Disable Edge Welcome Page & Default Browser Prompt During OSD – Win 10 1607


This idea was borrowed and adapted from Jorgen Nilsson’s post, all credit goes to him: https://4sysops.com/archives/disable-welcome-to-microsoft-edge-page-and-default-browser-prompt-in-windows-10-1607/ – For more info, check out that blog, he lays it out really nice.  For something more fancy than batch files, use that post. Smile

I’ve modified it to be two batch files that create registry keys and use the “runonce” key.
This is very similar to how I Pin Internet Explorer Icon to the Taskbar, which is why I went with this method.


This method will use two Batch Files: (Included in download in EdgeBrowser Folder)

  1. EdgeDisablePrompt.cmd
    REM Load Default User's Registry to HKLM\defuser, then import the settings needed.
    REM Sets RunOnce for each user who logs in to run the script that will Pin Internet Explorer to the TaskBar
    reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
    reg.exe ADD HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v EdgeDisablePrompt /T REG_SZ /D "c:\cabs\EdgeDisableDefaultPrompt.cmd" /F
    reg.exe unload HKEY_LOCAL_MACHINE\defuser
    REM Copy File required to local machine c:\cabs
    xcopy "EdgeBrowser\EdgeDisableDefaultPrompt.cmd" "c:\cabs\" /Y /S
    1. This batch file is mounting the Default User Profile, adding a RunOnce key called EdgeDisablePrompt, which will run the the 2nd batch file when the user logs on the first time.  It then copies the 2nd batch file local so it can run on first logon.
  2. EdgeDisableDefaultPrompt.cmdimage
    REM Adds Keys to disable prompt and first run
    Reg.exe ADD "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v DisallowDefaultBrowserPrompt /T REG_SZ /D "" /F
    Reg.exe ADD "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v IE10TourShown /T REG_DWORD /D "1" /F
    Reg.exe ADD "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FirstRun" /v LastFirstRunVersionDelivered /T REG_SZ /D "" /F
    1. This batch file creates the registry keys for the logged on user, that will disable the Edge First Run Prompt & Page.

Ok, now that you have your scripts, add them to your Windows 10 OSD Scripts Package, then add it to OSD.

New Command Line Step: cmd.exe /c EdgeBrowser\EdgeDisablePromptSetup.cmd

After you’ve imaged a computer, the first time you login in, you’ll see a command window open and close very quickly (when its adding those registry keys for Edge), then when you open Edge, it will not prompt for setting it to default or show the First run home Page.

Then when you launch Edge, it will go to your Corporate Default Page (Set via Group Policy)
Computer Configuration \ Administrative Templates \ Windows Components \ Microsoft Edge

Dell Warranty Reporting via ConfigMgr - Dell Warranty API

Update 8/18 – Finally received our Production Key.  In the Meantime @Geodesicz also modified the script to run in either Sandbox or Production mode.  It will try if the Key can be used on Dells production API environment, and move forward if it can, otherwise, if errors, then falls back to the SandBox API. – I’ve pasted the updated Script in below and updated the latest version in the download.

Update 7/15 - Working with Dell, found we were using the older API, needed to be using v4 instead of v2 API.  Currently rewriting entire Script to use new API calls.  Will update this Post once the new script is done and tested with the updated API URL.  Will provided updates scripts and Reports once complete.

Update 7/11 - Modified Script to use the Actual Dell API URL instead of their SandBox URL. (Updated Text below & Download Zip File)

Recently I attended MNSCUG meeting where Jason Sandys presented on ConfigMgr database.  He showed his OSD Info Script that would write information to WMI so that you could then capture it with the hardware inventory to report back on additional information.  That got me thinking about what else I'd like to have in WMI to report on... Dell Warranty Info!

Started looking for a Dell Warranty Script to get me started, found one HERE. Used that to sparks some other ideas.  Contacted Dell to get the Dell Warranty API access process started. - Email here: SS-API_Support_Team@Dell.com to get the conversation started, you'll have to fill out some questionnaire, etc., but eventually, you'll get your access and own personal API Key.

I worked with my friend @Geodesicz (Mark) who is a PowerShell wizard, and he was able to build me the script I wanted.  Pulls Dell Warranty Info from Dell's warranty API and places that info into WMI on the workstation.  We are using a new namespace called ITLocal, which was already on the machines since we had implemented Jason Sandys OSDInfo Script the week before and decided to use that namespace for consistency.

Download Our Script HERE - Code shown below:

Write Dell Warranty Information to WMI V2.2
Queries Dell Web Service API V4 for Warranty Info
Creates Custom WMI Namespace and Class
Writes Warranty Info to WMI
Requires PowerShell V5
You can also add this custom class to be collected by Configuration Manager hardware inventory
Script written by Mark Godfrey (http://www.tekuits.com/blog) and Gary Blok (http://garytown.com/) - MN.IT


# Get Service Tag of Local Machine
$ServiceTag = Get-WmiObject -Class Win32_Bios | select -ExpandProperty SerialNumber
# Query Web Service API
    $URL1 = "https://api.dell.com/support/assetinfo/v4/getassetwarranty/$ServiceTag"
    $URL2 = "?apikey=$apikey"
    $URL = $URL1 + $URL2
    $Request = Invoke-RestMethod -URI $URL -Method GET
Catch [System.Exception]
    Write-Output "Production API URL failed, switching to sandbox API"
    $URL1 = "https://sandbox.api.dell.com/support/assetinfo/v4/getassetwarranty/$ServiceTag"
    $URL2 = "?apikey=$apikey"
    $URL = $URL1 + $URL2
    $Request = Invoke-RestMethod -URI $URL -Method GET
$Warranties = $Request.AssetWarrantyResponse.assetentitlementdata | where ServiceLevelDescription -NE 'Dell Digitial Delivery'
$AssetDetails = $Request.AssetWarrantyResponse.assetheaderdata

# Set Vars for WMI Info
$Namespace = 'ITLocal'
$Class = 'Warranty_Info'

# Does Namespace Already Exist?
Write-Verbose "Getting WMI namespace $Namespace"
$NSfilter = "Name = '$Namespace'"
$NSExist = Get-WmiObject -Namespace root -Class __namespace -Filter $NSfilter
# Namespace Does Not Exist
If($NSExist -eq $null){
    Write-Verbose "$Namespace namespace does not exist. Creating new namespace . . ."
    # Create Namespace
       $rootNamespace = [wmiclass]'root:__namespace'
    $NewNamespace = $rootNamespace.CreateInstance()
    $NewNamespace.Name = $Namespace

# Does Class Already Exist?
Write-Verbose "Getting $Class Class"
$ClassExist = Get-CimClass -Namespace root/$Namespace -ClassName $Class -ErrorAction SilentlyContinue
# Class Does Not Exist
If($ClassExist -eq $null){
    Write-Verbose "$Class class does not exist. Creating new class . . ."
    # Create Class
    $NewClass = New-Object System.Management.ManagementClass("root\$namespace", [string]::Empty, $null)
    $NewClass.name = $Class
    $NewClass.Qualifiers.Add("Description","Warranty_Info is a custom WMI Class created by Gary Blok(@gwblok) and Mark Godfrey(@geodesicz) to store Dell warranty information from Dell's Warranty API.")
    $NewClass.Properties.Add("ComputerName",[System.Management.CimType]::String, $false)
    $NewClass.Properties.Add("Model",[System.Management.CimType]::String, $false)
    $NewClass.Properties.Add("ServiceTag",[System.Management.CimType]::String, $false)
    $NewClass.Properties.Add("ServiceLevelDescription",[System.Management.CimType]::String, $false)
    $NewClass.Properties.Add("ServiceProvider",[System.Management.CimType]::String, $false)
    $NewClass.Properties.Add("StartDate",[System.Management.CimType]::String, $false)
    $NewClass.Properties.Add("EndDate",[System.Management.CimType]::String, $false)
    $NewClass.Properties.Add("ItemNumber",[System.Management.CimType]::String, $false)

# Write Class Attributes
$Warranties | ForEach{
    $wmipath = 'root\'+$Namespace+':'+$class
    $WMIInstance = ([wmiclass]$wmipath).CreateInstance()
    $WMIInstance.ComputerName = $env:COMPUTERNAME
    $WMIInstance.Model = "Dell " + ($AssetDetails.MachineDescription)
    $WMIInstance.ServiceTag = $AssetDetails.ServiceTag
    $WMIInstance.ServiceLevelDescription = $PSItem.ServiceLevelDescription
    $WMIInstance.ServiceProvider = $PSItem.ServiceProvider
    $WMIInstance.StartDate = ($PSItem.StartDate).Replace("T00:00:00","")
    $WMIInstance.EndDate = ($PSItem.EndDate).Replace("T23:59:59","")
    $WMIInstance.ItemNumber = $PSItem.ItemNumber
    Clear-Variable -Name WMIInstance

Syntax: WriteDellWarranty2WMI.ps1 -APIKey Y0UR@P1K3Y  (Get your APIKey from Dell)

Make a Package & Program and push it out to your dell Computers. (remember to have Windows Manage Framework 5 already installed on your workstations).


We also added this to OSD, like so:


Here is a capture of the info in WMI after the Script has been run: (Using Coretech WMI Browser)

Once in WMI, we have to add this to our Hardware Inventory:

Go into the Default Client Settings, Hardware Inventory -> Set Classes -> Add... -> Connect to WMI namespace root\ITLOCAL

Once Connected, you should see the Warranty_Info


After you check the box, and click OK, it should show up in your classes list:

I unchecked everything here, because I only want to apply this to my Dell Workstations.
I opened our Dell Client Workstation Settings (We have one that applies only to Dell Workstations, which I borrowed the idea from Mike Terrill after reading this Post about inventory bios settings.


Ok, now wait for your Hardware Inventory cycles to run and the data to populate in your ConfigMgr DB.

Ok, Building reports... Fun with SQL Report Builder!
Mark & I have created two quick and easy reports for now, just as proof of concept, but will probably find ways to pull this data into other reports as well.

  1. Dell Warranty Expired Report - This report shows all of the Computers in ConfigMgr that have expired Warranties:
    You can click on the + next to the computer name to expand if has more than 1 warranty associated with it.
  2. Dell Warranty Expires between dates - This report will let you pick dates and show you the computers that will expire. (If computer has more than 1 warranty, it will only use the warranty with the latest end date)
  3. Dell Warranty Info for specific Computer: Super simple report that lets you put in a computer name and get the info:


We created a new folder called Hardware - Warranty, created our reports there.  I've added those 3 reports to the ZIP file you can download with the Script.

Just import them into your system, as long as you kept the namespace the same as the one in our script, it should work fine.  Update your Data source in each report, and you should be set.

In the 2 reports, I have it so if you click on the computer name, it links to a hardware report with more info about that specific computer.  I think it's a built in ConfigMgr report, so it should still work, if not, just delete that action:


I really hope I didn't miss anything, there was a lot of parts to this.  Mark will also be blogging this, since it was a joint project.  He'll probably have more info about the Powershell stuff itself.

Couple of things to remember... ConfigMgr DB is NOT the same as a Configuration Management Database.  When you delete the computer from ConfigMgr, there goes the data along with it.  I make sure to tell our management, this data is ONLY useful for computers currently active in our system, we do NOT keep historical data.

As always, if you run into any problems, please feel free to contact me, I'll update the Blog to correct anything found.  Sometimes its hard to get the proper screen captures after you've already set it up and been using it.

Also, I highly recommend checking out Jason's OSDInfo Script & Mike Terrill's Dell Posts, those might help shed some light on what we've done.

Say Goodbye to Dell Driver Management - Use Dell Command Update in OSD

If you're using Dell machines, you might be able to forget how to import drivers moving forward.  I've tested this new method with several Dell Models, and so far, It's been working well.

My Basic Solution:

  • Using DISM, import the Dell Driver WinPE pack into the Base WIM
    • Now our Windows 7 or 10 WIM Image has all of the Storage & Network Drivers needed
  • During OSD, run the Dell Command Update utility to install rest of the drivers needed


  • Pros
    • No more large driver pack imports
    • Works Great in Windows 10
    • No more updating driver packs
      • As long as Command Update supports the model, you're already set
      • Always uses the latest available drivers from dell
  • Cons
    • Installs the "Extra Bloat" software along with the driver (sometimes handy, sometimes not) - I've submit feedback requesting they add a switch to install drivers only, skipping the add-on software.
    • Works So/So in Windows 7
    • Requires Internet Connection during OSD if using Dell's Internet Repo
      • You can setup your own Repo, but then you're managing a Repo
      • Downloads can be Quite Large!  (I've seen 755MB download between several driver updates), could take awhile over slow connection.

Lets Start by downloading the latest WinPE CAB from Dell's Site

If you're going to do this in MDT during your Build and Capture, place the files in a folder in the "Application" folder and then reference it during the TS. (I named the folder Drivers Win10x64 - WinPE)
Command: cmd /c dism.exe /image:C:\ /Add-Driver /driver:"z:\Applications\Drivers Win10x64 - WinPE" /recurse

Place the Step after the TS reboots back into PE, but before it's captured:

Here is my folder of the drivers it injects:
I've added an additional driver (Security Folder) that Dell Command Update didn't get, it was for the fingerprint sensor on the E5470.  I grabbed the security folder out of the CAB for the E5470. (Probably fixed the issue on some other models before I tested them)


If you don't want to add it to your Build & Capture, you can create a normal Package with the contents of the folder, then reference that during your ConfigMgr OSD TS:

Command: cmd /c dism.exe /image:C:\ /Add-Driver /driver:.\ /recurse

Either way will work, I've just chosen to add it to my Build & Capture since I'm 99% Dell Shop, and then it saves even more time when deploying a Dell. (However I'm testing on HP, and it seems to be working... I'll Post later if I can get the HP Updater Software to work right)


Then towards the end of my TS, I have 4 Steps that Installs the Command Update Software, Applies Settings, and Runs it, then reboots. - Will get into more details later.


You'll need to Create your Settings XML Settings File, install the software on a Dell machine, launch it, configure the settings, then export it.  VERY IMPORTANT.  YOU MUST CHANGE THE PATH otherwise it will FAIL during OSD.

Preparing the Dell Command Update software:

  1. Download the Dell Command Update utility from Dell
  2. Install on Dell Unit and launch software, go to Settings and set them how you'd like:
    1. General:  Make sure you set the location to c:\ProgramData\Dell\CommandUpdate (Otherwise it WILL fail during OSD) - You might have to manually edit the XML document after the fact, I had trouble manually setting this since it's a hidden folder.
    2. Schedule: I've set this to Manual, as I don't want it to auto run
    3. Update Filter: I've left defaults but unchecked Bios (since I have a password, this will not work, I used the Application Model to update my BIOS via Script).   I also uncheck Input, as it had installed a few things I didn't really want.  I'd recommend installing this on a machine and running it to see what updates come through, then you can change your settings accordingly.
    4. Export the xml file. - You can DOWNLOAD MINE HERE
  3. Create your Package Source (Dell Updater & xml file)
  4. Create the ConfigMgr Package (No Programs)

Now that you have your Package w/ your Dell XML File, you can add the steps to OSD.

  1. Command Line: Install Dell Command Update Package - cmd /c Systems-Management_Application_4DP6N_WN32_2.1.1_A00.EXE /s /f
  2. Command Line: Modify Dell Command Update - "C:\Program Files (x86)\Dell\CommandUpdate\dcu-cli.exe" /import /policy OSDSettings.xml
    Make sure you set this step to "Continue on Error".  I've reported the Bug to Dell, while the import is successful, the program throws an error and will kill your TS if you don't check that box.
  3. Command Line: Run Dell Command Update - "C:\Program Files (x86)\Dell\CommandUpdate\dcu-cli.exe" /log c:\cabs\installlogs /silent
  4. Restart Computer.

Now when you image your computer, it will only have the bare driver installed until it runs the Dell Command Update, where it will check for the latest Dell supported drivers and apply them to your system.

Systems Tested:

  1. Windows 10 1511 x64
    1. Latitude E6540
    2. Latitude E5470 - missing fingerprint scanner driver (As noted earlier)
    3. Latitude E7275
    4. Latitude E7250
    5. Latitude E7270
    6. Latitude E7240
  2. Windows 7 x64 (kind of works - but I wouldn't use this to replace Driver Packages, just supplement it)
    1. Latitude E6540 - Missing Drivers after OSD:
      1. Resolved by running Command Update Manually after OSD and changing Setting -> Update Filter to "All updates for system model" and choosing the drivers to install.
        1. STMicroelectonics 3-Axis Digital Accelerometer
        2. Realtek HD Audio (Used Default HD Audio drivers, it did work
        3. BayHubTech /O2Micro Integrated SD Controller (used default driver, did work)
        4. Intel Smart Connect Technology
      2. Resolved by running MS Updates (wuapp) pointed to the Internet
        1. Intel Active Management Technology - SOL
        2. Intel Management Engine Interface
      3. After running both:
    2. Latitude E7250 - Missing Drivers after OSD:
      1. Resolved by running Command Update Manually after OSD and changing Setting -> Update Filter to "All updates for system model" and choosing the drivers to install.
        1. Intel Wireless
        2. Intel Dynamic Platform & Thermal Framework
        3. Realtek HD Audio (Used Default HD Audio drivers, it did work)
        4. O2Micro Integrated SD Controller (used default driver, did work)
        5. Broadcom USH (Dell ControlVault w/o Fingerprint Sensor
      2. Missing after running Dell Command Update - NONE !
    3. Latitude E5550 - Same Results as the E7250, just missing a few more drivers, but found them all when running manual update from Command Update:
      1. Right after OSD:
      2. After running the Updater:image


Takeaways.  For New Windows 10 Machines, we've switched to this model.  No more downloading Dell Driver Packs and applying drivers.  Just Injecting the Core Drivers into the WIM, then running Dell Command Update to get the rest and Update to the latest Dell Supported Drivers.  On Windows 7, we still use the Dell Supplied Driver Packs, but run Dell Command Update at the end of OSD to update NIC / Video and whatever else it can find.

This is great for testing new Models, instead of taking time to import the drivers, just image it and Dell Command Update will do it's part to get you far enough along. 

There are still quite a few bugs in Dell Command Update 2.1.1 that I've been reporting, and I expect with each new version, it will be better and better.

HP Bios Update Application - HP Revolve 810 G1/G2/G3

I've recently taken a little time to automate the Updates of our HP Laptops. I've found that HP Has different Bios Update programs based on the age of the machine.  Documentation was a bit lacking as well.  I'm assuming that other HP machines will fall into one of these two methods I'm using. I'm creating this using the Application Model instead of a package, however you can easily change this into a package with minimal changes.

AppModel Pros: Application Catalog, Detection Methods, Works in a TS
AppModel Cons: Can't use in WinPE

Package Pros: Simple, less time to setup, works in WinPE in a TS.
Package Cons: Simple, no detection, can't make available via Catalog.

Here is a run down of things we'll cover

  • Create your Content Folder Structure. (or download mine HERE)
  • Download & Extract Bios from HP
  • Create Bios Password File
  • Create Bios Update batch File
    • Suspend Bitlocker
    • Add runonce regkey to enable bitlocker after reboot
    • Apply Bios Update
    • Restart Machine with 2 Minute User Notification Popup.
  • Deploy
  • Add to TS Info


  1. Create your Package Content Structure.
  2. HP Revolve 810 G1\G2\G3- Get the Bios HERE
    1. Save it to your 810G1 folder and Extract with 7zip
    2. It should now look like this:
    3. Repeat for the G2 and G3 Models, your folders should now look like: image
  3. Time To create the Password File.
    1. from the 810G2 folder, launch HpqPswd64.exe
    2. Type in your Bios Password and Save the BIN file to your Password File Folder
    3. Copy that file from the Password File folder into each Bios Folder like so:
      Always keep a copy on hand, if you ever run the process manually, the bios update will delete the password file from the folder. A security feature I'm sure.
  4. Lets write a simple batch file that will repair the bitlocker mof, suspend bit locker, add a Run once key to turn it back on after restart, update the bios and give a two minute warning for reboot.


    1. REM Fix Bitlocker MOF if needed
      mofcomp.exe c:\windows\system32\wbem\win32_encryptablevolume.mof

      REM Suspend Bitlocker
      Manage-bde.exe -protectors -disable c:

      REM Add RunOnce key to Enable Bitlocker after Restart if it doesn't automatically via GPO / MBAM
      reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v EnableBitlocker /T REG_SZ /D "Manage-bde.exe -protectors -enable c:" /F

      REM Update Bios
      hpqFlash64.exe -s -pHPBiosPassword.bin -lc:\Cabs\InstallLogs\HPBiosUpdate.log

      REM Reboot Computer (Does not affect WinPE, as it can't use shutdown.exe)
      shutdown.exe /r /f /t 120 /c "Updating Bios, please save your work, Computer will reboot in 2 minutes"



      1. -s = Silent
      2. -p = Calls Password File
      3. -l = Log File (You can remove this or add your own logfile path)
    2. Ok, lets do one for the 810 G2\G3, as it's a little different, as they've added some features and changed syntax.
    3. REM Fix Bitlocker MOF if needed
      mofcomp.exe c:\windows\system32\wbem\win32_encryptablevolume.mof

      REM Suspend Bitlocker (Not needed on the G2 / G3 Models, they have the "-b" option to disable bitlocker)
      REM Manage-bde.exe -protectors -disable c:

      REM Add RunOnce key to Enable Bitlocker after Restart if it doesn't automatically via GPO / MBAM
      reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v EnableBitlocker /T REG_SZ /D "Manage-bde.exe -protectors -enable c:" /F

      REM Update Bios
      HPBIOSUPDREC64.exe -s -r -b -pHPBiosPassword.bin -lc:\Cabs\InstallLogs\HPBiosUpdate.log

      REM Reboot Computer (Does not affect WinPE, as it can't use shutdown.exe)
      shutdown.exe /r /f /t 120 /c "Updating Bios, please save your work, Computer will reboot in 2 minutes"

      1. -s = Silent
      2. -r = NO Reboot
      3. -b = Suspend Bitlocker
      4. -p = Password file
      5. -l = logfile
    4. Time to Create an Application to deploy the Bios
      1. image
      2. image
      3. image
    5. Deployment Types
      1. image
        Name your Deployment, I do Model & Bios Version
      2. image
        Point to your Source Content
      3. image
        Program = your Script File
      4. image
        Detection = Registry Setting for the Bios Version
      5. image
        Set to Install for System - Whether or not
      6. image
        Set your Requirements to Computer Model (Blogged here)
      7. image
        Set 0 to Hard Reboot, so it will reboot, then run detection.
        If you want to add more return codes, you can find a list here... I have not tested them.
      8. It's pretty much identical for the other two systems, just change the content to the correct folder, and the detection to the bios version. - Tip: Update one, then point to that when you're getting your detection method.
  5. Deploy, seeing it in action.  I've deployed mine to "all users" so it shows up in the Catalog
    1. Installing from the Application Catalog:
    2. Once it finishes the process, it give the 2 minute reboot warning. The software center will say "Requires restart"
  6. You can also deploy to a Computer collection you've created.  This is how I typically do pushes, send out communications, then push to a collection.  But for awhile during testing, I like to make it available so I can run it from the catalog.
  7. Adding to Task Sequence.  So I was excited that HP bios support being updated in WinPE... but yet I was having it fail, saying it needed a full OS.  I thought "LAIR", I've tested the script in PE and it worked fine!  Then I realized, I was running it as an application, not a package... and that's what wouldn't work in PE.  So... I had to add this Bios Update Step later in my TS, after it was in Windows, just like I do with my Dell Bios Updates. - I've tried to leave some steps around it for Context as to where I've added the HP Bios Update Step.
    1. Note, in the script I call shudown.exe, which gives a two minute delay.  In the TS, there is a restart right after it the Application Runs, which will restart the system right away instead of waiting for the two minute timeout.  If you do decide to make this into a package, remove the shutdown.exe part of out if, as that is not available in WinPE.


As always, I welcome comments and feedback.  I only set this up a few days ago, and tested on a couple machines, so there might be scenarios that need tweaking.  I'll update this if I find anything.  - @gwblok

Enforce UEFI during OSD or Nicely Fail with remediation.

UPDATE: 6/14 - A few days after I wrote this, Nickolaj posted a nice way to automate this for Dell Systems.  Check it out HERE.  Great post, I look forward to trying out.

I wanted to make sure that during Windows 10 OSD, machines were getting set to UEFI and Secure Boot.  I did not want to leave this up to the tech who was imaging the PC, while they catch it most of the time, there is still the chance they miss it, and I get a Windows 10 machine with Legacy Bios.

I added a group with a few steps to my TS that will trigger if _SMSTSBootUEFI is not True
, if _SMSTSinWinPE is True, and if it's one of my hardware manufactures.

  1. _SMSTSBootUEFI - This is the main variable, as it will say if the Machine is booted to UEFI or not
  2. _SMSTSinWinPE - This is so that these steps only run if in PE, If I'm doing an in place upgrade, I don't want it to check and fail.
  3. WMI Query for Hardware Manufacture - I have Dell & HP machines, which I want it to check on, but I don't want it to check on Virtual Machines.  At this point in the TS, the isVM variable isn't yet available, so this method works to exclude my VMs.


This will NOT completely automate the process from going from LEGACY to UEFI.  The TS will Fail if the Bios are set to LEGACY, but it's right in the beginning, and then you can start the Windows 10 TS again and it will install properly using UEFI & Secure Boot.

For a FULL solution, look to 1e's Bios to UEFI

This was as a failsafe to make sure our machines were set correctly right away instead of finding out after the fact that we imaged a machine to Windows 10 that was still using Legacy Mode.
Package Contents:

  1. MessageBox Script get HERE (Deployment Guys Technet Blog)
    You'll need to modify the MDTMessageBox.wsf script so it will automatically close the TS Progress bar.  Info found HERE (Niehaus's blog)
    You'll need to add this snipit into the script near the top:
    Set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
    Set oTSProgressUI = Nothing

  2. ZTIUtility.vbs (From MDT scripts folder) - Just copy this file from your MDT Script Deployment Share, and paste it into your package content.
  3. Shutdown.exe, copied from c:\Windows\system32

TS Steps:

  1. Notify UEFI Status (Step 1) image
      1. Write your message here using syntax from the blog link, example:
        cscript.exe "MessageBox\MDTMessageBox.wsf" /text:"WARNING - This Machine is not set to UEFI in the BIOS - Please Shutdown, fix the Setting and Start again - The Next Step will Automatically try to FIX it for you if you're deploying to a DELL or HP machine and reboot. Please confirm it's Booting UEFI with Secure Boot Enabled" /type:64 /title:"UEFI
      2. in the Options, check the box for "Continue on Error"
  2. Dell Bios - SecureBoot - UEFI (Step 2) - Note, this step works on DELL, you'd have to modify for another Vendor - I have it skip this step if it is NOT a dell PC.

    1. This is just a script I'm using that calls the CCTK (Dell Command Configure) and sets bios to UEFI & Secure Boot.  Mike Terrill wrote a great blog post about how to do this, so I will not repeat it.
  3. HP Bios - SecureBoot - UEFI (Step 3) - This looks basically the same as Step 2, but it for our HP Machines
    1. You can get the HP Bios Configuration Software HERE
      The Documentation is located HERE
      Brenton wrote up a How To HERE
  4. Shutdown Machine (Step 3)
    MessageBox\Shutdown.exe -s -t 00


So lets see it in Action (Dell E6540) - Tested also on HP Revolve 810 G2

  1. First Picture: Booting while in Legacy Mode w/ Secure Boot Disabled (Dell)
  2. Starting Windows 10 TS
  3. Starts that Step
  4. TS runs the Message because it's not UEFI (while hiding the Installation Progress bar)
  5. Computer then runs the Bios Settings to Change to UEFI
  6. Computer then Shuts down.
  7. It now shows the correct Boot options and you can start your Windows 10 OSD again ensuring UEFI & Secure Boot.

Other things you could add.. Email Service Desk or Admin if UEFI not enabled using a method like THIS.