Lately I’ve been thinking about BIOS updates. More specifically the fact that I’ve needed to apply them to some of my older HP Desktops and Laptops so we could deploy Windows 10 1511 reliably. Moving forwards this was going to be an issue as we are looking to upgrade our entire business to Windows 10 CBB later in the year. I definitely did not want to be in a position where we were manually updating BIOS versions.
Here is a solution to update your BIOS versions using a Configuration Manager task sequence. I’ve focused on HP however the solution I have implemented would work for any vendor, just adjust to suit the utility they offer.
And yes to all those SSM fans out there, I know that you can add a step to update the BIOS using that HP utility against a SSM downloaded management source with all the HP updates, however I’m not a fan and have chosen not to use it for various reasons specific to my environment.
So the requirements. Well that depends on what your already doing. If you are enabling BitLocker as part of your Task Sequence then you should already been using the HP Bios Config Utility to enable your TPM and set your BIOS settings using something like BiosConfigUtility.exe /Set:TPMEnable.REPSET /nspwdfile:”password.bin” as part of Run Command Line step with a package. You will need to use your password.bin file as part of our BIOS update command as you can’t update a BIOS automatically unless you pass the password through as part of the command. Also note that if you try to update a HP BIOS and you have bitlocker enabled there is a suspend bitlocker switch which I haven’t needed to use. But its nice to know its there. Here is a link to the HP BIOS Configuration Utility Guide which also explains how you can you generate a password.bin file if required.
I have my enable TPM / Import REPSET file steps before my Update BIOS steps in my task sequence. This is to ensure that the devices BIOS settings are always configured with a password before my BIOS update step runs. This avoids the scenario where a BIOS update is attempted using a password switch where that device doesn’t have a password set. Clear as mud?
Having said all of this, if you don’t set passwords for your BIOS or don’t enable BitLocker then ignore the last few paragraphs!
The next step you will need to do is to download all the latest BIOS versions from the HP website for your models. Create a source folder in your Configuration Manager source share and then create sub-folders for each model like this:
Extract and copy each BIOS update to the relevant folder. For older models that use HpqFlash.exe the contents should look like this:
And for newer models that use HPBIOSUPDREC.exe the contents should look like this:
Once this has been completed, create a package for each BIOS update without a program and distribute them to your DP’s.
Now add some update BIOS steps to your Task Sequence. As mentioned before I have my update steps after my BIOS REPSET import settings step (which enables the TPM etc). This occurs after the PC has rebooted following the Setup Windows and ConfigMgr step.
Create a folder for the model of PC relevant to the BIOS update, then set a WMI Query so it will only run against that model. This is what you would most likely be doing for driver packages. You don’t need to worry about using anything sneaky to query the SMSBIOSVersion against the Win32_BIOS class. If the BIOS version is up to date, the utility just exits and the task sequence continues.
Next add a Run Command Line step and reference the BIOS update package you created earlier for that model. In the Command line for older BIOS updates that use hpqFlash.exe specify the command hpqFlash.exe -s. If you have a password set on your BIOS use hpqFlash.exe -ppassword.bin -s
For newer models that use HPBIOSUPDREC.exe specify the command HPBIOSUPDREC.exe -s -r. Again if you have a password set use HPBIOSUPDREC.exe -s -ppassword.bin -r.
The last step is to add a Restart Computer step which is an absolute must for obvious reasons.
That’s pretty much it, Happy BIOS Updating!