Archive for the ‘Windows 7’ Category

Lately I’ve been thinking about BIOS updates. More specifically, the fact that I’ve needed to apply them to some of my older HP desktops and laptops so we could deploy Windows 10 1511 reliably. Moving forward this was going to be an issue, as we are looking to upgrade our entire business to Windows 10 CBB later in the year, and I definitely did not want to be in a position where we were manually updating BIOS versions.

Here is a solution to update your BIOS versions using a Configuration Manager task sequence. I’ve focused on HP; however, the approach works for any vendor, just adjust the command lines to suit the flash utility they offer.

And yes, to all those SSM fans out there, I know you can add a step that updates the BIOS using HP System Software Manager (SSM) against a downloaded SSM management source containing all the HP updates. I’m not a fan and have chosen not to use it for various reasons specific to my environment.

So, the requirements. Well, that depends on what you’re already doing. If you are enabling BitLocker as part of your task sequence then you should already be using the HP BIOS Configuration Utility to enable the TPM and set your BIOS settings, with a Run Command Line step and a package running something like BiosConfigUtility.exe /Set:TPMEnable.REPSET /nspwdfile:"password.bin". You will need that same password.bin file for the BIOS update command, because the flash utility will not update a BIOS silently when a setup password is set unless you pass the password file on the command line. Treat password.bin as a credential: it carries the BIOS setup password for every machine you apply it to, so restrict who can read the package source and the distribution point content that contains it.

Also note that the HP flash utility has a switch to suspend BitLocker for the update, which I haven’t needed to use, but it’s nice to know it’s there. A BIOS flash changes the firmware measurements the TPM records, so flashing a machine on which BitLocker is already enabled with a TPM protector can leave it asking for the recovery key at the next boot; suspend BitLocker first if you ever run the update on such a machine. Here is a link to the HP BIOS Configuration Utility Guide, which also explains how to generate a password.bin file if required.


I have my enable TPM / import REPSET file steps before my update BIOS steps in my task sequence. This ensures the device’s BIOS settings are always configured with a setup password before the BIOS update step runs, and avoids the scenario where a BIOS update is attempted with the password switch on a device that doesn’t have a password set. Clear as mud?

Having said all of this, if you don’t set passwords on your BIOS or don’t enable BitLocker, then ignore the last few paragraphs!

The next step is to download the latest BIOS version from the HP website for each of your models. Create a source folder in your Configuration Manager source share and then create sub-folders for each model, like this:


Extract and copy each BIOS update into the relevant folder. For older models that use HpqFlash.exe the contents should look like this:


And for newer models that use HPBIOSUPDREC.exe the contents should look like this:


Once this has been completed, create a package for each BIOS update (with no program) and distribute them to your DPs.


Now add some update BIOS steps to your task sequence. As mentioned, I have my update steps after my BIOS REPSET import step (which enables the TPM etc.), which itself runs after the PC has rebooted following the Setup Windows and ConfigMgr step.


Create a folder for the model of PC relevant to the BIOS update, then set a WMI query condition on it so it only runs against that model; this is most likely what you are already doing for driver packages. You don’t need anything sneaky that queries the SMBIOSBIOSVersion property of the Win32_BIOS class and compares versions: if the BIOS is already up to date, the utility just exits and the task sequence continues.


Next add a Run Command Line step and reference the BIOS update package you created earlier for that model. For older BIOS updates that use hpqFlash.exe, specify the command line hpqFlash.exe -s. If you have a password set on your BIOS, use hpqFlash.exe -ppassword.bin -s (written exactly like that, with no space between -p and the file name).


For newer models that use HPBIOSUPDREC.exe, specify HPBIOSUPDREC.exe -s -r. Again, if you have a password set, use HPBIOSUPDREC.exe -s -ppassword.bin -r. The -s switch makes the update silent and -r stops the utility from rebooting on its own, so the task sequence stays in control of the restart.


The last step is to add a Restart Computer step, which is an absolute must: the update is not finished until the machine restarts, and you have just told the utility not to reboot by itself.
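As an added example (not code from the original post), here is what the whole procedure above looks like when the Run Command Line step is replaced by one Run PowerShell Script step per model package. The folder's WMI condition stays the same kind of query you use for driver packages, for instance SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%<model name>%". The script logs the current model and BIOS version, picks whichever HP flash utility the package contains, only adds the password switch when password.bin is actually in the package (the scenario the TPM/REPSET ordering above is meant to avoid), and hands the utility's exit code back to the task sequence. Everything beyond the package layout and the -s, -p and -r switches from the post (the log path, the function names, the manufacturer check) is an assumption made for this example.

```powershell
# Added example, not the post's own code. Run from a "Run PowerShell Script"
# task sequence step that references the model's BIOS package, followed by the
# Restart Computer step as in the post.
# Assumptions (not from the post): package root holds hpqFlash.exe or
# HPBIOSUPDREC.exe plus the BIOS image and optionally password.bin; the log
# path and function names are chosen here.
param(
    [string]$PackageRoot,
    [string]$PasswordFile = 'password.bin',
    [string]$LogFile = "$env:SystemRoot\Temp\BiosUpdate.log"
)

if (-not $PackageRoot) { $PackageRoot = Split-Path -Parent $MyInvocation.MyCommand.Path }

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

# Model and BIOS version as the task sequence WMI condition and Win32_BIOS see them
function Get-BiosState {
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $bios = Get-WmiObject -Class Win32_BIOS
    New-Object PSObject -Property @{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        Version      = $bios.SMBIOSBIOSVersion
    }
}

# Builds the command line the post describes for whichever updater is in the package
function Get-UpdaterCommand([string]$Root, [string]$PwdFile) {
    $exe = Get-ChildItem -Path $Root -Filter '*.exe' |
        Where-Object { @('hpqflash.exe', 'hpbiosupdrec.exe') -contains $_.Name.ToLower() } |
        Select-Object -First 1
    if (-not $exe) { return $null }
    # Only pass -p when the package actually ships a password file
    $hasPassword = Test-Path (Join-Path $Root $PwdFile)
    switch ($exe.Name.ToLower()) {
        'hpqflash.exe'     { $argList = @(); if ($hasPassword) { $argList += "-p$PwdFile" }; $argList += '-s' }
        'hpbiosupdrec.exe' { $argList = @('-s'); if ($hasPassword) { $argList += "-p$PwdFile" }; $argList += '-r' }
    }
    New-Object PSObject -Property @{ Path = $exe.FullName; Arguments = $argList }
}

$state = Get-BiosState
Write-Log "Model '$($state.Model)' ($($state.Manufacturer)), current BIOS $($state.Version)"

# Belt and braces: the folder's WMI condition should already restrict the model
if ($state.Manufacturer -notmatch 'Hewlett-Packard|HP') {
    Write-Log 'Not an HP system, skipping'
    exit 0
}

$cmd = Get-UpdaterCommand -Root $PackageRoot -PwdFile $PasswordFile
if (-not $cmd) { Write-Log "No HP flash utility found in $PackageRoot"; exit 1 }

Write-Log "Running $($cmd.Path) $($cmd.Arguments -join ' ')"
# password.bin is referenced by relative name, so the working directory must be the package
$proc = Start-Process -FilePath $cmd.Path -ArgumentList $cmd.Arguments `
    -WorkingDirectory $PackageRoot -Wait -PassThru -WindowStyle Hidden
Write-Log "Exit code $($proc.ExitCode); Win32_BIOS reports the new version only after the restart"
exit $proc.ExitCode
```

A non-zero exit code fails the step, so check what code the HP utility returns on a system that is already current (the post notes that it simply exits) and either set the step to continue on error or map that code to 0 in the script. The log also gives you the "before" version, which is handy when a help desk ticket asks whether a machine was actually flashed.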

That’s pretty much it, Happy BIOS Updating!

Let’s assume that you’re using MDT 2013, WSUS and Hyper-V to build and capture your Windows 7 SP1 reference image.

Due to the large number of updates now required for Windows 7 SP1 (over 200!), you may run into an issue where your VM runs out of memory. Specifically, the problem is caused by the TrustedInstaller.exe process consuming memory while the updates are installed. To avoid this, make sure you allocate at least 4 GB of memory to the VM. It’s also worth adding a second virtual processor to improve performance.

Even with these settings it takes a very long time for the process to complete. Hopefully Microsoft will release a new ISO this year with the updates included.

Recently we noticed some performance issues on laptops with shared graphics when the Windows 7 Basic theme was in use (particularly with external monitors connected over DisplayPort cables). These issues went away when the Windows 7 Aero theme was selected. We were even able to reproduce the problems on the manufacturer’s image.

I asked on a few international Configuration Manager forums and, apparently, ending up with the Windows 7 Basic theme as the default is a well-known issue when you capture an image on a virtual platform such as Hyper-V or VMware: the WinSAT assessment in the image was taken against the virtual machine’s graphics (or never run at all), and without a valid assessment for the real hardware Windows won’t turn Aero on. Some are deploying custom branded themes (which use Aero), others set the default Windows 7 Aero theme with Group Policy, as we have done with this solution, and others are aware of the setting but have elected to do nothing and leave Windows 7 using the Basic theme as the default.

We have applied two distinct actions.

1. Added a step at the end of our build task sequences that runs winsat.exe dwm, which assesses the ability of the system to display the Aero desktop effects.


2. Created a new Group Policy Object, targeted at Windows 7 with a WMI filter, that sets the Windows 7 Aero theme. The settings are located under User Configuration \ Administrative Templates \ Control Panel \ Personalization: "Force a specific visual style file or force Windows Classic" and "Load a specific theme".
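The following is an added check for the two actions above, written for this page rather than taken from the original post. It reports whether the machine has a valid WinSAT assessment and its graphics score, whether Desktop Window Manager composition (what Aero actually needs) is on, which theme is current, and what the two personalization policies resolve to, and it can run the same winsat dwm assessment when one is missing or stale. It assumes (not stated in the post) that the two GPO settings named above write the ThemeFile and SetVisualStyle values under HKCU\Software\Policies\Microsoft\Windows\Personalization; the function names are chosen here.

```powershell
# Added example, not from the original post: verify the Aero fix after deployment.
# Assumptions (not from the post): policy value names ThemeFile / SetVisualStyle
# under HKCU\Software\Policies\Microsoft\Windows\Personalization.

# DwmIsCompositionEnabled from dwmapi.dll tells us whether Aero (DWM composition) is really on
Add-Type -Namespace Native -Name Dwm -MemberDefinition @'
[DllImport("dwmapi.dll")]
public static extern int DwmIsCompositionEnabled(out bool enabled);
'@

function Get-AeroStatus {
    $sat = Get-WmiObject -Class Win32_WinSAT
    $composition = $false
    [void][Native.Dwm]::DwmIsCompositionEnabled([ref]$composition)
    $policy = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Personalization' -ErrorAction SilentlyContinue
    $theme  = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        # WinSATAssessmentState: 0 unknown, 1 valid, 2 out of date for this hardware,
        # 3 never run, 4 invalid. Anything but 1 is the symptom described in the post.
        AssessmentState   = $sat.WinSATAssessmentState
        GraphicsScore     = $sat.GraphicsScore
        DwmComposition    = $composition
        CurrentTheme      = $theme.CurrentTheme
        PolicyThemeFile   = $policy.ThemeFile
        PolicyVisualStyle = $policy.SetVisualStyle
    }
}

# Runs the same assessment as the task sequence step, but only when it is needed.
# winsat must run elevated.
function Invoke-AeroAssessment {
    $before = Get-AeroStatus
    if ($before.AssessmentState -eq 1) { return $before }
    Start-Process -FilePath "$env:SystemRoot\System32\winsat.exe" -ArgumentList 'dwm' -Wait -WindowStyle Hidden
    Get-AeroStatus
}

Get-AeroStatus | Format-List
```

Run it as the logged-on user (the policy and theme values are per user) from an elevated prompt if you want Invoke-AeroAssessment to be able to run winsat. A machine with DwmComposition False and an AssessmentState other than 1 is the one the extra task sequence step is there to fix; a machine with a valid assessment but a Basic CurrentTheme is one where the Group Policy has not applied yet.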



Our builds are now using Windows 7 Aero theme as the default upon login.



This is an interesting one with a useful fix to know about.

A few months ago I did a new MDT build and capture; the process was largely automated, with LTISuspend.wsf used to pause and check a few things before resuming.

Recently I noticed that the Windows Firewall service wasn’t running on some computers. Not all, but still quite a few. I traced the problem back to this particular build.

Digging a bit more into the error, I could see Event ID 7024 being logged: "The Windows Firewall service terminated with service-specific error Access is denied."



The following Microsoft KB article was useful in diagnosing the fault and confirmed that the problem was related to the "NT Service\MpsSvc" service account not having the correct permissions on some registry keys.

It would seem that somewhere during the build and capture process the service account permissions were stripped out or not applied correctly, possibly during the WSUS patching phase of the build.

The following blog discusses the specific permissions required for the Windows Firewall service to start under Windows 7.

There are quite a few articles that describe the cause and how to fix the problem, however I was unable to find a script or automated solution. To set the correct registry permissions automatically I wrote a simple batch file using SubInACL, then created a program for it in Configuration Manager 2012 and deployed it to all my affected Windows 7 instances. Here is the script:

Please be aware that when copying and pasting from this blog the quotes may come across as curly "inverted commas", which the command line won’t accept; re-type them as straight quotes if the commands fail.

REM Restore the permissions the Windows Firewall service (MpsSvc) needs on the
REM SharedAccess keys (see KB 943996); run from an elevated command prompt
SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy" /grant="NT Service\MpsSvc"=QSCEYDA
SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch" /grant="NT Service\MpsSvc"=QS
SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2" /grant="NT Service\MpsSvc"=QS
SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" /grant="NT Service\MpsSvc"=QSCEYDA
REM Start the service now that it can read and write its policy keys again
net start mpssvc


SubInACL can be downloaded from here.

The script grants the MpsSvc service account the permissions on the registry keys discussed in KB article 943996 and the Microsoft TechNet blog (in SubInACL’s notation Q = query value, S = set value, C = create subkey, E = enumerate subkeys, Y = notify, D = delete, A = read control), then starts the Windows Firewall service and exits. Of course you can also simply run the bat file from an elevated command prompt. The screenshot below shows the keys that are changed.
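If you would rather confirm the damage before pushing the batch file out, or fix it without shipping SubInACL, here is an added PowerShell equivalent (written for this page, not the original post's script). It looks for the Event ID 7024 symptom, checks each of the four keys for the rights the batch file grants, and can restore only the ones that are missing using the built-in Get-Acl/Set-Acl cmdlets. Assumptions not stated in the post: the SubInACL letters map onto the .NET RegistryRights flags as shown, the grants are applied as "this key and subkeys" (ContainerInherit), and the account resolves as NT SERVICE\MpsSvc; the function names are chosen here.

```powershell
# Added example, not from the original post. Run elevated.
# Assumptions (not from the post): QSCEYDA -> QueryValues,SetValue,CreateSubKey,
# EnumerateSubKeys,Notify,Delete,ReadPermissions and QS -> QueryValues,SetValue;
# rules added with ContainerInherit so subkeys such as FirewallRules inherit them.
$MpsSvc = 'NT SERVICE\MpsSvc'
$Full   = 'QueryValues,SetValue,CreateSubKey,EnumerateSubKeys,Notify,Delete,ReadPermissions'
$RequiredAcl = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy'   = $Full
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch'                     = 'QueryValues,SetValue'
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2'                    = 'QueryValues,SetValue'
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy' = $Full
}

# The symptom from the post: SCM event 7024 for the firewall service
function Get-FirewallStartFailure {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7024 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Windows Firewall' } |
        Select-Object TimeCreated, Message
}

# One result per key: the rights required, the rights MpsSvc actually holds, and whether that is enough
function Test-MpsSvcRegistryAcl {
    foreach ($key in $RequiredAcl.Keys) {
        $need = [System.Security.AccessControl.RegistryRights]$RequiredAcl[$key]
        $have = [System.Security.AccessControl.RegistryRights]0
        # OR together every Allow ACE granted to the service account (FullControl covers everything)
        foreach ($ace in (Get-Acl -Path $key).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -ieq $MpsSvc) {
                $have = $have -bor $ace.RegistryRights
            }
        }
        New-Object PSObject -Property @{
            Key      = $key
            Required = $need
            Granted  = $have
            Ok       = (($have -band $need) -eq $need)
        }
    }
}

# Adds the missing rule on each failing key only; keys that are already correct are left alone
function Repair-MpsSvcRegistryAcl {
    foreach ($result in (Test-MpsSvcRegistryAcl | Where-Object { -not $_.Ok })) {
        $acl  = Get-Acl -Path $result.Key
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $MpsSvc, $result.Required, 'ContainerInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $result.Key -AclObject $acl
        Write-Output "Restored $($result.Required) for $MpsSvc on $($result.Key)"
    }
}

Get-FirewallStartFailure | Format-List
Test-MpsSvcRegistryAcl | Format-Table Key, Ok, Granted -AutoSize
```

Run Test-MpsSvcRegistryAcl first: on a healthy Windows 7 machine every key reports Ok True, which makes it a useful compliance check to keep in Configuration Manager even after the fix. Follow Repair-MpsSvcRegistryAcl with Start-Service MpsSvc, just as the batch file ends with net start mpssvc.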


Applying this change resolved the problem, and performing a new MDT build and capture, then deploying that WIM file with Configuration Manager 2012 R2 CU1, has not resulted in the problem re-occurring.

Use this script at your own risk: whilst it only restores permissions that should already be present, it should still be tested in a lab environment before use.