Reporting Group

With the recent Intel AMT vulnerability, there must be other customers interested in how to best keep BIOS updated with symantec's client management tool besides me.  Until now, we've feared touching it and either bricking people's machines or locking them out because of bitlocker.

I found this thread which reports BIOS version.  

This is an interesting write up on how to update BIOS via ith Microsoft's config mgr.  Is anyone doing something similar with CMS?  Or at least using Dell's Client Command Suite to update BIOS at image time?

Thanks for any ideas.

Found this older write up, sure wish it would be updated for the new suite of Dell products.  OMCI is now Dell Command | Monitor and Dell Client Command Suite is now Dell Command | Configure

Definitely going to try to spend some time parsing to see if I can figure anything out.

So I came up with below for updating BIOS as part of imaging workflow via powershell.  My goal was one script that would work across all of our dell models that could be added to our HI imaging process.  

My script assumes

- You're copying down the latest BIOS version for each model computer as part of imaging workflow (I use this method for deploying drivers vs deploy anywhere which makes adding BIOS to workflow pretty seemless).  I just add another folder to our driver share for each model called BIOS.  

- You also have to copy the bios flash utility down.

- You create tokens in CMS for your bios password(s).  

#Get Bios File Name 
$BiosFileName = Get-ChildItem c:\drivers\bios\*.exe -Verbose | Select -ExpandProperty Name

#Update Bios
c:\drivers\biosflash\Flash64W.exe /b=c:\drivers\bios\$BiosFileName /s /p=%biospwtoken% /l=c:\drivers\bios

This works except you have to account for your environment likely blocking unsigned powershell scripts.  You can nestle the task in a job that disables the powershell signing policy, runs your script, and then re-enables it, but this seems risky to me as we don't want machines out there with signing policy disabled. Maybe it's less of a risk if you enforce signing policy as part of a GPO and run above before binding to AD.

Are there any other powershell options out there for running a script via CMS - where I want to tokenize the password and not have it locally on the machine?

I was trying to get this working as part of a command script to avoid the Powershell signing thing & got pretty close with below, but it's complaining about the bios payload (same payload/file works fine via powershell so I know the file is ok).  Anyone a better scripter than me and see my error?

@ECHO off
FOR %%F in (c:\drivers\bios\*.exe) do (
set biosname=%%~nF)
c:\drivers\biosflash\Flash64W.exe /b=c:\drivers\bios\%biosname% /p=%biospwtoken%

If I echo out the last line, it seems to be sending the correct command, but I get bios payload error. If i type exactly what's echoed back, it runs fine locally on the machine.  

I don't script all that much so if anyone has ideas, I'd appreciate them.

Reference link that helped me 

Variable expansion works differently inside a batch FOR loop. Try the following (untested):

@ECHO off
FOR %%F in (c:\drivers\bios\*.exe) do (
   set biosname=%%~nF
   c:\drivers\biosflash\Flash64W.exe /b=c:\drivers\bios\%%biosname%% /p=%%biospwtoken%%
)

Edit: if this doesn't work, change %%biospwtoken%% to %biospwtoken% I think tokens are replaced before the script is run

Found my mistake in the batch script -the biosname wasn't capturing the file extension.

This appears to be working!

@ECHO off
FOR %%F in (c:\drivers\bios\*.exe) do (
set biosname=%%~nF)
c:\drivers\biosflash\Flash64W.exe /b=c:\drivers\bios\%biosname%.exe /p=%biospwtoken%

Thanks for taking the time to reply - appreciate it.  I was mising the file extension in the variable so am good now.