Tag Archives: sccm 2012 r2

SCCM 2012 R2 – Using WUSA (Windows Update Standalone Installer) in an Application

It’s been a little while since my last post, I’ve not long started a new job so things to write about got put on the back burner for a little while.

I needed to install IE11 on some Windows 7 machines that didn’t necessarily have the prerequisite updates. The main thing was the update package couldn’t be downloading all its prerequisites from the internet, because that’s just not professional!

This makes things a little more complicated from an SCCM perspective, since I can’t just go and install IE11 directly, I have to make sure the prerequisites get installed. I had a play around with the IEAK 11 (Internet Explorer Administration Kit), but it didn’t handle the prerequisites particularly well, I had a few failures, then decided to sort the dependencies myself.

This is where WUSA comes in! I built the IE11 application as normal, just calling the IE offline installer executable directly with the ‘/quiet’, ‘/update-no’, ‘/norestart’ and ‘/closeprograms’ switches, then gave it some Windows updates that required as prerequisites as dependencies for the deployment.

This went well, till I ran into some odd failures with some computers. I looked at the logs and WUSA was returning some odd return codes. I went on a bit of a search and found a list of return codes that applied, but none of them matched which annoyed me for a second till I realized that WUSA was returning the codes, but the SCCM AppEnforce.log was logging them as decimal, not the hexadecimal values shown in the knowledge base article!

A quick bit of converting from decimal to hex and I was there. I added the return codes to the deployments and all was well! Here’s the two main ones I ended up using:

2359301 (0x00240005) Success (Installed but the system must be restarted to complete installation of the update).

2359302 (0x00240006) Failure (The update to be installed is already installed on the system). This error highlights that you might have a bad detection rule in place.

2145124330 (0x80240016) Failure (Operation tried to install while another installation was in progress or the system was pending a mandatory restart).

There’s loads more I could have used, but I like to only put the extra return codes in the application when I need to, keep it simple!

SCCM 2012 R2 – Updating and configuring HP ProBook 650 G1 BIOS in a task sequence

This post is mostly a follow up to my guide on updating other HP ProBook BIOS in a task sequence. If you haven’t read that, this might not be of too much use to you!

The Problem

When updating a HP ProBook 650 G1 BIOS, I ran into a couple of small issues. This mostly related to an undocumented switch being required for the HPBIOSUPDREC tool. The BIOS update would always cause the computer to perform an unexpected reboot, which would break the task sequence.

The command line I was using was:

HPBIOSUPDREC.exe -s -pBIOSPW.bin -fL77_0120.bin

This would cause the BIOS to update, but then the computer would reboot without returning an exit code to SCCM, causing the task sequence to fail. Searching around, I found this post on the HP support forums, which pointed me in the right direction. Thanks

The Solution

The correct command line to update the HP BIOS for the ProBook 650 G1 is as follows:

HPBIOSUPDREC.exe -s -r -pBIOSPW.bin -fL77_0120.bin

This -r switch appears to be undocumented, which is a shame really, but this prevents the reboot without exit code. The command now returns a correct exit code and lets SCCM reboot the computer gracefully.

Putting it into Practice

In the SCCM package, I’ve placed both the HPBIOSUPDREC tool and the BIOS binary file. The task sequence runs it as shown below:



The WMI query makes sure it only runs on the selected/supported HP ProBook 640 G1 and 650 G1’s we have in our environment. There’s no danger in making this query less specific, as the update tool will only flash machines that the update is applicable to. I have also added the exit codes 273 and 282, which are exit codes for “BIOS is already same version” (273) and BIOS installed is newer than the one set to install (272).

SCCM 2012 R2 – Operating System deployment when on mains power only

It’s a quick little script I just had to write, after my testing today ran into the minor issue of a flat battery… halfway through the Operating System Deployment (OSD) process.

It’s a little PowerShell script, very similar to the last one that just pops up a box asking you to plug-in the laptop if you are running on battery. I haven’t put much in the way of validation that the device is actually a laptop with a battery, but since my OSD task sequences have a laptop/desktop divide, it’s not too much of a problem!

Here’s the script, the setup instructions are similar to the earlier script, with a different name and a call to a batch file instead of the ServiceUI command.

The batch script contains the command to run ServiceUI, after deciding which copy to run the PowerShell script with, based on the boot image architecture (x86/x64). I’ve put this in at the beginning of the task sequence, once the laptop has booted to the boot image, so we can get the user input or error states dealt with up front.

SCCM 2012 R2 – Updating and configuring HP ProBook 6470b/6570b BIOS in a task sequence – Part 3

If you’ve come to this post directly, it’s probably useful for you to read through both part 1 and part 2! If however you’ve already got that under your belt, read on…

As a recap, you’ll remember that I decided to set up two packages for the configuring and updating of the BIOS. Just in case you want a reference for the BIOS update portaion of the structure, here it is again.

    BIOSUpdate\HP Probook
        BIOSPW.bin              (Encrypted BIOS password)
        HPBIOSUPDREC.exe        (New BIOS update utility)
        hpqFlash.exe            (Old BIOS update utility)
        ProBook6x70bBIOS.cab    (HP Probook 6x70b BIOS file)

Updating the BIOS

This time, most of the hard work is actually done in the Operating System Deployment (OSD) task. The task needs to be set up to call the BIOS flash tool (Either HPBIOSUPDREC.exe or hpqFlash.exe (depending on the BIOS you need to flash). For the 6x70b’s, hpqFlash.exe is the one to use! The call to the BIOS flash tool follows the following syntaxes.



As you can guess, the most interesting command line switches to me are -s -p and -f. Please note, I have not tested and am not 100% sure of the other switches. I can imagine -a could be especially dangerous, so please take care!



You can see that the switches are exactly the same here, minus the microcode update switch. This is good, as it will make things easier if we automate the selection of flashing tool to use in the future.


This is run in the SCCM task sequence, just after the reboot for configuring the BIOS, but again before provisioning or enabling Bitlocker. Again, there should be a “Restart Computer” task directly after this to finalise the update procedure. As you can see, hpqFlash is called directly with the BIOS password and the cab file to install, as well as the silent switch.


As per the BIOS configuration task, it is based on the computer model name, so that we dont try to flash an incompatible BIOS. If inconsistencies were found that required a different BIOS for the same model, a seperate task could be created with an additional WMI query to obtain another identifying value. You may also see that an additional success code is added (273) this is the code returned by hpqFlash if the BIOS is already up to date and no action is taken. This allows the task sequence to continue as normal if the BIOS is already up to date.

Again, I hope this has been a helpful guide on your path to automating some of the more annoying parts of the imaging process, usually left as manual tasks. As I’ve said before, please let me know if you’ve got a better way of doing things, or have found some innacuracies with my posts and I’ll sort it out.

SCCM 2012 R2 – Updating and configuring HP ProBook 6470b/6570b BIOS in a task sequence – Part 2

If you’ve come to this post directly, you may want to read through part 1! If not, read on…

In this part, we’ll cover putting the files we’ve got together in a couple of packages and putting them into a task sequence. We’ll also be using WMI to query the computer model, so we don’t try updating the BIOS on a machine it certainly won’t work on.

I’ve set up the files I need in the following hierarchy, and spread the BIOS configuration and update over two packages. You may decide to do it differently.

    BIOSConfig\HP ProBook
        BiosConfigUtility.exe   (BIOS configuration utility - x86)
        BiosConfigUtility64.exe (BIOS configuration utility - x64)
        BIOSPW.bin              (Encrypted BIOS password)
        ProBook6x70bConfig.cfg  (BIOS configuration settings)
        ProBook6x70bConfig.cmd  (BIOS configuration command file)

    BIOSUpdate\HP Probook
        BIOSPW.bin              (Encrypted BIOS password)
        HPBIOSUPDREC.exe        (New BIOS update utility)
        hpqFlash.exe            (Old BIOS update utility)
        ProBook6x70bBIOS.cab    (HP Probook 6x70b BIOS file)
NOTE: “SCCMSources” is my network share I store the SCCM source files to use as the content location for applications and packages. I then have “OSD\Packages” to differentiate these packages as being primarily for OSD task sequences. Hopefully the “BIOSUpdate” and “BIOSConfig” folders will eventually house many folders for different types of laptop, but at the moment it’s a bit bare.

Configuring the BIOS

Most of the magic for configuring the BIOS is done in the file “ProBook6x70bConfig.cmd” (shown below).

This batch file picks the correct version of BiosConfigUtility to run (x86 or x64), then runs it with the configuration file. It runs it first, attempting to get access to the BIOS using a blank password, then set the password along with the configuration. If this completes successfully (exit code 0), that’s it!

However if it fails for some reason (i.e. there’s a BIOS password set) It then runs the second command, which attempts to set the configuration, using the current password. I’ve yet to properly test a parameterized version of this, to allow the configuration to be specified outside of the batch file.


This is run in the SCCM task sequence, at the beginning, before provisioning or enabling Bitlocker, but after formatting the drive, so that on the reboot that occurs directly afterward, using an “Restart Computer” task, the boot image can be successfully staged to the hard disk.


The options base the running of this task on the computer model name, so that we dont try to configure an incompatible BIOS or some other crazy situation. It’s not too clear in the image, but I’m using the single character wildcard “_” in the model – “SELECT * FROM Win32_ComputerSystem WHERE Model LIKE “HP ProBook 6_70b””

Hopefully this has covered everything that’s needed for yourself to go forth and configure the HP ProBook BIOS in an unattended way! As with most of my posts, please let me know if you’ve discovered improvements or inaccuracies and I’ll attempt to right them!

Read on, where I cover the flashing of the BIOS in part three.

SCCM 2012 R2 – Updating and configuring HP ProBook 6470b/6570b BIOS in a task sequence – Part 1

Continuing my recent foray into System Center Configuration Manager (SCCM) 2012 R2, I’ve been working on getting a task sequence to automatically update and configure the BIOS for our HP ProBook laptops. I’ve started with our most popular models, the HP ProBook 6470b/6570b. Fortunately, apart from their screen size, they are almost completely identical, which makes the job a lot easier.


The first thing we’ll need to do is take care of the prerequisites and the downloads, so we’ve got all the files required to complete the work.

Files Needed

  • The HO ProBook 6x70b BIOS is available here and should work with both the 6470b and the 6570b.
  • HP BIOS Configuration Utility (HP BCU). I’m using version, there could be changes if you are using something newer.
  • HP System Software Manager (HP SSM). Again, I’m using version, so be aware.

First of all, we’ll get the BIOS configuration working and we’ll do the BIOS update second. This may sound backwards, but it simplifies things if you will be imaging a mix of factory fresh and pre-provisioned machines. This is because we’ll be setting the BIOS password in the configuration stage and putting the logic there to deal with whether the machine already has a password set. This means when we come to the BIOS flash, we can just run the tool in a straightforward way.

NOTE: If you’re not using a BIOS password, you can do this in any order, but I highly recommend you secure things properly. The last thing your service desk needs is someone changing the boot order and installing their own OS or something, because users.

Encrypting your BIOS password

Extract the HP System Software Manager download and install it. You’ll then have to browse to either “%ProgramFiles(x86)%\Hewlett-Packard\SystemSoftwareManager”, or “%ProgramFiles%\Hewlett-Packard\SystemSoftwareManager” to find “ssm.cab”. The files you need are in here:

  • “HPBIOSUPDREC.exe” (BIOS updater tool we may need later)
  • “HpqPswd.exe” (BIOS password encryption tool)
NOTE: For the ProBook 6x70b, we’ll be using the hpqFlash.exe utility that we’ll get later, as that’s the one that works with these models. If you are using newer models (like the EliteBook 840G1), you will need to use HPBIOSUPDREC.exe.


If you run HpqPswd.exe, it will ask you for the BIOS password you wish to encrypt into a “.bin” file. Enter your BIOS password, then save the file somewhere useful, as this we will use this later to as the credential for configuring/updating the BIOS.

Preparing the BIOS configuration

Now, you’ll need a test machine of the right type to get a BIOS configuration from. You could in theory specify the configuration file from scratch, but that would take a while. The easiest way to do it is to set up a computer how you want it, export the BIOS config, tweak it to suit, then deploy!

To start this process, you’ll need to install the HP BIOS configuration utility, then browse to “%ProgramFiles(x86)%\Hewlett-Packard\BIOS Configuration Utility”, or “%ProgramFiles%\Hewlett-Packard\BIOS Configuration Utility” and get the following files:

  • “BiosConfigUtility.exe” (BIOS configuration tool, for x86)
  • “BiosConfigUtility64.exe” (BIOS configuration tool, for x64)
NOTE: Both of these files seem to work fine on x64 build of Windows 7, so I’m not too sure why there is a specific x64 version. The “BIOS Configuration Utility User Guide.pdf” is alo quite useful, so you may want to grab that too.


If you take BiosConfigUtility and run it on the machine you’ve configured, you can get it to export the current configuration to file, using “BiosConfigUtility.exe /get:”ProBook 6x70b\BIOSConfig.cfg””

The file format for the BIOS configuration isn’t particularly great, with tab indented options, but with the export, the current settings are all selected for you, with an asterisk (*) denoting the active option.

Here’s an example of part of my config file:

Data Execution Prevention
SATA Device Mode
Reset of TPM from OS
OS Management of TPM
Activate TPM On Next Boot
TPM Device
TPM Activation Policy
    F1 to Boot
    Allow user to reject
    *No prompts

You can tweak the file however you need, It seems the general recommendation is to remove anything you’re not actively going to set, as this provides a more concise config file and makes it easier to track down issues.

In the next part, I’ll cover setting up the SCCM side of things now we are nearly ready to deploy the new settings and upgrade the BIOS. Read on to Part 2!

SCCM 2012 R2 – Validating and setting OSDComputerName with PowerShell

I’ve recently been doing some work with System Center Configuration Manager (SCCM) 2012 R2 recently and I was interested in validating a computer name supplied during an Operating System Deployment (OSD) task sequence before actually attempting to set it and possibly causing an error (with the computer name being too long, for example). Since that sounds like a job for PowerShell, I immediately had a look and found a reasonable solution that almost fit my needs.

As an aside to this, I’m not currently using the Microsoft Deployment Toolkit (MDT) in any real way, however my solution does use a component of it in order to display the PowerShell script to the user. This gave me a good excuse to run through it and start to check it out with the idea of using it more down the line.

The solution I found that almost did what I wanted can be found here (I’ve contributed my alterations there too in the comments. Thanks very much to Nickolaj for his script, as it saved me a fair bit of work!

To run the script, a few things have to be done first (Instructions with screenshots can be found in Nickolaj’s post on scconfigmgr.com.

  • Add the ‘WinPE-NetFx’ and ‘WinPE-Powershell’ features to the boot image you will be using with the OSD. (in “Boot Images > Boot image > Properties > Optional components”)
  • Download a copy of MDT that matches the boot image architecture you want (x86/x64), then extract the ServiceUI.exe file from it, usually located at “%ProgramFiles%\Microsoft Deployment Toolkit\Templates\Distribution\Tools”
  • Create an SCCM package containing the script, plus ServiceUI, but don’t create a program for it, as we’ll deal with that bit when adding it to the task sequence.
  • Add a ‘Run Command Line’ task in your task sequence, then use the package created  in the previous step, along with a command line like:
ServiceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File MYSCRIPTFILENAME.ps1
After testing the script and running it, there were a couple of things I saw that could be improved:
  • First was the ability to hit enter and have that correspond to the OK button. It’s  minor thing, but makes a massive difference to the user experience!
  • Next, was the validation/correction of the computername. The original script will silently strip out invalid characters, which may leave some wondering why the computer name appears differently to how it was originally typed.

I started with making the enter button correspond to the OK button. I did this by adding the following code just before the call to load the form:

$Form.KeyPreview = $True
$Form.Add_KeyDown({if ($_.KeyCode -eq "Enter"){Set-OSDComputerName}})

Next, I wanted to remove the silent removal of user input and make it obvious to the user that they had entered an invalid computer name. I did this by re-using the existing ErrorProvider and moving the validation code to another clause in the if statement.

This meant that instead of having:

else {
  $OSDComputerName = $TBComputerName.Text.Replace("[","").Replace("]","").Replace(":","").Replace(";","").Replace("|","").Replace("=","").Replace("+","").Replace("*","").Replace("?","").Replace("<","").Replace(">","").Replace("/","").Replace("\","").Replace(",","")
  $TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment 
  $TSEnv.Value("OSDComputerName") = "$($OSDComputerName)"

We end up with something slightly different (ignoring the use of a Regular Expression to validate the computer name instead of a multiple string.Replace())

#Validation Rule for computer names.
elseif ($TBComputerName.Text -match "^[-_]|[^a-zA-Z0-9-_]")
  $ErrorProvider.SetError($GBComputerName, "Computer name invalid, please correct the computer name.")
  $OSDComputerName = $TBComputerName.Text.ToUpper()
  $TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
  $TSEnv.Value("OSDComputerName") = "$($OSDComputerName)"

As you can see, this makes the script a little easier to read, which always bodes well for improvements in the future. One thing that still slightly annoys me is the format of the if elseif elseif else. This is quite close to being made a switch statement, but it’s OK until I find the need to add another clause. I’d also like to find a way to remove the MDT dependency of ServiceUI.exe, as this requires a different SCCM package or invocation based on architecture (x86/x64). However, this may not be possible due to the way the OSD task sequence works.

Here is the current script I’m using in full. Please let me know if you have any improvements you can suggest, as it’s always a good day to learn!