Dell BIOS Flash64w during OSD

  • Question

  • I currently image all Dell computers with WDS/MDT. I currently have a TS that does the following:
    1) copies files to "x:\Bios" folder
    2) runs a bat file from "x:\bios" folder. Bat file script is:

    ::Change DIR::
    cd /d x:\bios
    
    ::Flash Bios::
    Flash64W.exe /b=OptiPlex7050.exe /s /f /noReboot /l=x:\bios\OptiPlex7050.log 
    
    I have also tried just: /s /noReboot and /s /l=x:\bios\OptiPlex7050.log

    The TS command line is: cmd /c x:\bios\7050.bat

    I have read the logs and it shows a success code = 2 Reboot Required, however it breaks the task sequence and salmon screens, resulting in an error. After the BIOS Upgrade TS runs, the next TS is a restart so the BIOS can finish updating and then boot back into MDT so it can resume where it left off.

    I am running this on an OptiPlex7050, upgrading bios 1.11.x to 1.12.x  

    The purpose of the bios being updated in the beginning is to have the CCTK tool change bios settings, such as Legacy to UEFI and other such stuff that requires the WMI ACPI bios.

     Thanks for any support.

    Friday, June 21, 2019 6:31 PM

Answers

  • This guide will take you from start to finish with imaging a Windows OS device that currently runs on an outdated BIOS that is also still in Legacy mode, upgrades the bios to desired level, converts bios from legacy to UEFI and encrypts the new Windows OS using Bitlocker.

    In this example, I will be using a Dell OptiPlex 9020 computer with the A07 BIOS firmware in legacy mode with Windows 7 Pro, 64-bit installed.

    Results: A Dell OptiPlex 9020 on BIOS firmware A24 (newest as of this documentation) in UEFI mode, Windows 10 Pro with bitlocker encryption.

    Tools and knowledge needed:

    * WDS/MDT server. (I used Server 2016 to host my WDS and MDT build: 8456)

    * Copy of Windows 10 Pro (I used version 1903)

    * Dell CCTK 4.1 BIOS Configuration tool

    * Dell OptiPlex 9020 A07 (or whatever BIOS you're currently running) and A24 (or whatever the latest BIOS firmware is for your device)

    * Dell CCTK 4.1 Command Line Interface Reference Guide (Mine is in PDF format)

    * Basic understanding of WDS and MDT

    * Basic understanding of Powershell scripts (reading and writing)

    * Basic understanding of Batch scripts (reading and writing)

    * Basic understanding of DHCP Scope Rules

    I will expect you to know how to: create a task sequence; add your drivers to your OS in your desired way; add your WinPE to WDS; add software into MDT; add rules to your deployment.

    Step 1: Powershell scripts.

    Let me be the first to tell you I am no scriptwriter in any language. I learn what I need for what I need to accomplish and leave it at that. I believe in a world where I should be automating automation but hey, this stuff is difficult for me to learn so I do not practice with it often. *shrugs* If you think there is a better way of writing a script I wrote, DO IT! And explain to me why it was better. I wrote what I wrote because it was easy for me to understand and worked well for my environment.


    UpgradeBios.ps1

    ##Overall purpose of this script is to identify the model of the Dell device and upgrade the BIOS##
    ##Written by Casey Mullins##
    
    ##Identifies the Model and current BIOS version##
    $ComputerModel = (Get-WmiObject Win32_ComputerSystem).Model
    $BIOSVersion = (Get-WmiObject Win32_BIOS).SMBIOSBIOSVersion
    
    
    ##Updates the BIOS version if current version is less than desired version##
    ##Dotted versions are cast to [version] so 1.10.x compares as newer than 1.9.x; A-series versions (A07, A24) compare correctly as strings##
    ##All packages sit under C:\BIOS, which is where the "Copy All BIOS" step copies them##
    if (($ComputerModel -eq 'Latitude 7490') -and ([version]$BIOSVersion -le [version]'1.9.3')) {
        C:\BIOS\L7x90\Latitude7x90.exe /s
    }
    if (($ComputerModel -eq 'Latitude 7390') -and ([version]$BIOSVersion -le [version]'1.9.3')) {
        C:\BIOS\L7x90\Latitude7x90.exe /s
    }
    if (($ComputerModel -eq 'Latitude 7280') -and ([version]$BIOSVersion -le [version]'1.14.1')) {
        C:\BIOS\L7x80\Latitude7x80.exe /s
    }
    if (($ComputerModel -eq 'Latitude 5490') -and ([version]$BIOSVersion -le [version]'1.8.3')) {
        C:\BIOS\L5x90\Latitude5X90.exe /s
    }
    if (($ComputerModel -eq 'Latitude 5480') -and ([version]$BIOSVersion -le [version]'1.14.2')) {
        C:\BIOS\L5x80\Latitude5X80.exe /s
    }
    if (($ComputerModel -eq 'Latitude E7440') -and ($BIOSVersion -le 'A27')) {
        C:\BIOS\LE7440\E7440A27.exe /s
    }
    if (($ComputerModel -eq 'Latitude E6430') -and ($BIOSVersion -le 'A23')) {
        C:\BIOS\LE6430\E6430A23.exe /s
    }
    ##As posted, the E5470 entry runs the OptiPlex 7020 package and the E5450/E5440 entries run the E7440 package; point each at the package for that model##
    if (($ComputerModel -eq 'Latitude E5470') -and ([version]$BIOSVersion -le [version]'1.19.3')) {
        C:\BIOS\O7020\O7020A17.exe /s
    }
    if (($ComputerModel -eq 'Latitude E5450') -and ($BIOSVersion -le 'A20')) {
        C:\BIOS\LE7440\E7440A27.exe /s
    }
    if (($ComputerModel -eq 'Latitude E5440') -and ($BIOSVersion -le 'A20')) {
        C:\BIOS\LE7440\E7440A27.exe /s
    }
    if (($ComputerModel -eq 'OptiPlex 7060') -and ([version]$BIOSVersion -le [version]'1.3.4')) {
        C:\BIOS\O7060\OptiPlex7060.exe /s
    }
    if (($ComputerModel -eq 'OptiPlex 7050') -and ([version]$BIOSVersion -le [version]'1.12.1')) {
        cmd.exe /c C:\BIOS\O7050\7050.bat
    }
    if (($ComputerModel -eq 'OptiPlex 7040') -and ([version]$BIOSVersion -le [version]'1.14.0')) {
        C:\BIOS\O7040\OptiPlex7040.exe /s
    }
    if (($ComputerModel -eq 'OptiPlex 7020') -and ($BIOSVersion -le 'A17')) {
        C:\BIOS\O7020\O7020A17.exe /s
    }
    if (($ComputerModel -eq 'OptiPlex 9020') -and ($BIOSVersion -le 'A24')) {
        cmd.exe /c C:\BIOS\O9020\9020.bat
    }
    
    TurnOnTPM.ps1
    ##This is actually CMD commands that I use Powershell to call upon CMD to configure the BIOS using the Dell CCTK 4.1 Tool##
    
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --setuppwd=InsertYourPasswordHERE
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --tpm=on --valsetuppwd=InsertYourPasswordHERE
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --TpmSecurity=Enabled --valsetuppwd=InsertYourPasswordHERE
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --tpmactivation=activate --valsetuppwd=InsertYourPasswordHERE
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --TpmClear=enabled --valsetuppwd=InsertYourPasswordHERE
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --setuppwd= --valsetuppwd=InsertYourPasswordHERE
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --TpmPpiAcpi=Enabled
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --TpmPpiClearOverride=Enabled
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --TpmPpiDpo=Enabled
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --TpmPpiPo=Enabled 
    
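    ConvertPartitions.ps1
    ##Identifies if disk 0 is in MBR or GPT. If MBR, then the Powershell command changes it to GPT##
    ##Written by Casey Mullins##
    
    ##Only disk 0 is queried, so machines with more than one disk still return a single value##
    $partitionType = (Get-Disk -Number 0).PartitionStyle
    
    ##MBR2GPT is called inside the check so that it runs only when disk 0 is still MBR##
    if ($partitionType -eq 'MBR') {
        MBR2GPT.EXE /disk:0 /convert /allowFullOS
    }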
    
    ConfigureBios.ps1
    (I actually have a lot of other BIOS configuration settings, however I am only illustrating the commands that are needed specifically for this conversion.)
    ##This configures the BIOS to Company Standards##
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" BootOrder --ActiveBootList=uefi
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" BootOrder --bootlisttype=uefi
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --AcPwrRcvry=Last
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --AttemptLegacyBoot=Disabled
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --LegacyOrom=disabled
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --UefiNwStack=Enabled
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --UsbEmuNoUsbBoot=Enabled
    cmd.exe /C "C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe" --WakeOnLan=Enable 
    

    Now that we have all the scripts, software, and pieces setup… let us get started.

    Step 2: Modifying your Task Sequence

    1. WDS/MDT & DHCP Scope settings
      1. You will need to have both DHCP Scope Settings, Option 66 and Option 67, for Legacy and UEFI. I would suggest creating a Policy for Legacy and a Policy for UEFI and either placing them in the desired scope if you have your workstations separated from other traffic, or just placing them on the IPv4 Policy for all scopes if you want the boot options for all devices. Legacy PXE booting is required because your current BIOS is set for PXE boot and not iPXE boot. Once you have imaged a computer and changed the BIOS from Legacy to UEFI, you will need iPXE configured in your DHCP options to have your UEFI BIOS connect to WDS.
        1. Legacy:
          1. Option 66: IP of your WDS server
          2. Option 67: boot\x64\wdsnbp.com
        2. UEFI:
          1. Option 66: IP of your WDS server
          2. Option 67: boot\x64\wdsmgfw.efi
      2. Test to make sure both BIOS can reach your WDS server before continuing.
    2. Add the following rules to your deployment if you are going to use TPM and backup Key to AD:
      1. BDEInstall=TPM
      2. BDERecoveryKey=AD
    3. Download the latest versions or your desired versions of the Dell BIOS for your supported devices. Place them in their own folder, having them in a main folder called: “cmd /c xcopy /s "%SCRIPTROOT%\BIOS" "c:\BIOS" /i /y /r”
      1. Place this folder in a desired location within your deployment share. I placed mine inside the %SCRIPTROOT% folder for the moment.
    4. Add the CCTK tool into your MDT Application repository. (Note: the silent install command for the CCTK.msi is the following): msiexec.exe /i <NameOfProgram>.msi /qn
    5. Create a folder in your deployment share under scripts ( aka %SCRIPTROOT% ) called “Powershell_Scripts” and copy all the scripts we will be using into this folder.
    6. Build a Task Sequence and verify your testing device images to Windows 10 Pro with no errors.
    7. Modify said Task Sequence with the following Groups and tasks:
      1. Add a new Group naming it: “Update BIOS – Activate TPM” and place it directly under the “Tattoo” task inside the State Restore folder
      2. Add a command line under your new folder and call it “Copy All BIOS”
        1. Command line:
          1. cmd /c xcopy /s "%SCRIPTROOT%\BIOS" "c:\BIOS" /i /y /r
      3. Add a Command Line naming it “UpgradeBios”
        1. Command line:
          1. powershell -nologo -executionpolicy bypass -noprofile -file %SCRIPTROOT%\Powershell_Scripts\UpgradeBios.ps1
      4. Add a Restart Task
      5. Add an Install Application task naming it: “Install CCTK”
        1. Use: Install a Single Application and select your CCTK.
      6. Add a Command Line naming it “Turn On TPM”
        1. Command Line:
          1. powershell -nologo -executionpolicy bypass -noprofile -file %SCRIPTROOT%\Powershell_Scripts\TurnOnTPM.ps1
      7. Add a Restart Task
      8. Add a new Group below “Update BIOS – Activate TPM” naming it “Convert Drive - Configure BIOS”
        1. Under this folder you will create the following tasks:
      9. Add a Command Line naming it “ConvertDrive”
        1. Command Line:
          1. powershell -nologo -executionpolicy bypass -file %SCRIPTROOT%\Powershell_Scripts\ConvertPartitions.ps1
      10. Add a Command Line naming it “ConfigureBios”
        1. Command Line:
          1. powershell -nologo -executionpolicy bypass -noprofile -file %SCRIPTROOT%\Powershell_Scripts\ConfigureBios.ps1
      11. Add a Restart Task
      12. Add a Command Line task naming it “Delete ReAgent.xml” (This deletes the original ReAgent.xml that was created when your system partition was in MBR and is used by BitLocker when BitLocker validates / verifies your device.)
        1. Command Line:
          1. cmd.exe /c del  C:\Windows\System32\Recovery\ReAgent.xml
      13. Ensure your Bitlocker folder and all contents are enabled:
        1. Check TPM
        2. Enable Bitlocker
        3. Restart Computer (I do that for me)


    I like to place one last Restart Computer afterwards. From there on out, I complete the rest of my Task Sequence, such as installing all software needed. If you want to suspend BitLocker from encrypting while your software and other tasks are being installed, you can use the following PowerShell command: Suspend-BitLocker -MountPoint "C:" -RebootCount 1  ← Change the number to how many times your system reboots before MDT finishes.

    Last of all, if you want to be able to kick this off on a computer that can be RDP'd or remoted into and has network access to WDS/MDT, you can create a batch file with the following commands:

    cscript.exe \\<Location to your deployment Share>\Scripts\Litetouch.vbs
    pause>nul

    You will then be prompted with the MDT Credentials page, asked which Task Sequence you want to choose, and all the other stuff you would choose prior to starting your imaging process.

    That is it! It took me about 4 weeks to work on this project but now my Service Desk can kick off MDT when they RDP into a client’s Windows 7 computer that needs to be reimaged.



    • Marked as answer by TheUsD Thursday, July 4, 2019 9:30 PM
    • Edited by TheUsD Thursday, July 4, 2019 9:31 PM
    Thursday, July 4, 2019 9:29 PM
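The flashing step described in the answer above runs a package from the deployment share with full privileges, so the example below (added here, not the poster's script and not Dell's tooling) compares versions correctly, refuses a package whose Authenticode signature is not valid, suspends BitLocker if it is already protecting C:, and translates the flasher's "2 = reboot required" result from the question into 3010. Assumptions: the `$Packages` entries and the log path are constructed sample values, the signer check simply looks for "Dell" in the certificate subject, and the Run Command Line step keeps MDT's default success codes of 0 and 3010.

```powershell
# Added example (not the thread author's code). Entries in $Packages and $LogFile are
# constructed sample values; replace them with the packages in your own share.
$Packages = @(
    @{ Model = 'OptiPlex 7050'; Target = '1.12.1'; File = 'C:\BIOS\O7050\OptiPlex7050.exe' }
    @{ Model = 'OptiPlex 9020'; Target = 'A24';    File = 'C:\BIOS\O9020\O9020A24.exe' }
)
$LogFile = 'C:\BIOS\BiosUpdate.log'

function ConvertTo-BiosSortKey {
    param([string]$Version)
    # Dotted versions (1.12.1) compare numerically, not as text.
    if ($Version -match '^\d+(\.\d+){1,3}$') { return [version]$Version }
    # Legacy A-series versions (A07, A24) are ordered by their number.
    if ($Version -match '^A(\d+)$') { return [version]"0.$([int]$Matches[1])" }
    throw "Unrecognised BIOS version format: $Version"
}

function Test-BiosUpdateNeeded {
    param([string]$Current, [string]$Target)
    return (ConvertTo-BiosSortKey $Current) -lt (ConvertTo-BiosSortKey $Target)
}

function Test-PackageSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Assumption: a genuine package chains to a trusted root and names Dell as signer.
    return ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Dell')
}

function Invoke-BiosUpdate {
    $model   = (Get-CimInstance Win32_ComputerSystem).Model
    $current = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion
    $pkg     = $Packages | Where-Object { $_.Model -eq $model } | Select-Object -First 1

    if (-not $pkg) {
        Write-Host "No BIOS package listed for '$model'; nothing to do."
        return 0
    }
    if (-not (Test-BiosUpdateNeeded -Current $current -Target $pkg.Target)) {
        Write-Host "BIOS $current is already at or above $($pkg.Target)."
        return 0
    }
    if (-not (Test-Path -LiteralPath $pkg.File)) {
        Write-Host "Package not found: $($pkg.File)"
        return 1
    }
    if (-not (Test-PackageSignature -Path $pkg.File)) {
        Write-Host "Refusing to run $($pkg.File): signature is missing, invalid or not Dell's."
        return 1
    }

    # A firmware change alters TPM measurements; suspend BitLocker for the next boot
    # if the volume is already protected (for example on a refresh of a live machine).
    $vol = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue
    if ($vol -and $vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint 'C:' -RebootCount 1 | Out-Null
    }

    $proc = Start-Process -FilePath $pkg.File -ArgumentList '/s', "/l=$LogFile" -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 0 }
        2       { return 3010 }            # reboot required -> success with reboot pending
        default { return $proc.ExitCode }  # anything else fails the step
    }
}

exit (Invoke-BiosUpdate)
```

The Restart Task that follows the flashing step in the task sequence still performs the reboot; the 3010 return only keeps the step from being recorded as a failure.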

All replies

  • When do you have it run? While it is booted to WinPE or when it is running the OS?

    May I suggest a way that doesn't require you to manually download BIOS updates or make new batch files?

    See: 
    Dell BIOS update–WinPE–Model Independent–From Internet

    and

    Updated "Parse Dell Downloads" Script


    Daniel Vega

    Saturday, June 22, 2019 8:12 PM
  • Daniel,

    I currently have it doing during WinPE.

    What I am trying to accomplish is:

    1. Computer boots in WinPE under PXE boot
    2. TS: Initialization
    3. TS: Update Bios (determines Make/Model (That's working fine) and if said bios is below X version, upgrade bios, reboot, finish upgrade bios, boot back into MDT)
    4. TS: Configure Bios (Dell CCTK makes bios changes, reboot) 
    5. TS: Validation
    6. TS: State
    7. ETC...

    I can upgrade the BIOS (logs show the BIOS was upgraded and ready for reboot), but when I ask for a reboot command, it Salmon errors out. I've tried the "continue on error" but it still fails when the reboot is initiated.

    I appreciate the links you sent. I was not able to get either of them to work for me, unfortunately. That's what caused me to go this route. 

    Monday, June 24, 2019 12:48 PM
  • They have been working great for me. As for your setup, the problem is you will break your deployment if you reboot during WinPE.

    Where did it fail for you when you tried the script that downloads and updates the BIOS?


    Daniel Vega


    • Edited by Dan_Vega Monday, June 24, 2019 2:23 PM
    Monday, June 24, 2019 1:19 PM
  • It would not find the bios for the device so it wouldn't download it. I made a comment on the post back in Jan about this (Casey is me).

    I know I'm slightly changing topics with this next question so I apologize...

    If what I am trying breaks the deployment, then what do you suggest would be the best course of action?

    In a nutshell, the reason to make bios changes is that the company I work for is super behind on the times with imaging and their OS images. They were and are (I'm slowly getting the devices converted) on Legacy BIOS.

    With the exception of the main office branch, we have 29 centers with no onsite support. Our ServiceDesk guides users on how to reimage a computer. Prior to WDS/MDT we were using the archaic KACE. I've switched them over to MDT since joining the company. I have written instructions for the SD techs to guide users on how to change the BIOS settings to make them UEFI, but both rarely follow directions, which causes a lot of headache. This has brought me to my current situation. I'd like to have it set up to where I can have the SD remote into the user's PC and run a .bat file that connects to the LiteTouch.wsf so the SD tech can start the imaging process.

    From there, the bios gets upgraded which will allow the 4.2 CCTK tool to configure the bios, to the settings we need. 

    BootOrder --ActiveBootList=uefi --AcPwrRcvry=Last BootOrder --ActiveBootList=uefi --AdminSetupLockout=Disabled --Aspm=Auto --Asset= --AutoOn=Disabled --AutoOnHr=0 --AutoOnMn=0 --BlockSleep=Disabled --ChasIntrusion=SilentEnable --CpuCores=All --CpuXdSupport=Enabled --CStatesCtrl=Enabled --DeepSleepCtrl=S4AndS5 --EmbNic1=EnabledPxe --EmbSataRaid=Raid --FanCtrlOvrd=Disabled --HddProtection=Disabled --IntegratedAudio=Enabled --IntelRapidStart=Disabled --IntlSmartConnect=Disabled --IrstTimer=30 --LegacyOrom=Disabled --LimitCpuidValue=Disabled --LogicProc=Disabled --NumLock=Enabled --OromKeyboardAccess=Enabled --PasswordBypass=Disabled --PasswordLock=Disabled --PostMebxKey=Enabled --PropOwnTag=  --RptKeyErr=Enabled --Sata0=Enabled --Sata1=Enabled --Sata2=Enabled --Serial1=Com1 --Serr=Enabled --SmartErrors=Disabled --Speedstep=Enabled --StrongPassword=Disabled --TpmSecurity=Enabled --TrustExecution=Disabled --TurboMode=Enabled --UefiNwStack=Enabled --Usb30=Enabled --UsbEmu=Enabled --UsbPortsFront=Enabled --UsbPortsFront30=Enabled --UsbPortsRear30=Enabled --UsbRearDual=Enabled --UsbRearDual2Stack=Enabled --UsbWake=Enabled --Virtualization=Enabled --VtForDirectIo=Enabled --WakeOnLan=Enable
    --SetupPwd=$$$$$$$$
    --tpm=on --valsetuppwd=$$$$$$$
    --tpmactivation=activate --valsetuppwd=$$$$$$$$
    --setuppwd= --valsetuppwd=$$$$$$$
    --TpmPpiAcpi=Enabled
    --TpmPpiAcpi=Enabled
    --TpmPpiPo=Enabled
    --TpmPpiDpo=Enabled

    Since we have devices ranging from Dell 9020's and E5440's to 7060's and newest XPS's, our Bios firmware versions are all over the place due to nobody updating them. 
    My train of thought was to have a device's BIOS updated to its newest version during the imaging process so I only had one set of CCTK commands to manage and finally get this organization standardized.

    Make sense?
    Sorry to throw all that at you.

    Monday, June 24, 2019 2:40 PM
  • This person wrote a way to convert BIOS to UEFI by way of an upgrade task sequence.

    https://gallery.technet.microsoft.com/BIOS-to-UEFI-Conversion-cf824867

    If you want to wipe the system, Anton (he's on the forum at times) wrote up a process for doing that, but it does take away pre-provisioning if you're using BitLocker encryption.

    https://www.vacuumbreather.com/index.php/blog/item/76-bios-to-uefi-the-easy-way-mbr2gpt

    Then there's the Config Manager way.

    https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion


    Daniel Vega

    Monday, June 24, 2019 6:34 PM
  • I think I am going to go this route: (Something I came up with on the fly)

    Allow PXE and iPXE (UEFI Network Stacking) boot into WDS.
    MDT will auto detect which BIOS is currently configured, UEFI or Legacy (BIOS)
    If it is in Legacy, the image process will image in MBR.
    If a needed BIOS upgrade is detected, the BIOS will upgrade while in Windows, computer reboots. 
    Dell CCTK tool gets installed, then BIOS is configured to company standards (which puts BIOS from Legacy to UEFI)
    A task sequence will be set to run a PowerShell command that detects if the partition is GPT or MBR and if MBR then run:  MBR2GPT.EXE /disk:0 /validate /allowFullOS 

    That should then convert the MBR to GPT without data loss, thus allowing the system to reboot into UEFI since it was changed by the bios configuration.

    Thoughts?

    I'll report back with findings.
    • Edited by TheUsD Tuesday, June 25, 2019 4:12 PM
    Tuesday, June 25, 2019 4:10 PM
  • I finally figured it all out!

    I've successfully created a single Task Sequence to take a Windows OS that's currently in Legacy BIOS, boot into WDS/MDT, image the device, upgrade its BIOS to the latest version, change BIOS from Legacy to UEFI, convert the partition from MBR to GPT, and then encrypt the drive with BitLocker, which involves ZERO physical presence at the PC IF you are currently able to RDP or remote session into the device, the HDD/SSD is in good working order, and it has network access to WDS/MDT shares. Very ideal if your IT is remote OR you have very inexperienced Service Desk staff.

    I'm not sure if I should post the steps here or post them somewhere else. I feel like this is a major accomplishment because I have yet to find anyone who has done it "all-in-one". I would love to get some direction on where to post this for the most exposure to help any others who go through this task.

    Thanks. 


    • Edited by TheUsD Thursday, July 4, 2019 6:02 PM
    Thursday, July 4, 2019 5:57 PM
  • }
    if (($ComputerModel -eq 'OptiPlex 9020') -and ($BIOSVersion -le 'A24')) {
        cmd.exe /c C:\BIOS\O9020\9020.bat
        } 

    Hi,

    could you elaborate on what the .bat is doing exactly, please?
    I am unable to update the BIOS of a 9020 from A12 to A24. If I try it manually in WinPE it works, but not if called from a TS Run Command Line step like this: "Flash64W.exe /b=O9020A24.exe /s /f"

    Friday, August 23, 2019 1:54 PM
  • cd /d c:\BIOS\O9020
    flash64w.exe -b=O9020A25.exe /s
    Monday, August 26, 2019 12:31 AM
  • This has to be the best post I have seen about how to enable TPM/BitLocker in MDT!

    Thank you!

    Thursday, September 5, 2019 1:50 PM
  • as far as the password for TPM

    I assume that 

    cctk.exe" --setuppwd=InsertYourPasswordHERE

    Sets up the password for the BIOS? Is it required to have a BIOS password to use TPM?

    Also what version of CCtk are you using 3 or 4.2?
    • Edited by PeteBC Thursday, September 5, 2019 2:36 PM
    Thursday, September 5, 2019 1:59 PM
  • as far as the password for TPM

    I assume that 

    cctk.exe" --setuppwd=InsertYourPasswordHERE

    Sets up the password for the BIOS? Is it required to have a BIOS password to use TPM?

    Also what version of CCtk are you using 3 or 4.2?

    I have 9020m to 7060's and soon 7070's along with several laptop models. I'm using 4.1 and about to move to 4.2

    In order to set some of the TPM settings in the BIOS, you have to have a password. That being said, if you read the TPM PS script I made, you'll see you first install a BIOS password, and then use the BIOS password for the BIOS settings that need it. Lastly, I remove said password because we don't want a BIOS password for our environment. Hope that helps! 

    Friday, September 6, 2019 1:10 AM