Tag Archives: sccm

SCCM – Updating and configuring HP BIOS/UEFI in a task sequence – An update

Lately I’ve bee working on a little more SCCM operating system deployment work and I’ve got an updated toolset for configuring and updating UEFI firmware for HP machines easily in a task sequence. This is a reasonably long post, so bear with me.

A lot of the same techniques from my earlier posts on the subject apply. We are still using HPBIOSUPDREC, BiosConfigUtility and an SCCM package for the source files. I’ve updated the batch files to take an argument for the configuration or update file, as well as the previous architecture detection. The good thing about this method is that it supports all current HP laptop, desktop and workstation models with no change, you just give the update file, or the configuration as an argument and away you go.

I considered using PowerShell for this, however it takes a little while to start in WinPE and unless I add more logic to the process for particular models or action types, I don’t see the need to convert it yet.

I’ve set up the package for HP machines I need to configure and update as follows:

SCCMPackages\HP-UEFI\
    68ICF.CAB (UEFI firmware - EliteBook 8x70p)
    BiosConfigUtility.exe   (BIOS config utility - x86)
    BiosConfigUtility64.exe (BIOS config utility - x64)
    BIOSPW.bin              (Encrypted BIOS password)
    ConfigureUEFI.cmd (UEFI config command file)
    EliteDesk800G2-Win7.cfg (UEFI configuration - Win 7)
    EliteDesk800G2-Win10.cfg (UEFI configuration - Win 10)
    EliteBook8x0G3-Win7.cfg (UEFI configuration - Win 7)
    EliteBook8x0G3-Win10.cfg (UEFI configuration - Win 10)
    EliteBook8x70p-Win7 (UEFI configuration - Win7)
    N75_0110.bin (UEFI firmware - EliteBook 8x0 G3)
    N21_0219.bin (UEFI firmware - EliteDesk 800 G2 SFF)
    UpdateBIOS.cmd (UEFI update command file HPqflash models)
    UpdateUEFI.cmd (UEFI update command file HPBIOSUPDREC models)

A sample set of files for all of this can be found on GitHub, except the HP binaries and firmware, which need to be downloaded from HP.

You can follow the larger package format, with all models together, or spread the update and configuration files over multiple packages, whichever suits your requirements best.

You may notice that I’ve included an odd DLL file ‘oledlg.dll’. This is needed to make HPqflash work on WinPE 10 (10.0.10586.0). If you run HPqflash in WinPE 10 without it, you get an exit code of -1073741515 (0xC0000135), which means a DLL needed for the program is missing.

I did a bit of investigation with procmon on a full windows system and found oledlg.dll was required, but missing from WinPE. I put this DLL in the same folder next to HPqflash and all was good!

Both ConfigureUEFI.cmd and UpdateUEFI.cmd are general for all models using HPBIOSUPDREC and the HP BIOS config utility and look like this:

There’s also a slightly different version for deploying updated firmware, if you’re still using HPqflash:

We can use the same SCCM ‘Run command line’ task we used in the past for this, with a little tweak to run the command file with the right update or configuration. This is done in the same way as before, with the extra exit code for successful completion.

This is the configure command line:

command-line-configure

Followed by the update command line, along with the success exit codes shown.

command-line-update

update-exit-codes

The update command line needs to follow the configure step if as it requires a password bin file.

Hopefully this has been helpful updating things in the journey to support newer HP models.

SCCM 2012 R2 – Using WUSA (Windows Update Standalone Installer) in an Application

It’s been a little while since my last post, I’ve not long started a new job so things to write about got put on the back burner for a little while.

I needed to install IE11 on some Windows 7 machines that didn’t necessarily have the prerequisite updates. The main thing was the update package couldn’t be downloading all its prerequisites from the internet, because that’s just not professional!

This makes things a little more complicated from an SCCM perspective, since I can’t just go and install IE11 directly, I have to make sure the prerequisites get installed. I had a play around with the IEAK 11 (Internet Explorer Administration Kit), but it didn’t handle the prerequisites particularly well, I had a few failures, then decided to sort the dependencies myself.

This is where WUSA comes in! I built the IE11 application as normal, just calling the IE offline installer executable directly with the ‘/quiet’, ‘/update-no’, ‘/norestart’ and ‘/closeprograms’ switches, then gave it some Windows updates that required as prerequisites as dependencies for the deployment.

This went well, till I ran into some odd failures with some computers. I looked at the logs and WUSA was returning some odd return codes. I went on a bit of a search and found a list of return codes that applied, but none of them matched which annoyed me for a second till I realized that WUSA was returning the codes, but the SCCM AppEnforce.log was logging them as decimal, not the hexadecimal values shown in the knowledge base article!

A quick bit of converting from decimal to hex and I was there. I added the return codes to the deployments and all was well! Here’s the two main ones I ended up using:

2359301 (0x00240005) Success (Installed but the system must be restarted to complete installation of the update).

2359302 (0x00240006) Failure (The update to be installed is already installed on the system). This error highlights that you might have a bad detection rule in place.

2145124330 (0x80240016) Failure (Operation tried to install while another installation was in progress or the system was pending a mandatory restart).

There’s loads more I could have used, but I like to only put the extra return codes in the application when I need to, keep it simple!

SCCM 2012 R2 – Problems with SCEP 2012 R2 and Group Policy Results

We ran into an issue yesterday with Group Policy Results when using SCEP 2012 R2, the problem exactly follows this particular issue on the TechNet Forums, but appears to affect a couple of extra registry keys.

It’s really unfortunate that this still isn’t fixed in SCCM 2012 R2, having also been an issue in 2012, as the post describes.

To resolve the problem, I used my existing SCEP Group Policy ADMX template in creating a GPO to replicate the default settings pushed out to clients with SCCM, which solves the problem, as the exceptions and settings we push out to standard clients aren’t any different from the Microsoft recommended settings.

In the GPO I had to specify the exclusion settings and also the default threat actions, which are specified in the registry here:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction

Previously these settings were defined as REG_DWORD, but need to be REG_SZ, as shown below:

ThreatSeverityDefaultAction