Updating Dell Bios with ConfigMgr–Post 2–The Scripts

In Post 1, we created the collections, now we’ll create the Scripts used to Deploy the Bios Updates

All of the scripts, along with cctk tools needed are located here: http://garytown.com/Downloads/DellBiosUpdateScripts.zip

Note: CCTK – Recommend brushing up on it here: http://www.dell.com/support/article/us/en/19/SLN294541/en
Dell Bios Command Line syntax: http://en.community.dell.com/techcenter/enterprise-client/w/wiki/3461.legacy-bios-updates

In our environment, we use Bitlocker, so I had to first suspend bitlocker before applying the update.  I started down the road of PowerShell, as PowerShell is King, however, my tests would fail on Windows 7 machines.  So I went back to Batch Files. Sad smile   I’ve provided both in the download, so if you’re on Windows 8.1 + you can use the PS scripts.

 

Batch File Example E6440 (E6440Reboot.cmd)
---------------------------------------------

REM - Use Find / Replace to Replace YOURNEWPASSWORD with your Actual Bios Password
REM - Replace c:\InstallLogs with a location you'd like to Save the Log to.  This is REQUIRED to have, as we use the log as the detection Method.

REM Fix Bitlocker MOF if needed (Several machines failed to suspend bitlocker via Manage-bde, this fixed it)
mofcomp.exe c:\windows\system32\wbem\win32_encryptablevolume.mof

REM Suspend Bitlocker
Manage-bde.exe -protectors -disable c:

REM Set Bios Password / Update Bios Password - Remove this section if you don't want to use this time to set or update your Bios Password
REM Try both methods to set password using the two known passwords we have. (Blank and Old)
cctk --setuppwd=YOURNEWPASSWORD
cctk --setuppwd=YOURNEWPASSWORD --valsetuppwd=YOUROLDPASSWORD
cctk --setuppwd=YOURNEWPASSWORD --valsetuppwd=YOUROLDERPASSWORD

REM Throwing in WOL Enable, just because we want to make sure it's enabled on everything.
cctk --wakeonlan=enable  --valsetuppwd=YOURNEWPASSWORD

REM Update Bios (Adding /r to force reboot machine after loading Bios Update)
E6430A16.exe /s /r /p=YOURNEWPASSWORD /FORCEIT /l=c:\InstallLogs\E6430A16.log

----------------------------------------------------

 

There is a lot of stuff in that which you can remove, in our environment we had a few lingering old Bios Passwords, I added into this script the ability to add a password if blank, or updated it if it found some of the older passwords.

I’ve noted most things in the script itself, so it should be somewhat self explanatory.  Basically it suspends bitlocker using the Manage-BDE command, then sets the Bios Password, then updates the bios using your bios password and creates a log.  I use the log as a detection method.

I’ve also added a line that registers the bitlocker mof file, I was getting several machines that had issues using the MANAGE-BDE commands until I ran that command.

Using the Log file as a detection method is not 100% effective, as you’ll get a log file even if the bios fails to upgrade.  However after you’ve applied the Updates to a collection for awhile, and you’ve noticed a few that never removed themselves from the collection (because they didn’t update), you can dig into those further, as they might require manual intervention.

To break it down..
BiosUpdate.exe /s = Silent /r = Reboot /p = Bios Password /FORCEIT (forces bios to upgrade even when battery dead or on battery power) /l = Log file

 

Yes, using the /r will force the machine to reboot, so make sure you plan accordingly with your deployments.

Powershell: E6440.ps1 ---------------------------------

# - Use Find / Replace to Replace YOURPASSWORD with your Actual Bios Password
# - Replace c:\InstallLogs with a location you'd like to Save the Log to.  This is REQUIRED to have, as we use the log as the detection Method.

Suspend-BitLocker -MountPoint "C:"
.\E6440A13.exe /s /r /p=YOURPASSWORD /FORCEIT /l=c:\InstallLogs\E6440A13.log

----------------------------------------------

 

This script is a bit more simple, I didn’t include the steps to set the bios password, it assumes you already have the bios password set how you want it.
Also, since you’re not using Manage-BDE, the command just works (assuming you’re on 8 or above)

 

In the Next Post, we’ll tie this together with the Application Model to show how to create Deployment Types so you can send a Single Application Deployment to several models and let the Application apply the correct Bios based on Model.

9 thoughts on “Updating Dell Bios with ConfigMgr–Post 2–The Scripts

  • March 22, 2016 at 10:27 am
    Permalink

    Gary- Great Article. Just starting to learn SCCM and haven't used the Dell tools before. When you are calling the CCTK in your batch scripts, do you already have that installed on all machines? Or how are you adding that to your application with SCCm? Haven't been able to find documentation that the CCTK can be run from network share? Thanks!

    Reply
    • March 22, 2016 at 10:36 am
      Permalink

      Good question. I keep the cctk.exe and required files in the same package as the Bios. That way it doesn't need to be installed on the machine.
      You can download it here: http://en.community.dell.com/techcenter/enterprise-client/w/wiki/7532.dell-command-configure
      Install the software on a test machine, After you're done.. grab the contents of this folder: C:\Program Files (x86)\Dell\Command Configure\X86_64 and add that to your package. (you don't need to copy the bat files).

      Reply
  • August 15, 2016 at 10:39 am
    Permalink

    Great work Gary. I just applied this to some test machines and it worked great. I plan on rolling it out to the enterprise soon. How are you handling enabling Bitlocker again afterwards?

    Reply
    • August 18, 2016 at 7:46 am
      Permalink

      Bitlocker auto enables for us after each reboot. However I have added a line to my script as a fall back:
      reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v EnableBitlocker /T REG_SZ /D "Manage-bde.exe -protectors -enable c:" /F
      That will add the command to enable Bitlocker after restart using the "RunOnce" key. Let me know if that helps

      Reply
  • August 19, 2016 at 12:00 pm
    Permalink

    Thanks Gary. It makes sense that bitlocker would be enabled after reboot.

    Reply
  • January 23, 2017 at 4:31 pm
    Permalink

    If you don't have a BIOS password set, which do you use? Do you still put in the command with nothing or leave out the password syntax all together?

    E6430A16.exe /s /r /p= /FORCEIT /l=c:\InstallLogs\E6430A16.log
    or
    E6430A16.exe /s /r /FORCEIT /l=c:\InstallLogs\E6430A16.log

    and

    cctk --wakeonlan=enable  --valsetuppwd=
    or
    cctk --wakeonlan=enable

    Reply
    • January 23, 2017 at 5:05 pm
      Permalink

      You leave it off completely, it would be your second example.
      Ive recent moved everything over to a PowerShell script which also gives a two minute reboot warning, I'll be posting those within the next month or so.

      You do plan to add a bios password though, right?

      Reply
  • February 23, 2017 at 3:21 pm
    Permalink

    I've gone through this tutorial and have successfully gotten it to work. Thank you very much, you don't know how helpful this is for me. Is it possible to also include BIOS changes such as disalbing legacy rom options, enabling UEFI, and UEFI Network Stack? There are other changes that I'd like to include so that when the BIOS update is complete, all of my desired settings will be included.

    Thanks

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *