Updating HP BIOS Versions Using Configuration Manager Task Sequences

Posted: May 25, 2016 in MDT, Windows 7

Lately I’ve been thinking about BIOS updates. More specifically the fact that I’ve needed to apply them to some of my older HP Desktops and Laptops so we could deploy Windows 10 1511 reliably. Moving forwards this was going to be an issue as we are looking to upgrade our entire business to Windows 10 CBB later in the year. I definitely did not want to be in a position where we were manually updating BIOS versions.

Here is a solution to update your BIOS versions using a Configuration Manager task sequence. I’ve focused on HP however the solution I have implemented would work for any vendor, just adjust to suit the utility they offer.

And yes to all those SSM fans out there, I know that you can add a step to update the BIOS using that HP utility against a SSM downloaded management source with all the HP updates, however I’m not a fan and have chosen not to use it for various reasons specific to my environment.

So the requirements. Well that depends on what your already doing. If you are enabling BitLocker as part of your Task Sequence then you should already been using the HP Bios Config Utility to enable your TPM and set your BIOS settings using something like BiosConfigUtility.exe /Set:TPMEnable.REPSET /nspwdfile:”password.bin” as part of Run Command Line step with a package. You will need to use your password.bin file as part of our BIOS update command as you can’t update a BIOS automatically unless you pass the password through as part of the command. Also note that if you try to update a HP BIOS and you have bitlocker enabled there is a suspend bitlocker switch which I haven’t needed to use. But its nice to know its there. Here is a link to the HP BIOS Configuration Utility Guide which also explains how you can you generate a password.bin file if required.


I have my enable TPM / Import REPSET file steps before my Update BIOS steps in my task sequence. This is to ensure that the devices BIOS settings are always configured with a password before my BIOS update step runs. This avoids the scenario where a BIOS update is attempted using a password switch where that device doesn’t have a password set. Clear as mud?

Having said all of this, if you don’t set passwords for your BIOS or don’t enable BitLocker then ignore the last few paragraphs!

The next step you will need to do is to download all the latest BIOS versions from the HP website for your models. Create a source folder in your Configuration Manager source share and then create sub-folders for each model like this:


Extract and copy each BIOS update to the relevant folder. For older models that use HpqFlash.exe the contents should look like this:


And for newer models that use HPBIOSUPDREC.exe the contents should look like this:


Once this has been completed, create a package for each BIOS update without a program and distribute them to your DP’s.


Now add some update BIOS steps to your Task Sequence. As mentioned before I have my update steps after my BIOS REPSET import settings step (which enables the TPM etc). This occurs after the PC has rebooted following the Setup Windows and ConfigMgr step.


Create a folder for the model of PC relevant to the BIOS update, then set a WMI Query so it will only run against that model. This is what you would most likely be doing for driver packages. You don’t need to worry about using anything sneaky to query the SMSBIOSVersion against the Win32_BIOS class. If the BIOS version is up to date, the utility just exits and the task sequence continues.


Next add a Run Command Line step and reference the BIOS update package you created earlier for that model. In the Command line for older BIOS updates that use hpqFlash.exe specify the command hpqFlash.exe -s. If you have a password set on your BIOS use hpqFlash.exe -ppassword.bin -s


For newer models that use HPBIOSUPDREC.exe specify the command HPBIOSUPDREC.exe -s -r. Again if you have a password set use  HPBIOSUPDREC.exe -s -ppassword.bin -r.


The last step is to add a Restart Computer step which is an absolute must for obvious reasons.

That’s pretty much it, Happy BIOS Updating!






  1. Antoine says:

    Great info! Will be doing just that. Just one thing though: wouldn’t it be more efficient to put only one Restart Computer at the end of the Update BIOS step instead of one for each machine (and less bloating, too)?

    • Damon Johns says:

      Hi Antoine,

      Yes you could definatley do it that way, I’ve structured my Task Sequence that way to make it easier for me as a personal preference to see each model and understand what the sequence is doing.


  2. drieswillems says:


    I receive the following message when making changes to the hp bios config.
    How do you automate this message?

    Kind regards,

  3. Hoi Damon
    Thanks for that info so far. We do this allready a couple of years for HP Devices during OS Deployment. Now we want to do it for Machines running with OS without resetup the OS.
    How would you do this? With a task sequence? Required or availlable? I tried it with a TS, but the problem is, that there are several reboots necessairy and the TS needs more than 5 minutes to restart after a reboot. Meanwhile the user starts working and his work will be interruppted several times.
    My steps:
    1. disable bitlocker
    2. clear bios password
    3. reboot
    4. bios update
    5. reboot
    6. set bios password
    7. set bios settings
    8. reboot
    9. enable bit locker
    10. reboot
    Any suggestions? How would you do it?


    • Damon Johns says:

      Hi Christof,

      Apologies for taking so long to reply as I’ve been on holidays. I have’t looked into the requirements around updating BIOS versions for machines already running an OS. You could look into suppressing the reboot using a package in Configuration Manager? Other than that, the only other thing I can think of would be the leverage Wake On Lan to wake up the PC’s overnight and apply the BIOS update.


  4. Aeremis says:

    Damon, I just wanted to say Thank you for this article. This seriously saved me a lot of time.

  5. Stuart says:

    Great detail Damon, cheers

  6. Hello,

    Thanks for this article, it’s exactly what I’m doing to update HP BIOS 🙂

    But, I’ve got a problem to correctly update the HP X2 1012 G1.

    After the HPBIOSUPDREC command, I’m trying to restart into WinPE (restart computer – assigned boot image), because I have to apply BIOS configuration.
    During WinPE restart command, it’s directly crash ; WinPE seems not to be staged for the next boot (general error code 0x8007000F).
    When I read the smsts.log, there is no error ; the smsboot.exe /target:WinPE is executed, with result 0.

    I can successfully update 840 G1/G2/G3, X2 612 G1, 800 G2 DM, Z240 ; but not this s*** of X2 1012 G1…

    The problems seems to be due to the BIOS method update for this model, maybe it recreates partitions or something that break WinPE staging ?

    Has somebody got this issue ???


    • Damon Johns says:

      Is the X2 1012 G1 and enterprise class device? If it is you should be able to contact HP and get assistance from your local rep. If it isn’t then I’m afraid there may not be a way to automate the BIOS update without intervention. There is big difference with HP enterprise and non enterprise class devices unfortunately.

      It could also be an issue with that BIOS – so either way you should report it to your HP rep. They are pretty good at providing assistance.


  7. John says:

    How did you get your task sequence to proceed if the BIOS version was already up to date? I tried running this task on a Folio 1040 G3 that already had the latest BIOS version and the task sequence failed. I’m thinking I could either set the task to proceed on failure or set up a WMI query to check the BIOS version first.

    • Damon Johns says:


      I just have the continue on error box checked – you can control if the step applies or not as you have already mentioned using wmi queries, I just don’t bother. Deployment Bunny (website) has a good article and script.


  8. Phil says:

    Hi Damon,

    This is much easier to manage by configuring and using the database option in MDT – especially given the number of different models you are supporting. Utilizing the database, you can assign the BIOS upgrades as a model specific applications instead of hacking additional steps into the Task Sequence. It also makes automating a raft of other model specific settings a breeze.

    Additionally, have a look at http://techgenix.com/Deploying-Windows-7-Part26/ for an alternative way of installing the correct drivers for each model as well with only two minor changes to the default Task Sequence.

    Not trying to say the way you’ve presented is wrong (it was the way I was doing it), but it got so unmanageably out of hand, I had to find a better way. YMMV.

    Please take these suggestions in the spirit intended – getting useful information out there.


    • Damon Johns says:

      No worries Phil, always different ways to achieve a result 🙂 And its good for those who visit the blog and want to implement something in a different way. I’ve used the MDT database in the past. We lease our equipment so we always have a fairly static list of models.


  9. Erik N says:


    I am having some issues getting this to work and I hope you can help me out. I am using SCCM 1610 and I am trying to configure the BIOS in the task sequence using the “Run Command Line” step.

    Everything is configured as you described, but the step fails on this command:
    BiosConfigUtility64.exe /setconfig:”EnableUEFI.txt” /nspwdfile:”securebios.bin”

    Checkingt the SMSts.log I was able to trace the problem to that this commandline is not able to find “enableUEFI.txt”. I have checked the package and the local copy of the package (C:\_SMSTaskSequence\Packages\\), every file inculding the .txt file is there.

    Then I noticed that SCCM run the command line as follows:
    “C:\_SMSTaskSequence\Packages\\BiosConfigUtility64.exe” /setconfig:”EnableUEFI.txt” /nspwdfile:”securebios.bin”

    So it adds the entire path where the executable is, but it tries to find the “EnableUEFI.txt” where the commandline is actually executed and that is not equal to “C:\_SMSTaskSequence\Packages\\”. I could just add the path to the Command Line, but I would rather not. What if the packageID for whatever reason changes? Then the path is incorrect.

    How can I make this work:
    BiosConfigUtility64.exe /setconfig:”EnableUEFI.txt” /nspwdfile:”securebios.bin”

    In the commandline TS?

    Without (!!) changing it to
    BiosConfigUtility64.exe /setconfig:”C:\_SMSTaskSequence\Packages\\EnableUEFI.txt” /nspwdfile:”C:\_SMSTaskSequence\Packages\\securebios.bin”

    I want to keep the path flexible and not hardcode in the TS.

    • Damon Johns says:

      When are you trying to run this command? Inside Windows PE? If so try using just BiosConfigUtility.exe not the x64 version. My command line for importing BIOS settings during WinPE is:

      BiosConfigUtility.exe /Set:YOURFILENAME.REPSET /nspwdfile:”password.bin”

      I do not reference txt files and I user the /set switch not /setconfig.

      Currently I’m using version of the HP BIOS Configuration Utility – probably not the latest, but I haven’t had a reason to update it.

  10. Mike C says:

    Thanks you so much for this site. Sorry if this has been answered above and I missed it. Is there a way to include\apply custom BIOS settings (i.e. boot order, etc.)? I think I have the concept of updating the BIOS to the latest version with SCCM. Is this something I should be trying with PE? We are an all HP shop. Thank you for your willingness to share your knowledge with us.

    • Damon Johns says:

      Yes you can apply a combination of settings using the tool. Check out the documentation that comes with the BIOS Config Utility for the relevant switches that you can use to export and create a settings file for each of your models. I already do this in some cases to disable usb device booting.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s