Dell Bios Updates - ConfigMgr App Model - Post OSD

I’m pretty good about keeping our Dell machines at the current BIOS level, usually a couple models get updates every month… then there was that Intel AMT vulnerability, and they released updates for nearly all of our models, so that was fun.  I tweeted about my exploits and had requests to share how I’m doing it… so here it is…

App Model & PowerShell

I blogged a 3 part post back in Dec 2015, I’m not going to redo everything, but send you there if you need to build your collections yet:

Another Pre-Req is having a global condition for “Model”, which I cover here:

Once you have that out of the way, it’s just building your App.


It’s really simple, we have a PowerShell script that will:

  1. Suspend Bitlocker (Works for Win 7-10)
  2. Stop the MBAM Service (So MBAM doesn’t start Bitlocker again before rebooting)
  3. Grab Dell Bios info from the Bios EXE file in same directory
  4. Create Log File name based on that EXE
  5. Confirm Bitlocker is Suspended
  6. Update Bios, creating Log File
  7. Reboot Machine
    1. Reboots right away if no one is logged on
    2. Give 5 Minute & 2 Minute warnings if someone is logged on

The nice thing about this method, it’s one script, that never changes. You just add it to your Model Folder. Every time a new BIOS comes out, replace the BIOS.EXE in the source, update the Application Detection Method, and update the content for that deployment.  All Set!

Now the Script:

There are 2 parameters, you tell it where you want your log file, and what your BIOS password is.  That’s it:
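The seven steps listed above, written out as an added example; this is not the author's BiosUpdate.ps1. The parameter names follow the Programs line used on this page; the `MBAMAgent` service name, the Dell `/s /p= /l=` switches, exit code 2 meaning "reboot required" and the default log path are assumptions to check in your environment.

```powershell
# Added example, not the author's BiosUpdate.ps1. Written for PowerShell 2.0+ (Windows 7-10).
param(
    [Parameter(Mandatory = $true)][string]$BiosPassword,
    [string]$LogPath = 'C:\Cabs\InstallLogs'
)

# Steps 1-2: suspend BitLocker on the OS volume, then stop MBAM so it cannot resume it.
# 'MBAMAgent' is the assumed MBAM client service name.
$volume = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'" `
    -ErrorAction SilentlyContinue
if ($volume) { [void]$volume.DisableKeyProtectors() }
Stop-Service -Name 'MBAMAgent' -Force -ErrorAction SilentlyContinue

# Steps 3-4: the BIOS EXE sits next to this script; the log file is named after it.
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$biosExe   = Get-ChildItem -Path $scriptDir -Filter '*.exe' | Select-Object -First 1
if (-not $biosExe) { Write-Error 'No BIOS executable found next to the script.'; exit 1 }
if (-not (Test-Path $LogPath)) { [void](New-Item -Path $LogPath -ItemType Directory -Force) }
$logFile = Join-Path $LogPath ($biosExe.BaseName + '.log')

# Step 5: ProtectionStatus 0 = off or suspended, 1 = on. Do not flash while it is on.
if ($volume -and $volume.GetProtectionStatus().ProtectionStatus -ne 0) {
    Start-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    Write-Error 'BitLocker is still active; BIOS update skipped.'
    exit 1
}

# Step 6: silent flash. /s, /p= and /l= are the Dell updater switches assumed here.
$flash = Start-Process -FilePath $biosExe.FullName -Wait -PassThru `
    -ArgumentList '/s', "/p=$BiosPassword", "/l=`"$logFile`""

# Anything other than 0 (done) or 2 (reboot required) is treated as a failure:
# undo the suspend so the machine is not left unprotected, and report the code.
if (@(0, 2) -notcontains $flash.ExitCode) {
    if ($volume) { [void]$volume.EnableKeyProtectors() }
    Start-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    exit $flash.ExitCode
}

# Step 7: reboot now if nobody is at the console, otherwise warn at 5 and at 2 minutes.
# Win32_ComputerSystem.UserName only reflects the console session.
$consoleUser = (Get-WmiObject -Class Win32_ComputerSystem).UserName
if (-not $consoleUser) {
    shutdown.exe /r /f /t 0
} else {
    shutdown.exe /r /f /t 300 /c 'BIOS update installed. Restarting in 5 minutes; save your work.'
    Start-Sleep -Seconds 180
    shutdown.exe /a
    shutdown.exe /r /f /t 120 /c 'BIOS update installed. Restarting in 2 minutes.'
}
exit 0
```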

The Application

Deployment Types, One Per Model, this will make the download quick, as it only downloads the one for that model, and gives you the ability to do easy detection rules.


Programs: powershell -executionpolicy bypass -file "BiosUpdate.ps1" -Biospassword P@ssw0rd -LogPath C:\Cabs\InstallLogs
- Change your Bios Password & where you want to save the log files.

Detection is just a Registry Key:


Requirements: Model = the Model (see previous post for more details)


Return Code, Change 0 = Hard Reboot


My Source Folder Structure:

Actual Content for Deployment Type:
Contains the PowerShell File (Which you don’t need to change, works for every model & every version of the Bios)


There you have it, for your deployments

Download AppExport & Script HERE. If you choose to import the App, you’ll want to build your own Folder Structure and update the Content Tab for each deployment.

Leave a comment if you have a question, or hit me up on Twitter – @gwblok

Windows 10 Customizations–MMS2017 Demos

Hey everyone, MMS has come and gone for another year, and I will say, it was my favorite MMS yet.  This conference keeps getting better and better, but what’s not to like, right?  Mall of America, 4 days with amazingly smart people, who are just people. There are no pedestals here, everyone is approachable, and you can ask questions of people with deep knowledge of the System Center Suite, and Windows!  What MMS does, it brings huge talent from around the world in a friendly and open environment for learning and building relationships, to help equip you for your current job and open doors to conquer new challenges you thought were unsurmountable. The downside.. um.. it’s only 4 days.

So I had the privilege of presenting 3 topics, over 7 sessions, I’ll be going over the customizing Windows 10 in this post.

The Task Sequence Export is available for download on github. -

Please remember, work with your business to determine what you want to customize, and have good business reasons.  The more you customize, the more you’re on the hook for to keep consistent through in-place upgrades.  This list is NOT best practice, or even necessarily recommended, just showing what you can do.

Let’s take a look:  (Please also look at the slide deck for more info about each of these and how it all works)


  • Tweak – Uninstall Windows 10 Default Apps PS – Script written by Mark Godfrey to remove some apps (Slides 43 & 44)
  • SetOSDinfo PS  - Creates ITLocal WMI Namespace and populates it with handy info, taken from Jason Sandy’s Blog
  • Set Default Apps & Associations – Slides 12 – 15.  Note, this isn’t 100% in 10.  They seem to get reset frequently by Windows.  Recommend GPO if you need to force something.
  • IE Icons, just copying it once to Desktop and once to Accessories Folder, then I can PIN it to Taskbar and StartMenu in future steps.
  • Change “This PC” icon to Machine Name – This does exactly that.
  • PinItems on TaskBar.  This is a script that is adding Office to the TaskBar.
  • Disable Edge default Prompt – I thought there was a GPO for this in 1703, but I can’t find it, must have imagined that.  Here are two examples, the top one is the one in the export.
  • One Drive Disable – 3 “Run Command Line” Steps – Note, if you keep OneDrive, make sure you update it first. (Slide 28)
    • Remove Shell Folder  - REG ADD "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /V Attributes /T REG_DWORD /D 4035969101 /F
    • Remove App - %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
    • Disable (GPP Key – Windows Components\One Drive) - REG ADD "HKLM\Software\Policies\Microsoft\Windows\OneDrive" /V DisableFileSyncNGSC /T REG_DWORD /D 1 /F

Explorer Tweaks

  • Explorer Tweaks, these will change the look in the Shell Folder, make it look more like:

    • Remove Pictures Folder: (2 steps, one for x64 & x86)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
    • Remove Video Folder: (2 steps, one for x64 & x86)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
    • Remove Music Folder: (2 steps, one for x64 & x86)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
    • Set Explorer to launch “This PC” (Slide 30)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /V LaunchTo /T REG_DWORD /D 1 /F
    • MyComputer Desktop Icon (Adds “This PC” icon to desktop)
      • REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /V {20D04FE0-3AEA-1069-A2D8-08002B30309D} /T REG_DWORD /D 0 /F
    • Add Run as different user – Adds “run as different user” when you right click on an application in the start menu. – Slide 36
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /V ShowRunasDifferentuserinStart /T REG_DWORD /D 1 /F

OEMInformation section (slide 40-41)


  • Tweak - OEMInfo Logo (Copy your logo into place, has to be bitmap file) – Requires you specify your Package. I  keep the logo in a subfolder called UserLogo
    • cmd.exe /c copy UserLogo\logo.bmp C:\Windows\system32\logo.bmp /Y
  • Tweak - Set OEM Information 1 – Logo
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V Logo /T REG_SZ /D "C:\Windows\System32\logo.bmp" /F
  • Tweak - Set OEM Information 2 – Manufacturer
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V Manufacturer /T REG_SZ /D "Dell" /F
  • Tweak - Set OEM Information 3 - SupportHours
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V SupportHours /T REG_SZ /D "10AM - 2PM" /F
  • Tweak - Set OEM Information 4 – SupportPhone
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V SupportPhone /T REG_SZ /D "860-5309" /F
  • Tweak - Set OEM Information 5 – SupportURL
  • There is also a script that will do this and automatically set Model & Manufacturer of the computer.  Script is here:

Default User Profile Tweaks
Note, I’m not going to cover Pinning IE to the TaskBar, so I’m going to skip that step.

  • Tweak - Mount ntuser.dat as defuser FIRST STEP (Required to make changes)
    • reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
  • Tweak - Change CMD to PowerShell in WinX (Not required in 1703, it defaults to this now)
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /V DontUsePowerShellOnWinX /T REG_DWORD /D 0 /F
  • Tweak - Delete OneDriveSetup registry Key
    • reg.exe delete HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDriveSetup /f
  • Tweak - Set Cortana / Search Icon – Slide 38
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /V SearchboxTaskbarMode /T REG_DWORD /D 1 /F
  • Tweak - Disable LockScreen Tool Tips
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /V RotatingLockScreenOverlayEnabled /T REG_DWORD /D 00000000 /F
  • Tweak - Disable Windows Defender First Run (Slide 27)
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows Defender" /V UIFirstRun /T REG_DWORD /D 00000000 /F
  • Tweak - Unmount ntuser.dat as defuser LAST STEP
    • reg.exe unload HKEY_LOCAL_MACHINE\defuser

Corporate / Business Branding (Lock Screen / User Profile Pictures / Background / Start Menu)

  • Tweak - Default Corporate User Icons – PNGs (Slides 34-35)
    • xcopy UserLogo\* "%SystemDrive%\ProgramData\Microsoft\User Account Pictures" /Q /Y /I
  • Tweak - Default Corporate User Icons – regkey (or use GPO)
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /V UseDefaultTile /T REG_DWORD /D 1 /F
  • Tweak - Replace Default LockScreen Step 1 (Slide 31 - 33)
    takeown /f C:\Windows\Web\Screen\*.*
  • Tweak - Replace Default LockScreen Step 2
    icacls C:\Windows\Web\Screen\*.* /Grant System:(F)
  • Tweak - Replace Default LockScreen Step 3
    cmd.exe /c copy WallPapersLockScreens\DM_LockScreen.jpg C:\Windows\Web\Screen\img100.jpg /Y
  • Tweak - Replace Default LockScreen Step 4
    cmd.exe /c copy WallPapersLockScreens\DM_LockScreen.jpg C:\Windows\Web\Screen\img105.jpg /Y
  • Tweak - Delete Default Wallpaper 4k folder Step 1 (Slide 31 - 33)
    takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
  • Tweak - Delete Default Wallpaper 4k folder Step 2
    icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant System:(F)
  • Tweak - Delete Default Wallpaper 4k folder Step 3
    cmd.exe /c del /q C:\Windows\Web\4K\Wallpaper\Windows\*.*
  • Tweak - Default Corporate Wallpaper – img0 (Slide 31 - 33)
    cmd.exe /c copy WallPapersLockScreens\DM_Corp.jpg C:\Windows\Web\Wallpaper\Windows\img0.jpg /Y
  • Tweak - Add additional Corporate Wallpapers – img1 (1-5 are same, just using different files)
    cmd.exe /c copy WallPapersLockScreens\DM_Corp.jpg C:\Windows\Web\Wallpaper\Theme1\img1.jpg /Y
  • Tweak - Default Corporate Start Menu (Note, the previous two steps copy in fake programs that I have in the start menu, so when it mounts the start menu, those icons / programs are already “installed” – This is just for Demo) –
    powershell.exe Import-StartLayout -LayoutPath DMStartMenu\DM-Default.xml -MountPath C:\
    See Slides 17 – 23 for more details about the Start Menu

I hope this is helpful, each topic could have its own post (and most already do, either here on GaryTown, or

Dell BIOS update–WinPE–Model Independent–From Internet

Update 5/26 - Updated Script to use Dell's Enterprise Cab XML data, instead of the ever changing Support Site.  This now truly does work for all Dell Models that I know of. 🙂  Thanks Mark - POST HERE Mark gives some back story as to how we came up with this idea, and why we wanted to switch from our old method.

Updated Script:

The new Package contents:




The Task Sequence:

Just an FYI... you might notice that it's not updating the BIOS to the latest BIOS update for that model.  Example, yesterday several bios updates were released for several models to their WebSite. Those will not install using this method.  The Enterprise CAB data has extra layers of Change Management / Testing, so you can feel even better about applying the BIOS updates automatically. Once those extra layers have completed, then they become available.


Updated 3/24 – I received new Try & Buy units from Dell this morning, this process did not work due to inconsistencies with Dell’s website.  I’ve contacted Dell Support with detailed information about how they changed their website for the new models and how they categorized the Bios updates.  Hopefully this will be resolved soon.

Also, updated Download, removed the utility and replaced flash utility file with link. (To be in compliance with Dell’s Rules of not redistributing their files)

Until Then, I’ve updated scripts and added a script for the TPM update.

3 scripts now: (Odds are good the “NewModels” one will work on everything, just haven’t tested.)

  1. DellBiosDownloadUpdatePE – Original Script
  2. DellBiosDownloadUpdatePE_NewModels – Works on the new Latitude 5x5x Models (5480 / 5289, probably more)
  3. DellTPMDownloadUpdatePE – Downloads and installs the TPM 2.0 x64 Update for that model (if available)


Original Post:

Ok, so you’re thinking, Gary, you just posted about this, and you’d be right, I did, see.., but in the past week or so, I’ve come up with an idea, after looking at Maurice Daly’s download utilities, thinking, why can’t I just do something like that, and not have to have any content (beside the script and utility) to update the bios, and have it work on any dell model?  So that’s what I did, with the help of @modaly_IT & @geodesicz (my personal powershell guy), we came up with this solution.


Goal of Script:  Update Dell Bios on Any Model without having to maintain and update packages.

What it does:

  1. Gets Model info from WMI
  2. Downloads latest Bios directly from Dell
    1. No testing with Proxy server done, you can probably add this into the script, just don’t ask me how. (I don’t know, ask Maurice, he has it figured out in his cool GUI version)
    2. Mark (@Geodesicz) was able to make the changes to have this work in PE.
  3. Applies Bios to system during WinPE
  4. Create variables to do extra steps based on exit codes


Benefits:

  1. Never manually download a BIOS update and build a BIOS package again
  2. Always install the latest Dell BIOS on the system you’re imaging
  3. Works on all dell models, no tracking down a bios per model
  4. See Number 1


Drawbacks:

  1. Giving up control of the Bios Version you’re installing
    1. This doesn’t bother me personally, I haven’t ever had a BIOS update brick a machine, and if the BIOS is coming directly from Dell, it’s supported by them, and they will assist if anything did happen.
  2. Uses the Internet to pull content, while only 8-12MB per Computer, if you’re imaging large numbers, and you don’t plan ahead, this could be potential issue.
  3. Uses HTML scraping, so if Dell ever changes their website, we’d have to update the script.


The Script… while very similar to my last one, it has some key differences.

  1. The Bios Password is now parametrized, no longer requiring the text file to pull password (Thanks Mark)
  2. Has large download section in which it has the logic to get the right Bios file (from Maurice) & the Actual download step, (from Mark).
  3. Validating the Bios downloaded.

This script is quite simple still, feel free to add additional logic to it for error handling.
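One way to do the validation step before flashing, added here as an example and not taken from the author's script: accept the downloaded file only if its Authenticode signature is valid and the signer's subject names Dell. The function name, the `Dell` subject match, the sample path and the `SMSTS_BiosDownloadFailed` variable are hypothetical; it also assumes the boot image's PowerShell provides `Get-AuthenticodeSignature` and can build the certificate chain.

```powershell
# Added example, not the author's code. Returns $true only for a validly signed Dell file.
function Test-DellBiosFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        Write-Warning "Rejected: $Path does not exist (download failed)."
        return $false
    }

    # A truncated download, an HTML error page or a tampered file does not come back as Valid.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejected: signature status is $($sig.Status)."
        return $false
    }

    # Valid only proves that some trusted publisher signed it; also check who the signer is.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch '(^|,\s*)CN="?Dell\b') {
        Write-Warning "Rejected: signed by '$subject'."
        return $false
    }
    return $true
}

# Constructed usage inside a task sequence; path and variable name are hypothetical.
$biosFile = Join-Path $env:TEMP 'DellBiosDownload.exe'
if (-not (Test-DellBiosFile -Path $biosFile)) {
    # Remove the rejected file so that no later step can flash it.
    Remove-Item -Path $biosFile -Force -ErrorAction SilentlyContinue
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('SMSTS_BiosDownloadFailed') = 'True'
    exit 0
}
```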




in the TS:


Package Content:

As before, it will create logs in the SMSTSLog folder in %temp%.
The only difference now, I added a group that will only run if the Download Fails based on lines 86-90 of the script.

For more details on how to setup the rest, check out the old Post:

Maurice’s new GUI version:

Maurice’s older version, where I stole the code from:

Task Sequence Message / Pause with No Package

I’ve created messages and pauses a couple of ways, a “fancy” way with content, based on Niehaus’s blog, and a simple way just using notepad with no content, which is really handy during times you don’t want (or not able) to pull down content yet.  Nash (@kidmystic) would say to use PowerShell (example at bottom), as he has a nifty one line code that will do it for you. However, if you don’t have PowerShell in WinPE, and want to keep it super simple, just do it this way… with notepad.

In the Task Sequence, where you want to create a pause, or message, create two “Run Command line” Steps.

  1. Run Command Line Step 1 = “Create Pause - Step 1”
    1. cmd.exe /c echo "Pausing Task Sequence for Testing, Close this Box to continue the Task Sequence" >> Pause.txt
  2. Run Command Line Step 2 = “Run Pause - Step 2”
    1. cmd.exe /c notepad.exe Pause.txt

This will work even if the HDD is not formatted, as it does not require content.  To Confirm, I Diskpart –> Clean the HDD so nothing was on it, then ran these steps in WinPE.  Worked perfect.  This is great for if you want to pause / blow up your TS early if it fails any validations, like Bios Password Missing, or UEFI not enabled, etc.

When you close the Notepad Application, the TS will Resume.



powershell.exe -command (new-object -ComObject Microsoft.SMS.TsProgressUI).CloseProgressDialog() ; (new-object -ComObject wscript.shell).Popup('Message Box Text Content goes Here, you can make this as detailed as you want.',0,'Message Box Title in Upper Left',0x0 + 0x30) ; Exit 1

- Set your Exit code to what makes sense.  Exit 1 will “Fail” your TS and make it quit, which might be good in times that you want it to fail so something manually can be done. Exit 0 will be success and continue on.

Dell Bios Upgrade in OSD WinPE x64

Update 3/17 – Update a couple sections to fix Bug in Script with assistance from the Dell BIOS Dev team. Uploaded the TS Export of this section.

Download Here:  3/24 – Removed all of the Bios Files and Update Utility to comply with Dell’s EULA.

Task Sequence Export HERE – You can import this into your system and it will have all the steps. Then copy the steps into your working TS.  No Content is included in this export.  Create your own Package with the “Full Folder Structure Download” and link to that in your TS




Original Post:

Ok, So for a long time, You couldn’t upgrade Dell’s Bios in WinPE x64 because they didn’t have native x64 bios installer, this has recently changed. – Download HERE
Mike wrote up a nice intro to the new utility HERE

I do all of our bios updates using the “Application Model” after the OS is laid down, so it has the 32bit subsystem, it works fine. But I know many people like to do it during PE.  So I thought I’d play with it this morning and write up a script.

PreReqs for my script: Enabled PowerShell.  Here are the things we’ve enabled: (Win10 1607 Boot Media)

Benefits of doing it how I’ve setup.

  1. One Script works for all models, you just have to setup your folder structure to match the Computer Model in WMI.
  2. Grabs Bios Password from File, you only have to update one File if you change your Bios Password
  3. Creates TS Variables to avoid Rebooting if already on same bios version.
  4. Creates Log file based on the Bios Update in the %temp%\SMSTSLog Folder (X:\windows\temp\SMSTSLog\BiosFileName.log)
  5. New Bios version release? No Problem, delete the old one, add the new one, update Package, done, no script change required.
  6. It’s Fun

Package Folder Structure.  Make sure the subfolders exactly match the WMI Model Name
Get-WmiObject -Class Win32_computersystem | Select-Object -ExpandProperty Model


Once you’ve created your Folder Structure, populate it with the latest Bios files for each model. (Just download and place in the folder, no renaming required)
Also, create a txt file in the package root called Bios.txt and put your Dell Bios password in that file.

Now, the PowerShell script will query WMI for the Model, look for the bios file inside of the corresponding folder and apply it to the system using the Flash64w.exe utility. (It will pull the password from the bios.txt file in the root of your package)


Updated Script from 3/17 Shown HERE:

Based on the Exit Code of the Bios Update, it will create a TS Variable you can use to reboot, retry if low battery or continue on with your TS. – More info about Dell Exit Codes here… I noticed it didn’t have them all though:  I trigger events based on Exit Code 2 (Successful but requires Reboot) and Exit Code 10 (Battery too Low).  You can easily add additional Exit Codes and create custom variables to have your TS do other things based on those Exit codes.
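The flow described above as an added example (not the author's DellBiosUpgradePackage-2.0.ps1): find the model folder, read the password from Bios.txt, flash with Flash64W.exe, and turn exit codes 2 and 10 into the two task sequence variables named on this page. Flash64W.exe sitting in the package root and its `/b= /s /p= /l=` switches are assumptions.

```powershell
# Added example, not the author's DellBiosUpgradePackage-2.0.ps1. Runs inside a task sequence.
$pkgRoot = Split-Path -Parent $MyInvocation.MyCommand.Path
$tsenv   = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Clear both flags first so that a retry after the battery wait starts clean.
$tsenv.Value('SMSTS_BiosUpdateRebootRequired') = 'False'
$tsenv.Value('SMSTS_BiosUpdateBatteryCharge')  = 'False'

# The sub-folder name must match the WMI model string exactly.
$model    = (Get-WmiObject -Class Win32_ComputerSystem).Model.Trim()
$modelDir = Join-Path $pkgRoot $model
$biosExe  = Get-ChildItem -Path $modelDir -Filter '*.exe' -ErrorAction SilentlyContinue |
            Select-Object -First 1
if (-not $biosExe) {
    Write-Output "No BIOS file in the package for model '$model'; nothing to do."
    exit 0
}

# BIOS password: first line of Bios.txt in the package root.
$biosPassword = (Get-Content -Path (Join-Path $pkgRoot 'Bios.txt') | Select-Object -First 1).Trim()

# Log file named after the BIOS file, in %temp%\SMSTSLog.
$logDir = Join-Path $env:TEMP 'SMSTSLog'
if (-not (Test-Path $logDir)) { [void](New-Item -Path $logDir -ItemType Directory -Force) }
$logFile = Join-Path $logDir ($biosExe.BaseName + '.log')

# Model folders contain spaces ("Latitude E5550"), so the paths are quoted.
$flashArgs = @("/b=`"$($biosExe.FullName)`"", '/s', "/p=$biosPassword", "/l=`"$logFile`"")
$flash = Start-Process -FilePath (Join-Path $pkgRoot 'Flash64W.exe') `
    -ArgumentList $flashArgs -Wait -PassThru

switch ($flash.ExitCode) {
    2  { $tsenv.Value('SMSTS_BiosUpdateRebootRequired') = 'True' }   # flashed, reboot needed
    10 { $tsenv.Value('SMSTS_BiosUpdateBatteryCharge')  = 'True' }   # battery too low, retry later
}

# 0, 2 and 10 are handled by the task sequence groups; any other code fails this step.
if (@(0, 2, 10) -contains $flash.ExitCode) { exit 0 } else { exit $flash.ExitCode }
```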

Now in your TS:
Create Dell Upgrade Bios Group, and set to only run if a Dell Computer:
select * from Win32_ComputerSystem where Manufacturer like "%Dell%"
Create Run Command Line Step:
powershell.exe -NoProfile -ExecutionPolicy ByPass -file .\DellBiosUpgradePackage-2.0.ps1

Create another Group, This will run if the battery was too low to update the Bios.  It will wait 10 minutes and try again.  If the Battery is still too low after that Point, it will continue on without updating Bios. – You can easily put a step here that will popup a message box about how the Bios Didn’t update, etc.
SMSTS_BiosUpdateBatteryCharge = True
Command Line Step: powershell.exe -NoProfile -ExecutionPolicy ByPass -Command "Start-Sleep -s 600"

It will then wait 10 minutes and try again, if successful, it will set variable SMSTS_BiosUpdateRebootRequired = true and continue onto the next group to reboot.  If it fails due to battery again, it will set SMSTS_BiosUpdateBatteryCharge = True and show a Message that it probably has faulty battery.  At this Point, you can click “OK” and let it continue, or turn it off and replace battery.


Create another Group which will reboot the computer and any other steps needed to get back to where you were before the reboot. (TS Variable = SMSTS_BiosUpdateRebootRequired equals true)
I added a “Format” step, just to ensure there was a place for the Boot Image to download to, this might not be needed in your environment depending on placement of the Bios Upgrade.

Ok, that should be it.

Note, I was running into some issues with the Flash64W.exe utility from Dell, getting this error:

Once I added another line into the script to launch the software once with minimal arguments, it worked fine. I’ve contacted Dell Support to see if they have any ideas on that.

Update: 2/27/17 – Response from Dell:
Hello, Gary: I heard back from the BIOS engineering group. They said that they have not tested the utility using Powershell scripts. They do not support Powershell scripts. They only support use of the utility within a command prompt in Windows… It is also supported within WinPE (in a command prompt).

Update 2/28/17 – Call From Dell, they are escalating the issue to the BIOS engineering group and will be looking into the problem to see if they can resolve the issue when using it in PowerShell.

Update 3/17/17 – After working with the BIOS Dev team, was able to rework the script to resolve the error I was seeing.  Updated Script in Download and in this Blog Post.


If you run into any problems, let me know and I’ll test that model if I have it.
Tested on so Far:

  1. Laptops
    1. Latitude E5550
    2. Latitude E5470
    3. Latitude E6540
    4. Latitude E6530
    5. Latitude E6430
    6. Latitude E7250
    7. Latitude E7240
    8. Precision 7510
  2. Desktops
    1. OptiPlex 7010