When transitioning to Windows 10, many organizations evaluate different sets of hardware. Consequently, during a customer engagement back in 2015, I worked with a various Dell Inc. machines and developed a wrapper for the Command | Configure command line utility (cctk.exe) - configuring BIOS settings is all about zero-touch automation. While geared towards the Microsoft Deployment Toolkit (MDT), the wrapper can be easily adapted for any OS deployment solution capable of running PowerShell scripts.
Dell Command | Configure utility (previously called Dell Client Configuration Toolkit (CCTK)) is probably the best firmware configuration tool out there that enables you to configure BIOS settings and their values and replicate BIOS settings across multiple supported desktops, workstations, or notebooks.
Download the latest version of Command | Configure utility from the Enterprise Client Wiki.
First things first, I recommend running Graphical User Interface (GUI) utility to create a configuration set for client systems.
After configuring the settings export to a .cctk text file commonly referred to as a config file by clicking the "Export Configuration" button.
The following is a sample configuration that you can use to bring your Dell Inc. machines to parity with Windows 10 security requirements:
[cctk] bootorder=uefitype,uefi cpuxdsupport=enable embsataraid=ahci legacyorom=disable secureboot=enable tpm=on tpmactivation=activate tpmppidpo=enable tpmppipo=enable virtualization=enable vtfordirectio=on
It’s important to note that this is the minimal set of features that I would enable. Consequently, it’s essential to identify which additional features you intend to use and enable them as well.
Grab the script and the sample configuration from my GitHub repository.
Copy the contents of the C:\Program Files (x86)\Dell\Command Configure\X86_64 folder into the script's folder.
Note: If you are still using x86 Windows PE environment, use C:\Program Files (x86)\Dell\Command Configure\X86 instead, but you should really considering retiring this technical debt now. When deploying x64 Windows OS, you should also use 64-bit Windows PE boot media. Additionally, Microsoft gradually shifts its focus to x64 operating system, increasing failure risk with the legacy environment.
Open the PowerShell script in the editor of your choice. With Dell Inc. systems, the biggest gate historically has been securing BIOS password. Unlike HP's BCU, cctk only supports the BIOS setup password as clear text on the command line. While you can include your BIOS password in your config file, I would advise against it. For the simplicity's sake, I opted to use Base64 "encryption", but you could take this one step further and use AES encryption instead. Dennis Span shared an excellent tutorial on PowerShell password management back in 2017. Make sure that you change the password to the appropriate value by modifying the $EncodedPassword variable and setting your desired password. To encode a text string run following PowerShell command:
You may also want to change the configuration file name as well.
Note: when run, the script will perform following actions:
- Load the HAPI drivers into memory which significantly improves CCTK's performance and also provides the hooks required by the utility to function properly.
- If the client does not have the setup password set, set the BIOS password.
- Read the settings.cctk configuration file and deliver it to the system BIOS through WMI.
Then, copy everything to your deployment share, for example into the following folder: %SCRIPTROOT%\BIOS\Dell.
Assuming you are running the script during a "wipe-and-load" scenario (in-place upgrade works similarly though), create following two "Run Command Line" steps in the Pre-Install phase of your Windows 10 task sequence:
- powershell.exe -command "Set-ExecutionPolicy Bypass"
- powershell.exe -File %SCRIPTROOT%\BIOS\Dell\ConfigureDellBiosSettings.ps1
Add following execution condition to the Prepare TPM & Enable Secure Boot step:
The next time you run your task sequence, the script will set your BIOS password (if currently not set) and modify the system BIOS configuration.
Hopefully, you have found this information useful. Tweet me or comment below, if you have any questions.