In this guide, I am going to demonstrate how to use System Center Configuration Manager (SCCM) to deploy, update, and lockdown the BIOS on Dell systems using Dell Command | Configure.

Updating the BIOS on multiple laptops and desktops can be a tiresome task that may just seem easier to do without. However, securing the BIOS can prevent attackers from overwriting or tampering with the OS and ensures your data stays safe.

Please note that this guide only applies to Dell systems. I tested these steps on a Dell OptiPlex 780 SFF (Small Form Factor), Dell OptiPlex 790 SFF, and Dell OptiPlex 3040 MT (Mini-Tower). All systems were running Windows 7 Professional x64 and Windows 10 Pro x64. I cannot guarantee this guide will work with Windows Vista or Windows XP.

Before we get started, you are going to need the following tools installed on your workstation:

  • System Center Configuration Manager 2012 R2 Admin Console
  • Dell Command | Configure Toolkit (Download)

First, download the latest BIOS revisions for each of the models deployed throughout your organization from Dell's support website. Create a new folder in which you will place the downloaded revisions. For this guide, I will be saving all necessary files to the following location:


BIOS repository

BIOS repository

I have created separate folders for each model. If you download multiple revisions for one model, I suggest you come up with a naming convention so you don't have multiple separate directories to hold one revision. For this guide, I will be using the following naming convention:

O780-A15 | O = OptiPlex (Family), 780 = (Model), - A15 = (BIOS Revision)

Next, launch the Dell Command | Configure Toolkit Wizard. Although you can configure separate packages for each model in your organization, I recommend creating a multiplatform package that will work with all models. I have never had any issues creating a multiplatform package that works with different Dell models, even those manufactured as late as 2010. With that in mind, select the Create Multiplatform Package tab and configure the package options.

Dell Command | Configure Toolkit

Dell Command | Configure Toolkit

For this guide, I have configured the following options:

My configuration

My configuration

When you are satisfied with your configuration, export your package as a .CCTK (Client Configuration Toolkit) file using the EXPORT CONFIG button and save it to a location SCCM can access. For this guide, I will be saving my configuration to the following location:


Once you save your configuration, navigate to "C:\Program Files (x86)\Dell\Command Configure" and copy the contents of the folder "X86_64" to a location SCCM can access. You will be importing the directory to which you copy these files as a package in SCCM. For this guide, I will be copying these files to the following location:


Note your configuration file and the contents from the "X86_64" folder must be accessible through the same package in SCCM. This is because you need Dell's CCTK executable to apply your configuration.

CCTK folder structure

CCTK folder structure

Now we are ready to create the task sequence that will push the BIOS configuration. The toolkit will deploy this task sequence as a required advertisement and will also flash any BIOS updates needed using the revisions you downloaded earlier.

Open the Configuration Manager Admin Console and navigate to the Software Library applet. Expand the Application Management node and click on the Packages applet. Create a new package using the Dell CCTK folder you just created, but do not create a program or add any requirements.

Dell Command | Configure Toolkit package

Dell Command | Configure Toolkit package

When you are finished creating the package, distribute it to the necessary distribution points. Now we need to import the BIOS revisions downloaded earlier into SCCM. Create a package for each model you wish to deploy BIOS updates to, but do not create a program or add any requirements.

Dell OptiPlex 3040 BIOS revisions

Dell OptiPlex 3040 BIOS revisions

After creating your packages, you can distribute them to the necessary distribution points. When you add a new revision to the source folder, you will need to update your distribution points to push the revision out to clients.

All BIOS revision packages

All BIOS revision packages

Finally, we are going to create the task sequence that will push your BIOS configuration and any needed updates.

Expand the Operating Systems node and click on the Task Sequences applet. Create a new custom task sequence, and specify a name and boot image to use.

Create task sequence wizard

Create task sequence wizard

When you are done, click Close to exit the New Custom Task Sequence Wizard. Open your newly created task sequence and create a new group called "Apply BIOS Updates." Add a new step to Run Command Line and configure the step as shown below:

Install HAPI driver properties

Install HAPI driver properties

Install HAPI driver options

Install HAPI driver options

Note you do not need to specify the BIOS password to install the HAPI driver. The next step in the task sequence will clear the password before applying any updates or configurations. Add another step to Run Command Line and configure the step as shown below:

Clear BIOS password properties

Clear BIOS password properties

Clear BIOS password options

Clear BIOS password options

Note that this is the only step where we will tell the task sequence to continue on error, as new machines will not have a password set in the BIOS. Make sure the value you set for "‑valsetuppwd" is your current administrator password and that you've typed it correctly, otherwise your task sequence will fail. Add another step to Run Command Line and configure the step as shown below:

Flash BIOS OptiPlex 780 properties

Flash BIOS OptiPlex 780 properties

Take note of the following parameters:

  • O780-A15.exe – Name of the executable located in the package source folder.
  • /s – Switch to run the executable silently.
  • /r – Switch to force a system restart. If this switch is not present, the flash with fail and generate error code 2.
  • /l=C:\Temp\O780_A15.log – Switch to generate a log file from the executable.
Flash BIOS Dell OptiPlex 780 options

Flash BIOS Dell OptiPlex 780 options

Make sure to point the step to the package that contains the executable you wish to run. Repeat this process for every model to which you wish to deploy BIOS updates. If you add a new revision, you will need to update the executable name and WMI queries as needed. It seems that newer Dell models such as the OptiPlex 3040 do not use A01, A02, etc. as their BIOS revisions but just numbers instead (1, 1.4.2, etc.). Pay close attention when entering your WMI query for the "SMBIOSBIOSVersion" property. When you are done, add a new group called "Apply BIOS Configuration" and add another step to Run Command Line. Configure the step as shown below:

Lockdown BIOS all systems properties

Lockdown BIOS all systems properties

Lockdown BIOS all systems options

Lockdown BIOS all systems options

Unlike the previous steps in the task sequence, this step will run if any of the conditions are true. In this case, if any models match the model on which this task sequence is running, the step will apply the BIOS configuration. You will need to add a WMI query for each model in your organization. Finally, add one more step to Run Command Line and configure the step as shown below:

Set BIOS password properties

Set BIOS password properties

Set BIOS password options

Set BIOS password options

Close the task sequence when you've finished configuring the last step. Finally, we are going to deploy the task sequence to a device collection. Right-click on the task sequence and click Deploy. Choose a collection to deploy the task sequence to and click Next. Choose Required as the purpose and make the advertisement available only to Configuration Manager clients. When specifying the deployment schedule, keep in mind the task sequence will force a reboot on the machine. For this reason, I have chosen to deploy the task sequence at 11:00 PM.

Run at 11:00 PM

Run at 11:00 PM

Since we do not need to modify any other settings past this point, keep clicking Next until you finish the Deploy Software Wizard. Depending on the time at which you specified your deployment to become available, you will be able to see the task sequence start to run.

Install HAPI driver action

Install HAPI driver action

Flash BIOS Dell OptiPlex 780 action

Flash BIOS Dell OptiPlex 780 action

Lockdown BIOS all systems

Lockdown BIOS all systems

To confirm the task sequence successfully applied your BIOS configuration, check the directory you specified for the CCTK log file to see the changes that took place. If an option is not applicable to a certain model, the CCTK executable will flag it accordingly.

Subscribe to 4sysops newsletter!

CCTK log

CCTK log

  1. seb 6 years ago

    Hi, why don’t you just specify the bios password during the update bios with the /p  instead of clearing / re specifying it?

    also those password will appear in clear text in the logs files, which I find annoying, I’ve ended up creating a SCE.exe from the dell command| configure with just the new bios password parameter, that will hide it.

    • If you run the task sequence on a new computer that has an outdated BIOS revision and does not have a BIOS password set, and you specify the /p switch for the BIOS update the update will fail because an incorrect password was specified. If you choose the option to continue on error, the BIOS will not update which defeats the purpose of the step.

      As for the password being stored in clear text in log files, this is not true. Dell was smart enough to configure their utility to omit the specified password when writing log files (see the CCTK log file image). Even though the password will be stored in clear text in the task sequence step, only users with access to SCCM will be able to see the password.

      • Steve 4 years ago

        Just a note about that. If you provide a password on a BIOS update for a system without a password, the update just ignores the password. That way, you can provide the password to a system with or without a password and the update will succeed. The only time this will fail is if you provide the wrong password or no password to a system with a password.

  2. seb 6 years ago

    make sense:) thanks for your reply.

    the smsts.log will display the password in clear text (sorry I was not clear) and yes user need to access the sccm log location and I think by default they can’t but, having the bios password hidden in a sce.exe is, I think, worth mentioning 🙂 (I guess I just don’t like passwords in clear text)

  3. Joe 6 years ago

    Some updates have prerequisites (eg. to install A17 you must first install A12). Do you/How do you handle those cases?

    • Hi Joe– That was actually one of my concerns when I tested the deployment process for this article. The oldest model I tested this on was a Dell OptiPlex 780 which was released in 2009. I managed to upgrade from A02 to A16 without having to do a step-ladder upgrade process. This may be an issue with models previous to 2009, and if that is the case than those workstations will most likely be upgraded if they haven’t been already– thus eliminating the problem.

      I cannot say if this problem affects laptops or not, but if that is the case then I would create a model-specific device collection for all the workstations with an outdated BIOS revision. I would then deploy a custom task sequence that goes through and updates the BIOS one revision after the other until the workstation has the most current revision. This can be accomplished by having each task sequence step run depending on the result of a WMI query to detect the BIOS revision. If you can think of a cleaner / more efficient way to accomplish this I encourage you to comment it below!

      • Kory 6 years ago


        I’ve followed your guide, and it works pretty well, however, I am hitting one minor issue.  I’m able to clear the bios password (if it is there, if not it skips as it should) however, the next step is to flash the bios, once that happens, the computer reboots, the bios is flashed successfully, however the task sequence doesn’t actually finish because the bios update is prompting a reboot before it gets to the last step in the task sequence, which is to set the BIOS password back.  Basically, SCCM thinks the task sequence has “failed” so I go back into the catalog and just rerun it a second time, this time since the bios has already been flashed, it doesn’t actually flash the BIOS, and it goes all the way through and sets the password.

        Is there a way around this?  I initially thought that the task sequence would resume after the BIOS flash, but that has not been the case, at least not for me.

        I just wanted to see if anyone else has reported this issue, or if there is a way to solve it without having to run the task sequence twice.

        Thank you!!


  4. What does the log file say? And what mode reiviosion BIOS are you using? The restart must not be registering the SCCM client therefore the task sequence is not resuming. Have you checked the agent logs, too?

    • Kory 6 years ago


      Not sure what may have changed overnight, but moments after posting my problem to this forum this morning, things seem to be working fine.  The task sequence does not re-launch after the BIOS update, but it does process the “Set Bios Password” command, and it is working properly.  I will note that I had to add a success code of 6 to each of my Flash BIOS  run command line steps in order for it to succeed, I am running SCCM 1702, installed on a Windows Server 2016 box, supporting a Windows 10 Enterprise Environment, where Bitlocker is enabled.  Thank you for your reply!

      • You’re welcome– I am glad it is working for you! I looked up error code 6 and it seems that the error code translates to something about not being able to return the number of requested data bytes. I’m not actually sure what that means, so for stability and the sake of knowledge, I would suggest you investigate the error code further.

  5. Alan 6 years ago


    Similar to Alex I have followed the blog and clears BIOS password, Flashes the BIOS for an Optx 7020 reboots but does not continue the TS after reboot and get a failed status. When I rerun the TS manually it will complete the TS & reset the BIOS password.
    I have it set to run as domain admin in TS

    TS Is- Install HAPIx64 Driver – Clear BIOS Pwd – Flash BIOS (/r restarts device)
    The following does not run after reboot unless I manually run the TS again
    Lockdown BIOS All Systems – Set BIOS Pwd-Restart

    Any ideas

  6. Alan 6 years ago

    from smsts.log

    Failed to locate the local data path. The files needed to resume the task sequence are missing.  This could be because the task sequence finished while in Windows PE.  Please check the largest available partition for SMSTSLog\smsts.log file for more information.
    The system cannot find the file specified. (Error: 80070002; Source: Windows)

    Cant find anything online

    • Hi Alan — By running as a domain admin, do you mean that the task sequence step runs as a domain administrator or that you log in as a domain administrator and run the task sequence?

  7. Elad Cohen (Rank 1) 6 years ago


    my Purpose is to apply Password for all dell computers and disable any boot options Except hdd.

    Windows 10 ENT 1607
    Dell OptiPlex 9020

    I’ve followed your guide, and it not working for me,  i need help SAP !!

    i will upload the smsts.log and photos of the TS and program i created.

    the only thing that is not slimier to the post is the folder “~Configs”

    i didn’t see it at all, so i created empty one .

    sorry for the poor language.

    i will very appreciate all the help i can get !

    all the files uploaded to my google drive

    Thnks Elad.

    • Hi Elad — First of all you are going to want to move the files excluding OptiPlex9020-A19.exe from Dell\OptiPlex 9020\BIOS to App$\Dell CCTK\~Configs. Update/Redistribute the package in SCCM. For the step Lockdown BIOS – All Systems, change the file “FamilyWKS_BIOS_Config.cctk” to “multiplatform_201705251920.cctk. It should now run without any problems (hopefully). You never know with SCCM!

      • David (Rank 1) 5 years ago

        Alex, I am running into an issue. I final task set just like yours for the cctk file. but when the task runs, it errors out and log says it cannot find the file ~Configs\multiplatform_WOL.cctk but in the CCTK folder, we have the cctk files in the folder ~Configs.

        This is our command line: cctk.exe -i “~Configs\multiplatform_WOL.cctk” -l=C:\Dell\CCTK.log

  8. Elad Cohen (Rank 1) 6 years ago

    Hi Alex

    First i want to say thank you very much !!

    so i did exactly what you told my to to and the TS is steel field .

    im uploading you photos of all the changes .

    Thank you very much for your help!


  9. From what I gathered from the screen grabs you provided, it seems the TS is failing not on the actual BIOS lockdown phase of the task sequence, but the Flash BIOS step. Make sure that the package referenced in that step points to the Dell OptiPlex-9020-All Revisions package. The 80070002 error means that ConfigMgr can’t find one or more of the referenced files. Also, ensure that the folder C:\Temp exists on the HD of the machine you are running the task sequence on, so the application actually has a folder to write to.

  10. Curtis 6 years ago

    Great work on this!  I did need to make some tweaks though..

    I also was having issues with the task sequence resuming after the BIOS update restart.  I believe this was due to the PC not being able to save the TS state fast enough before the machine restarted (I have pretty new Dell’s here with SSD drives).  Once it restarted there were errors in the logs re: not being able to find content.

    My solution was to remove the /r (force restart) on the BIOS steps and add a TS “restart computer” step at the end of all the BIOS steps.

    You will need to add success code “2” to all the BIOS steps as well.

    I also added the Task Sequence variable condition “_SMSTSLastActionRetCode” equals “2” to the restart computer step so that the PC would only restart if one of the BIOS steps actually ran.

    Last note is to also make sure your PC’s have a C:\temp folder (or just pick a different folder, i used C:\Windows\CCM\Logs\” as I have a few which didn’t for some reason which will error out when CCTK tries to write a log file.

    Hope that helps some people

    • Hi Curtis– thanks for the tips!

    • Tariq 5 years ago

      Hi Curtis

      Where do you put this info do you have a screen shot

      You will need to add success code “2” to all the BIOS steps as well.

      Thank you


  11. Michael S 6 years ago


    Did you mean to say you were adding the TS Restart step after the last “Flash BIOS….” step, or after the ‘Set BIOS Password’ step? I just wanted clarification. Thanks.

    • Curtis Kutzan 6 years ago

      Add the ts restart after the last flash bios step.

  12. Anthony 6 years ago

    Has anyone figured out how to query the new BIOS update versions from Dell?

    i.e. with the comparison test above 1.17.5 is actually a lower version than 1.5.3

    I’ve tried to look at other unique increasing fields that could be used, but cannot find any.

    The major version/minor version fields can’t be used, as they are sometimes the same (e.g. 1.16.4 and 1.17.5 are both major 3 minor 0)

  13. Hi Anthony– could you tell me which model this would be applicable to? I might have it in my inventory and could test some queries to try and get the task sequence to correctly distribute BIOS updates.

    • Anthony 6 years ago

      Thanks Alex.

      The one causing us problems at the moment is the Latitude E7470. It’s current BIOS is 1.5.3, and the latest one is 1.17.5

      When running the query, (1.5.3 < 1.17.5) == FALSE, when it should be TRUE

      I’m hoping that it is just something stupid I’m doing

  14. Jim R 6 years ago

    From a mathematical perspective, 1.5.3 is less than 1.17.5. This is an issue that been around for a long time.

  15. Jim R 6 years ago

    bah ! that should say 1.5.3 is GREATER THAN 1.17.5 hence the failure.

  16. Anthony 6 years ago

    Hi Jim,

    Yes, I do realise the reason the check is failing.

    What I am looking for a is a way to get SCCM to compare the “numbers” correctly.

    I can change the check to do a greater than check instead of a less than check, but then it will not work for 1.16.5

    I was just hoping that someone may have figured out a method of doing these checks vs the new Dell revision numbers.

    I’m getting increasingly more frustrated, as Dell tell me I need to talk to Microsoft for a solution, while Microsoft tell me I need to talk to Dell.

    • Johann 5 years ago

      Can’t you just use a “not equal” operator? So if the query is not equal to the version you are currently installing it will install? Mind you this will only work if you’re pushing the latest available BIOS version, if you’re trying to push BIOS versions lower than the latest available this query will not work.

  17. Trond 6 years ago

    Just compare the systembiosminorversion and systembiosmajorversion variables instead. SMBIOSBIOSVersion is a string so it doesn’t process numbers correctly (it compares left to right, meaning if 1.4.6 gets compared to 1.17.3, it will split 17 into 1 and 7, so when comparing it will compare 1 with 1, then 4 with 1 and so on. Basically it does single digit comparrisons).

  18. Oliver 6 years ago

    Hi, can I also use a custom export and use the BIOS Flash update instead of win package service?



  19. Andrew 5 years ago

    Great stuff, thanks. One thing that would be an added bonus is if you had the text which you enter in each Task Sequence step typed out so that it could be copied and pasted.

  20. Shane 5 years ago

    Hello all,

    Thank you for this post.  I would like to use this process to update firmware in my enterprise.  We have 800+ PCs.  How could you guarantee that PC’s don’t restart during the firmware update?  Wouldn’t a premature restart brick a PC?  If a user takes their laptop home or if it loses power, they could be screwed, correct?

    How do other organizations handle this?



  21. Steve 5 years ago


    I found this procedure very useful!

    Could you also indicate how to suspend and resume the Bitlocker ?

    I read somewhere that it’s only a question of adding a task (or two) but I would like to know which package to use.


  22. Anthony 5 years ago

    Sorry for delay in replying.

    It has been several months, and still no proper resolution to this.

    I’ve worked with both MS and Dell, and they both say the other needs to help.

    The only solution that will work is to create a lengthy script file and deploy that, rather than to use a Task Sequence.

    As I am not a programmer or scripter, I was unable to write anything that would work.

    We are still using Task Sequences, and are using the <> (not equals) operator. This will work, unless a newer revision is installed (which we have run into a few times when we purchase new computers with updated BIOS revisions.)

    As mentioned previously, the BiosMinor and BiosMajor versions cannot be used, as they are sometimes identical for different BIOS versions (e.g. 1.16.4 and 1.17.5 are both major 3 minor 0)

    So, the only two options I can see are:

    Use the <> comparison, and make sure you keep it up to date with latest BIOS versions
    Create a script to do the comparison and installation and deploy it via Package instead.

  23. Dario 5 years ago

    Hi guys,

    I am actually trying to updated the BIOS on a E7450 machine. I downloaded the latest BIOS version which is A17 and did follow all the steps proposed in this forum.
    I keep getting error 0x800700d8 and have not been able to figure this out. I tried to install a different BIOS such as A06 and A12 but I get the same error.

    Any ideas?

    Thank you!

  24. Dario (Rank 1) 5 years ago


    I have been trying to deploy Win10 on E7450 machines. In order to achieve this, I have created a sequence which involves updating the BIOS to A17.

    However, it errors when completing the task: 0X800700D8

    “0x800700D8 = This version of %1 is not compatible with the version of Windows you’re running. Check your computer’s system information and then contact the software publisher.”

    After reading and following the steps proposed in this blog, I also have attempted to install a different BIOS version to see if that is a prerequisite of the latest BIOS version – I have tried to install A06 and A12 without any luck – same error.

    Any ideas?


  25. Anthony 5 years ago

    Hi Dario,

    Is that a SCCM error or a BIOS error?

    I google’d for the error code, and it could be this:

    0x800700D8 = “This version of %1 is not compatible with the version of Windows you’re running. Check your computer’s system information and then contact the software publisher.”

    I would try running the BIOS manually, and see if you get the same error.

    • Dario (Rank 1) 5 years ago

      Hi Anthony,

      This is a SCCM error. I am able to update the BIOS manually but it errors when doing it through SCCM. I could send the screenshot of my task sequences if you like but they are pretty similar to the ones proposed here.


Leave a reply

Please enclose code in pre tags

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account