Configuration Manager (SCCM) | Operating System Deployment (OSD) | BIOS Updates | With and Without Password Set

With the heightened demand for securing hardware through Firmware and OS Security Updates, an example BIOS Update Task Sequence has been outlined below.

It shows how to add BIOS updates as part of your Windows Operating System Deployment process or Post Deployment Task.

The BIOS Firmware updates covered in this article are for the top three manufactures HP, Lenovo and Dell.

The steps have been designed that they will work within both WinPE (OSD Deployment) and Full OS (Post Deployment)

Let’s get started…..

Overview of the BIOS Upgrade Task Sequence

OSDDoNotLogCommand = True
Type : Set Task Sequence Variable
Value : True

BIOSSupervisorPassword =
Type : Set Task Sequence Variable
Task Sequence Variable : BIOSSupervisorPassword
Value : ‘your BIOS supervisor password
Confirm Value: ‘your BIOS supervisor password
Do Not Display Value : Ticked

NOTE: If supporting HP hardware you will need to create the Encrypted Password .bin file using HP Tool (HpqPswd64.ex), then name it EncryptedPassword.bin and add to the root of the BIOS Update Package.

This will then get sent in as an argument to the BIOS Update run command

Get BitLocker Protection Status
Type : Set Task Sequence Variable
Task Sequnce Variable : BitLockerProtectionEnabled
Value: True

Conditions
If all Conditions are true
Task Sequence variable _SMSTSInWinPE = False
SELECT * FROM Win32_EncryptableVolume Where driveletter=’c:’ and ProtectionStatus = ‘1’

NOTE: Condition WMI Namespace for Win32_EncryptableVolume is root\cimv2\Security\MicrosoftVolumeEncryption

Get IsBIOSPasswordSet
Type: Run PowerShell Script
PowerShell Script: (As below)
PowerShell execution Policy : Bypass

<#
.SYNOPSIS
    This script can be used within a task sequence to identify if a BIOS Admin Password is set for Dell, HP and Lenovo

.DESCRIPTION
   This script will identify if a BIOS Admin Password is set for Dell, HP and Lenovo hardware layers and create the SMS Variable
   [Boolean] - 'IsBIOSPasswordSet' which can then be used in the task sequence logic to configure the arguments passed to the BIOS Update.exe

.NOTES
    References for the wmi classes were obtained from Dell, HP, Lenovo and https://www.configjon.com/

    File Name      : Get-ISBIOSPasswordSet.ps1
    Author         : S.P.Drake
    Website        : https://ourcommunityhelper.com/
    Version        : 1.0  : Initial version
#>

$VerbosePreference = "SilentlyContinue"

function Get-DellBIOSSetting {

# Dell Hardware Layer

    # Connect to the Dell PasswordObject WMI class
    $PasswordState = (Get-CimInstance -Namespace root\dcim\sysman\wmisecurity -ClassName PasswordObject | Where-Object {$_.NameId -eq 'Admin'}).IsPasswordSet

    # Check the current password configuration state
    switch ($PasswordState){

        0 { $isPasswordSet = $false  }   # No BIOS Admin Password
        1 { $isPasswordSet = $true   }   # Bios Admin Password

        Default{$isPasswordSet = $false} # No BIOS Admin Password
    }

    # write-Verbose message
    Write-Verbose "BIOS Password State = $PasswordState" -Verbose
    Write-Verbose "BIOS Password IsPasswordSet = $IsPasswordSet" -Verbose

    # Set SMS IsBIOSPasswordSet variable
    $TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
    $TSEnv.Value('IsBIOSPasswordSet') = $isPasswordSet
}


function Get-HPBIOSSetting {

# HP Hardware Layer

    # Connect to the HP_BIOSPassword WMI class
    $PasswordState = (Get-CimInstance -Namespace root/hp/InstrumentedBIOS -Class HP_BIOSPassword | Where-Object {$_.Name -eq 'Setup Password'}).IsSet

    # Check the current password configuration state
    switch ($PasswordState){

        0 { $isPasswordSet = $false  }   # No BIOS Setup Password
        1 { $isPasswordSet = $true   }   # Bios Setup Password

        Default{$isPasswordSet = $false} # No BIOS Setup Password
    }

    # write-Verbose message
    Write-Verbose "BIOS Password State = $PasswordState" -Verbose
    Write-Verbose "BIOS Password IsPasswordSet = $IsPasswordSet" -Verbose

    # Set SMS IsBIOSPasswordSet variable
    $TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
    $TSEnv.Value('IsBIOSPasswordSet') = $isPasswordSet
}


function Get-LenovoBIOSSetting {

# Lenovo Hardware Layer

    # Connect to the Lenovo_BiosPasswordSettings WMI class
    $PasswordState = (Get-CimInstance -Namespace root\wmi -Class Lenovo_BiosPasswordSettings).PasswordState

    # Check the current password configuration state
    switch ($PasswordState){

        0	{$isPasswordSet = $false}    # No BIOS Passwords Set
        1	{$isPasswordSet = $false}    # Only Power On Password
        2	{$isPasswordSet = $true}     # Only Supervisor Password
        3	{$isPasswordSet = $true}     # Supervisor + Power On Password
        4	{$isPasswordSet = $false}    # User HDD and/or User HDD and Master Password
        5	{$isPasswordSet = $false}    # Power On + User HDD and/or User HDD and Master Password
        6	{$isPasswordSet = $true}     # Supervisor + User HDD and/or User HDD and Master Password
        7	{$isPasswordSet = $true}     # Supervisor + Power On + User HDD and/or User HDD and Master Password
        64	{$isPasswordSet = $false}    # Only System Management Password
        65	{$isPasswordSet = $false}    # System Management + Power On Password
        66	{$isPasswordSet = $true}     # Supervisor + System Management Password
        67	{$isPasswordSet = $true}     # Supervisor + System Management + Power On Password
        68	{$isPasswordSet = $false}    # System Management + User HDD and/or User HDD Master Password
        69	{$isPasswordSet = $false}    # System Management + Power On + User HDD and/or User HDD Master Password
        70	{$isPasswordSet = $true}     # Supervisor + System Management + User HDD and/or User HDD Master Password
        71	{$isPasswordSet = $true}     # Supervisor + System Management + Power On + User HDD and/or User HDD Master Password

        Default{$isPasswordSet = $false} # No BIOS Setup Password

    }

    # write-Verbose message
    Write-Verbose "BIOS Password State = $PasswordState" -Verbose
    Write-Verbose "BIOS Password IsPasswordSet = $IsPasswordSet" -Verbose

    # Set SMS IsBIOSPasswordSet variable
    $TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
    $TSEnv.Value('IsBIOSPasswordSet') = $isPasswordSet
}

# Get hardware manufacturer
$Manufacturer = (Get-CimInstance -ClassName Win32_BIOS).Manufacturer

# Run BIOSSettings function
switch ($Manufacturer){

    'Dell Inc.'           {Get-DellBIOSSetting}
    'HP'                  {Get-HPBIOSSetting}
    'Hewlett-Packard'     {Get-HPBIOSSetting}
    'Lenovo'              {Get-LenovoBIOSSetting}

}

Manufacture Group Folders

Lenovo
Conditions
If any Conditions are true
SELECT * FROM Win32_ComputerSystem Where Manufacturer Like “%Lenovo%”

HP
Conditions
If any Conditions are true
SELECT * FROM Win32_ComputerSystem Where Manufacturer Like “%HP%”
SELECT * FROM Win32_ComputerSystem Where Manufacturer Like “%Hewlett-Packard%”

Dell
Conditions
If any Conditions are true
SELECT * FROM Win32_ComputerSystem Where Manufacturer Like “%DELL%”

Manufactures BIOS UpdatesExamples

Lenovo

ThinkPad Yoga 260 – 1.84
Conditions
If all conditions are true
SELECT * FROM Win32_ComputerSystem WHERE Model Like ‘%20FE%’
SELECT * FROM Win32_BIOS WHERE SMBIOSBIOSVersion < ‘N1GETA5W’

NOTE: Model and SMBIOSBIOSVeriosn will need to be updated according to your Model and BIOS Firmware version being installed

Suspend BitLocker
Type : Disable BitLocker
Choose the drive on which to disable BitLocker : Current Operating System
Resume protection after Windows has been restarted the specified number of times : 1

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = False
Task sequence variable BitLockerProtectionEnabled = True

BIOS Update
Type : Run Command Line
Command line : cmd.exe /c WINUPTP64.exe -s
Package : Package containing BIOS firmware update files (downloaded from Manufacturer Website and extracted )

Lenovo

ThinkPad Yoga 260 – 1.84
Conditions
If all conditions are true
SELECT * FROM Win32_ComputerSystem WHERE Model Like ‘%20FE%’
SELECT * FROM Win32_BIOS WHERE SMBIOSBIOSVersion < ‘N1GETA5W’

NOTE: Model and SMBIOSBIOSVersion will need to be updated according to your Model and BIOS Firmware version being installed

Suspend BitLocker
Type : Disable BitLocker
Choose the drive on which to disable BitLocker : Current Operating System
Resume protection after Windows has been restarted the specified number of times : 1

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = False
Task sequence variable BitLockerProtectionEnabled = True

BIOS Update
Type : Run Command Line
Command line : cmd.exe /c WINUPTP64.exe -s
Package : Package containing BIOS firmware update files (downloaded from Manufacturer Website and extracted )

Lenovo

ThinkPad Yoga 260 – 1.84
Conditions
If all conditions are true
SELECT * FROM Win32_ComputerSystem WHERE Model Like ‘%20FE%’
SELECT * FROM Win32_BIOS WHERE SMBIOSBIOSVersion < ‘N1GETA5W’

NOTE: Model and SMBIOSBIOSVeriosn will need to be updated according to your Model and BIOS Firmware version being installed

Suspend BitLocker
Type : Disable BitLocker
Choose the drive on which to disable BitLocker : Current Operating System
Resume protection after Windows has been restarted the specified number of times : 1

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = False
Task sequence variable BitLockerProtectionEnabled = True

BIOS Update
Type : Run Command Line
Command line : cmd.exe /c WINUPTP64.exe -s
Package : Package containing BIOS firmware update files (downloaded from Manufacturer Website and extracted )

Restart Computer – WinPE
Type : Restart Computer
The boot image assigned to the task sequence : Ticked

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = True

Restart Computer – Full OS
The currently installed default operating system : Ticked

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = False

HP

EliteBook G5 – 01.17.00
Conditions
If all conditions are true
SELECT * FROM Win32_ComputerSystem WHERE Model Like ‘%EliteBook 840 G5%’
SELECT * FROM Win32_BIOS WHERE SMBIOSBIOSVersion < ‘Q78 Ver. 01.17.00’

NOTE: Model and SMBIOSBIOSVersion will need to be updated according to your Model and BIOS Firmware version being applied

Suspend BitLocker
Type : Disable BitLocker
Choose the drive on which to disable BitLocker : Current Operating System
Resume protection after Windows has been restarted the specified number of times : 1

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = False
Task sequence variable BitLockerProtectionEnabled = True

BIOS Update
Type : Run Command Line
Command line : cmd.exe /c if %IsBIOSPasswordSet%==True (HpFirmwareUpdRec64.exe -s -r -b -pEncryptedPassword.bin -l%_SMSTSLogPath%\BIOSUpdate.log) else (HpFirmwareUpdRec64.exe -s -r -b -l%_SMSTSLogPath%\BIOSUpdate.log)
Package : Package containing BIOS firmware update files (downloaded from Manufacturer Website and extracted )

For older models HPBIOSUPDREC64.exe maybe used instead of HpFirmwareUpdRec64.exe

Restart Computer – WinPE
Type : Restart Computer
The boot image assigned to the task sequence : Ticked

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = True

Restart Computer – Full OS
The currently installed default operating system : Ticked

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = False

DELL

Latitude 7320 – 1.9.6
Conditions
If all conditions are true
SELECT * FROM Win32_ComputerSystem WHERE Model Like “%Latitude 7320%”
SELECT * FROM Win32_BIOS WHERE SMBIOSBIOSVersion < ‘1.9.6’

NOTE: Model and SMBIOSBIOSVersion will need to be updated according to your Model and BIOS Firmware version being installed

Suspend BitLocker
Type : Disable BitLocker
Choose the drive on which to disable BitLocker : Current Operating System
Resume protection after Windows has been restarted the specified number of times : 1

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = False
Task sequence variable BitLockerProtectionEnabled = True

BIOS Update
Type : Run Command Line
Command line : cmd.exe /c if %IsBIOSPasswordSet%==True (Flash64W.exe /b=Latitude_7X20_1.9.6.exe /s /f /bls /p=%BIOSSupervisorPassword% /l=%_SMSTSLogPath%\BIOSUpdate.log) else (Flash64W.exe /b=Latitude_7X20_1.9.6.exe /s /f /bls /l=%_SMSTSLogPath%\BIOSUpdate.log)
Package : Package containing BIOS firmware update files (downloaded from Manufacturer Website and extracted )

NOTE: Flash64W is an independent .exe from Dell to allow the BIOS Updates to run in WinPE, that can be downloaded from the Dell Website and needs to be added to the Package containing the BIOS Firmware exe

Flash64w Download link : https://www.dell.com/support/kbdoc/en-uk/000135555/how-to-update-dell-system-bios-in-winpe10x64-environment-using-flashupdate-tool

Restart Computer – WinPE
Type : Restart Computer
The boot image assigned to the task sequence : Ticked

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = True

Restart Computer – Full OS
The currently installed default operating system : Ticked

Conditions
If all conditions are true
Task sequence variable _SMSTSInWinPE = False

Example OSD Deployment Task Sequence With BIOS Updates

Add the Step BIOS Update and select your BIOS Update Task Sequence

The Get-IsBIOSPasswordSet script and and example BIOS Update Task Sequence can be downloaded from

https://github.com/Drakey2000/CommunityHelper/tree/master/Get-IsBIOSPasswordSet

Additional Information

OSDDoNotLogCommand = True https://docs.microsoft.com/en-us/mem/configmgr/osd/understand/task-sequence-variables

BIOSSupervisorPassword = Used for hardware layers that have a BIOS Supervisor password set and required to run the Firmware Update.

Get BitLocker Protection Status : Added to enabled the BIOS Upgrade Task Sequence to work in WinPE and Full OS.

It will detect if the Operating System has BitLocker enabled and then suspend BitLocker for the count of 1 reboot, to enable the BIOS Firmware to execute successfully.

Get IsBIOSPasswordSet : Will detect if the BIOS Setup is enabled with a supervisor password, and apply the correct arguments to the BIOS Update run command.

Restart Computer – WinPE and Restart Computer – Full OS – Enables the task sequence to be used both in WinPE and a Full OS.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: