BIOS Updates & Configuration using BigFix

Got it. Per the Using CLI Documentation, /forceUpdate isn’t compatible with /log.

waithidden cmd /C "\path\to\dcu-cli.exe" /forceUpdate {parameter "theUpdate"} /silent


Nice find, that is not a use case I’m using. I was preferring to make content in BigFix so I could use the relay infrastructure to deliver the updates, but being able to trigger specific updates on demand with DCU is good.

FYI Intel is no longer recommending installing the microcode updates they released for Meltdown/Spectre and I heard Dell/others pulled their BIOS updates that contained the updated microcode.

BIOS updates for HP have been re-released. Here is what I used for relevance for HPs (this example is model specific):

  1. /* Desktop OS */ ((name of it = "Win7" AND NOT x64 of it) OR (name of it = "Win7" AND x64 of it) OR (name of it = "Win8" AND NOT x64 of it) OR (name of it = "Win8" AND x64 of it) OR (name of it = "Win8.1" AND NOT x64 of it) OR (name of it = "Win8.1" AND x64 of it) OR (name of it = "Win10")) of operating system AND TRUE

  2. /* ProDesk 400 G1 SFF */ (string value of selects "Model from Win32_ComputerSystem" of wmi) as string = "HP ProDesk 400 G1 SFF"

  3. /* BIOS version not L02 v02.52 */ unique value whose(it != "") of (it as string as trimmed string) of values "bios_version" of structures "bios_information" of smbios is not "L02 v02.52"

The command I have run manually (successfully) is Hpqflash.exe -s -f rom.cab -a -pBIOS.bin

My problem is when I run the same command through BigFix, it flops, every time and I have yet to figure out why. Still plugging away…


I have a working fixlet for a slightly older HP BIOS flash for z420 workstations. I should be able to post it tomorrow and will start working on the new flashes.


Can you provide the actionscript you are using in total? (you should redact the root server from the prefetch URL if applicable or anything similar.)

I prefer to use the following:

  1. windows of operating system
  2. version of operating system >= "6.1"

You can also add a relevance statement to exclude servers if you want, but if for some reason a server OS is on a ProDesk 400 G1 SFF it could probably use the BIOS update too.

I generally keep the relevance of my fixlets/tasks/etc limited to what requirements when fulfilled SHOULD succeed. I then put those fixlets and tasks in custom sites that are limited to the scope that may have organizational or policy or political distinctions like not making BIOS updates available for server OSes.

Has any of you been able to do a BIOS update for Lenovo systems without using TVSU? TVSU is banned in our company :persevere:
I have been trying and it gets stuck in Running,
and when it completes I'm getting an Exit code 3.

This is the last code I used. Running it from a different folder so I can keep a close eye on the files.

dos xcopy /E /H /K /O {"__Download"} "C:\Users\Public\Downloads\repo\BIOS\*"

wait C:\Users\Public\Downloads\repo\BIOS\wflash2.exe /rsmb /quiet
restart 60

What do you get if you run it manually?

It works. But I'm running CMD as an admin and typing the command manually, not through a .CMD like the BIOS update comes with.
And when I used the .CMD or changed it to a .bat it got stuck in Running as well.

Try something like:

wait cmd /c /s "C:\Users\Public\Downloads\repo\BIOS\wflash2.exe /rsmb /quiet"

I’ve tested so many different ways and they have all failed. This is the most current one I have tried:

prefetch 9e3275c76d020d413ce5d45b958563bd386e3696 sha1:9e3275c76d020d413ce5d45b958563bd386e3696 size:6826958 http://server:52311/Uploads/9e3275c76d020d413ce5d45b958563bd386e3696/HPQFlash.tmp sha256:6922b7d661c7cc19796623fa5189156f94a20a23032779f3bcc0befee8725980
extract 9e3275c76d020d413ce5d45b958563bd386e3696

waithidden "{pathname of system folder & "\cmd.exe"}" /Q /C "{(pathname of client folder of current site) & "\__Download\Hpqflash.exe -s -from.cab -a -pBIOS.bin"} TIMEOUT /t 600 /nobreak"
parameter "start" = "{now}"

I put the timeout in to let the processes run before BigFix tried rebooting but that hasn’t worked either.

Does that command line work when you run it manually?


Here's what my fixlet is doing (after the download of sp_update.exe and my encoded BIOS password file)

// Extract the flash utilities to Windows Temp folder
// This extracts the archive without launching the install script or IE help page.  Originally I did not know how to suppress the IE launch, so I was extracting it outside of the __Download folder to stop it from locking up the client download path.  Extracting to \Windows\Temp may no longer be necessary.

waithidden "{pathname of download file "sp_update.exe"}" -pdf -f "{pathname of windows folder}\temp\BIOSFlash" -s -e

// "password1" is an encoded password file built using the hpqpasswd utility that is also part of the sp_update.exe archive

waithidden "{pathname of windows folder}\Temp\BIOSFlash\HPQFlash\HPQFlash.exe" -s -p "{pathname of download file "password1"}"

continue if {exit code of action = 0}
action requires restart "BIOS_Flash"

I’m a little confused by this part. Is this supposed to be for CMD or the BIOS update thing?

Try:

wait __Download\Hpqflash.exe -s -from.cab -a -pBIOS.bin

OR:

dos __Download\Hpqflash.exe -s -from.cab -a -pBIOS.bin

See if either of those options work.

Verify Catalog Sig:

powershell -ExecutionPolicy Bypass -command "(Get-AuthenticodeSignature \"C:\Temp\CatalogPC.cab\").Status -eq 'Valid'"

Verify BIOS Sig:

powershell -ExecutionPolicy Bypass -command "(Get-AuthenticodeSignature \"C:\Temp\E7440A25.exe\").Status -eq 'Valid'"

Number of BIOS Updates in Catalog:

number of selects "/Manifest/SoftwareComponent/ComponentType[@value='BIOS']" of xml documents of files "C:\Temp\DellCatalogPC\CatalogPC.XML"

Download Paths:

( ("https://downloads.dell.com/" & it) of node values of selects "@path/text()" of it ) of parent nodes of selects "/Manifest/SoftwareComponent/ComponentType[@value='BIOS']" of xml documents of files "C:\Temp\DellCatalogPC\CatalogPC.XML"

Brand & Model:

( concatenations ", " of (item 0 of it & " " & item 1 of it) of (node values of selects "Display/text()" of it, node values of selects "Model/Display/text()" of it) of selects "SupportedSystems/Brand" of it ) of parent nodes of selects "/Manifest/SoftwareComponent/ComponentType[@value='BIOS']" of xml documents of files "C:\Temp\DellCatalogPC\CatalogPC.XML"

Brand&Model + Download:

(  ( concatenations ", " of (item 0 of it & " " & item 1 of it) of (node values of selects "Display/text()" of it, node values of selects "Model/Display/text()" of it) of selects "SupportedSystems/Brand" of it ), ( ("https://downloads.dell.com/" & it) of node values of selects "@path/text()" of it )  ) of parent nodes of selects "/Manifest/SoftwareComponent/ComponentType[@value='BIOS']" of xml documents of files "C:\Temp\DellCatalogPC\CatalogPC.XML"

size, version, releasedate:

Q: ( node values of selects "@size/text()" of it, node values of selects "@vendorVersion/text()" of it, node values of selects "@dateTime/text()" of it ) of parent nodes of selects "/Manifest/SoftwareComponent/ComponentType[@value='BIOS']" of xml documents of files "C:\Temp\DellCatalogPC\CatalogPC.XML"
A: 4026384, A19, 2018-03-26T04:59:06+00:00
A: 10392776, 1.2.8, 2018-03-16T14:36:57+00:00

Criticality:

(multiplicity of it, it) of unique values of ( node values of selects "Criticality/@value/text()" of it ) of parent nodes of selects "/Manifest/SoftwareComponent/ComponentType[@value='BIOS']" of xml documents of files "C:\Temp\DellCatalogPC\CatalogPC.XML"
  1. Recommended
  2. Urgent
  3. Optional

Criticality of everything (not just BIOS Updates)

Q: (multiplicity of it, it) of unique values of preceding texts of firsts "-" of ( node values of selects "Criticality/Display/text()" of it ) of parent nodes of selects "/Manifest/SoftwareComponent/ComponentType" of xml documents of files "C:\Temp\DellCatalogPC\CatalogPC.XML"
A: 126, Optional
A: 2342, Recommended
A: 248, Urgent
T: 5530.308 ms
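The same catalog questions answered outside the Fixlet Debugger, as an added example that is not Dell's tooling and not the relevance above: it parses CatalogPC.xml, keeps the SoftwareComponent entries whose ComponentType/@value is BIOS, builds the downloads.dell.com URL from @path, reads @size, @vendorVersion and @dateTime, lists the brand/model pairs under SupportedSystems, and splits Criticality/Display on the first "-" exactly as the relevance above does. The catalog excerpt embedded below is constructed to match those element and attribute names; its package IDs, folder names and system IDs are made up. Verifying the Authenticode signature of the downloaded catalog and BIOS package is left to the Get-AuthenticodeSignature calls shown in the post.

```python
"""Extract BIOS packages from Dell's CatalogPC.xml (added example; not Dell's
tooling). Pass the file's bytes rather than decoded text so the XML
declaration's encoding is honoured. The sample catalog is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

DOWNLOAD_BASE = "https://downloads.dell.com/"

# Constructed excerpt: element/attribute names follow the relevance queries
# above; package IDs, folders and systemIDs are invented.
SAMPLE_CATALOG = """<?xml version="1.0" encoding="utf-8"?>
<Manifest baseLocation="downloads.dell.com" version="18.03.27">
  <SoftwareComponent packageID="EXAMPLE1" dateTime="2018-03-26T04:59:06+00:00"
      vendorVersion="A19" path="FOLDER00000001M/1/E7440A19.exe" size="4026384">
    <Name><Display lang="en">Dell Latitude E7440 System BIOS</Display></Name>
    <ComponentType value="BIOS"><Display lang="en">BIOS</Display></ComponentType>
    <Criticality value="1"><Display lang="en">Recommended-Dell recommends applying this update during your next scheduled update cycle.</Display></Criticality>
    <SupportedSystems>
      <Brand key="1" prefix="LAT"><Display lang="en">Latitude</Display>
        <Model systemID="0001"><Display lang="en">E7440</Display></Model>
      </Brand>
    </SupportedSystems>
  </SoftwareComponent>
  <SoftwareComponent packageID="EXAMPLE2" dateTime="2018-03-16T14:36:57+00:00"
      vendorVersion="1.2.8" path="FOLDER00000002M/1/OptiPlex_7040_1.2.8.exe" size="10392776">
    <Name><Display lang="en">Dell OptiPlex 7040 System BIOS</Display></Name>
    <ComponentType value="BIOS"><Display lang="en">BIOS</Display></ComponentType>
    <Criticality value="2"><Display lang="en">Urgent-Dell highly recommends applying this update as soon as possible.</Display></Criticality>
    <SupportedSystems>
      <Brand key="2" prefix="OP"><Display lang="en">OptiPlex</Display>
        <Model systemID="0002"><Display lang="en">7040</Display></Model>
        <Model systemID="0003"><Display lang="en">7040 AIO</Display></Model>
      </Brand>
    </SupportedSystems>
  </SoftwareComponent>
  <SoftwareComponent packageID="EXAMPLE3" dateTime="2018-02-01T00:00:00+00:00"
      vendorVersion="10.0.1" path="FOLDER00000003M/1/Audio_Driver.exe" size="1024">
    <Name><Display lang="en">Audio Driver</Display></Name>
    <ComponentType value="DRVR"><Display lang="en">Driver</Display></ComponentType>
    <Criticality value="3"><Display lang="en">Optional-Dell recommends the customer review specifics about the update.</Display></Criticality>
    <SupportedSystems>
      <Brand key="1" prefix="LAT"><Display lang="en">Latitude</Display>
        <Model systemID="0001"><Display lang="en">E7440</Display></Model>
      </Brand>
    </SupportedSystems>
  </SoftwareComponent>
</Manifest>
"""


def _text(elem, path):
    return (elem.findtext(path) or "").strip()


def _components(catalog, component_type=None):
    """Yield SoftwareComponent elements, optionally filtered by ComponentType/@value."""
    root = ET.fromstring(catalog)
    if root.tag != "Manifest":
        raise ValueError(f"unexpected root element {root.tag!r}")
    for comp in root.findall("SoftwareComponent"):
        ctype = comp.find("ComponentType")
        value = ctype.get("value") if ctype is not None else None
        if component_type is None or value == component_type:
            yield comp


def criticality_of(comp):
    """The word before the first '-' of Criticality/Display (Recommended, Urgent,
    Optional), as the relevance above splits it; raw @value if Display is absent."""
    disp = _text(comp, "Criticality/Display")
    if disp:
        return disp.split("-", 1)[0].strip()
    crit = comp.find("Criticality")
    return crit.get("value", "") if crit is not None else ""


def bios_components(catalog):
    """Every BIOS package with its download URL, size, version, date, criticality
    and (brand, model) pairs."""
    out = []
    for comp in _components(catalog, "BIOS"):
        systems = [(_text(brand, "Display"), _text(model, "Display"))
                   for brand in comp.findall("SupportedSystems/Brand")
                   for model in brand.findall("Model")]
        out.append({
            "name": _text(comp, "Name/Display"),
            "url": DOWNLOAD_BASE + comp.get("path", ""),
            "size": int(comp.get("size", "0")),
            "version": comp.get("vendorVersion", ""),
            "released": comp.get("dateTime", ""),
            "criticality": criticality_of(comp),
            "systems": systems,
        })
    return out


def updates_for_model(catalog, brand, model):
    """BIOS packages that list this brand/model, newest @dateTime first (ISO
    timestamps with the same offset sort correctly as strings)."""
    hits = [c for c in bios_components(catalog) if (brand, model) in c["systems"]]
    return sorted(hits, key=lambda c: c["released"], reverse=True)


def criticality_summary(catalog, bios_only=True):
    """Count of packages per criticality, for BIOS only or for the whole catalog."""
    return Counter(criticality_of(c) for c in _components(catalog, "BIOS" if bios_only else None))
```

Feeding updates_for_model the brand and model read from Win32_ComputerSystem is the same match the relevance performs per model; a fixlet generator can emit one task per returned entry with the URL as its prefetch and the version as the "BIOS version is not" relevance.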

"hpqflash -s -from.cab" exits immediately with exit code 0 on a machine needing a BIOS update but then takes 5 or 6 minutes to actually finish the update. With the /t 600, maybe the OP was trying to get BigFix to wait to let it finish. This is a snippet from the log file generated in silent mode. Return code 0xbc2 has been returned on the three machines I've tested successful BIOS updates on (HP EliteDesk 800 G1 SFF).

I’m looking for a better way to detect success so bigfix can reboot at the right time.

2018/07/30 10:35:45.062|00001650|Information|CCpqCIMIntf::FlashRom|***** Start FLASHING *****
2018/07/30 10:35:45.078|00001650|Information|CCpqCIMIntf::FlashRom|Start Saving Original BIOS Contents
2018/07/30 10:39:30.614|00001650|Information|CCpqCIMIntf::FlashRom|End Saving Original BIOS Contents
2018/07/30 10:39:30.614|00001650|Information|CCpqCIMIntf::FlashRom|Start flashing (Write)  Attempt #1
2018/07/30 10:39:30.614|00001650|Information|CCpqCIMIntf::FlashRomImage|Start Flash Rom Image (Write)
2018/07/30 10:40:24.786|00001650|Information|CCpqCIMIntf::FlashRomImage|End Flash Rom Image (Write), bStatus = 1
2018/07/30 10:40:24.786|00001650|Information|CCpqCIMIntf::FlashRom|End flashing (Write)  Attempt #1
2018/07/30 10:40:24.801|00001650|Information|CCpqCIMIntf::FlashRom|***** END FLASHING PROCESS *****
2018/07/30 10:40:24.801|00001650|Information|ChpqFlashApp::hpqFlashInSilentMode|Return from Flashing in silent mode, bStatus = 1
2018/07/30 10:40:24.801|00001650|Information|ChpqFlashApp::hpqFlashInSilentMode|Exit hpqFlashInSilentMode, bStatus = 1
2018/07/30 10:40:24.801|00001650|Information|ChpqFlashApp::ExitInstance|Exit hpqFlash:  Return Code = 0xbc2
2018/07/30 10:40:24.801|00001650|Information|ChpqFlashApp::ExitInstance|--- END HPQFLASH SESSION ---
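One way to act on that log instead of on the exit code, as an added example that is not from the thread or from HP: it parses the session lines quoted above, treats the session as unfinished until the END HPQFLASH SESSION marker is written, and reports success only when the ROM write logged bStatus = 1 and the return code equals the 0xbc2 seen on the three good flashes (an observed value, not a documented one, so it is a labelled assumption). The log path, the byte offset at which this session starts, and the polling interval are assumptions supplied by the caller, since the thread never names the log location.

```python
"""Decide when an HPQFlash silent-mode flash has really finished.

Added example, not HP's tool or the poster's fixlet. HPQFlash exits 0 at
once, so the reboot decision has to come from the log it writes.
Assumptions: the caller passes the log path and the file size recorded
before HPQFlash was launched (so an earlier session in the same file is not
mistaken for this one); 0xbc2 counts as success only because the post above
observed it on good flashes; the log is read as UTF-8/ANSI text."""
import re
import time
from datetime import datetime
from pathlib import Path

OBSERVED_SUCCESS_CODE = 0xBC2        # assumption: observed in the post, not documented
END_MARKER = "--- END HPQFLASH SESSION ---"

# Sample input: the log excerpt quoted in the post above.
SAMPLE_LOG = """\
2018/07/30 10:35:45.062|00001650|Information|CCpqCIMIntf::FlashRom|***** Start FLASHING *****
2018/07/30 10:35:45.078|00001650|Information|CCpqCIMIntf::FlashRom|Start Saving Original BIOS Contents
2018/07/30 10:39:30.614|00001650|Information|CCpqCIMIntf::FlashRom|End Saving Original BIOS Contents
2018/07/30 10:39:30.614|00001650|Information|CCpqCIMIntf::FlashRom|Start flashing (Write)  Attempt #1
2018/07/30 10:39:30.614|00001650|Information|CCpqCIMIntf::FlashRomImage|Start Flash Rom Image (Write)
2018/07/30 10:40:24.786|00001650|Information|CCpqCIMIntf::FlashRomImage|End Flash Rom Image (Write), bStatus = 1
2018/07/30 10:40:24.786|00001650|Information|CCpqCIMIntf::FlashRom|End flashing (Write)  Attempt #1
2018/07/30 10:40:24.801|00001650|Information|CCpqCIMIntf::FlashRom|***** END FLASHING PROCESS *****
2018/07/30 10:40:24.801|00001650|Information|ChpqFlashApp::hpqFlashInSilentMode|Return from Flashing in silent mode, bStatus = 1
2018/07/30 10:40:24.801|00001650|Information|ChpqFlashApp::hpqFlashInSilentMode|Exit hpqFlashInSilentMode, bStatus = 1
2018/07/30 10:40:24.801|00001650|Information|ChpqFlashApp::ExitInstance|Exit hpqFlash:  Return Code = 0xbc2
2018/07/30 10:40:24.801|00001650|Information|ChpqFlashApp::ExitInstance|--- END HPQFLASH SESSION ---
"""

# <timestamp>|<thread id>|<level>|<source>|<message>
LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<tid>[^|]*)\|(?P<level>[^|]*)\|(?P<src>[^|]*)\|(?P<msg>.*)$")
WRITE_RE = re.compile(r"End Flash Rom Image \(Write\), bStatus = (\d+)")
RC_RE = re.compile(r"Return Code = 0x([0-9A-Fa-f]+)")
ATTEMPT_RE = re.compile(r"Start flashing \(Write\)\s+Attempt #(\d+)")


def _ts(raw):
    return datetime.strptime(raw.strip(), "%Y/%m/%d %H:%M:%S.%f")


def parse_hpqflash_log(text):
    """Extract what a reboot decision needs from one HPQFlash session."""
    info = {"flash_start": None, "flash_end": None, "attempts": 0,
            "write_status": None, "return_code": None, "session_ended": False}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # tolerate banner or half-written lines
        msg = m.group("msg")
        if "Start FLASHING" in msg:
            info["flash_start"] = _ts(m.group("ts"))
        elif "END FLASHING PROCESS" in msg:
            info["flash_end"] = _ts(m.group("ts"))
        elif (a := ATTEMPT_RE.search(msg)):
            info["attempts"] = max(info["attempts"], int(a.group(1)))
        elif (w := WRITE_RE.search(msg)):
            info["write_status"] = int(w.group(1))
        elif (r := RC_RE.search(msg)):
            info["return_code"] = int(r.group(1), 16)
        elif END_MARKER in msg:
            info["session_ended"] = True
    if info["flash_start"] and info["flash_end"]:
        info["duration_s"] = (info["flash_end"] - info["flash_start"]).total_seconds()
    else:
        info["duration_s"] = None
    return info


def flash_result(text):
    """'in_progress' until the session marker appears; then 'success' only if the
    ROM write reported bStatus = 1 and the exit code matches the observed value;
    anything else is 'failed' and the machine should not be rebooted blindly."""
    info = parse_hpqflash_log(text)
    if not info["session_ended"]:
        return "in_progress"
    if info["write_status"] == 1 and info["return_code"] == OBSERVED_SUCCESS_CODE:
        return "success"
    return "failed"


def wait_for_flash(log_path, start_offset=0, timeout_s=900, poll_s=10):
    """Poll the bytes written after start_offset until the session ends or the
    timeout expires; returns the flash_result string or 'timeout'."""
    path = Path(log_path)
    deadline = time.monotonic() + timeout_s
    while True:
        text = ""
        if path.exists():
            with path.open("rb") as fh:
                fh.seek(start_offset)
                text = fh.read().decode("utf-8", errors="replace")
        result = flash_result(text)
        if result != "in_progress":
            return result
        if time.monotonic() >= deadline:
            return "timeout"
        time.sleep(poll_s)
```

In actionscript this sits between the waithidden that launches HPQFlash and the restart: record the log's size before the launch, run the poller with that offset, and only issue the restart when it returns success; failed or timeout should leave the machine up so the log can be inspected rather than rebooting into a half-written ROM.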

I’m currently testing a fixlet for Dell computers, using Dell Command Update that runs an automated install/reboot process, for up to three cycles of installing updates and reboots, including a /driverRestore if the task has never ever been run before. Works pretty well on desktops and older laptops.

Current issues include:

  • DCU doesn’t see an available BIOS update. (Maybe because of UEFI / SecureBoot?)
  • WD15 dock firmware/drivers can’t be updated via DCU. Going to see if I can detect the docks via relevance (Registry? WMI?) and then download drivers as needed.

That is odd. Might need to file a bug with Dell on that.

That is interesting. Might also want to bug dell about that, but I think DCU is generally focused around the computer model, so that might be why that is missing.

Is the WD15 firmware info in the Dell Catalog?

In continuing the work on automating the creation of BIOS Update fixlets and tasks with BigFix, I came up with a Task to Suspend BitLocker, which is an important part of doing BIOS updates in cases where BitLocker is enabled.

I looked at some existing content as a reference for this, but while testing this on one of my systems, I figured out that you need to not just handle the case in which BitLocker Protection is fully enabled but ALSO the case in which BitLocker is being enabled but is not fully enabled yet. It should be rare, but the potential issue occurs in which BitLocker was just enabled for the first time, but has not finished encrypting the drive for some reason. In this case, most other content that suspends BitLocker would not handle this case, then the BIOS update would be applied, then BitLocker finishes encryption and becomes fully enabled, then the reboot for the BIOS update occurs. If this rare circumstance were to happen, then BitLocker would likely be put in recovery mode, unless the BIOS Update process itself from the vendor handles this case specifically, which could be, but I wouldn’t rely on it.

I intend to use the actionscript within the above Task within any BIOS update content. See here: https://github.com/jgstew/bigfix-content/issues/7#issuecomment-629689306


Note that only Windows 10 has the reboot count indicator. In Windows 7 it’s either on/off.

My Dell Command Update automation uses client settings for tracking breadcrumbs across reboots. If it’s Windows 7 and I disable BitLocker, I plant a breadcrumb; if it’s there when the fixlet runs again, I re-enable it. (The automation uses the breadcrumbs and action execution locks so that it reboots a maximum of three times.)

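The suspend decision from the BitLocker post, together with the Windows 7 breadcrumb point from the reply above, as an added example that is not jgstew's task from the linked issue and not the Dell Command Update automation: it parses manage-bde -status output, marks for suspension every volume whose protection is on and also every volume still encrypting or paused mid-encryption (the case the post says most content misses), builds the manage-bde -protectors -disable commands, and returns the matching -enable commands plus a breadcrumb string for a client setting. The status output embedded below is constructed. Assumptions: the manage-bde switches used are the documented ones; following the reply that only Windows 10 has the reboot-count indicator, -RebootCount is emitted only when the caller reports Windows 10, and on older versions the breadcrumb is what drives re-enabling.

```python
"""Which volumes to suspend before a BIOS flash, from manage-bde -status.

Added example; not the task linked above. SAMPLE_STATUS is constructed.
Assumption: -RebootCount is added only for Windows 10, per the thread's note
that Windows 7 offers only on/off; elsewhere the caller must re-enable
protectors itself using the breadcrumb."""
import re

SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.35 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 37.2%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
        Numerical Password

Volume E: [Scratch]
[Data Volume]

    Size:                 64.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r"^Volume ([A-Za-z]):", re.MULTILINE)
# indented "Field name:   value" lines; never spans onto the next line
FIELD_RE = re.compile(r"^[ \t]+([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", re.MULTILINE)
IN_FLIGHT = {"Encryption in Progress", "Encryption Paused"}


def parse_manage_bde_status(text):
    """Map drive letter -> {field: value} for each volume block."""
    volumes = {}
    marks = list(VOLUME_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        volumes[m.group(1).upper()] = dict(FIELD_RE.findall(text[m.end():end]))
    return volumes


def volumes_to_suspend(volumes):
    """Protection on, or encryption still running/paused: the latter can finish
    between the flash and the reboot and then demand the recovery key."""
    return [letter for letter, f in sorted(volumes.items())
            if f.get("Protection Status") == "Protection On"
            or f.get("Conversion Status") in IN_FLIGHT]


def suspend_commands(letters, windows_major, reboot_count=1):
    """manage-bde invocations as argv lists; -RebootCount only on Windows 10
    (assumption from the thread), otherwise protectors stay off until resumed."""
    cmds = []
    for letter in letters:
        cmd = ["manage-bde", "-protectors", "-disable", f"{letter}:"]
        if windows_major >= 10:
            cmd += ["-RebootCount", str(reboot_count)]
        cmds.append(cmd)
    return cmds


def resume_commands(letters):
    return [["manage-bde", "-protectors", "-enable", f"{letter}:"] for letter in letters]


def plan(status_text, windows_major):
    """Everything an action needs: what to run now, what to run after the
    reboot, and the breadcrumb value to park in a client setting meanwhile."""
    targets = volumes_to_suspend(parse_manage_bde_status(status_text))
    return {"suspend": suspend_commands(targets, windows_major),
            "resume": resume_commands(targets),
            "breadcrumb": ";".join(targets)}
```

On Windows 7 the action stores plan()["breadcrumb"] in a client setting before rebooting; the follow-up action reads it back, runs the -enable commands for exactly those letters, and clears the setting, which is the same breadcrumb pattern the Dell Command Update automation above describes.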