Dell Bios Updates - ConfigMgr App Model - Post OSD

I’m pretty good about keeping our Dell machines at the current BIOS level; usually a couple of models get updates every month… then there was that Intel AMT vulnerability, and they released updates for nearly all of our models, so that was fun. I tweeted about my exploits and had requests to share how I’m doing it… so here it is…

App Model & PowerShell

I blogged a 3-part post back in Dec 2015. I’m not going to redo everything, but I’ll send you there if you still need to build your collections:

https://garytown.com/updating-dell-bios-with-configmgrpost-1creating-model-based-collections

Another prerequisite is having a global condition for “Model”, which I cover here: https://garytown.com/updating-dell-bios-with-configmgrpost-3the-application-deployment

Once you have that out of the way, it’s just building your App.

It’s really simple. We have a PowerShell script that will:

  1. Suspend BitLocker (works for Win 7-10)
  2. Stop the MBAM service (so MBAM doesn’t start BitLocker again before rebooting)
  3. Grab the Dell BIOS info from the BIOS EXE file in the same directory
  4. Create the log file name based on that EXE
  5. Confirm BitLocker is suspended
  6. Update the BIOS, creating the log file
  7. Reboot the machine
    1. Reboots right away if no one is logged on
    2. Gives 5-minute and 2-minute warnings if someone is logged on

The nice thing about this method is that it’s one script that never changes. You just add it to your Model folder. Every time a new BIOS comes out, replace the BIOS.EXE in the source, update the Application Detection Method, and update the content for that deployment. All set!

Now the Script:

There are 2 parameters, you tell it where you want your log file, and what your BIOS password is.  That’s it:
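The script itself is not reproduced on this page. As an added example (not the author's BiosUpdate.ps1, which is in the download), this is one way to implement the seven steps listed above with the same two parameters. The Authenticode check is an addition, the 2-minute reminder is left out, and the MBAM service name MBAMAgent, the 'Dell' signer match and the meaning of exit code 2 are assumptions to verify in your environment.

```powershell
# Added example, not the author's BiosUpdate.ps1. ConfigMgr runs it as SYSTEM.
param(
    [Parameter(Mandatory = $true)][string]$BiosPassword,
    [string]$LogPath = 'C:\Cabs\InstallLogs'
)
$here = Split-Path -Parent $MyInvocation.MyCommand.Path   # PowerShell 2.0 safe (Win 7)

# Steps 3-4: exactly one BIOS EXE beside the script; the log is named after it.
$exe = @(Get-ChildItem -Path $here -Filter '*.exe')
if ($exe.Count -ne 1) { Write-Output "Expected one BIOS EXE, found $($exe.Count)"; exit 1 }
$exe = $exe[0]
if (-not (Test-Path $LogPath)) { New-Item -ItemType Directory -Path $LogPath | Out-Null }
$log = Join-Path $LogPath ($exe.BaseName + '.log')

# Added check (not in the post): only run firmware with a valid signature.
# Matching 'Dell' in the signer subject is an assumption about the publisher name.
$sig = Get-AuthenticodeSignature -FilePath $exe.FullName
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Dell') {
    Write-Output "Refusing $($exe.Name): signature status $($sig.Status)"; exit 1
}

# Locale-independent BitLocker state of the OS volume: 0 = off, 1 = on.
function Get-OsProtectionStatus {
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'" `
        -ErrorAction SilentlyContinue
    if ($vol) { $vol.GetProtectionStatus().ProtectionStatus } else { 0 }
}

# Steps 1-2: suspend BitLocker, then stop MBAM so it cannot resume protection.
if ((Get-OsProtectionStatus) -eq 1) {
    & manage-bde.exe -protectors -disable $env:SystemDrive | Out-Null
}
Stop-Service -Name 'MBAMAgent' -Force -ErrorAction SilentlyContinue   # assumed service name

# Step 5: never touch firmware while protection is still on.
if ((Get-OsProtectionStatus) -ne 0) { Write-Output 'BitLocker still on; aborting'; exit 1 }

# Step 6: silent flash with Dell's /s, /p= and /l= switches; the password is not echoed.
$p = Start-Process -FilePath $exe.FullName -Wait -PassThru `
    -ArgumentList '/s', "/p=$BiosPassword", "/l=`"$log`""
if ((0, 2) -notcontains $p.ExitCode) { exit $p.ExitCode }   # 2 = reboot required (assumed)

# Step 7: reboot now if no console user, otherwise after a 5-minute warning.
$user = (Get-WmiObject -Class Win32_ComputerSystem).UserName
$delay = if ($user) { 300 } else { 0 }
& shutdown.exe /r /t $delay /c 'BIOS update staged. This computer will restart.'
exit 0
```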

The Application

Deployment Types: one per model. This makes the download quick, as the client only downloads the one for its model, and it gives you the ability to do easy detection rules.

Programs: powershell -executionpolicy bypass -file "BiosUpdate.ps1" -Biospassword P@ssw0rd -LogPath C:\Cabs\InstallLogs
- Change the BIOS password and the log file location to match your environment.

Detection is just a Registry Key:

Requirements: Model = the Model (see previous post for more details)


Return Codes: change 0 to Hard Reboot

My Source Folder Structure:

Actual Content for Deployment Type:
Contains the PowerShell file (which you don’t need to change; it works for every model and every version of the BIOS)

There you have it, for your deployments

Download AppExport & Script HERE. If you choose to import the App, you’ll want to build your own Folder Structure and update the Content Tab for each deployment.

Leave a comment if you have a question, or hit me up on Twitter – @gwblok

4 thoughts on “Dell Bios Updates - ConfigMgr App Model - Post OSD”

  • June 6, 2017 at 11:51 am

    Gary -- How do you handle different BIOS passwords? We have many Dell models and they could have any one of 3 different passwords we have used to secure the BIOS over the years. I'd like to be able to update the BIOS AND change the password to a standard password for all systems at the same time. Can the script do that?

    • June 8, 2017 at 7:03 am

      Bios Passwords: You'd create as many steps as needed (set continue on error), but basically 1 step to set password if not set, then each additional step to set the password to your new password, using the list of old passwords
      Set Bios Password if Blank: cctk --setuppwd=BiosP@ssWord
      Update Bios Password: cctk --setuppwd=BiosP@ssWord --valsetuppwd=OldBiosPassWord
      Or you can use a script to push to all Machines Post OSD.

  • September 13, 2017 at 12:46 pm

    Good stuff! I've been asked many times to do the same. We have over 10K endpoints of over 170 different models. Would need an FTE to manage. Question: I have issues with the detection method biosversion equals 1.4.1 (as an example). Some newer BIOS versions use a different format (i.e. 1.04.01). So obviously we know that 1.4.1 is greater than 1.04.01, but SCCM doesn't think so. Ever encountered this?
