BIOS-to-UEFI group – this group will only run if the machine has booted from BIOS rather than UEFI

I’ve then added a message specific to a certain model of laptop that requires a BIOS downgrade, for reasons I’ll not go into. The selection criteria is a WMI query, and the message box is displayed underneath.

This is quite a useful way to abandon a task sequence, reboot and display a message to the user.

powershell.exe -command (new-object -ComObject Microsoft.SMS.TsProgressUI).CloseProgressDialog() ; (new-object -ComObject wscript.shell).Popup('Your message.',0,'Your message title',0x0 + 0x30) ; Exit 1

Next, if the task sequence wasn’t launched from PXE, reboot to WinPE

Prepare the disk

The next group runs only if it’s a Dell machine

The next step checks that it’s a 64-bit machine. As I haven’t yet come across any x86 machines in this environment, x86 machines will just display a message box saying they’re not supported. If required, the x64 group can be duplicated and modified for x86 machines. The WMI filters are as follows:

(64 Bit) select * from Win32_Processor where DeviceID="CPU0" and AddressWidth="64"

(32 Bit) select * from Win32_Processor where DeviceID="CPU0" and AddressWidth="32"

You will notice each of the following steps use a naming convention such as “x64 > Legacy > UEFI – Enable UEFI” to show the location of the given step.  This just makes troubleshooting the task sequence easier.

It’s necessary to use the Dell CCTK tool to change BIOS settings on these laptops.  Unfortunately there are a number of different CCTK tools, each of which is restricted to certain hardware types:

x86 – Standard

x86 – Legacy

x64 – Standard

x64 – Legacy

As all our machines are x64 we don’t need to worry about the x86 version.  But I’ve split my task sequence here into Legacy and Non-Legacy, based on the outcome of the CCTK test.  Thanks to the guys at whose steps and script I used as a basis for my script.

The script will create a TS Variable “IsLegacy” which will take a Boolean value from the script.  This will determine whether the legacy or non-legacy group runs in the next step.

In the next step a short script runs, utilising the IsLegacy variable to determine which version of the WinPE HAPI Driver to install (which is necessary to execute cctk.exe).

The next group will run if IsLegacy is set to “True” (if it’s false, the Non-Legacy group will run later, which is exactly the same, except it runs the cctk.exe at the root, not the one at legacycctk.exe)

The next step sets the BIOS password. This step is set to ‘Continue on error’ because it will return an error if the BIOS password is already set (in this environment, I know that if there is a password set it will be set to this value).

The next step disables the UEFI network stack which is necessary in order to allow the laptop to boot from HDD after the restart.  We will re-enable the network stack later.

The group runs only if we haven’t booted from UEFI.

Now we change the boot order

Disable legacy ROMs

Enable secure boot

Format as GPT (necessary for Windows 10)


The next group only runs if the TPM is NOT activated and enabled

Next I run a quick PowerShell script to identify if this is a VM and add it to a TS variable called “PSisVM” (all my VMs are Hyper-V so this would need amending to support VMware). This variable helps later on.
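One way to write the VM check described above, as an added example rather than the script from the original post. It goes beyond the post's Hyper-V-only case by also matching VMware guests; the function name Test-IsVirtualMachine is hypothetical, and the VMware manufacturer match is an assumption to confirm against your own guests.

```powershell
# Added example: populates the PSisVM task sequence variable.
# Test-IsVirtualMachine is a hypothetical helper name, not from the post.

function Test-IsVirtualMachine {
    param(
        [string]$Manufacturer,
        [string]$Model
    )

    # Hyper-V guests report "Microsoft Corporation" / "Virtual Machine".
    # Checking the model as well avoids flagging physical Microsoft
    # hardware (e.g. Surface devices) as virtual.
    if ($Manufacturer -eq 'Microsoft Corporation' -and $Model -eq 'Virtual Machine') {
        return $true
    }

    # Assumption beyond the original post: VMware guests report a
    # manufacturer string beginning with "VMware".
    if ($Manufacturer -like 'VMware*') {
        return $true
    }

    return $false
}

# Read the hardware identity from WMI (works in WinPE with PowerShell added).
$cs   = Get-WmiObject -Class Win32_ComputerSystem
$isVM = Test-IsVirtualMachine -Manufacturer $cs.Manufacturer -Model $cs.Model

try {
    # Microsoft.SMS.TSEnvironment is only registered inside a running
    # task sequence, so creation fails when testing the script by hand.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop

    # Task sequence variables are strings: store "True" or "False" so the
    # later step conditions can compare against those literal values.
    $tsenv.Value('PSisVM') = $isVM.ToString()
}
catch {
    Write-Warning "Not running in a task sequence; PSisVM would be '$isVM'."
}
```

Because the variable always ends up as the literal string "True" or "False", the later TPM and UEFI PXE step conditions can test PSisVM equals "False" without having to handle a missing variable.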

Next I run the Dell CCTK check again (we rebooted since the last time) and filter my legacy/non-legacy groups as before.

Next we enable UEFI PXE option (only if PSisVM is False… I’ve also filtered out a certain laptop model here).

Enable TPM (again – there is a WMI query filter where PSisVM = False)

Activate TPM (PSisVM = False)


Next we create our final partitions with following conditions

Pre-provision BitLocker

Next I use a script to name my computers as I want them named.  This script is documented here so I’m not going to repeat the detail.

Apply the OS image (the unattend.xml just contains regional settings – happy to share if anyone needs it).

Apply Windows settings

Apply Network settings

Finally install the ConfigMgr client

…and enable BitLocker with the following options

Filtered to ensure it isn’t a Windows To Go Device or a VM

Finally I install my packaged applications and carry out some post-installation tasks such as copying some install info using a PowerShell script as follows