Dell Bios Updates - ConfigMgr App Model - Post OSD

I’m pretty good about keeping our Dell machines at the current BIOS level; usually a couple of models get updates every month… then there was that Intel AMT vulnerability, and they released updates for nearly all of our models, so that was fun.  I tweeted about my exploits and had requests to share how I’m doing it… so here it is…

App Model & PowerShell

I blogged a 3-part post back in Dec 2015; I’m not going to redo everything, but I’ll send you there if you still need to build your collections:

https://garytown.com/updating-dell-bios-with-configmgrpost-1creating-model-based-collections

Another prerequisite is having a global condition for “Model”, which I cover here: https://garytown.com/updating-dell-bios-with-configmgrpost-3the-application-deployment

Once you have that out of the way, it’s just building your App.

It’s really simple: we have a PowerShell script that will:

  1. Suspend BitLocker (works for Win 7-10)
  2. Stop the MBAM service (so MBAM doesn’t start BitLocker again before rebooting)
  3. Grab the Dell BIOS info from the BIOS EXE file in the same directory
  4. Create the log file name based on that EXE
  5. Confirm BitLocker is suspended
  6. Update the BIOS, creating the log file
  7. Reboot the machine
    1. Reboots right away if no one is logged on
    2. Gives 5-minute and 2-minute warnings if someone is logged on

The nice thing about this method is that it’s one script that never changes. You just add it to your Model folder. Every time a new BIOS comes out, replace the BIOS EXE in the source, update the Application Detection Method, and update the content for that deployment.  All set!
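As an added example (not the post's BiosUpdate.ps1, which is only shown as a screenshot), here is a PowerShell script that walks the seven steps above and takes the same two parameters. It assumes the Dell BIOS EXE accepts /s, /p=<password> and /l=<logfile>, that the MBAM client service is named MBAMAgent, and that the only EXE beside the script is that model's BIOS update.

```powershell
# Added example, not the post's BiosUpdate.ps1. Assumptions: the Dell BIOS EXE accepts
# /s (silent), /p=<password> and /l=<logfile>; the MBAM client service is MBAMAgent;
# the only *.exe beside the script is the BIOS update for this model.
# Note: like the post's program line, the password is visible to anyone who can read
# the process command line or the ConfigMgr client logs on the machine.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$BiosPassword,
    [Parameter(Mandatory = $true)][string]$LogPath
)

function Get-ProtectionStatus {
    # Win32_EncryptableVolume exists on Windows 7 through 10: 0 = off, 1 = on, 2 = unknown
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
    if ($null -eq $vol) { return 0 }   # no BitLocker volume, nothing to suspend
    return $vol.GetProtectionStatus().ProtectionStatus
}

# 1. Suspend BitLocker (manage-bde works on Win 7-10; Suspend-BitLocker does not exist on Win 7)
if ((Get-ProtectionStatus) -eq 1) { & manage-bde.exe -protectors -disable C: | Out-Null }

# 2. Stop MBAM so it cannot re-enable protection before the reboot
$mbam = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
if ($mbam -and $mbam.Status -eq 'Running') { Stop-Service -Name 'MBAMAgent' -Force }

# 3. Grab the BIOS EXE shipped next to the script (one per model folder)
$biosExe = Get-ChildItem -Path $PSScriptRoot -Filter '*.exe' | Select-Object -First 1
if (-not $biosExe) { Write-Error "No BIOS EXE found in $PSScriptRoot"; exit 1 }

# 4. Log file named after that EXE, e.g. C:\Cabs\InstallLogs\E6540A19.log
New-Item -Path $LogPath -ItemType Directory -Force | Out-Null
$logFile = Join-Path $LogPath ($biosExe.BaseName + '.log')

# 5. Refuse to flash while C: is still protected: changing firmware with TPM-bound
#    BitLocker active sends the user to the recovery key prompt on the next boot
if ((Get-ProtectionStatus) -eq 1) { Write-Error 'BitLocker still protecting C:, aborting'; exit 1 }

# 6. Flash silently (quote the /l= value if your log path contains spaces)
$proc = Start-Process -FilePath $biosExe.FullName `
    -ArgumentList "/s /p=$BiosPassword /l=$logFile" -Wait -PassThru
Write-Output "BIOS update exit code: $($proc.ExitCode)"   # Dell: 0 = success, 2 = reboot required

# 7. Reboot: right away when nobody is logged on, otherwise 5 and 2 minute warnings
$loggedOn = (Get-WmiObject -Class Win32_ComputerSystem).UserName
if ([string]::IsNullOrEmpty($loggedOn)) {
    & shutdown.exe /r /f /t 0
} else {
    & shutdown.exe /r /f /t 300 /c 'BIOS update installed. Save your work, the computer restarts in 5 minutes.'
    Start-Sleep -Seconds 180
    & msg.exe * 'The computer restarts in 2 minutes to finish the BIOS update.'
}
exit 0   # the deployment type maps return code 0 to Hard Reboot, as in the post
```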

Now the Script:

There are 2 parameters: you tell it where you want your log file and what your BIOS password is.  That’s it.

The Application

Deployment Types: one per model. This keeps the download quick, as it only downloads the BIOS for that model, and it gives you the ability to do easy detection rules.

Programs: powershell -executionpolicy bypass -file "BiosUpdate.ps1" -BiosPassword P@ssw0rd -LogPath C:\Cabs\InstallLogs
- Change your BIOS password & where you want to save the log files.

Detection is just a Registry Key:

Requirements: Model = the Model (see previous post for more details)


Return Codes: change 0 to Hard Reboot.

My Source Folder Structure:

Actual Content for Deployment Type:
Contains the PowerShell file (which you don’t need to change; it works for every model & every version of the BIOS)

There you have it for your deployments.

Download AppExport & Script HERE. If you choose to import the App, you’ll want to build your own Folder Structure and update the Content Tab for each deployment.

Leave a comment if you have a question, or hit me up on Twitter – @gwblok

Dell BIOS update–WinPE–Model Independent–From Internet

Update 5/26 - Updated the script to use Dell's Enterprise Cab XML data instead of the ever-changing Support Site.  This now truly does work for all Dell models that I know of. 🙂  Thanks Mark - POST HERE: Mark gives some back story as to how we came up with this idea, and why we wanted to switch from our old method.

Updated Script: (Mark updated it to fix some model name changes 2/26/2018) - Please grab the updated script from below and replace the one in the download.  I have not updated the download.
For any questions regarding the download portion, check Mark's GitHub.

The new Package contents:

The Task Sequence:

Just an FYI... you might notice that it's not updating the BIOS to the latest BIOS release for that model.  For example, yesterday several BIOS updates were released for several models on their website.  Those will not install using this method.  The Enterprise CAB data has extra layers of change management / testing, so you can feel even better about applying the BIOS updates automatically.  Once those extra layers have completed, they become available.

Until Then, I’ve updated scripts and added a script for the TPM update.

There are 2 scripts now, based on the Dell Driver Cab instead of HTML scraping.

  1. DellTPMDownloadUpdatePE - Downloads and installs the TPM 2.0 x64 update for that model (if available)
  2. DellCabBiosUpdate.ps1

----------------

Original Post:

Ok, so you’re thinking, "Gary, you just posted about this," and you’d be right, I did, see https://garytown.com/dell-bios-upgrade-in-osd-winpe-x64. But in the past week or so I’ve come up with an idea after looking at Maurice Daly’s download utilities, thinking: why can’t I just do something like that, not have to have any content (besides the script and utility) to update the BIOS, and have it work on any Dell model?  So that’s what I did; with the help of @modaly_IT & @geodesicz (my personal PowerShell guy), we came up with this solution.

DOWNLOAD HERE

Goal of Script:  Update Dell Bios on Any Model without having to maintain and update packages.

What it does:

  1. Gets model info from WMI
  2. Downloads the latest BIOS directly from Dell
    1. No testing with a proxy server done; you can probably add this into the script, just don’t ask me how. (I don’t know, ask Maurice, he has it figured out in his cool GUI version)
    2. Mark (@Geodesicz) was able to make the changes to have this work in PE.
  3. Applies the BIOS to the system during WinPE
  4. Creates variables to do extra steps based on exit codes

Pros:

  1. Never manually download a BIOS update and build a BIOS package again
  2. Always install the latest Dell BIOS on the system you’re imaging
  3. Works on all Dell models, no tracking down a BIOS per model
  4. See number 1

Cons:

  1. Giving up control of the BIOS version you’re installing
    1. This doesn’t bother me personally, I haven’t ever had a BIOS update brick a machine, and if the BIOS is coming directly from Dell, it’s supported by them, and they will assist if anything did happen.
  2. Uses the Internet to pull content; while it’s only 8-12MB per computer, if you’re imaging large numbers and you don’t plan ahead, this could be a potential issue.
  3. Uses HTML scraping, so if Dell ever changes their website, we’d have to update the script.

The Script… while very similar to my last one, it has some key differences.

  1. The BIOS password is now parameterized, no longer requiring the text file to pull the password (Thanks Mark)
  2. Has a large download section with the logic to get the right BIOS file (from Maurice) & the actual download step (from Mark).
  3. Validates the BIOS downloaded.

This script is quite simple still, feel free to add additional logic to it for error handling.
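The update at the top of this post moved from HTML scraping to Dell's catalog XML. As an added example (not the post's DellCabBiosUpdate.ps1 or Mark's code), here is the selection and validation logic that approach needs: pick this model's newest BIOS entry from the catalog and refuse to flash unless the downloaded file's MD5 matches the catalog. The catalog fragment and the "abc" sample files are constructed, and the element and attribute names are my reading of Dell's CatalogPC.xml layout, to be checked against the real file.

```powershell
# Added example, not the post's script. Catalog fragment and sample files are constructed;
# element/attribute names follow my reading of Dell's CatalogPC.xml and must be verified.
$SampleCatalog = [xml]@'
<Manifest baseLocation="downloads.dell.com">
  <SoftwareComponent path="FOLDER_PLACEHOLDER/E6540A19.exe" vendorVersion="A19" hashMD5="900150983cd24fb0d6963f7d28e17f72">
    <ComponentType value="BIOS" />
    <SupportedSystems><Brand><Display>Latitude</Display>
      <Model systemID="XXXX"><Display>E6540</Display></Model></Brand></SupportedSystems>
  </SoftwareComponent>
  <SoftwareComponent path="FOLDER_PLACEHOLDER/E6540A18.exe" vendorVersion="A18" hashMD5="00000000000000000000000000000000">
    <ComponentType value="BIOS" />
    <SupportedSystems><Brand><Display>Latitude</Display>
      <Model systemID="XXXX"><Display>E6540</Display></Model></Brand></SupportedSystems>
  </SoftwareComponent>
  <SoftwareComponent path="FOLDER_PLACEHOLDER/E6540Video.exe" vendorVersion="A02" hashMD5="11111111111111111111111111111111">
    <ComponentType value="Video" />
    <SupportedSystems><Brand><Display>Latitude</Display>
      <Model systemID="XXXX"><Display>E6540</Display></Model></Brand></SupportedSystems>
  </SoftwareComponent>
</Manifest>
'@

function Get-LatestBiosEntry([xml]$Catalog, [string]$Model) {
    # BIOS components whose "<Brand> <Model>" display text equals the WMI model name,
    # newest vendorVersion first (Dell's A00..A99 style strings sort correctly as text)
    $Catalog.SelectNodes('/Manifest/SoftwareComponent[ComponentType/@value="BIOS"]') |
        Where-Object {
            $c = $_
            $names = foreach ($b in $c.SelectNodes('SupportedSystems/Brand')) {
                $brand = $b.SelectSingleNode('Display').InnerText.Trim()
                foreach ($m in $b.SelectNodes('Model')) {
                    '{0} {1}' -f $brand, $m.SelectSingleNode('Display').InnerText.Trim()
                }
            }
            $names -contains $Model
        } |
        Sort-Object -Property { $_.GetAttribute('vendorVersion') } -Descending |
        Select-Object -First 1
}

function Get-BiosDownloadUrl([xml]$Catalog, [System.Xml.XmlElement]$Entry) {
    # baseLocation carries no scheme; always fetch over HTTPS and then verify the hash
    'https://{0}/{1}' -f $Catalog.Manifest.baseLocation, $Entry.GetAttribute('path')
}

function Test-BiosFileHash([string]$Path, [string]$ExpectedMD5) {
    # The catalog hash is the only integrity check on the download: a truncated,
    # substituted or otherwise altered file must never reach the flash utility
    (Get-FileHash -Path $Path -Algorithm MD5).Hash -ieq $ExpectedMD5
}

# Demo with constructed inputs. In the real flow the model comes from
# (Get-WmiObject Win32_ComputerSystem).Model and the file from Invoke-WebRequest -Uri $url -OutFile.
$model = 'Latitude E6540'
$entry = Get-LatestBiosEntry $SampleCatalog $model
$url   = Get-BiosDownloadUrl $SampleCatalog $entry
Write-Output ('Selected BIOS {0} for {1}: {2}' -f $entry.GetAttribute('vendorVersion'), $model, $url)

$good = Join-Path $env:TEMP 'E6540A19.exe'
$bad  = Join-Path $env:TEMP 'E6540A19_tampered.exe'
[IO.File]::WriteAllBytes($good, [byte[]](0x61, 0x62, 0x63))   # "abc": MD5 matches the A19 entry
[IO.File]::WriteAllBytes($bad,  [byte[]](0x61, 0x62, 0x64))   # one byte changed in transit

foreach ($file in $good, $bad) {
    if (Test-BiosFileHash $file $entry.GetAttribute('hashMD5')) {
        Write-Output "$file : hash OK, safe to hand to the flash utility"
    } else {
        Write-Output "$file : hash mismatch, NOT flashing"
    }
}
Remove-Item $good, $bad
```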

In the TS:

Package Content:

As before, it will create logs in the SMSTSLog folder in %temp%.
The only difference now is that I added a group that will only run if the download fails, based on lines 86-90 of the script.

For more details on how to setup the rest, check out the old Post:
https://garytown.com/dell-bios-upgrade-in-osd-winpe-x64

Maurice’s new GUI version: http://www.scconfigmgr.com/2017/03/01/driver-automation-tool/

Maurice’s older version, where I stole the code from: https://gallery.technet.microsoft.com/scriptcenter/SCCM-Dell-Client-Bios-ee577b04

Dell Bios Upgrade in OSD WinPE x64

Update 3/17 - Updated a couple of sections to fix a bug in the script with assistance from the Dell BIOS dev team. Uploaded the TS export of this section.

Download Here:  3/24 - Removed all of the BIOS files and the update utility to comply with Dell’s EULA.

Task Sequence Export HERE - You can import this into your system and it will have all the steps. Then copy the steps into your working TS.  No content is included in this export.  Create your own package with the “Full Folder Structure Download” and link to that in your TS.

Original Post:

Ok, so for a long time you couldn’t upgrade Dell’s BIOS in WinPE x64 because they didn’t have a native x64 BIOS installer; this has recently changed. - Download HERE
Mike wrote up a nice intro to the new utility HERE

I do all of our BIOS updates using the “Application Model” after the OS is laid down, so it has the 32-bit subsystem and it works fine. But I know many people like to do it during PE.  So I thought I’d play with it this morning and write up a script.

PreReqs for my script: PowerShell enabled.  Here are the things we’ve enabled (Win10 1607 boot media):

Benefits of doing it the way I’ve set it up:

  1. One script works for all models; you just have to set up your folder structure to match the computer model in WMI.
  2. Grabs the BIOS password from a file, so you only have to update one file if you change your BIOS password
  3. Creates TS variables to avoid rebooting if already on the same BIOS version.
  4. Creates a log file based on the BIOS update in the %temp%\SMSTSLog folder (X:\windows\temp\SMSTSLog\BiosFileName.log)
  5. New BIOS version released? No problem: delete the old one, add the new one, update the package, done; no script change required.
  6. It’s fun

Package Folder Structure.  Make sure the subfolders exactly match the WMI Model Name:
Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty Model

Once you’ve created your folder structure, populate it with the latest BIOS files for each model. (Just download and place in the folder, no renaming required)
Also, create a txt file in the package root called Bios.txt and put your Dell BIOS password in that file.

Now, the PowerShell script will query WMI for the model, look for the BIOS file inside the corresponding folder and apply it to the system using the Flash64W.exe utility. (It will pull the password from the Bios.txt file in the root of your package)

Updated script from 3/17 shown HERE:

Based on the exit code of the BIOS update, it will create a TS variable you can use to reboot, retry if the battery is low, or continue on with your TS. - More info about Dell exit codes here… I noticed it didn’t have them all though: http://en.community.dell.com/techcenter/enterprise-client/w/wiki/3462.dup-bios-updates.  I trigger events based on Exit Code 2 (successful but requires reboot) and Exit Code 10 (battery too low).  You can easily add additional exit codes and create custom variables to have your TS do other things based on those exit codes.
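An added example (not the DellBiosUpgradePackage-2.0.ps1 from the download) of the per-model lookup and the exit-code-to-TS-variable mapping described above, for the package layout in this post. It assumes Flash64W.exe accepts /b=<bios file>, /s, /p=<password> and /l=<log> and resolves /b= against its working directory; the exit code values 2 and 10 and the variable names are the ones from the text.

```powershell
# Added example, not the post's DellBiosUpgradePackage-2.0.ps1. Assumptions: Flash64W.exe
# accepts /b=<bios file>, /s, /p=<password>, /l=<log>; the package layout is
# <package>\<WMI model name>\<BIOS .exe>, with Bios.txt and Flash64W.exe in the root.
$root   = $PSScriptRoot
$model  = (Get-WmiObject -Class Win32_ComputerSystem).Model.Trim()
$logDir = Join-Path $env:TEMP 'SMSTSLog'        # X:\windows\temp\SMSTSLog in WinPE

function Get-BiosFile([string]$ModelFolder) {
    # One Dell BIOS .exe per model folder; $null when this model has no folder yet
    if (-not (Test-Path -Path $ModelFolder)) { return $null }
    Get-ChildItem -Path $ModelFolder -Filter '*.exe' | Select-Object -First 1
}

function Get-TSVariableForExitCode([int]$ExitCode) {
    # Dell flash exit codes the post acts on: 2 = success, reboot required; 10 = battery too low
    if ($ExitCode -eq 2)  { return 'SMSTS_BiosUpdateRebootRequired' }
    if ($ExitCode -eq 10) { return 'SMSTS_BiosUpdateBatteryCharge' }
    return $null
}

function Set-TSVariable([string]$Name, [string]$Value) {
    # Microsoft.SMS.TSEnvironment is only available inside a running task sequence
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value($Name) = $Value
}

$biosFile = Get-BiosFile -ModelFolder (Join-Path $root $model)
if (-not $biosFile) {
    Write-Output "No BIOS folder or file for model '$model', skipping update"
    exit 0
}

# Password lives in Bios.txt at the package root, as in the post
$biosPassword = (Get-Content -Path (Join-Path $root 'Bios.txt') -ErrorAction Stop | Select-Object -First 1).Trim()
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
$logFile = Join-Path $logDir ($biosFile.BaseName + '.log')

# Run from the model folder so /b= gets a bare file name: model folders contain spaces
# ("Latitude E6540") while Dell BIOS file names do not
$proc = Start-Process -FilePath (Join-Path $root 'Flash64W.exe') `
    -WorkingDirectory $biosFile.DirectoryName `
    -ArgumentList "/b=$($biosFile.Name) /s /p=$biosPassword /l=$logFile" -Wait -PassThru
Write-Output "Flash64W exit code: $($proc.ExitCode)"

$variable = Get-TSVariableForExitCode -ExitCode $proc.ExitCode
if ($variable) { Set-TSVariable -Name $variable -Value 'True' }
exit 0   # the TS groups keyed on these variables decide whether to reboot, wait or continue
```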

Now in your TS:
Create a Dell Upgrade Bios group, and set it to only run if it's a Dell computer:
select * from Win32_ComputerSystem where Manufacturer like "%Dell%"
Create a Run Command Line step:
powershell.exe -NoProfile -ExecutionPolicy ByPass -file .\DellBiosUpgradePackage-2.0.ps1

Create another group. This will run if the battery was too low to update the BIOS.  It will wait 10 minutes and try again.  If the battery is still too low after that point, it will continue on without updating the BIOS. - You can easily put a step here that will pop up a message box about how the BIOS didn’t update, etc.
SMSTS_BiosUpdateBatteryCharge = True
Command Line Step: powershell.exe -NoProfile -ExecutionPolicy ByPass -Command "Start-Sleep -s 600"

It will then wait 10 minutes and try again; if successful, it will set the variable SMSTS_BiosUpdateRebootRequired = true and continue on to the next group to reboot.  If it fails due to the battery again, it will set SMSTS_BiosUpdateBatteryCharge = True and show a message that it probably has a faulty battery.  At this point, you can click “OK” and let it continue, or turn it off and replace the battery.

Create another group which will reboot the computer and run any other steps needed to get back to where you were before the reboot. (TS Variable SMSTS_BiosUpdateRebootRequired equals true)
I added a “Format” step just to ensure there was a place for the boot image to download to; this might not be needed in your environment, depending on the placement of the BIOS upgrade.

Ok, that should be it.

Note, I was running into some issues with the Flash64W.exe utility from Dell, getting this error:

Once I added another line into the script to launch the software once with minimal arguments, it worked fine. I’ve contacted Dell Support to see if they have any ideas on that.

This is the line I added to fix that error:
Start-Process "$PSScriptRoot\Flash64W.exe" -ArgumentList "/p=$BiosPassword /s" -Wait

However, changing the argument line & the Update BIOS lines fixed the issue, and I haven’t needed that since.  I’ve heard from commenters that people are still getting that message, so hopefully this will help. If you do get that message, open a support case with Dell; they will help address it.  FYI, I’m also using WinPE 1607; not sure if the build has anything to do with that error.

Update: 2/27/17 – Response from Dell:
Hello, Gary: I heard back from the BIOS engineering group. They said that they have not tested the utility using Powershell scripts. They do not support Powershell scripts. They only support use of the utility within a command prompt in Windows… It is also supported within WinPE (in a command prompt).

Update 2/28/17 - Call from Dell: they are escalating the issue to the BIOS engineering group and will be looking into the problem to see if they can resolve the issue when using it in PowerShell.

Update 3/17/17 - After working with the BIOS dev team, I was able to rework the script to resolve the error I was seeing.  Updated script in the download and in this blog post.

If you run into any problems, let me know and I’ll test that model if I have it.
Tested so far on:

  1. Laptops
    1. Latitude E5550
    2. Latitude E5470
    3. Latitude E6540
    4. Latitude E6530
    5. Latitude E6430
    6. Latitude E7250
    7. Latitude E7240
    8. Precision 7510
  2. Desktops
    1. OptiPlex 7010

HP Bios Update Application - HP Revolve 810 G1/G2/G3

I've recently taken a little time to automate the updates of our HP laptops. I've found that HP has different BIOS update programs based on the age of the machine.  Documentation was a bit lacking as well.  I'm assuming that other HP machines will fall into one of these two methods I'm using. I'm creating this using the Application Model instead of a package; however, you can easily change this into a package with minimal changes.

AppModel Pros: Application Catalog, Detection Methods, Works in a TS
AppModel Cons: Can't use in WinPE

Package Pros: Simple, less time to setup, works in WinPE in a TS.
Package Cons: Simple, no detection, can't make available via Catalog.

Here is a rundown of things we'll cover:

  • Create your Content Folder Structure (or download mine HERE)
  • Download & extract the BIOS from HP
  • Create the BIOS password file
  • Create the BIOS update batch file
    • Suspend BitLocker
    • Add a RunOnce regkey to enable BitLocker after reboot
    • Apply the BIOS update
    • Restart the machine with a 2 minute user notification popup
  • Deploy
  • Add to TS info

  1. Create your Package Content Structure.
  2. HP Revolve 810 G1\G2\G3 - Get the BIOS HERE
    1. Save it to your 810G1 folder and extract it with 7-Zip
    2. It should now look like this:
    3. Repeat for the G2 and G3 models; your folders should now look like this:
  3. Time to create the password file.
    1. From the 810G2 folder, launch HpqPswd64.exe
    2. Type in your BIOS password and save the BIN file to your Password File folder
    3. Copy that file from the Password File folder into each BIOS folder like so:
      Always keep a copy on hand; if you ever run the process manually, the BIOS update will delete the password file from the folder. A security feature, I'm sure.
  4. Let's write a simple batch file that will repair the BitLocker MOF, suspend BitLocker, add a RunOnce key to turn it back on after restart, update the BIOS and give a two minute warning for reboot.

    ----------

    REM Fix Bitlocker MOF if needed
    mofcomp.exe c:\windows\system32\wbem\win32_encryptablevolume.mof

    REM Suspend Bitlocker
    Manage-bde.exe -protectors -disable c:

    REM Add RunOnce key to Enable Bitlocker after Restart if it doesn't automatically via GPO / MBAM
    reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v EnableBitlocker /T REG_SZ /D "Manage-bde.exe -protectors -enable c:" /F

    REM Update Bios
    hpqFlash64.exe -s -pHPBiosPassword.bin -lc:\Cabs\InstallLogs\HPBiosUpdate.log

    REM Reboot Computer (Does not affect WinPE, as it can't use shutdown.exe)
    shutdown.exe /r /f /t 120 /c "Updating Bios, please save your work, Computer will reboot in 2 minutes"

    ----------

    1. -s = Silent
    2. -p = Calls the password file
    3. -l = Log file (you can remove this or add your own log file path)
    Ok, let's do one for the 810 G2\G3, as it's a little different: they've added some features and changed the syntax.

    ----------

    REM Fix Bitlocker MOF if needed
    mofcomp.exe c:\windows\system32\wbem\win32_encryptablevolume.mof

    REM Suspend Bitlocker (Not needed on the G2 / G3 Models, they have the "-b" option to disable bitlocker)
    REM Manage-bde.exe -protectors -disable c:

    REM Add RunOnce key to Enable Bitlocker after Restart if it doesn't automatically via GPO / MBAM
    reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v EnableBitlocker /T REG_SZ /D "Manage-bde.exe -protectors -enable c:" /F

    REM Update Bios
    HPBIOSUPDREC64.exe -s -r -b -pHPBiosPassword.bin -lc:\Cabs\InstallLogs\HPBiosUpdate.log

    REM Reboot Computer (Does not affect WinPE, as it can't use shutdown.exe)
    shutdown.exe /r /f /t 120 /c "Updating Bios, please save your work, Computer will reboot in 2 minutes"

    ----------

    1. -s = Silent
    2. -r = NO reboot
    3. -b = Suspend BitLocker
    4. -p = Password file
    5. -l = Log file
  4. Time to create an Application to deploy the BIOS
  5. Deployment Types
    1. Name your deployment; I use Model & BIOS version
    2. Point to your source content
    3. Program = your script file
    4. Detection = registry setting for the BIOS version
    5. Set to Install for System - Whether or not
    6. Set your Requirements to Computer Model (blogged here)
    7. Set 0 to Hard Reboot, so it will reboot, then run detection.
      If you want to add more return codes, you can find a list here... I have not tested them.
    8. It's pretty much identical for the other two systems: just change the content to the correct folder, and the detection to the BIOS version. - Tip: update one, then point to that when you're getting your detection method.
  5. Deploy, seeing it in action.  I've deployed mine to "All Users" so it shows up in the Catalog.
    1. Installing from the Application Catalog:
    2. Once it finishes the process, it gives the 2 minute reboot warning. The Software Center will say "Requires restart".
  6. You can also deploy to a computer collection you've created.  This is how I typically do pushes: send out communications, then push to a collection.  But for a while during testing, I like to make it available so I can run it from the catalog.
  7. Adding to Task Sequence.  So I was excited that HP BIOS updates are supported in WinPE... but yet I was having it fail, saying it needed a full OS.  I thought "LIAR", I've tested the script in PE and it worked fine!  Then I realized I was running it as an application, not a package... and that's what wouldn't work in PE.  So... I had to add this BIOS Update step later in my TS, after it was in Windows, just like I do with my Dell BIOS updates. - I've tried to leave some steps around it for context as to where I've added the HP BIOS Update step.
    1. Note, in the script I call shutdown.exe, which gives a two minute delay.  In the TS, there is a restart right after the Application runs, which will restart the system right away instead of waiting for the two minute timeout.  If you do decide to make this into a package, remove the shutdown.exe part of it, as that is not available in WinPE.

As always, I welcome comments and feedback.  I only set this up a few days ago, and tested on a couple machines, so there might be scenarios that need tweaking.  I'll update this if I find anything.  - @gwblok

Enforce UEFI during OSD or Nicely Fail with Remediation

UPDATE: 6/14 - A few days after I wrote this, Nickolaj posted a nice way to automate this for Dell systems.  Check it out HERE.  Great post, I look forward to trying it out.

I wanted to make sure that during Windows 10 OSD, machines were getting set to UEFI and Secure Boot.  I did not want to leave this up to the tech who was imaging the PC; while they catch it most of the time, there is still the chance they miss it, and I get a Windows 10 machine with Legacy BIOS.

I added a group with a few steps to my TS that will trigger if _SMSTSBootUEFI is not True, if _SMSTSinWinPE is True, and if it's one of my hardware manufacturers.

  1. _SMSTSBootUEFI - This is the main variable, as it will say whether the machine is booted to UEFI or not
  2. _SMSTSinWinPE - This is so that these steps only run if in PE. If I'm doing an in-place upgrade, I don't want it to check and fail.
  3. WMI Query for Hardware Manufacturer - I have Dell & HP machines, which I want it to check on, but I don't want it to check on virtual machines.  At this point in the TS, the isVM variable isn't yet available, so this method works to exclude my VMs.


This will NOT completely automate the process of going from LEGACY to UEFI.  The TS will fail if the BIOS is set to LEGACY, but it's right at the beginning, and then you can start the Windows 10 TS again and it will install properly using UEFI & Secure Boot.

For a FULL solution, look to 1E's BIOS to UEFI.

This was a failsafe to make sure our machines were set correctly right away, instead of finding out after the fact that we imaged a machine to Windows 10 that was still using Legacy mode.
Package Contents:

  1. MessageBox script, get it HERE (Deployment Guys TechNet blog)
    You'll need to modify the MDTMessageBox.wsf script so it will automatically close the TS progress bar.  Info found HERE (Niehaus's blog)
    You'll need to add this snippet into the script near the top:
    Set oTSProgressUI = CreateObject("Microsoft.SMS.TSProgressUI")
    oTSProgressUI.CloseProgressDialog
    Set oTSProgressUI = Nothing

  2. ZTIUtility.vbs (from the MDT scripts folder) - Just copy this file from your MDT Script Deployment Share, and paste it into your package content.
  3. Shutdown.exe, copied from c:\Windows\system32

TS Steps:

  1. Notify UEFI Status (Step 1)
    1. Write your message here using the syntax from the blog link, for example:
      cscript.exe "MessageBox\MDTMessageBox.wsf" /text:"WARNING - This Machine is not set to UEFI in the BIOS - Please Shutdown, fix the Setting and Start again - The Next Step will Automatically try to FIX it for you if you're deploying to a DELL or HP machine and reboot. Please confirm it's Booting UEFI with Secure Boot Enabled" /type:64 /title:"UEFI
    2. In the Options, check the box for "Continue on Error"
  2. Dell Bios - SecureBoot - UEFI (Step 2) - Note, this step works on Dell; you'd have to modify it for another vendor. I have it skip this step if it is NOT a Dell PC.
    1. This is just a script I'm using that calls the CCTK (Dell Command Configure) and sets the BIOS to UEFI & Secure Boot.  Mike Terrill wrote a great blog post about how to do this, so I will not repeat it.
  3. HP Bios - SecureBoot - UEFI (Step 3) - This looks basically the same as Step 2, but it's for our HP machines
    1. You can get the HP BIOS Configuration software HERE
      The documentation is located HERE
      Brenton wrote up a how-to HERE
  4. Shutdown Machine (Step 3)
    MessageBox\Shutdown.exe -s -t 00

So let's see it in action (Dell E6540) - Tested also on HP Revolve 810 G2

  1. First picture: booting while in Legacy mode w/ Secure Boot disabled (Dell)
  2. Starting the Windows 10 TS
  3. Starts that step
  4. TS runs the message because it's not UEFI (while hiding the installation progress bar)
  5. Computer then runs the BIOS settings to change to UEFI
  6. Computer then shuts down.
  7. It now shows the correct boot options and you can start your Windows 10 OSD again, ensuring UEFI & Secure Boot.

Other things you could add: email the Service Desk or an admin if UEFI is not enabled, using a method like THIS.