In this guide, I am going to demonstrate how to use System Center Configuration Manager (SCCM) to deploy, update, and lock down the BIOS on Dell systems using Dell Command | Configure.

Updating the BIOS on multiple laptops and desktops can be a tiresome task that may just seem easier to do without. However, securing the BIOS can prevent attackers from overwriting or tampering with the OS and ensures your data stays safe.

Please note that this guide only applies to Dell systems. I tested these steps on a Dell OptiPlex 780 SFF (Small Form Factor), Dell OptiPlex 790 SFF, and Dell OptiPlex 3040 MT (Mini-Tower). All systems were running Windows 7 Professional x64 and Windows 10 Pro x64. I cannot guarantee this guide will work with Windows Vista or Windows XP.

Before we get started, you are going to need the following tools installed on your workstation:

  • System Center Configuration Manager 2012 R2 Admin Console
  • Dell Command | Configure Toolkit

First, download the latest BIOS revisions for each of the models deployed throughout your organization from Dell's support website. Create a new folder in which you will place the downloaded revisions. For this guide, I will be saving all necessary files to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS

BIOS repository

I have created separate folders for each model. If you download multiple revisions for one model, I suggest you come up with a naming convention so you don't have multiple separate directories to hold one revision. For this guide, I will be using the following naming convention:

O780-A15 | O = OptiPlex (Family), 780 = (Model), - A15 = (BIOS Revision)

Next, launch the Dell Command | Configure Toolkit Wizard. Although you can configure separate packages for each model in your organization, I recommend creating a multiplatform package that will work with all models. I have never had any issues creating a multiplatform package that works with different Dell models, even those manufactured as late as 2010. With that in mind, select the Create Multiplatform Package tab and configure the package options.

Dell Command | Configure Toolkit

For this guide, I have configured the following options:

My configuration

When you are satisfied with your configuration, export your package as a .CCTK (Client Configuration Toolkit) file using the EXPORT CONFIG button and save it to a location SCCM can access. For this guide, I will be saving my configuration to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS\Dell CCTK\~Configs

Once you save your configuration, navigate to "C:\Program Files (x86)\Dell\Command Configure" and copy the contents of the folder "X86_64" to a location SCCM can access. You will be importing the directory to which you copy these files as a package in SCCM. For this guide, I will be copying these files to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS\Dell CCTK

Note your configuration file and the contents from the "X86_64" folder must be accessible through the same package in SCCM. This is because you need Dell's CCTK executable to apply your configuration.

CCTK folder structure

Now we are ready to create the task sequence that will push the BIOS configuration. The toolkit will deploy this task sequence as a required advertisement and will also flash any BIOS updates needed using the revisions you downloaded earlier.

Open the Configuration Manager Admin Console and navigate to the Software Library applet. Expand the Application Management node and click on the Packages applet. Create a new package using the Dell CCTK folder you just created, but do not create a program or add any requirements.

Dell Command | Configure Toolkit package

When you are finished creating the package, distribute it to the necessary distribution points. Now we need to import the BIOS revisions downloaded earlier into SCCM. Create a package for each model you wish to deploy BIOS updates to, but do not create a program or add any requirements.

Dell OptiPlex 3040 BIOS revisions

After creating your packages, you can distribute them to the necessary distribution points. When you add a new revision to the source folder, you will need to update your distribution points to push the revision out to clients.

All BIOS revision packages

Finally, we are going to create the task sequence that will push your BIOS configuration and any needed updates.

Expand the Operating Systems node and click on the Task Sequences applet. Create a new custom task sequence, and specify a name and boot image to use.

Create task sequence wizard

When you are done, click Close to exit the New Custom Task Sequence Wizard. Open your newly created task sequence and create a new group called "Apply BIOS Updates." Add a new step to Run Command Line and configure the step as shown below:

Install HAPI driver properties

Install HAPI driver options

Note you do not need to specify the BIOS password to install the HAPI driver. The next step in the task sequence will clear the password before applying any updates or configurations. Add another step to Run Command Line and configure the step as shown below:

Clear BIOS password properties

Clear BIOS password options

Note that this is the only step where we will tell the task sequence to continue on error, as new machines will not have a password set in the BIOS. Make sure the value you set for "‑valsetuppwd" is your current administrator password and that you've typed it correctly; otherwise, your task sequence will fail. Add another step to Run Command Line and configure the step as shown below:

Flash BIOS OptiPlex 780 properties

Take note of the following parameters:

  • O780-A15.exe – Name of the executable located in the package source folder.
  • /s – Switch to run the executable silently.
  • /r – Switch to force a system restart. If this switch is not present, the flash will fail and generate error code 2.
  • /l=C:\Temp\O780_A15.log – Switch to generate a log file from the executable.

Flash BIOS Dell OptiPlex 780 options

Make sure to point the step to the package that contains the executable you wish to run. Repeat this process for every model to which you wish to deploy BIOS updates. If you add a new revision, you will need to update the executable name and WMI queries as needed. It seems that newer Dell models such as the OptiPlex 3040 do not use A01, A02, etc. as their BIOS revisions but just numbers instead (1, 1.4.2, etc.). Pay close attention when entering your WMI query for the "SMBIOSBIOSVersion" property. When you are done, add a new group called "Apply BIOS Configuration" and add another step to Run Command Line. Configure the step as shown below:

Lockdown BIOS all systems properties

Lockdown BIOS all systems options

Unlike the previous steps in the task sequence, this step will run if any of the conditions are true. In this case, if any models match the model on which this task sequence is running, the step will apply the BIOS configuration. You will need to add a WMI query for each model in your organization. Finally, add one more step to Run Command Line and configure the step as shown below:

Set BIOS password properties

Set BIOS password options

Close the task sequence when you've finished configuring the last step. Finally, we are going to deploy the task sequence to a device collection. Right-click on the task sequence and click Deploy. Choose a collection to deploy the task sequence to and click Next. Choose Required as the purpose and make the advertisement available only to Configuration Manager clients. When specifying the deployment schedule, keep in mind the task sequence will force a reboot on the machine. For this reason, I have chosen to deploy the task sequence at 11:00 PM.

Run at 11:00 PM

Since we do not need to modify any other settings past this point, keep clicking Next until you finish the Deploy Software Wizard. Depending on the time at which you specified your deployment to become available, you will be able to see the task sequence start to run.

Install HAPI driver action

Flash BIOS Dell OptiPlex 780 action

Lockdown BIOS all systems

To confirm the task sequence successfully applied your BIOS configuration, check the directory you specified for the CCTK log file to see the changes that took place. If an option is not applicable to a certain model, the CCTK executable will flag it accordingly.

CCTK log
52 Comments
  1. seb 6 years ago

    Hi, why don’t you just specify the bios password during the update bios with the /p  instead of clearing / re specifying it?

    also those passwords will appear in clear text in the log files, which I find annoying, I’ve ended up creating a SCE.exe from the dell command| configure with just the new bios password parameter, that will hide it.

    • If you run the task sequence on a new computer that has an outdated BIOS revision and does not have a BIOS password set, and you specify the /p switch for the BIOS update the update will fail because an incorrect password was specified. If you choose the option to continue on error, the BIOS will not update which defeats the purpose of the step.

      As for the password being stored in clear text in log files, this is not true. Dell was smart enough to configure their utility to omit the specified password when writing log files (see the CCTK log file image). Even though the password will be stored in clear text in the task sequence step, only users with access to SCCM will be able to see the password.

      • Steve 4 years ago

        Just a note about that. If you provide a password on a BIOS update for a system without a password, the update just ignores the password. That way, you can provide the password to a system with or without a password and the update will succeed. The only time this will fail is if you provide the wrong password or no password to a system with a password.

  2. seb 6 years ago

    make sense:) thanks for your reply.

    the smsts.log will display the password in clear text (sorry I was not clear) and yes user need to access the sccm log location and I think by default they can’t but, having the bios password hidden in a sce.exe is, I think, worth mentioning 🙂 (I guess I just don’t like passwords in clear text)

  3. Joe 6 years ago

    Some updates have prerequisites (eg. to install A17 you must first install A12). Do you/How do you handle those cases?

    • Hi Joe– That was actually one of my concerns when I tested the deployment process for this article. The oldest model I tested this on was a Dell OptiPlex 780 which was released in 2009. I managed to upgrade from A02 to A16 without having to do a step-ladder upgrade process. This may be an issue with models previous to 2009, and if that is the case then those workstations will most likely be upgraded if they haven’t been already– thus eliminating the problem.

      I cannot say if this problem affects laptops or not, but if that is the case then I would create a model-specific device collection for all the workstations with an outdated BIOS revision. I would then deploy a custom task sequence that goes through and updates the BIOS one revision after the other until the workstation has the most current revision. This can be accomplished by having each task sequence step run depending on the result of a WMI query to detect the BIOS revision. If you can think of a cleaner / more efficient way to accomplish this I encourage you to comment it below!

      • Kory 6 years ago

        Alex,

        I’ve followed your guide, and it works pretty well, however, I am hitting one minor issue.  I’m able to clear the bios password (if it is there, if not it skips as it should) however, the next step is to flash the bios, once that happens, the computer reboots, the bios is flashed successfully, however the task sequence doesn’t actually finish because the bios update is prompting a reboot before it gets to the last step in the task sequence, which is to set the BIOS password back.  Basically, SCCM thinks the task sequence has “failed” so I go back into the catalog and just rerun it a second time, this time since the bios has already been flashed, it doesn’t actually flash the BIOS, and it goes all the way through and sets the password.

        Is there a way around this?  I initially thought that the task sequence would resume after the BIOS flash, but that has not been the case, at least not for me.

        I just wanted to see if anyone else has reported this issue, or if there is a way to solve it without having to run the task sequence twice.

        Thank you!!

         

  4. What does the log file say? And what mode revision BIOS are you using? The restart must not be registering the SCCM client therefore the task sequence is not resuming. Have you checked the agent logs, too?

    • Kory 6 years ago

      Alex,

      Not sure what may have changed overnight, but moments after posting my problem to this forum this morning, things seem to be working fine.  The task sequence does not re-launch after the BIOS update, but it does process the “Set Bios Password” command, and it is working properly.  I will note that I had to add a success code of 6 to each of my Flash BIOS  run command line steps in order for it to succeed, I am running SCCM 1702, installed on a Windows Server 2016 box, supporting a Windows 10 Enterprise Environment, where Bitlocker is enabled.  Thank you for your reply!

      • You’re welcome– I am glad it is working for you! I looked up error code 6 and it seems that the error code translates to something about not being able to return the number of requested data bytes. I’m not actually sure what that means, so for stability and the sake of knowledge, I would suggest you investigate the error code further.

  5. Alan 6 years ago

    Hi

    Similar to Alex I have followed the blog and clears BIOS password, Flashes the BIOS for an Optx 7020 reboots but does not continue the TS after reboot and get a failed status. When I rerun the TS manually it will complete the TS & reset the BIOS password.
    I have it set to run as domain admin in TS

    TS Is- Install HAPIx64 Driver – Clear BIOS Pwd – Flash BIOS (/r restarts device)
    The following does not run after reboot unless I manually run the TS again
    Lockdown BIOS All Systems – Set BIOS Pwd-Restart

    Any ideas

  6. Alan 6 years ago

    from smsts.log

    Failed to locate the local data path. The files needed to resume the task sequence are missing.  This could be because the task sequence finished while in Windows PE.  Please check the largest available partition for SMSTSLog\smsts.log file for more information.
    The system cannot find the file specified. (Error: 80070002; Source: Windows)

    Can’t find anything online

    • Hi Alan — By running as a domain admin, do you mean that the task sequence step runs as a domain administrator or that you log in as a domain administrator and run the task sequence?

  7. Elad Cohen (Rank 1) 6 years ago

    Hi

    my Purpose is to apply Password for all dell computers and disable any boot options Except hdd.

    SCCM1602
    Windows 10 ENT 1607
    Dell OptiPlex 9020

    I’ve followed your guide, and it not working for me,  i need help SAP !!

    i will upload the smsts.log and photos of the TS and program i created.

    the only thing that is not similar to the post is the folder “~Configs”

    i didn’t see it at all, so i created empty one .

    sorry for the poor language.

    i will very appreciate all the help i can get !

    all the files uploaded to my google drive

    https://drive.google.com/drive/folders/0BzgKCIjawTShSFJGNmFIXzR4eHM?usp=sharing

    Thanks Elad.

    • Hi Elad — First of all you are going to want to move the files excluding OptiPlex9020-A19.exe from Dell\OptiPlex 9020\BIOS to App$\Dell CCTK\~Configs. Update/Redistribute the package in SCCM. For the step Lockdown BIOS – All Systems, change the file “FamilyWKS_BIOS_Config.cctk” to “multiplatform_201705251920.cctk”. It should now run without any problems (hopefully). You never know with SCCM!

      • David (Rank 1) 5 years ago

        Alex, I am running into an issue. I final task set just like yours for the cctk file. but when the task runs, it errors out and log says it cannot find the file ~Configs\multiplatform_WOL.cctk but in the CCTK folder, we have the cctk files in the folder ~Configs.

        This is our command line: cctk.exe -i “~Configs\multiplatform_WOL.cctk” -l=C:\Dell\CCTK.log

  8. Elad Cohen (Rank 1) 6 years ago

    Hi Alex

    First i want to say thank you very much !!

    so i did exactly what you told me to do and the TS is still failed .

    im uploading you photos of all the changes .

    Thank you very much for your help!

    https://drive.google.com/open?id=0BzgKCIjawTShVG9hZThmUFVjbE0

     

  9. From what I gathered from the screen grabs you provided, it seems the TS is failing not on the actual BIOS lockdown phase of the task sequence, but the Flash BIOS step. Make sure that the package referenced in that step points to the Dell OptiPlex-9020-All Revisions package. The 80070002 error means that ConfigMgr can’t find one or more of the referenced files. Also, ensure that the folder C:\Temp exists on the HD of the machine you are running the task sequence on, so the application actually has a folder to write to.

  10. Curtis 6 years ago

    Great work on this!  I did need to make some tweaks though..

    I also was having issues with the task sequence resuming after the BIOS update restart.  I believe this was due to the PC not being able to save the TS state fast enough before the machine restarted (I have pretty new Dell’s here with SSD drives).  Once it restarted there were errors in the logs re: not being able to find content.

    My solution was to remove the /r (force restart) on the BIOS steps and add a TS “restart computer” step at the end of all the BIOS steps.

    You will need to add success code “2” to all the BIOS steps as well.

    I also added the Task Sequence variable condition “_SMSTSLastActionRetCode” equals “2” to the restart computer step so that the PC would only restart if one of the BIOS steps actually ran.

    Last note is to also make sure your PC’s have a C:\temp folder (or just pick a different folder, i used C:\Windows\CCM\Logs\” as I have a few which didn’t for some reason which will error out when CCTK tries to write a log file.

    Hope that helps some people

    • Hi Curtis– thanks for the tips!

    • Tariq 5 years ago

      Hi Curtis

      Where do you put this info do you have a screen shot

      You will need to add success code “2” to all the BIOS steps as well.

      Thank you

       

  11. Michael S 6 years ago

    Curtis,

    Did you mean to say you were adding the TS Restart step after the last “Flash BIOS….” step, or after the ‘Set BIOS Password’ step? I just wanted clarification. Thanks.

    • Curtis Kutzan 6 years ago

      Add the ts restart after the last flash bios step.

  12. Anthony 6 years ago

    Has anyone figured out how to query the new BIOS update versions from Dell?

    i.e. with the comparison test above 1.17.5 is actually a lower version than 1.5.3

    I’ve tried to look at other unique increasing fields that could be used, but cannot find any.

    The major version/minor version fields can’t be used, as they are sometimes the same (e.g. 1.16.4 and 1.17.5 are both major 3 minor 0)

  13. Hi Anthony– could you tell me which model this would be applicable to? I might have it in my inventory and could test some queries to try and get the task sequence to correctly distribute BIOS updates.

    • Anthony 6 years ago

      Thanks Alex.

      The one causing us problems at the moment is the Latitude E7470. Its current BIOS is 1.5.3, and the latest one is 1.17.5

      When running the query, (1.5.3 < 1.17.5) == FALSE, when it should be TRUE

      I’m hoping that it is just something stupid I’m doing

  14. Jim R 6 years ago

    From a mathematical perspective, 1.5.3 is less than 1.17.5. This is an issue that has been around for a long time.

  15. Jim R 6 years ago

    bah ! that should say 1.5.3 is GREATER THAN 1.17.5 hence the failure.

  16. Anthony 6 years ago

    Hi Jim,

    Yes, I do realise the reason the check is failing.

    What I am looking for is a way to get SCCM to compare the “numbers” correctly.

    I can change the check to do a greater than check instead of a less than check, but then it will not work for 1.16.5

    I was just hoping that someone may have figured out a method of doing these checks vs the new Dell revision numbers.

    I’m getting increasingly more frustrated, as Dell tell me I need to talk to Microsoft for a solution, while Microsoft tell me I need to talk to Dell.

    • Johann 5 years ago

      Can’t you just use a “not equal” operator? So if the query is not equal to the version you are currently installing it will install? Mind you this will only work if you’re pushing the latest available BIOS version, if you’re trying to push BIOS versions lower than the latest available this query will not work.

  17. Trond 6 years ago

    Just compare the systembiosminorversion and systembiosmajorversion variables instead. SMBIOSBIOSVersion is a string so it doesn’t process numbers correctly (it compares left to right, meaning if 1.4.6 gets compared to 1.17.3, it will split 17 into 1 and 7, so when comparing it will compare 1 with 1, then 4 with 1 and so on. Basically it does single digit comparisons).

  18. Oliver 6 years ago

    Hi, can I also use a custom export and use the BIOS Flash update instead of win package service?

    thx

    Oli

  19. Andrew 5 years ago

    Great stuff, thanks. One thing that would be an added bonus is if you had the text which you enter in each Task Sequence step typed out so that it could be copied and pasted.

  20. Shane 5 years ago

    Hello all,

    Thank you for this post.  I would like to use this process to update firmware in my enterprise.  We have 800+ PCs.  How could you guarantee that PC’s don’t restart during the firmware update?  Wouldn’t a premature restart brick a PC?  If a user takes their laptop home or if it loses power, they could be screwed, correct?

    How do other organizations handle this?

    Thanks

     

  21. Steve 5 years ago

    Hi,

    I found this procedure very useful!

    Could you also indicate how to suspend and resume the Bitlocker ?

    I read somewhere that it’s only a question of adding a task (or two) but I would like to know which package to use.

    Thanks

  22. Anthony 5 years ago

    Sorry for delay in replying.

    It has been several months, and still no proper resolution to this.

    I’ve worked with both MS and Dell, and they both say the other needs to help.

    The only solution that will work is to create a lengthy script file and deploy that, rather than to use a Task Sequence.

    As I am not a programmer or scripter, I was unable to write anything that would work.

    We are still using Task Sequences, and are using the <> (not equals) operator. This will work, unless a newer revision is installed (which we have run into a few times when we purchase new computers with updated BIOS revisions.)

    As mentioned previously, the BiosMinor and BiosMajor versions cannot be used, as they are sometimes identical for different BIOS versions (e.g. 1.16.4 and 1.17.5 are both major 3 minor 0)

    So, the only two options I can see are:

    Use the <> comparison, and make sure you keep it up to date with latest BIOS versions
    Create a script to do the comparison and installation and deploy it via Package instead.
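
The revision-comparison problem raised in this thread (the string test treating 1.5.3 as newer than 1.17.5), as an added example that is not part of the original article or any commenter's post: a PowerShell sketch that compares Dell BIOS revisions field by field and shows its verdict beside the plain string comparison. The function names and sample revisions are constructed for illustration; it also covers the legacy A02/A15 scheme from the article.

```powershell
# Added example: function names are hypothetical, sample revisions are constructed.

function ConvertTo-BiosSortKey {
    param([Parameter(Mandatory)][string]$Revision)

    $rev = $Revision.Trim().ToUpperInvariant()

    # Legacy scheme: one letter followed by digits (A02, A15, ...).
    if ($rev -match '^([A-Z])(\d+)$') {
        $parts = @([int][char]($Matches[1]), [int]($Matches[2]))
        return [pscustomobject]@{ Scheme = 'Legacy'; Parts = $parts }
    }

    # Dotted scheme: one to four numeric fields (1, 1.4.2, 1.17.5, ...).
    if ($rev -match '^\d+(\.\d+){0,3}$') {
        $parts = @($rev.Split('.') | ForEach-Object { [int]$_ })
        while ($parts.Count -lt 4) { $parts += 0 }   # pad so "1" compares as 1.0.0.0
        return [pscustomobject]@{ Scheme = 'Dotted'; Parts = $parts }
    }

    throw "Unrecognised BIOS revision format: '$Revision'"
}

function Compare-BiosRevision {
    # Returns -1 if Installed is older than Target, 0 if equal, 1 if newer.
    param(
        [Parameter(Mandatory)][string]$Installed,
        [Parameter(Mandatory)][string]$Target
    )

    $a = ConvertTo-BiosSortKey -Revision $Installed
    $b = ConvertTo-BiosSortKey -Revision $Target

    # A letter-based revision and a dotted revision have no defined ordering.
    if ($a.Scheme -ne $b.Scheme) {
        throw "Cannot compare '$Installed' with '$Target': different numbering schemes"
    }

    # Compare each field as an integer, most significant first.
    for ($i = 0; $i -lt $a.Parts.Count; $i++) {
        if ($a.Parts[$i] -lt $b.Parts[$i]) { return -1 }
        if ($a.Parts[$i] -gt $b.Parts[$i]) { return 1 }
    }
    return 0
}

# Constructed pairs: installed revision, revision being deployed.
$samples = @(
    @('1.5.3',  '1.17.5'),
    @('1.16.4', '1.17.5'),
    @('1.17.5', '1.17.5'),
    @('1',      '1.4.2'),
    @('A02',    'A16')
)

# Show the string comparison next to the field-by-field comparison.
$results = foreach ($pair in $samples) {
    [pscustomobject]@{
        Installed        = $pair[0]
        Target           = $pair[1]
        StringSaysOlder  = ($pair[0] -lt $pair[1])
        NumericSaysOlder = ((Compare-BiosRevision -Installed $pair[0] -Target $pair[1]) -lt 0)
    }
}
$results | Format-Table -AutoSize

# On a managed client the installed revision comes from WMI:
#   $installed = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion
```

Only the first pair differs between the two columns, which is the case the string test gets wrong.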

  23. Dario 5 years ago

    Hi guys,

    I am actually trying to update the BIOS on a E7450 machine. I downloaded the latest BIOS version which is A17 and did follow all the steps proposed in this forum.
    I keep getting error 0x800700d8 and have not been able to figure this out. I tried to install a different BIOS such as A06 and A12 but I get the same error.

    Any ideas?

    Thank you!

  24. Dario (Rank 1) 5 years ago

    Hi,

    I have been trying to deploy Win10 on E7450 machines. In order to achieve this, I have created a sequence which involves updating the BIOS to A17.

    However, it errors when completing the task: 0X800700D8

    “0x800700D8 = This version of %1 is not compatible with the version of Windows you’re running. Check your computer’s system information and then contact the software publisher.”

    After reading and following the steps proposed in this blog, I also have attempted to install a different BIOS version to see if that is a prerequisite of the latest BIOS version – I have tried to install A06 and A12 without any luck – same error.

    Any ideas?

    Thanks!

  25. Anthony 5 years ago

    Hi Dario,

    Is that a SCCM error or a BIOS error?

    I google’d for the error code, and it could be this:

    0x800700D8 = “This version of %1 is not compatible with the version of Windows you’re running. Check your computer’s system information and then contact the software publisher.”

    I would try running the BIOS manually, and see if you get the same error.

    • Dario (Rank 1) 5 years ago

      Hi Anthony,

      This is a SCCM error. I am able to update the BIOS manually but it errors when doing it through SCCM. I could send the screenshot of my task sequences if you like but they are pretty similar to the ones proposed here.

      Thanks,


© 4sysops 2006 - 2023
