- Create and read SCVMM custom properties with PowerShell and the VMM Console - Mon, Apr 18 2022
- Prevent ransomware attacks on network shares with File Server Resource Manager (FSRM) - Mon, Mar 7 2022
- Block brute force Remote Desktop attacks with Windows PowerShell - Fri, Feb 11 2022
In my last article about deploying BIOS updates with SCCM, I went through the process of configuring BIOS settings and updates for Dell machines. With HP machines, the process is slightly different, as the utility used to configure BIOS settings does not have a GUI and is very command-line heavy.
Please note that this guide only applies to HP systems. I tested these steps on an HP EliteBook 2740P running Windows 10 Pro x64 Build 1703. This guide will not work with Windows Vista or Windows XP, as HP has deprecated support for these two operating systems in their utility.
Before we get started, you are going to need the following tools installed on your workstation:
- System Center Configuration Manager 2012 R2 Admin Console
- HP BIOS Configuration Utility (Download)
First, download and extract the latest BIOS revisions for each of the models deployed throughout your organization from HP's support website. Create a new folder in which you will place the downloaded revisions. I will be saving all necessary files to the following location:
Unlike Dell BIOS updates, HP BIOS updates contain multiple files and directories. Therefore, you will need to create separate directories for each model as well as each revision. If you download multiple revisions for one model, I suggest you come up with a naming convention to shorten the folder path name. I will be using the following naming convention:
E2740P-AF60 | E = EliteBook (Family), 2740P = (Model), A = (BIOS Revision), F60 = (Version)
Now we are going to export the BIOS settings of the HP EliteBook 2740P using HP's BIOS Configuration Utility (BCU). Launch a command prompt as an administrator and cd to C:\Program Files (x86)\HP\BIOS Configuration Utility. Enter the following command to export the system's current BIOS settings to a text file:
When you navigate to the C:\ drive, you should see the generated text file BIOS_Config.txt.
Click the file to open it with Notepad. The generated configuration file will resemble the image below:
Generated config file contents
I am going to edit the configuration file to achieve the following:
- System will power on at 7:00 a.m. every day
- Ownership Tag will be set to HSCS
- Startup Menu Delay will be 10 seconds
To achieve this, I will need to delete all text that does not interact with these settings. Regardless of the settings you would like to configure, make sure to delete all system-specific entries including: Product Name, System ID, Universal Unique Identifier, System Configuration ID, Processor Type, SKU Number, Warranty Start Date, Processor Speed, Memory Size, ROM Date, ROM BIOS Version, Serial Number, Video BIOS Revision, and other system components.
Note that some models have different names for the same BIOS settings. For example, on an HP EliteBook 2740P, the setting for BIOS power-on time is called Set Alarm Time, and on an HP ZBook 15 the setting is called BIOS Power-On Time. To avoid using multiple configuration files with complex queries, make sure to add all the different entries for a particular setting to one master configuration file. We will add a switch during the task sequence that will simply ignore any notifications regarding BIOS settings that will not apply for whatever reason. Your completed BIOS configuration should resemble the text below:
; SU17 Family WKS BIOS Config
Set Alarm Time
BIOS Power-On Time (hh:mm)
Startup Menu Delay (Sec.)
For this guide, I will be saving my configuration to the following location:
Once you save your configuration, navigate to C:\Program Files (x86)\HP\BIOS Configuration Utility and copy the contents of the folder to a location accessible by SCCM. You will be importing the directory you copy these files to as a package in SCCM. I will be copying these files to the following location:
Note your configuration file and the content from the BIOS Configuration Utility folder must be accessible through the same package in SCCM. This is because you need HP's BIOS Configuration Utility x64 executable to apply your configuration.
We are now going to generate the password file we will use to reset and apply the BIOS administrator password. Launch HPQPswd64.exe and fill in the text boxes accordingly.
For this guide, I will be saving the password bin file to the following location:
Now we are ready to create the task sequence that will push the BIOS configuration. This task sequence will deploy as a required advertisement, and will also flash any BIOS updates needed using the revisions you downloaded earlier.
Open the Configuration Manager Admin Console and navigate to the Software Library applet. Expand the Application Management node and click on the Packages applet. Create a new package using the HP BCU folder you just created, but do not create a program or add any requirements.
When you are finished creating the package, distribute it to the necessary distribution points. Now we need to import the BIOS revisions downloaded earlier into SCCM.
Once again, create a package for each model you wish to deploy BIOS updates to, but do not create a program or add any requirements.
When you are finished creating your packages, distribute them to the necessary distribution points. When you add a new revision to the source folder, you will need to update your distribution points to push the revision out to clients.
Finally, we are going to create the task sequence that will push your BIOS configuration and any updates needed.
Expand the Operating Systems node and click on the Task Sequences applet. Create a new custom task sequence, and specify a name and boot image to use.
When you are done, click Close to exit the Create Task Sequence Wizard. Open your newly created task sequence and create a new group called Apply BIOS Updates. Add a new step to Run Command Line and configure the step as shown below. This step in the task sequence will clear the password before applying any updates or configurations.
Note that this is the only step where we will tell the task sequence to continue on error, as new machines will not have a password set in the BIOS. Make sure the value you set for "cspwdfile" is the bin file that contains the current encrypted administrator password, otherwise your task sequence will fail. Add another step to Run Command Line and configure the step as shown below:
Make note of the following switches:
- exe – Name of the BIOS update executable located in the package source folder
- /s – Switch to run executable silently
- /a – Switch to force a BIOS flash regardless of the version or revision
Make sure to point the step to the package that contains the executable you wish to run. Repeat this process for every model you wish to deploy BIOS updates to. Note that on newer HP machines, the manufacturer is simply %HP%. To confirm this, launch a command prompt on an HP system you wish to verify and type wmic computersystem get manufacturer. I did not add a query regarding the BIOS revision, simply because the system is going to flash the BIOS regardless of the version or revision. When you are done, add a new group called Apply BIOS Configuration. Then add another step to Run Command Line and configure the step as shown below:
Unlike the previous steps in the task sequence, this step will run if any of the conditions are true. In this case, if any of the models match the model this task sequence is running on, the step will apply the BIOS configuration. You will need to add a WMI query for each model in your organization. Finally, add one more step to Run Command Line and configure the step as shown below:
Close the task sequence when you are done configuring the last step. Finally, we are going to deploy the task sequence to a device collection. Right-click on the task sequence and click Deploy. Choose a collection to deploy the task sequence to and click Next. Choose Required as the purpose and make the advertisement available only to Configuration Manager clients. When specifying the deployment schedule, keep in mind the task sequence will force a reboot on the machine. For this reason, I have chosen to deploy the task sequence at 11:00 p.m. If this is going to run on HP laptops, I recommend notifying staff in your organization that you are going to deploy an update that requires their laptops to be powered on, connected to the corporate network, and plugged into a power source. If a laptop is not plugged into a power source when the BIOS update runs, the update will fail, as that is a requirement.
Since we do not modify any other settings past this point, keep clicking Next until you finish the Deploy Software Wizard. Depending on the time you specified your deployment to become available, you will be able to see the task sequence start to run.
Subscribe to 4sysops newsletter!
To confirm the tool successfully applied your BIOS configuration, reboot your system and enter the BIOS setup. It should prompt you for an administrator password, and by scrolling through the settings, notice the system has applied your configurations (if applicable).