In this guide, I am going to demonstrate how to use System Center Configuration Manager (SCCM) to deploy, update, and lockdown the BIOS on Dell systems using Dell Command | Configure.
Profile gravatar of Alex Pazik

Alex Pazik

Alexander specializes in Windows deployments and systems management applications such as System Center Configuration Manager and System Center Operations Manager.
Profile gravatar of Alex Pazik

Updating the BIOS on multiple laptops and desktops can be a tiresome task that may just seem easier to do without. However, securing the BIOS can prevent attackers from overwriting or tampering with the OS and ensures your data stays safe.

Please note that this guide only applies to Dell systems. I tested these steps on a Dell OptiPlex 780 SFF (Small Form Factor), Dell OptiPlex 790 SFF, and Dell OptiPlex 3040 MT (Mini-Tower). All systems were running Windows 7 Professional x64 and Windows 10 Pro x64. I cannot guarantee this guide will work with Windows Vista or Windows XP.

Before we get started, you are going to need the following tools installed on your workstation:

  • System Center Configuration Manager 2012 R2 Admin Console
  • Dell Command | Configure Toolkit (Download)

First, download the latest BIOS revisions for each of the models deployed throughout your organization from Dell's support website. Create a new folder in which you will place the downloaded revisions. For this guide, I will be saving all necessary files to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS

BIOS repository

BIOS repository

I have created separate folders for each model. If you download multiple revisions for one model, I suggest you come up with a naming convention so you don't have multiple separate directories to hold one revision. For this guide, I will be using the following naming convention:

O780-A15 | O = OptiPlex (Family), 780 = (Model), - A15 = (BIOS Revision)

Next, launch the Dell Command | Configure Toolkit Wizard. Although you can configure separate packages for each model in your organization, I recommend creating a multiplatform package that will work with all models. I have never had any issues creating a multiplatform package that works with different Dell models, even those manufactured as late as 2010. With that in mind, select the Create Multiplatform Package tab and configure the package options.

Dell Command | Configure Toolkit

Dell Command | Configure Toolkit

For this guide, I have configured the following options:

My configuration

My configuration

When you are satisfied with your configuration, export your package as a .CCTK (Client Configuration Toolkit) file using the EXPORT CONFIG button and save it to a location SCCM can access. For this guide, I will be saving my configuration to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS\Dell CCTK\~Configs

Once you save your configuration, navigate to "C:\Program Files (x86)\Dell\Command Configure" and copy the contents of the folder "X86_64" to a location SCCM can access. You will be importing the directory to which you copy these files as a package in SCCM. For this guide, I will be copying these files to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS\Dell CCTK

Note your configuration file and the contents from the "X86_64" folder must be accessible through the same package in SCCM. This is because you need Dell's CCTK executable to apply your configuration.

CCTK folder structure

CCTK folder structure

Now we are ready to create the task sequence that will push the BIOS configuration. The toolkit will deploy this task sequence as a required advertisement and will also flash any BIOS updates needed using the revisions you downloaded earlier.

Open the Configuration Manager Admin Console and navigate to the Software Library applet. Expand the Application Management node and click on the Packages applet. Create a new package using the Dell CCTK folder you just created, but do not create a program or add any requirements.

Dell Command | Configure Toolkit package

Dell Command | Configure Toolkit package

When you are finished creating the package, distribute it to the necessary distribution points. Now we need to import the BIOS revisions downloaded earlier into SCCM. Create a package for each model you wish to deploy BIOS updates to, but do not create a program or add any requirements.

Dell OptiPlex 3040 BIOS revisions

Dell OptiPlex 3040 BIOS revisions

After creating your packages, you can distribute them to the necessary distribution points. When you add a new revision to the source folder, you will need to update your distribution points to push the revision out to clients.

All BIOS revision packages

All BIOS revision packages

Finally, we are going to create the task sequence that will push your BIOS configuration and any needed updates.

Expand the Operating Systems node and click on the Task Sequences applet. Create a new custom task sequence, and specify a name and boot image to use.

Create task sequence wizard

Create task sequence wizard

When you are done, click Close to exit the New Custom Task Sequence Wizard. Open your newly created task sequence and create a new group called "Apply BIOS Updates." Add a new step to Run Command Line and configure the step as shown below:

Install HAPI driver properties

Install HAPI driver properties

Install HAPI driver options

Install HAPI driver options

Note you do not need to specify the BIOS password to install the HAPI driver. The next step in the task sequence will clear the password before applying any updates or configurations. Add another step to Run Command Line and configure the step as shown below:

Clear BIOS password properties

Clear BIOS password properties

Clear BIOS password options

Clear BIOS password options

Note that this is the only step where we will tell the task sequence to continue on error, as new machines will not have a password set in the BIOS. Make sure the value you set for "‑valsetuppwd" is your current administrator password and that you've typed it correctly, otherwise your task sequence will fail. Add another step to Run Command Line and configure the step as shown below:

Flash BIOS OptiPlex 780 properties

Flash BIOS OptiPlex 780 properties

Take note of the following parameters:

  • O780-A15.exe – Name of the executable located in the package source folder.
  • /s – Switch to run the executable silently.
  • /r – Switch to force a system restart. If this switch is not present, the flash with fail and generate error code 2.
  • /l=C:\Temp\O780_A15.log – Switch to generate a log file from the executable.
Flash BIOS Dell OptiPlex 780 options

Flash BIOS Dell OptiPlex 780 options

Make sure to point the step to the package that contains the executable you wish to run. Repeat this process for every model to which you wish to deploy BIOS updates. If you add a new revision, you will need to update the executable name and WMI queries as needed. It seems that newer Dell models such as the OptiPlex 3040 do not use A01, A02, etc. as their BIOS revisions but just numbers instead (1, 1.4.2, etc.). Pay close attention when entering your WMI query for the "SMBIOSBIOSVersion" property. When you are done, add a new group called "Apply BIOS Configuration" and add another step to Run Command Line. Configure the step as shown below:

Lockdown BIOS all systems properties

Lockdown BIOS all systems properties

Lockdown BIOS all systems options

Lockdown BIOS all systems options

Unlike the previous steps in the task sequence, this step will run if any of the conditions are true. In this case, if any models match the model on which this task sequence is running, the step will apply the BIOS configuration. You will need to add a WMI query for each model in your organization. Finally, add one more step to Run Command Line and configure the step as shown below:

Set BIOS password properties

Set BIOS password properties

Set BIOS password options

Set BIOS password options

Close the task sequence when you've finished configuring the last step. Finally, we are going to deploy the task sequence to a device collection. Right-click on the task sequence and click Deploy. Choose a collection to deploy the task sequence to and click Next. Choose Required as the purpose and make the advertisement available only to Configuration Manager clients. When specifying the deployment schedule, keep in mind the task sequence will force a reboot on the machine. For this reason, I have chosen to deploy the task sequence at 11:00 PM.

Run at 11:00 PM

Run at 11:00 PM

Since we do not need to modify any other settings past this point, keep clicking Next until you finish the Deploy Software Wizard. Depending on the time at which you specified your deployment to become available, you will be able to see the task sequence start to run.

Install HAPI driver action

Install HAPI driver action

Flash BIOS Dell OptiPlex 780 action

Flash BIOS Dell OptiPlex 780 action

Lockdown BIOS all systems

Lockdown BIOS all systems

To confirm the task sequence successfully applied your BIOS configuration, check the directory you specified for the CCTK log file to see the changes that took place. If an option is not applicable to a certain model, the CCTK executable will flag it accordingly.

CCTK log

CCTK log

Win the monthly 4sysops member prize for IT pros

Share
1+

Users who have LIKED this post:

  • avatar

23 Comments
  1. avatar
    seb 6 months ago

    Hi, why don't you just specify the bios password during the update bios with the /p  instead of clearing / re specifying it?

    also those password will appear in clear text in the logs files, which I find annoying, I've ended up creating a SCE.exe from the dell command| configure with just the new bios password parameter, that will hide it.

    0

    • Profile gravatar of Alex Pazik Author
      Alex Pazik 6 months ago

      If you run the task sequence on a new computer that has an outdated BIOS revision and does not have a BIOS password set, and you specify the /p switch for the BIOS update the update will fail because an incorrect password was specified. If you choose the option to continue on error, the BIOS will not update which defeats the purpose of the step.

      As for the password being stored in clear text in log files, this is not true. Dell was smart enough to configure their utility to omit the specified password when writing log files (see the CCTK log file image). Even though the password will be stored in clear text in the task sequence step, only users with access to SCCM will be able to see the password.

      0

  2. avatar
    seb 6 months ago

    make sense:) thanks for your reply.

    the smsts.log will display the password in clear text (sorry I was not clear) and yes user need to access the sccm log location and I think by default they can't but, having the bios password hidden in a sce.exe is, I think, worth mentioning 🙂 (I guess I just don't like passwords in clear text)

    1+

    Users who have LIKED this comment:

    • avatar
  3. avatar
    Joe 4 months ago

    Some updates have prerequisites (eg. to install A17 you must first install A12). Do you/How do you handle those cases?

    0

    • Profile gravatar of Alex Pazik Author
      Alex Pazik 4 months ago

      Hi Joe-- That was actually one of my concerns when I tested the deployment process for this article. The oldest model I tested this on was a Dell OptiPlex 780 which was released in 2009. I managed to upgrade from A02 to A16 without having to do a step-ladder upgrade process. This may be an issue with models previous to 2009, and if that is the case than those workstations will most likely be upgraded if they haven't been already-- thus eliminating the problem.

      I cannot say if this problem affects laptops or not, but if that is the case then I would create a model-specific device collection for all the workstations with an outdated BIOS revision. I would then deploy a custom task sequence that goes through and updates the BIOS one revision after the other until the workstation has the most current revision. This can be accomplished by having each task sequence step run depending on the result of a WMI query to detect the BIOS revision. If you can think of a cleaner / more efficient way to accomplish this I encourage you to comment it below!

      0

      • avatar
        Kory 2 months ago

        Alex,

        I've followed your guide, and it works pretty well, however, I am hitting one minor issue.  I'm able to clear the bios password (if it is there, if not it skips as it should) however, the next step is to flash the bios, once that happens, the computer reboots, the bios is flashed successfully, however the task sequence doesn't actually finish because the bios update is prompting a reboot before it gets to the last step in the task sequence, which is to set the BIOS password back.  Basically, SCCM thinks the task sequence has "failed" so I go back into the catalog and just rerun it a second time, this time since the bios has already been flashed, it doesn't actually flash the BIOS, and it goes all the way through and sets the password.

        Is there a way around this?  I initially thought that the task sequence would resume after the BIOS flash, but that has not been the case, at least not for me.

        I just wanted to see if anyone else has reported this issue, or if there is a way to solve it without having to run the task sequence twice.

        Thank you!!

         

        1+

  4. Profile gravatar of Alex Pazik Author
    Alex Pazik 2 months ago

    What does the log file say? And what mode reiviosion BIOS are you using? The restart must not be registering the SCCM client therefore the task sequence is not resuming. Have you checked the agent logs, too?

    0

    • avatar
      Kory 2 months ago

      Alex,

      Not sure what may have changed overnight, but moments after posting my problem to this forum this morning, things seem to be working fine.  The task sequence does not re-launch after the BIOS update, but it does process the "Set Bios Password" command, and it is working properly.  I will note that I had to add a success code of 6 to each of my Flash BIOS  run command line steps in order for it to succeed, I am running SCCM 1702, installed on a Windows Server 2016 box, supporting a Windows 10 Enterprise Environment, where Bitlocker is enabled.  Thank you for your reply!

      0

      • Profile gravatar of Alex Pazik Author
        Alex Pazik 2 months ago

        You're welcome-- I am glad it is working for you! I looked up error code 6 and it seems that the error code translates to something about not being able to return the number of requested data bytes. I'm not actually sure what that means, so for stability and the sake of knowledge, I would suggest you investigate the error code further.

        0

  5. avatar
    Alan 1 month ago

    Hi

    Similar to Alex I have followed the blog and clears BIOS password, Flashes the BIOS for an Optx 7020 reboots but does not continue the TS after reboot and get a failed status. When I rerun the TS manually it will complete the TS & reset the BIOS password.
    I have it set to run as domain admin in TS

    TS Is- Install HAPIx64 Driver - Clear BIOS Pwd - Flash BIOS (/r restarts device)
    The following does not run after reboot unless I manually run the TS again
    Lockdown BIOS All Systems - Set BIOS Pwd-Restart

    Any ideas

    0

  6. avatar
    Alan 1 month ago

    from smsts.log

    Failed to locate the local data path. The files needed to resume the task sequence are missing.  This could be because the task sequence finished while in Windows PE.  Please check the largest available partition for SMSTSLog\smsts.log file for more information.
    The system cannot find the file specified. (Error: 80070002; Source: Windows)

    Cant find anything online

    0

    • Profile gravatar of Alex Pazik Author
      Alex Pazik 1 month ago

      Hi Alan -- By running as a domain admin, do you mean that the task sequence step runs as a domain administrator or that you log in as a domain administrator and run the task sequence?

      0

  7. Profile gravatar of Elad Cohen
    Elad Cohen 1 month ago

    Hi

    my Purpose is to apply Password for all dell computers and disable any boot options Except hdd.

    SCCM1602
    Windows 10 ENT 1607
    Dell OptiPlex 9020

    I've followed your guide, and it not working for me,  i need help SAP !!

    i will upload the smsts.log and photos of the TS and program i created.

    the only thing that is not slimier to the post is the folder "~Configs"

    i didn't see it at all, so i created empty one .

    sorry for the poor language.

    i will very appreciate all the help i can get !

    all the files uploaded to my google drive

    https://drive.google.com/drive/folders/0BzgKCIjawTShSFJGNmFIXzR4eHM?usp=sharing

    Thnks Elad.

    0

    • Profile gravatar of Alex Pazik Author
      Alex Pazik 1 month ago

      Hi Elad -- First of all you are going to want to move the files excluding OptiPlex9020-A19.exe from Dell\OptiPlex 9020\BIOS to App$\Dell CCTK\~Configs. Update/Redistribute the package in SCCM. For the step Lockdown BIOS - All Systems, change the file "FamilyWKS_BIOS_Config.cctk" to "multiplatform_201705251920.cctk. It should now run without any problems (hopefully). You never know with SCCM!

      1+

      Users who have LIKED this comment:

      • avatar
  8. Profile gravatar of Elad Cohen
    Elad Cohen 1 month ago

    Hi Alex

    First i want to say thank you very much !!

    so i did exactly what you told my to to and the TS is steel field .

    im uploading you photos of all the changes .

    Thank you very much for your help!

    https://drive.google.com/open?id=0BzgKCIjawTShVG9hZThmUFVjbE0

     

    0

  9. Profile gravatar of Alex Pazik Author
    Alex Pazik 1 month ago

    From what I gathered from the screen grabs you provided, it seems the TS is failing not on the actual BIOS lockdown phase of the task sequence, but the Flash BIOS step. Make sure that the package referenced in that step points to the Dell OptiPlex-9020-All Revisions package. The 80070002 error means that ConfigMgr can't find one or more of the referenced files. Also, ensure that the folder C:\Temp exists on the HD of the machine you are running the task sequence on, so the application actually has a folder to write to.

    0

  10. avatar
    Curtis 4 weeks ago

    Great work on this!  I did need to make some tweaks though..

    I also was having issues with the task sequence resuming after the BIOS update restart.  I believe this was due to the PC not being able to save the TS state fast enough before the machine restarted (I have pretty new Dell's here with SSD drives).  Once it restarted there were errors in the logs re: not being able to find content.

    My solution was to remove the /r (force restart) on the BIOS steps and add a TS "restart computer" step at the end of all the BIOS steps.

    You will need to add success code "2" to all the BIOS steps as well.

    I also added the Task Sequence variable condition "_SMSTSLastActionRetCode" equals "2" to the restart computer step so that the PC would only restart if one of the BIOS steps actually ran.

    Last note is to also make sure your PC's have a C:\temp folder (or just pick a different folder, i used C:\Windows\CCM\Logs\" as I have a few which didn't for some reason which will error out when CCTK tries to write a log file.

    Hope that helps some people

    1+

  11. avatar
    Michael S 6 days ago

    Curtis,

    Did you mean to say you were adding the TS Restart step after the last "Flash BIOS...." step, or after the 'Set BIOS Password' step? I just wanted clarification. Thanks.

    1+

    • avatar
      Curtis Kutzan 6 days ago

      Add the ts restart after the last flash bios step.

      0

  12. avatar
    Anthony 2 days ago

    Has anyone figured out how to query the new BIOS update versions from Dell?

    i.e. with the comparison test above 1.17.5 is actually a lower version than 1.5.3

    I've tried to look at other unique increasing fields that could be used, but cannot find any.

    The major version/minor version fields can't be used, as they are sometimes the same (e.g. 1.16.4 and 1.17.5 are both major 3 minor 0)

    0

  13. Profile gravatar of Alex Pazik Author
    Alex Pazik 2 days ago

    Hi Anthony-- could you tell me which model this would be applicable to? I might have it in my inventory and could test some queries to try and get the task sequence to correctly distribute BIOS updates.

    0

    • avatar
      Anthony 2 days ago

      Thanks Alex.

      The one causing us problems at the moment is the Latitude E7470. It's current BIOS is 1.5.3, and the latest one is 1.17.5

      When running the query, (1.5.3 < 1.17.5) == FALSE, when it should be TRUE

      I'm hoping that it is just something stupid I'm doing

      0

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2017

Log in with your credentials

or    

Forgot your details?

Create Account