Updating HP BIOS Versions Using Configuration Manager Task Sequences

Posted: May 25, 2016 in MDT, Windows 7

Lately I’ve been thinking about BIOS updates. More specifically the fact that I’ve needed to apply them to some of my older HP Desktops and Laptops so we could deploy Windows 10 1511 reliably. Moving forwards this was going to be an issue as we are looking to upgrade our entire business to Windows 10 CBB later in the year. I definitely did not want to be in a position where we were manually updating BIOS versions.

Here is a solution to update your BIOS versions using a Configuration Manager task sequence. I’ve focused on HP; however, the solution I have implemented would work for any vendor. Just adjust it to suit the utility they offer.

And yes to all those SSM fans out there, I know that you can add a step to update the BIOS using that HP utility against a SSM downloaded management source with all the HP updates, however I’m not a fan and have chosen not to use it for various reasons specific to my environment.

So, the requirements. Well, that depends on what you’re already doing. If you are enabling BitLocker as part of your Task Sequence then you should already be using the HP BIOS Configuration Utility to enable your TPM and set your BIOS settings, using something like BiosConfigUtility.exe /Set:TPMEnable.REPSET /nspwdfile:"password.bin" as part of a Run Command Line step with a package. You will need to use your password.bin file as part of the BIOS update command, as you can’t update a BIOS automatically unless you pass the password through as part of the command. Also note that if you try to update an HP BIOS and you have BitLocker enabled, there is a suspend BitLocker switch, which I haven’t needed to use. But it’s nice to know it’s there. Here is a link to the HP BIOS Configuration Utility Guide, which also explains how you can generate a password.bin file if required.


I have my enable TPM / Import REPSET file steps before my Update BIOS steps in my task sequence. This is to ensure that the device’s BIOS settings are always configured with a password before my BIOS update step runs. This avoids the scenario where a BIOS update is attempted using a password switch where that device doesn’t have a password set. Clear as mud?

Having said all of this, if you don’t set passwords for your BIOS or don’t enable BitLocker then ignore the last few paragraphs!

The next step you will need to do is to download all the latest BIOS versions from the HP website for your models. Create a source folder in your Configuration Manager source share and then create sub-folders for each model like this:


Extract and copy each BIOS update to the relevant folder. For older models that use HpqFlash.exe the contents should look like this:


And for newer models that use HPBIOSUPDREC.exe the contents should look like this:


Once this has been completed, create a package for each BIOS update without a program and distribute them to your DPs.


Now add some update BIOS steps to your Task Sequence. As mentioned before I have my update steps after my BIOS REPSET import settings step (which enables the TPM etc). This occurs after the PC has rebooted following the Setup Windows and ConfigMgr step.


Create a folder for the model of PC relevant to the BIOS update, then set a WMI Query so it will only run against that model. This is what you would most likely be doing for driver packages. You don’t need to worry about using anything sneaky to query the SMBIOSBIOSVersion against the Win32_BIOS class. If the BIOS version is up to date, the utility just exits and the task sequence continues.


Next, add a Run Command Line step and reference the BIOS update package you created earlier for that model. In the Command line for older BIOS updates that use hpqFlash.exe, specify the command hpqFlash.exe -s. If you have a password set on your BIOS, use hpqFlash.exe -ppassword.bin -s.


For newer models that use HPBIOSUPDREC.exe, specify the command HPBIOSUPDREC.exe -s -r. Again, if you have a password set, use HPBIOSUPDREC.exe -s -ppassword.bin -r.


The last step is to add a Restart Computer step which is an absolute must for obvious reasons.
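
The update step can also be wrapped in a script so that the utility runs from the package folder and its exit code is interpreted before the task sequence sees it. The following is an added example, not code from the original post or from HP: the script name Invoke-HPBiosUpdate.ps1 and its placement inside the model's BIOS package are assumptions, the switches are the ones given above, and exit codes 273 and 282 are the values reported by a commenter on this page.

```powershell
# Added example (hypothetical Invoke-HPBiosUpdate.ps1), not the author's code.
# Assumes it is stored in the model's BIOS package beside the HP utility and,
# where a BIOS password is set, the password.bin file described above.
$pkg = $PSScriptRoot   # package folder, independent of the step's working directory
$hasPwd = Test-Path (Join-Path $pkg 'password.bin')

# Choose the utility this package contains; switches are the ones given above.
if (Test-Path (Join-Path $pkg 'HPBIOSUPDREC.exe')) {
    $tool = 'HPBIOSUPDREC.exe'
    $toolArgs = if ($hasPwd) { '-s', '-ppassword.bin', '-r' } else { '-s', '-r' }
} elseif (Test-Path (Join-Path $pkg 'hpqFlash.exe')) {
    $tool = 'hpqFlash.exe'
    $toolArgs = if ($hasPwd) { '-ppassword.bin', '-s' } else { '-s' }
} else {
    Write-Output "No HP flash utility found in $pkg"
    exit 1
}

# If BitLocker protection is already on, suspend it for one restart so the
# firmware change does not trigger a recovery-key prompt on the next boot.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($vol -and $vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
    }
}

# Run from the package folder so the relative password.bin path resolves.
$proc = Start-Process -FilePath (Join-Path $pkg $tool) -ArgumentList $toolArgs `
    -WorkingDirectory $pkg -Wait -PassThru
$code = $proc.ExitCode

# Exit codes to treat as success. 273 and 282 are the values a commenter on
# this page reports for "same version" and "installed BIOS is newer".
$success = @{
    0    = 'BIOS updated'
    3010 = 'BIOS updated, restart required'
    273  = 'BIOS already at this version'
    282  = 'installed BIOS is newer than the package'
}
if ($success.ContainsKey($code)) {
    Write-Output "$tool exit ${code}: $($success[$code])"
    if ($code -eq 3010) { exit 3010 } else { exit 0 }
}
Write-Output "$tool failed with exit code $code"
exit $code
```

Call it from the Run Command Line step with powershell.exe -ExecutionPolicy Bypass -File Invoke-HPBiosUpdate.ps1 and keep the Restart Computer step after it. Any exit code outside the table fails the step, so a genuine flash error is not hidden the way it would be with continue on error.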

That’s pretty much it, Happy BIOS Updating!

Cheers

Damon

 

 

 

Comments
  1. Antoine says:

    Great info! Will be doing just that. Just one thing though: wouldn’t it be more efficient to put only one Restart Computer at the end of the Update BIOS step instead of one for each machine (and less bloating, too)?

    • Damon Johns says:

      Hi Antoine,

      Yes you could definitely do it that way, I’ve structured my Task Sequence that way to make it easier for me as a personal preference to see each model and understand what the sequence is doing.

      Cheers
      Damon

  2. drieswillems says:

    Dear,

    I receive the following message when making changes to the hp bios config.
    How do you automate this message?
    h30434.www3.hp.com/t5/Desktop-Hardware-and-Upgrade-Questions/HP-Bios-Configuration-Utility-Accept-the-BIOS-System/td-p/5782164

    Kind regards,
    Dries

  3. Hoi Damon
    Thanks for that info so far. We have already been doing this for a couple of years for HP devices during OS Deployment. Now we want to do it for machines running an OS, without setting up the OS again.
    How would you do this? With a task sequence? Required or available? I tried it with a TS, but the problem is that there are several reboots necessary and the TS needs more than 5 minutes to restart after a reboot. Meanwhile the user starts working and his work will be interrupted several times.
    My steps:
    1. disable bitlocker
    2. clear bios password
    3. reboot
    4. bios update
    5. reboot
    6. set bios password
    7. set bios settings
    8. reboot
    9. enable bit locker
    10. reboot
    Any suggestions? How would you do it?

    Chris

    • Damon Johns says:

      Hi Christof,

      Apologies for taking so long to reply as I’ve been on holidays. I haven’t looked into the requirements around updating BIOS versions for machines already running an OS. You could look into suppressing the reboot using a package in Configuration Manager? Other than that, the only other thing I can think of would be to leverage Wake On Lan to wake up the PCs overnight and apply the BIOS update.

      Cheers
      Damon

  4. Aeremis says:

    Damon, I just wanted to say Thank you for this article. This seriously saved me a lot of time.

  5. Stuart says:

    Great detail Damon, cheers

  6. Hello,

    Thanks for this article, it’s exactly what I’m doing to update HP BIOS 🙂

    But, I’ve got a problem to correctly update the HP X2 1012 G1.

    After the HPBIOSUPDREC command, I’m trying to restart into WinPE (restart computer – assigned boot image), because I have to apply BIOS configuration.
    During the WinPE restart command, it crashes directly; WinPE seems not to be staged for the next boot (general error code 0x8007000F).
    When I read the smsts.log, there is no error ; the smsboot.exe /target:WinPE is executed, with result 0.

    I can successfully update 840 G1/G2/G3, X2 612 G1, 800 G2 DM, Z240 ; but not this s*** of X2 1012 G1…

    The problem seems to be due to the BIOS update method for this model, maybe it recreates partitions or something that breaks WinPE staging?

    Has somebody got this issue ???

    Regards

    • Damon Johns says:

      Is the X2 1012 G1 an enterprise class device? If it is you should be able to contact HP and get assistance from your local rep. If it isn’t then I’m afraid there may not be a way to automate the BIOS update without intervention. There is a big difference between HP enterprise and non enterprise class devices unfortunately.

      It could also be an issue with that BIOS – so either way you should report it to your HP rep. They are pretty good at providing assistance.

      Cheers
      Damon

  7. John says:

    How did you get your task sequence to proceed if the BIOS version was already up to date? I tried running this task on a Folio 1040 G3 that already had the latest BIOS version and the task sequence failed. I’m thinking I could either set the task to proceed on failure or set up a WMI query to check the BIOS version first.

    • Damon Johns says:

      Hi,

      I just have the continue on error box checked – you can control if the step applies or not as you have already mentioned using wmi queries, I just don’t bother. Deployment Bunny (website) has a good article and script.

      Cheers
      Damon

    • Erik N says:

      @John. I faced the exact same problem and I’d rather not use the “continue on error” option. IMHO the better solution is to add the exit codes to the “Success codes:” field on the options tab.

      – BIOS is already same version: 273
      – BIOS installed is newer than the one set to install: 282

      It will look like this after adding the above codes:
      “Success codes: 0 3010 273 282”

  8. Phil says:

    Hi Damon,

    This is much easier to manage by configuring and using the database option in MDT – especially given the number of different models you are supporting. Utilizing the database, you can assign the BIOS upgrades as model-specific applications instead of hacking additional steps into the Task Sequence. It also makes automating a raft of other model-specific settings a breeze.

    Additionally, have a look at http://techgenix.com/Deploying-Windows-7-Part26/ for an alternative way of installing the correct drivers for each model as well with only two minor changes to the default Task Sequence.

    Not trying to say the way you’ve presented is wrong (it was the way I was doing it), but it got so unmanageably out of hand, I had to find a better way. YMMV.

    Please take these suggestions in the spirit intended – getting useful information out there.

    Regards,
    Phil.

    • Damon Johns says:

      No worries Phil, always different ways to achieve a result 🙂 And it’s good for those who visit the blog and want to implement something in a different way. I’ve used the MDT database in the past. We lease our equipment so we always have a fairly static list of models.

      Cheers
      Damon

  9. Erik N says:

    Hi,

    I am having some issues getting this to work and I hope you can help me out. I am using SCCM 1610 and I am trying to configure the BIOS in the task sequence using the “Run Command Line” step.

    Everything is configured as you described, but the step fails on this command:
    BiosConfigUtility64.exe /setconfig:"EnableUEFI.txt" /nspwdfile:"securebios.bin"

    Checking the SMSts.log I was able to trace the problem to this command line not being able to find “enableUEFI.txt”. I have checked the package and the local copy of the package (C:\_SMSTaskSequence\Packages\\), every file including the .txt file is there.

    Then I noticed that SCCM run the command line as follows:
    "C:\_SMSTaskSequence\Packages\\BiosConfigUtility64.exe" /setconfig:"EnableUEFI.txt" /nspwdfile:"securebios.bin"

    So it adds the entire path where the executable is, but it tries to find the “EnableUEFI.txt” where the commandline is actually executed and that is not equal to “C:\_SMSTaskSequence\Packages\\”. I could just add the path to the Command Line, but I would rather not. What if the packageID for whatever reason changes? Then the path is incorrect.

    How can I make this work:
    BiosConfigUtility64.exe /setconfig:"EnableUEFI.txt" /nspwdfile:"securebios.bin"

    In the commandline TS?

    Without (!!) changing it to
    BiosConfigUtility64.exe /setconfig:"C:\_SMSTaskSequence\Packages\\EnableUEFI.txt" /nspwdfile:"C:\_SMSTaskSequence\Packages\\securebios.bin"

    I want to keep the path flexible and not hardcode in the TS.

    • Damon Johns says:

      When are you trying to run this command? Inside Windows PE? If so try using just BiosConfigUtility.exe not the x64 version. My command line for importing BIOS settings during WinPE is:

      BiosConfigUtility.exe /Set:YOURFILENAME.REPSET /nspwdfile:"password.bin"

      I do not reference txt files and I use the /set switch not /setconfig.

      Currently I’m using version 4.0.15.1 of the HP BIOS Configuration Utility – probably not the latest, but I haven’t had a reason to update it.

      • Erik N says:

        I was not able to find the problem nor the solution, although it did start to work all of a sudden, without adding the path.

  10. Mike C says:

    Thank you so much for this site. Sorry if this has been answered above and I missed it. Is there a way to include\apply custom BIOS settings (i.e. boot order, etc.)? I think I have the concept of updating the BIOS to the latest version with SCCM. Is this something I should be trying with PE? We are an all HP shop. Thank you for your willingness to share your knowledge with us.

    • Damon Johns says:

      Yes you can apply a combination of settings using the tool. Check out the documentation that comes with the BIOS Config Utility for the relevant switches that you can use to export and create a settings file for each of your models. I already do this in some cases to disable usb device booting.

  11. Steve says:

    Hi:
    Would you be willing to share the bios/firmware configuration files for the following models?
    They are hp 820 G3, hp folio 9470m and hp folio 9480m?
    I’m banging my head on the wall with these three models.
    Thanks
    steve

    • Damon Johns says:

      Hi Steve,

      No worries. My config simply enables settings for bit-locker so keep this in mind.

      820 G3:

      BIOSConfig 1.0

      TPM Device
          Hidden
          *Available
      TPM State
          Disable
          *Enable
      Clear TPM
          *No
          On next boot
      TPM Activation Policy
          F1 to Boot
          Allow user to reject
          *No prompts

      Folio 9470m:

      BIOSConfig 1.0

      Activate TPM On Next Boot
          Disable
          *Enable
      TPM Activation Policy
          F1 to Boot
          Allow user to reject
          *No prompts
      OS Management of TPM
          *Enable
          Disable
      Reset of TPM from OS
          Disable
          *Enable
      TPM Device
          Hidden
          *Available

      9480m:

      BIOSConfig 1.0

      Reset of TPM from OS
          Disable
          *Enable
      OS Management of TPM
          Disable
          *Enable
      Activate TPM On Next Boot
          Disable
          *Enable
      TPM Device
          Hidden
          *Available
      TPM Activation Policy
          F1 to Boot
          Allow user to reject
          *No prompts
      OS Management of TPM Security Level
          Change
          *View
          Hide
      Reset of TPM from OS Security Level
          Change
          *View
          Hide
