How can I enable the diagnostic prompt for Windows 10 upgrades in Windows 10 v1703 and later

[anyweb]

Introduction

On Windows 10 version 1607 and earlier during Windows 10 upgrades from one version to another, after the computer reboots to upgrade the operating system you'll see a screen similar to the below

At this point you could press Shift and F10 to bring up a command prompt, which is extremely useful if you need to check a log file, verify driver installation or to do troubleshooting. The screenshot below is from Windows 10 version 1607 which was being upgraded from Windows 10 version 1511.

Security changes everything

However there's a downside to this, having the ability to open a command prompt in the wrong hands could mean elevation of privileges or data theft.

We all know that security is a big focus with Microsoft and as a direct result of the concerns above, the diagnostic prompt ability was disabled by default in Windows 10 version 1703 and later. That's all well and good for Joe public, but what about the  SCCM admin who is trying to debug a task sequence ? Fear not, help is at hand.

To re-enable the Diagnostic command prompt (Shift F10 during Windows setup in an upgrade scenario) you need to modify your task sequence to set a variable, and that variable is called OSDSetupAdditionalUpgradeOptions which is described here. This variable allows us to pass command line options to Windows setup during the upgrade and that's how we'll re-enable the diagnostic command prompt, however we don't want it available to everyone, except those 'in the know', aka the SCCM admins who need more info while troubleshooting.

Step 1. Set a task sequence variable

To make this work you need to add a Set Task Sequence Variable step before the Upgrade Operating system step in the Upgrade Task Sequence, like so.

Task Sequence Variable: OSDSetupAdditionalUpgradeOptions

Value: /DiagnosticPrompt enable

Step 2. Add Options to limit exposure (optional)

To limit the exposure of this diagnostic command prompt to only you (or your admins), you can add an option on the step to check for a file, reg key, variable or something that works for you, in this example, you'll look for the presence of a file on C:\ called windowsnoob.txt.

Note: As stated, you can use whatever method you wish to limit exposure, Mike Terril has a nice blogpost on using collection variables to achieve something similar here.

Step 3. Test it !

That's it, apply the changes and optionally create a file called windowsnoob.txt on C:\ on a computer you intend to test this on.

Here's the file, created by the SCCM admin who plans on troubleshooting an Upgrade.

Starting the upgrade...

Before the reboot you can see the check for the file presence step is here, and as the file was present, the set task sequence variable step will run

and here you can see the option has been appended to the Setup.exe command line by opening C:\Windows\CCM\Logs\SMSTSLOG\smsts.log in CMTrace

After rebooting into the Windows Setup portion, try pressing Shift and F10 together, if everything went ok you'll see this.

So that's it, now you know how to re-enable the Diagnostic command prompt during Windows 10 1703 or later upgrades and to do it in a reasonably limited way.

Related reading

• https://docs.microsoft.com/en-us/sccm/osd/understand/task-sequence-action-variables
• https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options

[CamRodMC]

Hi Anyweb.

First of all, thanks for all your guides and help.  You've gotten me out of many issues.

Second, signing up to post on this site was quite a pain.  I've logged into bank accounts easier than this.

Back to the topic at hand.  Do you know if there is some sort of fix like this for a brand new image, not an OS upgrade?  We have an autopilot task sequence that for part of our process, we would use Shift F10 after the image has completed and is at the OOBE screen in order to change the computer name before initial login.  If we login before we change the computer name, it will never get the proper policy from Endpoint (InTune).  Now that we can no longer use Shift F10, the computer never gets the proper policy and we are stuck.

I looked to see if I could find any other Task Sequence variables such as OSDSetupAdditionalOptions and I also tested with OSDSetupAdditionalUpgradeOptions but it does not work.

I'm currently testing a PowerShell script towards the end of the task sequence to change the name but if you have any suggestions or methods to enable Shift F10 or cmd prompt at OOBE screen, please let me know.

[anyweb]

hi, what was difficult about signing up to this site, please explain (in detail) so we can look into it,

secondly, I assume you are talking about Autopilot for existing devices for your task sequence ? what version of Windows 10 are you testing with ?

[CamRodMC]

Hi.  Well it wasn't all on your end, but the Google authenticator requirement kind of threw me off.  I didn't have the app and had to install it in order to post.  There were issues with getting the app installed... just seemed like overkill as I have no sensitive data on this site.

I kind of inherited this task sequence and process so I'll try to explain to the best of my ability. 

First let me describe what we are using these computers for, maybe you or someone else has a better suggestion of what to do, even if it is a completely different process.  Basically we have these computers setup for end users to access the internet during their breaks or off time.  They only need to access the internet and print.

The task sequence we have in a co-managed environment is for Autopilot so at the end of the task sequence we run these two steps to sysprep/set the PC in OOBE mode.  "Prepare Configuration Manager Client" and "Prepare Windows for Capture" are the last two steps.

The in house documentation we have states that when the task sequence is finished, we should end up at the OOBE screen, but instead of selecting a country and clicking next, the documentation states to use the Shift + F10 key to open CMD.  From CMD we are supposed to type explorer and hit enter which will open Windows Explorer, from which we can right click on This PC, go to properties and change the computer name, then reboot and login.  The reason for this step is we have a policy deployed to a group in Intune (Endpoint).  The group is based off of computer name, so if we don't rename the computer at this point and just login, it will not get the policy from Intune (Endpoint) due to the computer name being generic, something like DESKTOP-MININT.

I've tested with W10 20H2, W10 1909, W11 21H2 and also W10 1607 (I tried 1607 since that is the last version of Windows 10 that Shift + F10 should work according to my searches).  I'm not able to Shift + F10 on any of these versions.

I tried your fix from this thread, using the task sequence variable OSDSetupAdditionalUpgradeOptions.  I put this step after "Apply Network Settings" and "Setup Windows and Configuration Manager".  It did not work.

I also tried putting this PowerShell script at the end of the task sequence to prompt for a computer name change but this did not work either.

$Input = Read-Host “Type the computer name for this computer.”
Rename-Computer -NewName $Input -PassThru -Force

Also, to answer your question, these are not existing devices on our domain or tenant.  It is a brand new computer with a new image from this task sequence.

Hopefully that all makes sense.  Thank you for your time.

Edited November 30, 2021 by CamRodMC
Add data.