In this guide, I am going to demonstrate how to use System Center Configuration Manager (SCCM) to deploy, update, and lock down the BIOS on HP systems using the HP BIOS Configuration Utility.

Alex Pazik

Alexander specializes in Windows deployments and systems management applications such as System Center Configuration Manager and System Center Operations Manager.

In my last article about deploying BIOS updates with SCCM, I went through the process of configuring BIOS settings and updates for Dell machines. With HP machines, the process is slightly different, as the utility used to configure BIOS settings does not have a GUI and is very command-line heavy.

Please note that this guide only applies to HP systems. I tested these steps on an HP EliteBook 2740P running Windows 10 Pro x64 Build 1703. This guide will not work with Windows Vista or Windows XP, as HP has deprecated support for these two operating systems in their utility.

Before we get started, you are going to need the following tools installed on your workstation:

  • System Center Configuration Manager 2012 R2 Admin Console
  • HP BIOS Configuration Utility (Download)

First, download and extract the latest BIOS revisions for each of the models deployed throughout your organization from HP's support website. Create a new folder in which you will place the downloaded revisions. I will be saving all necessary files to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS

BIOS repository

BIOS repository

Unlike Dell BIOS updates, HP BIOS updates contain multiple files and directories. Therefore, you will need to create separate directories for each model as well as each revision. If you download multiple revisions for one model, I suggest you come up with a naming convention to shorten the folder path name. I will be using the following naming convention:

E2740P-AF60 | E = EliteBook (Family), 2740P = (Model), A = (BIOS Revision), F60 = (Version)

Now we are going to export the BIOS settings of the HP EliteBook 2740P using HP's BIOS Configuration Utility (BCU). Launch a command prompt as an administrator and cd to C:\Program Files (x86)\HP\BIOS Configuration Utility. Enter the following command to export the system's current BIOS settings to a text file:

BiosConfigUtility64.exe /GetConfig:C:\BIOS_Config.txt

When you navigate to the C:\ drive, you should see the generated text file BIOS_Config.txt.

Generated config file

Generated config file

Click the file to open it with Notepad. The generated configuration file will resemble the image below:

Generated config file contents

I am going to edit the configuration file to achieve the following:

  • System will power on at 7:00 a.m. every day
  • Ownership Tag will be set to HSCS
  • Startup Menu Delay will be 10 seconds

To achieve this, I will need to delete all text that does not interact with these settings. Regardless of the settings you would like to configure, make sure to delete all system-specific entries including: Product Name, System ID, Universal Unique Identifier, System Configuration ID, Processor Type, SKU Number, Warranty Start Date, Processor Speed, Memory Size, ROM Date, ROM BIOS Version, Serial Number, Video BIOS Revision, and other system components.

Note that some models have different names for the same BIOS settings. For example, on an HP EliteBook 2740P, the setting for BIOS power-on time is called Set Alarm Time, and on an HP ZBook 15 the setting is called BIOS Power-On Time. To avoid using multiple configuration files with complex queries, make sure to add all the different entries for a particular setting to one master configuration file. We will add a switch during the task sequence that will simply ignore any notifications regarding BIOS settings that will not apply for whatever reason. Your completed BIOS configuration should resemble the text below:

BIOSConfig 1.0

;

; SU17 Family WKS BIOS Config

;

Manufacturer

            Hewlett-Packard

Sunday

            Disable

            *Enable

Monday

            Disable

            *Enable

Tuesday

            Disable

            *Enable

Wednesday

            Disable

            *Enable

Thursday

            Disable

            *Enable

Friday

            Disable

            *Enable

Saturday

            Disable

            *Enable

Set Alarm Time

            07:00

BIOS Power-On Time (hh:mm)

            07:00

Ownership Tag

            HSCS

Startup Menu Delay (Sec.)

            0

            5

            *10

            15

            20

            25

            30

            35

For this guide, I will be saving my configuration to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS\HP BCU\~Configs

Once you save your configuration, navigate to C:\Program Files (x86)\HP\BIOS Configuration Utility and copy the contents of the folder to a location accessible by SCCM. You will be importing the directory you copy these files to as a package in SCCM. I will be copying these files to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS\HP BCU

Note your configuration file and the content from the BIOS Configuration Utility folder must be accessible through the same package in SCCM. This is because you need HP's BIOS Configuration Utility x64 executable to apply your configuration.

HP BCU contents

HP BCU contents

We are now going to generate the password file we will use to reset and apply the BIOS administrator password. Launch HPQPswd64.exe and fill in the text boxes accordingly.

HPQPswd utility

HPQPswd utility

For this guide, I will be saving the password bin file to the following location:

\\SCS-CFGMGR-MP\SWSTORE\BIOS\HP BCU\~Configs

Now we are ready to create the task sequence that will push the BIOS configuration. This task sequence will deploy as a required advertisement, and will also flash any BIOS updates needed using the revisions you downloaded earlier.

Open the Configuration Manager Admin Console and navigate to the Software Library applet. Expand the Application Management node and click on the Packages applet. Create a new package using the HP BCU folder you just created, but do not create a program or add any requirements.

HP BIOS Configuration Utility

HP BIOS Configuration Utility

When you are finished creating the package, distribute it to the necessary distribution points. Now we need to import the BIOS revisions downloaded earlier into SCCM.

Once again, create a package for each model you wish to deploy BIOS updates to, but do not create a program or add any requirements.

HP EliteBook 2740P BIOS revisions

HP EliteBook 2740P BIOS revisions

When you are finished creating your packages, distribute them to the necessary distribution points. When you add a new revision to the source folder, you will need to update your distribution points to push the revision out to clients.

All BIOS revision packages

All BIOS revision packages

Finally, we are going to create the task sequence that will push your BIOS configuration and any updates needed.

Expand the Operating Systems node and click on the Task Sequences applet. Create a new custom task sequence, and specify a name and boot image to use.

Create Task Sequence Wizard

Create Task Sequence Wizard

When you are done, click Close to exit the Create Task Sequence Wizard. Open your newly created task sequence and create a new group called Apply BIOS Updates. Add a new step to Run Command Line and configure the step as shown below. This step in the task sequence will clear the password before applying any updates or configurations.

Clear BIOS password properties

Clear BIOS password properties

Clear BIOS Password options

Clear BIOS Password options

Note that this is the only step where we will tell the task sequence to continue on error, as new machines will not have a password set in the BIOS. Make sure the value you set for "cspwdfile" is the bin file that contains the current encrypted administrator password, otherwise your task sequence will fail. Add another step to Run Command Line and configure the step as shown below:

Flash BIOS HP EliteBook 2740P properties

Flash BIOS HP EliteBook 2740P properties

Make note of the following switches:

  • exe – Name of the BIOS update executable located in the package source folder
  • /s – Switch to run executable silently
  • /a – Switch to force a BIOS flash regardless of the version or revision
Flash BIOS HP EliteBook 2740P options

Flash BIOS HP EliteBook 2740P options

Make sure to point the step to the package that contains the executable you wish to run. Repeat this process for every model you wish to deploy BIOS updates to. Note that on newer HP machines, the manufacturer is simply %HP%. To confirm this, launch a command prompt on an HP system you wish to verify and type wmic computersystem get manufacturer. I did not add a query regarding the BIOS revision, simply because the system is going to flash the BIOS regardless of the version or revision. When you are done, add a new group called Apply BIOS Configuration. Then add another step to Run Command Line and configure the step as shown below:

Lockdown BIOS All Systems properties

Lockdown BIOS All Systems properties

Lockdown BIOS All Systems options

Lockdown BIOS All Systems options

Unlike the previous steps in the task sequence, this step will run if any of the conditions are true. In this case, if any of the models match the model this task sequence is running on, the step will apply the BIOS configuration. You will need to add a WMI query for each model in your organization. Finally, add one more step to Run Command Line and configure the step as shown below:

Set BIOS password properties

Set BIOS password properties

Set BIOS Password options

Set BIOS Password options

Close the task sequence when you are done configuring the last step. Finally, we are going to deploy the task sequence to a device collection. Right-click on the task sequence and click Deploy. Choose a collection to deploy the task sequence to and click Next. Choose Required as the purpose and make the advertisement available only to Configuration Manager clients. When specifying the deployment schedule, keep in mind the task sequence will force a reboot on the machine. For this reason, I have chosen to deploy the task sequence at 11:00 p.m. If this is going to run on HP laptops, I recommend notifying staff in your organization that you are going to deploy an update that requires their laptops to be powered on, connected to the corporate network, and plugged into a power source. If a laptop is not plugged into a power source when the BIOS update runs, the update will fail, as that is a requirement.

Deployment schedule

Deployment schedule

Since we do not modify any other settings past this point, keep clicking Next until you finish the Deploy Software Wizard. Depending on the time you specified your deployment to become available, you will be able to see the task sequence start to run.

Clear BIOS Password action

Clear BIOS Password action

Flash BIOS HP EliteBook 2740P action

Flash BIOS HP EliteBook 2740P action

Lockdown BIOS All Systems action

Lockdown BIOS All Systems action

Set BIOS Password action

Set BIOS Password action

To confirm the tool successfully applied your BIOS configuration, reboot your system and enter the BIOS setup. It should prompt you for an administrator password, and by scrolling through the settings, notice the system has applied your configurations (if applicable).

Win the monthly 4sysops member prize for IT pros

Share
0

Related Posts

1 Comment
  1. DazzaDog 2 weeks ago

    One question.

    Why not use HP's Managebility Integration Kit? It's got a GUI, you can change all BIOS settings including passwords and various other HP Settings

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2017

Log in with your credentials

or    

Forgot your details?

Create Account