted for any OS deployment solution capable of running PowerShell scripts.

Dell Command | Configure utility (previously called Dell Client Configuration Toolkit (CCTK)) is probably the best firmware configuration tool out there that enables you to configure BIOS settings and their values and replicate BIOS settings across multiple supported desktops, workstations, or notebooks.

Download the latest version of Command | Configure utility from the Enterprise Client Wiki.

First things first, I recommend running Graphical User Interface (GUI) utility to create a configuration set for client systems.


After configuring the settings export to a .cctk text file commonly referred to as a config file by clicking the "Export Configuration" button.


The following is a sample configuration that you can use to bring your Dell Inc. machines to parity with Windows 10 security requirements:


It’s important to note that this is the minimal set of features that I would enable. Consequently, it’s essential to identify which additional features you intend to use and enable them as well.

Grab the script and the sample configuration from my GitHub repository.

Copy the contents of the C:\Program Files (x86)\Dell\Command Configure\X86_64 folder into the script's folder.

Note: If you are still using x86 Windows PE environment, use C:\Program Files (x86)\Dell\Command Configure\X86 instead, but you should really considering retiring this technical debt now. When deploying x64 Windows OS, you should also use 64-bit Windows PE boot media. Additionally, Microsoft gradually shifts its focus to x64 operating system, increasing failure risk with the legacy environment.

Open the PowerShell script in the editor of your choice. With Dell Inc. systems, the biggest gate historically has been securing BIOS password. Unlike HP's BCU, cctk only supports the BIOS setup password as clear text on the command line. While you can include your BIOS password in your config file, I would advise against it. For the simplicity's sake, I opted to use Base64 "encryption", but you could take this one step further and use AES encryption instead. Dennis Span shared an excellent tutorial on PowerShell password management back in 2017. Make sure that you change the password to the appropriate value by modifying the $EncodedPassword variable and setting your desired password. To encode a text string run following PowerShell command:


You may also want to change the configuration file name as well.

Note: when run, the script will perform following actions:

  • Load the HAPI drivers into memory which significantly improves CCTK's performance and also provides the hooks required by the utility to function properly.
  • If the client does not have the setup password set, set the BIOS password.
  • Read the settings.cctk configuration file and deliver it to the system BIOS through WMI.

Then, copy everything to your deployment share, for example into the following folder: %SCRIPTROOT%\BIOS\Dell.

Assuming you are running the script during a "wipe-and-load" scenario (in-place upgrade works similarly though), create following two "Run Command Line" steps in the Pre-Install phase of your Windows 10 task sequence:

  • powershell.exe -command "Set-ExecutionPolicy Bypass"
  • powershell.exe -File %SCRIPTROOT%\BIOS\Dell\ConfigureDellBiosSettings.ps1


Add following execution condition to the Prepare TPM & Enable Secure Boot step:


The next time you run your task sequence, the script will set your BIOS password (if currently not set) and modify the system BIOS configuration.

Hopefully, you have found this information useful. Tweet me or comment below, if you have any questions.

Read 56549 times Last modified on Thursday, 21 June 2018 08:39

Recent Posts

  • Windows 10 21H2 Built-In Apps: What to Keep
    The development of the Windows 10, version 21H2 is finished and the update will soon be available for download from…
    Written on Wednesday, 20 October 2021 11:41
  • Group Policy Changes in Windows 10 21H2
    As Windows 10, version 21H2 update development winds down, Microsoft is now preparing for the final release of the Windows…
    Written on Wednesday, 20 October 2021 07:20
  • Group Policy Changes in Windows 10 20H1 Preview
    As Windows 10 Vibranium Update (20H1) development winds down, Microsoft is now beginning the phase of checking in the final…
    Written on Tuesday, 14 January 2020 04:51
  • An alternative ESU MAK Activation Solution
    This blog post was shared with me by a colleague of mine, Daniel Dorner, a Microsoft Premier Field Engineer. It’s…
    Written on Wednesday, 04 December 2019 21:04
  • The Case of Missing UE-V Templates
    My customers often deal with unexpected Windows behavior and this case is no different. This particular one is especially interesting…
    Written on Tuesday, 03 September 2019 12:20
  • The Case of Changing Default Printer
    While I sometimes long for the day when I no longer have to deal with unexpected Windows 10 behavior, there’s…
    Written on Wednesday, 14 August 2019 20:36