Thursday, 21 June 2018 08:11

Automating Dell BIOS Configuration Using MDT

It’s been a busy couple of weeks for me, so I’m slowly going through a backlog of things to cover. The push to get modern continues with the third part of my series on automating the process of transitioning from BIOS to UEFI using MDT. Today's blog post discusses the process of configuring BIOS settings on supported Dell Inc. enterprise systems.

When transitioning to Windows 10, many organizations evaluate different sets of hardware. Consequently, during a customer engagement back in 2015, I worked with various Dell Inc. machines and developed a wrapper for the Command | Configure command line utility (cctk.exe); configuring BIOS settings is all about zero-touch automation. While geared towards the Microsoft Deployment Toolkit (MDT), the wrapper can be easily adapted for any OS deployment solution capable of running PowerShell scripts.

The Dell Command | Configure utility (previously called Dell Client Configuration Toolkit (CCTK)) is probably the best firmware configuration tool out there. It enables you to configure BIOS settings and their values and to replicate those settings across multiple supported desktops, workstations, or notebooks.

Download the latest version of the Command | Configure utility from the Enterprise Client Wiki.

First things first, I recommend running the Graphical User Interface (GUI) utility to create a configuration set for client systems.

After configuring the settings, export them to a .cctk text file (commonly referred to as a config file) by clicking the "Export Configuration" button.

The following is a sample configuration that you can use to bring your Dell Inc. machines to parity with Windows 10 security requirements:

[cctk]
bootorder=uefitype,uefi
cpuxdsupport=enable
embsataraid=ahci
legacyorom=disable
secureboot=enable
tpm=on
tpmactivation=activate
tpmppidpo=enable
tpmppipo=enable
virtualization=enable
vtfordirectio=on

It’s important to note that this is the minimal set of features that I would enable. Consequently, it’s essential to identify which additional features you intend to use and enable them as well.
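
A way to check an exported .cctk file against the sample configuration above before it goes onto the deployment share, as an added example that is not part of the author's script. The function names, the `setuppwd` line in the constructed sample, and the rule that any setting name containing "pwd" or "password" holds a secret are assumptions made for illustration.

```powershell
# Added example, not the author's script. Baseline = the sample configuration in this article.
$Baseline = [ordered]@{
    bootorder = 'uefitype,uefi'; cpuxdsupport = 'enable'; embsataraid = 'ahci'
    legacyorom = 'disable'; secureboot = 'enable'; tpm = 'on'
    tpmactivation = 'activate'; tpmppidpo = 'enable'; tpmppipo = 'enable'
    virtualization = 'enable'; vtfordirectio = 'on'
}

function Read-CctkConfig {
    param([string[]]$Lines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'cctk'); continue }
        # Keep only name=value pairs inside [cctk]; everything else is ignored.
        if ($inSection -and $text -match '^([^=\s]+)\s*=\s*(.*)$') {
            $settings[$Matches[1].ToLower()] = $Matches[2]
        }
    }
    $settings
}

function Test-CctkBaseline {
    param([hashtable]$Settings, [System.Collections.IDictionary]$Expected)
    foreach ($name in $Expected.Keys) {
        if (-not $Settings.ContainsKey($name)) {
            "MISSING $name (expected $($Expected[$name]))"
        } elseif ($Settings[$name] -ne $Expected[$name]) {
            "DRIFT   $name=$($Settings[$name]) (expected $($Expected[$name]))"
        }
    }
    # Assumed heuristic: a setting name containing 'pwd' or 'password' holds a secret.
    foreach ($name in $Settings.Keys) {
        if ($name -match 'pwd|password') { "SECRET  $name is stored in clear text" }
    }
}

# Constructed sample: legacy option ROMs enabled, Secure Boot absent, password embedded.
$sample = @'
[cctk]
bootorder=uefitype,uefi
legacyorom=enable
tpm=on
setuppwd=CONSTRUCTED-PLACEHOLDER
'@ -split '\r?\n'
$findings = @(Test-CctkBaseline -Settings (Read-CctkConfig -Lines $sample) -Expected $Baseline)
$findings
if ($findings.Count -gt 0) { Write-Warning "$($findings.Count) finding(s): fix the file before deploying." }
```

To check a real export, pass `Get-Content` output for the file to `Read-CctkConfig` and extend `$Baseline` with any additional features you enable.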

Grab the script and the sample configuration from my GitHub repository.

Copy the contents of the C:\Program Files (x86)\Dell\Command Configure\X86_64 folder into the script's folder.

Note: If you are still using an x86 Windows PE environment, use C:\Program Files (x86)\Dell\Command Configure\X86 instead, but you should really consider retiring this technical debt now. When deploying an x64 Windows OS, you should also use 64-bit Windows PE boot media. Additionally, Microsoft is gradually shifting its focus to x64 operating systems, which increases the risk of failures in the legacy environment.

Open the PowerShell script in the editor of your choice. With Dell Inc. systems, the biggest hurdle historically has been securing the BIOS password. Unlike HP's BCU, cctk only supports the BIOS setup password as clear text on the command line. While you can include your BIOS password in your config file, I would advise against it. For simplicity's sake, I opted to use Base64 "encryption", which is really just an encoding that anyone with read access to the script can reverse, but you could take this one step further and use AES encryption instead. Dennis Span shared an excellent tutorial on PowerShell password management back in 2017. Make sure that you change the password to the appropriate value by modifying the $EncodedPassword variable and setting your desired password. To encode a text string, run the following PowerShell command:

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Pa55w0rd"))

You may also want to change the configuration file name.
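
The difference between the Base64 encoding used in the script and the AES option mentioned above, as an added example that is not part of the original script. `Pa55w0rd` is the sample value from the command above; the function name `Get-PlainTextFromProtected` and the other variable names are assumptions.

```powershell
# Added example, not part of ConfigureDellBiosSettings.ps1. Sample values only.
$plain = 'Pa55w0rd'

# 1) Base64 is an encoding: it decodes with no secret at all.
$EncodedPassword = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($plain))
$decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($EncodedPassword))
"Base64 decoded without any key: $($decoded -eq $plain)"

# 2) AES: ConvertFrom-SecureString -Key encrypts under a 128-, 192- or 256-bit key.
#    Without -Key the cmdlet uses DPAPI, which is bound to the account and machine
#    that did the encryption, so the value would not decrypt on the target machine.
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$rng.Dispose()

$secure    = ConvertTo-SecureString -String $plain -AsPlainText -Force
$protected = ConvertFrom-SecureString -SecureString $secure -Key $key   # safe to store in the script

# At deployment time: decrypt with the key, hand the clear text to the tool, free the buffer.
function Get-PlainTextFromProtected {
    param([string]$Protected, [byte[]]$Key)
    $s    = ConvertTo-SecureString -String $Protected -Key $Key
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

$restored = Get-PlainTextFromProtected -Protected $protected -Key $key
"AES round trip with the key: $($restored -eq $plain)"
```

The key is the secret now, so keep it somewhere other than the deployment share that holds the script. cctk still receives the decrypted password as clear text on its command line, as noted above.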

Note: when run, the script will perform the following actions:

  • Load the HAPI drivers into memory which significantly improves CCTK's performance and also provides the hooks required by the utility to function properly.
  • If the client does not have the setup password set, set the BIOS password.
  • Read the settings.cctk configuration file and deliver it to the system BIOS through WMI.

Then, copy everything to your deployment share, for example into the following folder: %SCRIPTROOT%\BIOS\Dell.

Assuming you are running the script during a "wipe-and-load" scenario (in-place upgrade works similarly though), create the following two "Run Command Line" steps in the Pre-Install phase of your Windows 10 task sequence:

  • powershell.exe -command "Set-ExecutionPolicy Bypass"
  • powershell.exe -File %SCRIPTROOT%\BIOS\Dell\ConfigureDellBiosSettings.ps1

Add the following execution condition to the Prepare TPM & Enable Secure Boot step:

image

The next time you run your task sequence, the script will set your BIOS password (if currently not set) and modify the system BIOS configuration.

Hopefully, you have found this information useful. Tweet me or comment below, if you have any questions.

Read 24471 times Last modified on Thursday, 21 June 2018 08:39
Comments (11)

Hi Anton,

Thanks for providing the extensive details. I've also created one doc for BIOS to UEFI Conversion through MDT Task Sequence with your guidance. If you can look at this or provide me your feedback, that would be greatly appreciated.

link: https://gallery.technet.microsoft.com/BIOS-to-UEFI-Conversion-cf824867

Jitesh

I gotta be missing something easy. I have this all configured and it bombs out. Any ideas?

teak

Hi Anton. Thanks for this. When I run this it opens a cmd window 3 times (corresponding to each command). When the settings file is applied, the cmd window does not close automatically and has to be closed manually to resume the task sequence. Is there any way around this? My research has so far drawn a blank! Any help appreciated!

Cheers,

Steve

Steve

Hi,

I have added the above into my MDT task sequence; however, it doesn't seem to be editing the BIOS upon rebooting.

When it boots into Windows and I run the PowerShell script manually, it is editing the BIOS. The only thing it's not doing is enabling TPM. The TPM box is ticked but is set to disabled.

Any ideas.

Cheers
Tony

Tony

Are you setting BIOS password as well? Any TPM operations usually require a valid BIOS password. Can you check the output of cctk.exe when running the command manually?

Anton Romanyuk

See #120 above. My problem above was that I had not created a multiplatform config file and that was causing the cctk process to hang when called in the script.

Steve

Hi Anton,

The script doesn't seem to find the settings.cctk. I changed the script to $PSScriptRoot\.. or adjusted the "Start in" in the TS, but no luck. Log:

@{commandTitle=Importing default BIOS settings; stdout=
Input file 'settings.cctk' not found.
; stderr=; ExitCode=33}

Any ideas?

Peer

Are you running this from ConfigMgr TS or MDT TS? Regardless, you could try copying sources to local hard drive and initiating the script from there. You could also try adding some additional verbose logging (for example logging current paths set by the script in an effort to narrow down the issue).

Anton Romanyuk

Hi Peer and Anton.
I need help.
I'm experiencing the same problem with
Input file 'settings.cctk' not found.
; stderr=; ExitCode=33}
I've tried copying the source to the local hard drive, but no luck.
I'm running MDT TS

I don't know how to add verbose logging for current paths set
Did you solve it?

Johan

I still can't get this to work; it fails on the Set-ExecutionPolicy Bypass - The system cannot find the file specified Error 80070002. I don't suppose you could upload a screenshot of the settings in the task sequence?

Kind regards,

Andy

Andy

For anyone else struggling, I found that if I run it as a PowerShell script in the post installation section it works perfectly.

Kind regards,

Andy

Andy