Switch from BIOS to UEFI on Dell Systems during Windows 10 deployment with ConfigMgr


When deploying Windows 10 with ConfigMgr, you should really consider making the move to UEFI and Secure Boot. There are tons of articles and posts around the net explaining why you should, so I’ll not cover that here. In this post we’ll focus on how you can make the switch from BIOS to UEFI during the deployment of Windows 10 on Dell systems, all in a single task sequence.

NOTE! This process have been developed for Dell systems, and contains Dell specific tools that is used to accomplish the end goal, transition from BIOS to UEFI. The same approach could probably be applied to other vendors, however this post does only cover Dell systems.


Switching from BIOS to UEFI on Dell systems is required to take place before the format and partition of the system drive (during WinPE). Another thing to keep in mind, is that you need to restart the system after it has been configured for UEFI. Basically, to overcome the required restart there are two ways (or probably more that I’m not aware of) that you can approach this. One is to simply just restart the same task sequence once the UEFI configuration is applied, and to set proper conditions on the steps/groups used to configure the system for UEFI so that they won’t be executed again. Another approach would be to configure UEFI, then stage WinPE (boot image) and boot from that again. In this post, I’ve chosen the first method and will show you how it can be implemented.

I’m also not a fan of using the infamous ‘Continue on error’ option on task sequence steps. Therefor, I’ve written a script that leverages the Dell Command PowerShell Provider to validate if certain conditions are met, in order to process the task sequence steps/groups properly in this scenario. An example would be that you don’t want to re-run the step that sets the Admin Password, if it’s already set. When we’re on the subject, this post assumes that you’re configuring an Admin Password for your systems. If this is not a requirement in your environment, simply skip the steps outlined in this post regarding the Admin Password. However, I’d strongly recommend that you do that, since you don’t want your end users changing anything. I’ll let you know what can be skipped in this post, if you don’t want to set an Admin Password.

Let me give you a scenario for why you may want to perform this switch. In situations where you receive new systems from Dell, they may have been shipped with the following configuration:

  • Boot Configuration is set to Legacy mode (meaning BIOS)
  • Legacy Options ROM is enabled
  • Secure Boot is disabled

In this scenario, in order to switch to UEFI (and also leverage Secure Boot at the same time to protect the operating system) you’d need to enable the settings mentioned above and finally set the Boot Configuration to UEFI instead of Legacy. Basically, what we want to achieve is the following high level steps:

  • Boot from PXE or Boot Media in Legacy mode and detect that we need to switch to UEFI
  • Check if an Admin Password is configured and if not, set one
  • Configure the system for UEFI and if we’re booting from Boot Media, prompt and advice that we need to boot from the same Boot Media
  • Restart the system and re-run the same task sequence
  • Skip UEFI configuration and start formatting the system drive

That’s the high level steps that we want to accomplish, making the switch from BIOS (Legacy mode) to UEFI on our Dell systems. I should also mention, the screenshots in this post are taken from a MDT integrated task sequence in ConfigMgr, but you could also use a native task sequence. This solution will also take into account if you’re booting from PXE or Boot Media and take different actions. This process have been developed for Bare Metal deployment (NEWCOMPUTER for MDT).

Before we start, I just want to mention that 1E has a great solution that can help you switching from BIOS to UEFI and for both Dell, Lenovo and HP. So if you are looking for an automated zero-touch BIOS to UEFI (for the refresh scenario), app-mapping and peer based USMT, then definitely take a look at what 1E has to offer. More information can be found below:

Automate BIOS to UEFI for secure Windows 10

Let’s get started.

Prepare required packages

This whole process will consist of several packages in ConfigMgr that we’ll reference during different steps in our Task Sequence.

Dell Command Configure package

We need to create a package for Dell Command Configure (formerly known as CCTK). In Dell Command Configure, you can still leverage the cctk.exe file to configure individual settings in addition to apply a complete ini file with your configuration. The process of creating a Dell Command Configure package in ConfigMgr has already been very well described by Mike Terrill, so I’ll not copy his excellent work. Instead, follow Mike’s instructions from the following blog post:

How to create a Dell Command-Configure Package in ConfigMgr

In my environment, I’ve named my Dell Configure Command package as ‘Dell Command Configure’. I suggest that you do the same when following along in this post. Distribute the package to your Distribution Points.

This package will be used to configure the settings on the Dell systems so that we can make the actual configuration switch from BIOS to UEFI.

Dell Command PowerShell Provider package

With this package, we’ll perform the check whether to set an Admin Password or not depending on the presence, by using the Dell Command PowerShell Provider. If you want to know more about the module, you can read about it here.

NOTE: This step is not required if you don’t want to configure an Admin Password, however, it shows how you can leverage the Dell Command PowerShell Provider to validate certain conditions in your deployment process.

We need to grab the Dell Command PowerShell Provider from Dell’s support page. But first off, we need to create a content source folder for the package itself. In order to support the Dell Command PowerShell Provider module in WinPE, we need to add a couple of files into the mix. Make sure that you have a system with Visual C++ 2010 Redistributable (and 2012) available.

1. Create a folder called e.g. CommandPSProvider with a subfolder called Modules in your Content Library (where you keep source files for packages, applications etc for ConfigMgr).
2. Browse to support.dell.com and select a model and go to Drivers (e.g. the Latitude E7450 has the download for Dell Command PowerShell Provider). Expand the System Management section and locate Dell Command PowerShell Provider.
3. Download and extract the contents of the DellBIOSProvider folder from the downloaded .zip file into the Modules folder. If your Boot Image that you’ll use to deploy Windows 10 is 32-bit, extract the contents of DellBIOSProviderX86 instead.
4. Grab the ServiceUI.exe files for both x64 and x86 from the MDT installation location and copy them to the CommandPSProvider folder. The files can be found in the following location on a machine with MDT installed:

C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64

5. Either copy the files below from the Dell Command PowerShell Provider zip-file that you recently downloaded, or locate the them on a system with Visual C++ 2010 Redistributable (and 2012) installed (located in C:\Windows\System32) and copy them to the Modules folder:

  • msvcp110.dll
  • msvcr110.dll
  • vccorlib110.dll
  • msvcp100.dll
  • msvcr100.dll

6. Save the following PowerShell code as Get-DellBIOSAdminPassword.ps1 in the CommandPSProvider folder:

# Stage DellBIOSProvider module
try {
    $DellBIOSProviderModulePath = Join-Path -Path $env:WINDIR -ChildPath "System32\WindowsPowerShell\v1.0\Modules\DellBIOSProvider"
    if (-not(Test-Path -Path $DellBIOSProviderModulePath -PathType Container)) {
        New-Item -Path $DellBIOSProviderModulePath -ItemType Directory -Force | Out-Null
        Copy-Item -Path (Join-Path -Path $PSScriptRoot -ChildPath "Modules\*") -Destination $DellBIOSProviderModulePath -Recurse -ErrorAction Stop
catch [System.Exception] {
    Write-Output "Unable to stage required PowerShell module: DellBIOSProvider" ; exit 1

# Import DellBIOSProvider module
try {
    Import-Module -Name (Join-Path -Path $DellBIOSProviderModulePath -ChildPath "DellBIOSProvider.dll") -ErrorAction Stop
catch [System.Exception] {
    Write-Output "Unable to import required PowerShell module: DellBIOSProvider" ; exit 1

# Read Admin Password property from DellSMBIOS provider
$DellAdminPasswordPresence = (Get-Item -Path DellSMBIOS:\Security\IsAdminPasswordSet).CurrentValue
if ($DellAdminPasswordPresence -ne $null) {
    # Construct TSEnvironment object
    try {
        $TSEnvironment = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
    catch [System.Exception] {
        Write-Output "Unable to construct Microsoft.SMS.TSEnvironment object" ; exit 1

    # Set TSEnvironment variable for Admin Password existence
    $TSEnvironment.Value("DellAdminPasswordPresence") = "$($DellAdminPasswordPresence)"

7. Save the following PowerShell code as Invoke-DellBIOSUEFIPrompt.ps1 in the CommandPSProvider folder:

# Functions
function Show-MessageBox {
	return [System.Windows.Forms.MessageBox]::Show($Message, $WindowTitle, $Buttons, $Icon)

# Load assemblies
Add-Type -AssemblyName "System.Windows.Forms"

# Temporarily close the TSProgressUI dialog box
$TSProgressUI = New-Object -ComObject Microsoft.SMS.TSProgressUI

# Show message box
$Message = Show-MessageBox -Message "UEFI has been enabled and a restart is required.`nPlease select to boot from USB." -WindowTitle "UEFI Configuration" -Buttons OK -Icon Information

8. You should now have a folder structure that looks like the following:
9. Create a package in ConfigMgr and name it Dell Command PowerShell Provider 1.0 and use the ComandPSProvider folder in your Content Library as the data source for the package.

With the Dell Command PowerShell Provider 1.0 package created, remember to distribute the package to your Distribution Points.

Task Sequence configuration

With both the Dell Command Configure and Dell Command PowerShell Provider packages created, it’s time to configure the task sequence. In this post, I’m using a MDT integrated task sequence that I’ve created earlier. Like I said earlier, this process to switch from BIOS to UEFI should work just as well for any native ConfigMgr task sequence. What’s important is that what we’re going to configure shortly, will be put in the very beginning of your task sequence and before the formatting of the system drive.

In the tables below, there are certain parts marked with red. This is where you should enter the Admin Password that you would like to set on the system(s). If you don’t want to set an Admin Password, simply skip the steps and make sure that you don’t specify the ‘–valsetuppwd’ parameter when the ‘cctk.cmd’ script is referenced.

What we want to accomplish here are something like the following:


As you can see in the picture above, I’ve placed the steps required to switch from BIOS to UEFI right in the beginning of the task sequence. This is crucial, like I’ve already stated, and if you miss this you might end up with unexpected results.

Instead of going through and outlining all the steps in a detailed manner, I’ve converted the picture from my task sequence above into a series of tables that corresponds to each step that needs to be configured. Be aware that not all steps reference the Dell Command Configure package that we’ve created by following Mike’s post, so before you test this out, make sure that you’ve configured this properly.

NOTE! Since WordPress converts a double dash (- -, had to add a space character here) into a single dash, all steps below that reference the cctk.cmd file in the Command line should contain a double dash for each parameter passed along.

Dell Command Configuration
Type Group
Condition WMI Query:
SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like ‘%DELL%’
Install Dell HAPI Drivers
Type Run Command Line
Command line InstallHAPI.cmd
Package Dell Command Configure
Condition <none>
Detect Admin Password Presence
Type Run PowerShell Script
Script name Get-DellBIOSAdminPassword.ps1
Package Dell Command PowerShell Provider 1.0
Condition <none>
Admin Password
Type Group
Condition Task Sequence Variable:
DellAdminPasswordPresence equals False
Set Admin Password
Type Run Command Line
Command line cctk.cmd –setuppwd=<YOUR PASSWORD>
Package Dell Command Configure
Condition <none>
UEFI Configuration
Type Group
Condition Task Sequence Variable:
_SMSTSBootUEFI equals False
Enable UEFI
Type Run Command Line
Command line cctk.cmd bootorder –activebootlist=uefi –valsetuppwd=<YOUR PASSWORD>
Package Dell Command Configure
Condition <none>
Disable Legacy ROMs
Type Run Command Line
Command line cctk.cmd –legacyorom=disable –valsetuppwd=<YOUR PASSWORD>
Package Dell Command Configure
Condition <none>
Enable Secure Boot
Type Run Command Line
Command line cctk.cmd –secureboot=enable –valsetuppwd=<YOUR PASSWORD>
Package Dell Command Configure
Condition <none>
Enable UEFI Network Stack
Type Run Command Line
Command line cctk.cmd –uefinwstack=enable –valsetuppwd=<YOUR PASSWORD>
Package Dell Command Configure
Condition <none>
Force PXE Boot (PXE only)
Type Run Command Line
Command line cctk.cmd –forcepxeonnextboot=enable –valsetuppwd=<YOUR PASSWORD>
Package Dell Command Configure
Condition Task Sequence Variable:
_SMSTSMediaType equals PXE
Prompt Administrator (Boot Media only)
Type Run Command Line
Command line ServiceUIx64.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File Invoke-DellBIOSUEFIPrompt.ps1
Package Dell Command PowerShell Provider 1.0
Condition Task Sequence Variable:
_SMSTSMediaType equals BootMedia
Restart Computer
Type Run Command Line
Command line wpeutil.exe reboot
Package <none>
Condition <none>


When you’ve made the above configuration to your task sequence, you’re ready to give this a shot.

Clear Last PXE Advertisements

For those of you that are not deploying your task sequences as Available but as Required, you would need to handle the Clear Last PXE Advertisement for the system. Maik Koster has made a great webservice that we could leverage in this case with a PowerShell one-liner. I’ve not yet had time to verify this process, but what you could do is to add a Run Command Line step just below the Dell Command Configuration group with the following command line:

powershell.exe -Command "(New-WebServiceProxy -Uri 'http://cm01.contoso.com/MKWS/sccm.asmx?WSDL').ClearLastPXEAdvertisementForCollection('P010005D', 'P01')"

Amend the above command line to suite your environment, like changing the URI parameter including the CollectionID and SiteCode.


Remember, in this scenario you’re going to get different results depending on if you’re booting from PXE or Boot Media. Since we’re not changing any boot list order, when you’re using Boot Media you’ll get a prompt informing that UEFI has been enabled on the system, and you’re required to boot from the same Boot Media again in order to proceed with the deployment process. What really happens is that we start the same task sequence again from the beginning, but this time around when UEFI is already enabled and configured, the task sequence will detect this and not execute those steps again.

This might not be the most optimal solution in order to switch from BIOS to UEFI in a semi-automatic manner (automatic for PXE), but it works flawlessly. I’m sure that other methods will surface within the future. If you have any suggestions to improvements, please let me know. If you’re thinking about TPM and BitLocker, you could easily just copy the Get-DellBIOSAdminPassword.ps1 script, amend it to check for TPM Security and run that as well in addition to creating a group that includes the steps to enable the TPM chip (don’t forget the condition on the group). See the picture below for an example:


  1. seb

    not tested it yet but this is huge and I’ll definitively use it! thanks a lot!

  2. Enable Hapi

    looks great, any tips for clearing tpm ownership without PPI ? seems dell have not included this option in cctk which is killing our zero touch

  3. Josh


    But I am getting this error when trying the script:
    Unable to import required PowerShell module: DellBIOSProvider

    Pretty sure everything is setup correctly.
    attached are some screenshots of my folder structure.

    1. George

      I got this same error. I had to extract the Dell Provider zip and then copy the contents of the x64 folder to the modules folder. I didn’t copy the x86 files over. Redistributed the package and the script then works. (only if the model is supported doh!)

      Also make sure that the cctk commands to configure the UEFI settings are using “–” and not “-” like in the tables.

      Now if I can only get forcepxe to work on the latitiude 3340. It tries to pxe boot but sits on the screen before timing out. If you shut it off and turn it back on then it pxe boots with no issues.

      Good luck!

  4. NickolajNickolaj (Post author)

    I’ve updated the blog with a notice about the double dash issue, hopefully that’s clear enough. In addition I’ve made some clarifications to the part where you extract the Dell Command PowerShell Provider files.

    I hope this helps!


    1. Josh

      Thanks! Got it working after correctly extracting the folder into the proper place.


      Might be good to note to some older systems need to have the Bios upgraded to support Powershell provider.

  5. Korbinian

    the step “Force PXE Boot” ist not working. System reboots to currently installed OS. Any idea?

  6. Pingback: UEFI check in task sequence |

  7. Pingback: Dave’s SCCM Current Branch Packing List | Skatterbrainz Blog

  8. The 10th Doctor

    Hi Nickolaj,

    Great writeup – well done on figuring all this stuff out.

    I’m having issues during the admin password detection phase of the task sequence. If I disable this part then it works fine. smsts.log gives me an error of “Unable to import required PowerShell module: DellBIOSProvider” so I assume it’s unable to load the powershell module.

    I’ve followed your instructions to the T – folder structure looks the same. Using a 64-bit boot image and the 64-bit Dell Powershell addons retrieved from here (http://en.community.dell.com/techcenter/enterprise-client/w/wiki/6901.dell-command-powershell-provider) as it doesn’t seem like they provide it via model pages anymore.

    Any suggestions?

    1. Alby

      Hi Doctor,

      I have the same problem, with importing module. I’ve tried both arch. but with the same error.

      I’ve tried run command line with powershell.exe -execut…..etc. but it types Failed tu run the action: Detect Admin Password Presence cmd. Incorrect function. (Error: 00000001; Source: Windows)

      Any ideas, please?

      1. NickolajNickolaj (Post author)

        I’ve experiences issues when import the module on some models, but an update to the latest BIOS solved it. Have you tried that?


        1. Alby

          Hi NIckolaj,

          I have the latest BIOS, but it not works 🙁 I tried almost everything including manual module importing. Again error 0000001 with incorrect function.

          In fact PowerShell script running and staged properly, but import-module ends with exit code 1. Then it can’t be proceed with next step Read Admin Password property from DellSMBIOS provider.

          Anyone with the same experince?

          Thank you very much for any suggestion

  9. Mike

    Awesome job Nickolaj. This has been a huge help. Is there any way we can get this to work completely zero-touch? We have thousands of Win 7 PCs with BIOS that need to be re-imaged to Win 10 with UEFI and obviously zero-touch would make this happen a lot quicker.


  10. Evyatar

    Hi , This is a excellent guide 10x.
    I have one question , I didn’t use all the steps but i succeed to configure all the bios setting i need but after the computer restart he wont continue the task sequences , what step am i missing?

  11. Magnus

    Great guide!

    I have run into a problem during the Disable Legacy Rom TS part. Im gettting the error “The system tried to delete the JOIN of a drive that is not joined. (Error: 00000088). Any idea how to solve it?

  12. Jerry

    Do you need to enable Windows Powershell (WinPE-Pwershell) in your boot image to get this to work?

    My task sequence fails at “Detect Admin Password Presence” and “Prompt Administrator (Boot Media only)” with file not found errors. If I disable both these steps, the task sequence will complete without errors.

    1. NickolajNickolaj (Post author)

      Hi Jerry,

      Yes, that’d be required for running the PowerShell scripts. You could also omit those steps, and simply just put a Continue on error for the Set Admin Password step if you wish not to use the PowerShell scripts. However, if you require to clear the last PXE advertisement, you’ll need PowerShell support, unless you want to write your own VB script.



Leave a Comment

Your email address will not be published. Required fields are marked *