In this guide, I am going to demonstrate how to use System Center Configuration Manager (SCCM) to deploy, update, and lockdown the BIOS on Dell systems using Dell Command | Configure.
Profile gravatar of Alex Pazik

Alex Pazik

Alexander specializes in Windows deployments and systems management applications such as System Center Configuration Manager and System Center Operations Manager.
Profile gravatar of Alex Pazik

Updating the BIOS on multiple laptops and desktops can be a tiresome task that may just seem easier to do without. However, securing the BIOS can prevent attackers from overwriting or tampering with the OS and ensures your data stays safe.

Please note that this guide only applies to Dell systems. I tested these steps on a Dell OptiPlex 780 SFF (Small Form Factor), Dell OptiPlex 790 SFF, and Dell OptiPlex 3040 MT (Mini-Tower). All systems were running Windows 7 Professional x64 and Windows 10 Pro x64. I cannot guarantee this guide will work with Windows Vista or Windows XP.

Before we get started, you are going to need the following tools installed on your workstation:

  • System Center Configuration Manager 2012 R2 Admin Console
  • Dell Command | Configure Toolkit (Download)

First, download the latest BIOS revisions for each of the models deployed throughout your organization from Dell's support website. Create a new folder in which you will place the downloaded revisions. For this guide, I will be saving all necessary files to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS

BIOS repository

BIOS repository

I have created separate folders for each model. If you download multiple revisions for one model, I suggest you come up with a naming convention so you don't have multiple separate directories to hold one revision. For this guide, I will be using the following naming convention:

O780-A15 | O = OptiPlex (Family), 780 = (Model), - A15 = (BIOS Revision)

Next, launch the Dell Command | Configure Toolkit Wizard. Although you can configure separate packages for each model in your organization, I recommend creating a multiplatform package that will work with all models. I have never had any issues creating a multiplatform package that works with different Dell models, even those manufactured as late as 2010. With that in mind, select the Create Multiplatform Package tab and configure the package options.

Dell Command | Configure Toolkit

Dell Command | Configure Toolkit

For this guide, I have configured the following options:

My configuration

My configuration

When you are satisfied with your configuration, export your package as a .CCTK (Client Configuration Toolkit) file using the EXPORT CONFIG button and save it to a location SCCM can access. For this guide, I will be saving my configuration to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS\Dell CCTK\~Configs

Once you save your configuration, navigate to "C:\Program Files (x86)\Dell\Command Configure" and copy the contents of the folder "X86_64" to a location SCCM can access. You will be importing the directory to which you copy these files as a package in SCCM. For this guide, I will be copying these files to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS\Dell CCTK

Note your configuration file and the contents from the "X86_64" folder must be accessible through the same package in SCCM. This is because you need Dell's CCTK executable to apply your configuration.

CCTK folder structure

CCTK folder structure

Now we are ready to create the task sequence that will push the BIOS configuration. The toolkit will deploy this task sequence as a required advertisement and will also flash any BIOS updates needed using the revisions you downloaded earlier.

Open the Configuration Manager Admin Console and navigate to the Software Library applet. Expand the Application Management node and click on the Packages applet. Create a new package using the Dell CCTK folder you just created, but do not create a program or add any requirements.

Dell Command | Configure Toolkit package

Dell Command | Configure Toolkit package

When you are finished creating the package, distribute it to the necessary distribution points. Now we need to import the BIOS revisions downloaded earlier into SCCM. Create a package for each model you wish to deploy BIOS updates to, but do not create a program or add any requirements.

Dell OptiPlex 3040 BIOS revisions

Dell OptiPlex 3040 BIOS revisions

After creating your packages, you can distribute them to the necessary distribution points. When you add a new revision to the source folder, you will need to update your distribution points to push the revision out to clients.

All BIOS revision packages

All BIOS revision packages

Finally, we are going to create the task sequence that will push your BIOS configuration and any needed updates.

Expand the Operating Systems node and click on the Task Sequences applet. Create a new custom task sequence, and specify a name and boot image to use.

Create task sequence wizard

Create task sequence wizard

When you are done, click Close to exit the New Custom Task Sequence Wizard. Open your newly created task sequence and create a new group called "Apply BIOS Updates." Add a new step to Run Command Line and configure the step as shown below:

Install HAPI driver properties

Install HAPI driver properties

Install HAPI driver options

Install HAPI driver options

Note you do not need to specify the BIOS password to install the HAPI driver. The next step in the task sequence will clear the password before applying any updates or configurations. Add another step to Run Command Line and configure the step as shown below:

Clear BIOS password properties

Clear BIOS password properties

Clear BIOS password options

Clear BIOS password options

Note that this is the only step where we will tell the task sequence to continue on error, as new machines will not have a password set in the BIOS. Make sure the value you set for "‑valsetuppwd" is your current administrator password and that you've typed it correctly, otherwise your task sequence will fail. Add another step to Run Command Line and configure the step as shown below:

Flash BIOS OptiPlex 780 properties

Flash BIOS OptiPlex 780 properties

Take note of the following parameters:

  • O780-A15.exe – Name of the executable located in the package source folder.
  • /s – Switch to run the executable silently.
  • /r – Switch to force a system restart. If this switch is not present, the flash with fail and generate error code 2.
  • /l=C:\Temp\O780_A15.log – Switch to generate a log file from the executable.
Flash BIOS Dell OptiPlex 780 options

Flash BIOS Dell OptiPlex 780 options

Make sure to point the step to the package that contains the executable you wish to run. Repeat this process for every model to which you wish to deploy BIOS updates. If you add a new revision, you will need to update the executable name and WMI queries as needed. It seems that newer Dell models such as the OptiPlex 3040 do not use A01, A02, etc. as their BIOS revisions but just numbers instead (1, 1.4.2, etc.). Pay close attention when entering your WMI query for the "SMBIOSBIOSVersion" property. When you are done, add a new group called "Apply BIOS Configuration" and add another step to Run Command Line. Configure the step as shown below:

Lockdown BIOS all systems properties

Lockdown BIOS all systems properties

Lockdown BIOS all systems options

Lockdown BIOS all systems options

Unlike the previous steps in the task sequence, this step will run if any of the conditions are true. In this case, if any models match the model on which this task sequence is running, the step will apply the BIOS configuration. You will need to add a WMI query for each model in your organization. Finally, add one more step to Run Command Line and configure the step as shown below:

Set BIOS password properties

Set BIOS password properties

Set BIOS password options

Set BIOS password options

Close the task sequence when you've finished configuring the last step. Finally, we are going to deploy the task sequence to a device collection. Right-click on the task sequence and click Deploy. Choose a collection to deploy the task sequence to and click Next. Choose Required as the purpose and make the advertisement available only to Configuration Manager clients. When specifying the deployment schedule, keep in mind the task sequence will force a reboot on the machine. For this reason, I have chosen to deploy the task sequence at 11:00 PM.

Run at 11:00 PM

Run at 11:00 PM

Since we do not need to modify any other settings past this point, keep clicking Next until you finish the Deploy Software Wizard. Depending on the time at which you specified your deployment to become available, you will be able to see the task sequence start to run.

Install HAPI driver action

Install HAPI driver action

Flash BIOS Dell OptiPlex 780 action

Flash BIOS Dell OptiPlex 780 action

Lockdown BIOS all systems

Lockdown BIOS all systems

To confirm the task sequence successfully applied your BIOS configuration, check the directory you specified for the CCTK log file to see the changes that took place. If an option is not applicable to a certain model, the CCTK executable will flag it accordingly.

CCTK log

CCTK log

Take part in our competition and win $100!

Share
1+

Users who have LIKED this post:

  • avatar

9 Comments
  1. avatar
    seb 4 months ago

    Hi, why don't you just specify the bios password during the update bios with the /p  instead of clearing / re specifying it?

    also those password will appear in clear text in the logs files, which I find annoying, I've ended up creating a SCE.exe from the dell command| configure with just the new bios password parameter, that will hide it.

    0
    • Profile gravatar of Alex Pazik Author
      Alex Pazik 4 months ago

      If you run the task sequence on a new computer that has an outdated BIOS revision and does not have a BIOS password set, and you specify the /p switch for the BIOS update the update will fail because an incorrect password was specified. If you choose the option to continue on error, the BIOS will not update which defeats the purpose of the step.

      As for the password being stored in clear text in log files, this is not true. Dell was smart enough to configure their utility to omit the specified password when writing log files (see the CCTK log file image). Even though the password will be stored in clear text in the task sequence step, only users with access to SCCM will be able to see the password.

      0
  2. avatar
    seb 4 months ago

    make sense:) thanks for your reply.

    the smsts.log will display the password in clear text (sorry I was not clear) and yes user need to access the sccm log location and I think by default they can't but, having the bios password hidden in a sce.exe is, I think, worth mentioning 🙂 (I guess I just don't like passwords in clear text)

    1+

    Users who have LIKED this comment:

    • avatar
  3. avatar
    Joe 3 months ago

    Some updates have prerequisites (eg. to install A17 you must first install A12). Do you/How do you handle those cases?

    0
    • Profile gravatar of Alex Pazik Author
      Alex Pazik 2 months ago

      Hi Joe-- That was actually one of my concerns when I tested the deployment process for this article. The oldest model I tested this on was a Dell OptiPlex 780 which was released in 2009. I managed to upgrade from A02 to A16 without having to do a step-ladder upgrade process. This may be an issue with models previous to 2009, and if that is the case than those workstations will most likely be upgraded if they haven't been already-- thus eliminating the problem.

      I cannot say if this problem affects laptops or not, but if that is the case then I would create a model-specific device collection for all the workstations with an outdated BIOS revision. I would then deploy a custom task sequence that goes through and updates the BIOS one revision after the other until the workstation has the most current revision. This can be accomplished by having each task sequence step run depending on the result of a WMI query to detect the BIOS revision. If you can think of a cleaner / more efficient way to accomplish this I encourage you to comment it below!

      0
      • avatar
        Kory 3 weeks ago

        Alex,

        I've followed your guide, and it works pretty well, however, I am hitting one minor issue.  I'm able to clear the bios password (if it is there, if not it skips as it should) however, the next step is to flash the bios, once that happens, the computer reboots, the bios is flashed successfully, however the task sequence doesn't actually finish because the bios update is prompting a reboot before it gets to the last step in the task sequence, which is to set the BIOS password back.  Basically, SCCM thinks the task sequence has "failed" so I go back into the catalog and just rerun it a second time, this time since the bios has already been flashed, it doesn't actually flash the BIOS, and it goes all the way through and sets the password.

        Is there a way around this?  I initially thought that the task sequence would resume after the BIOS flash, but that has not been the case, at least not for me.

        I just wanted to see if anyone else has reported this issue, or if there is a way to solve it without having to run the task sequence twice.

        Thank you!!

         

        1+
  4. Profile gravatar of Alex Pazik Author
    Alex Pazik 3 weeks ago

    What does the log file say? And what mode reiviosion BIOS are you using? The restart must not be registering the SCCM client therefore the task sequence is not resuming. Have you checked the agent logs, too?

    0
    • avatar
      Kory 3 weeks ago

      Alex,

      Not sure what may have changed overnight, but moments after posting my problem to this forum this morning, things seem to be working fine.  The task sequence does not re-launch after the BIOS update, but it does process the "Set Bios Password" command, and it is working properly.  I will note that I had to add a success code of 6 to each of my Flash BIOS  run command line steps in order for it to succeed, I am running SCCM 1702, installed on a Windows Server 2016 box, supporting a Windows 10 Enterprise Environment, where Bitlocker is enabled.  Thank you for your reply!

      0
      • Profile gravatar of Alex Pazik Author
        Alex Pazik 2 weeks ago

        You're welcome-- I am glad it is working for you! I looked up error code 6 and it seems that the error code translates to something about not being able to return the number of requested data bytes. I'm not actually sure what that means, so for stability and the sake of knowledge, I would suggest you investigate the error code further.

        0

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2017

Log in with your credentials

or    

Forgot your details?

Create Account