/build/static/layout/Breadcrumb_cap_w.png

Dell Patching SMA 12.0

Hello,

We are starting to use Dell Patching in our environment, and it is working great. 

The only issue is deploying BIOS. Our Dell computers are protected with BIOS "Admin Password" to prevent users' poking around.

When we run the Dell Patching schedule, everything installs fine, except for the BIOS packages, which eventually timed out after the default attempts.

Is there a way to have this successfully installed without having to remove the BIOS password? I want to fix a security issue without opening another hole (removing the password).

The BIOS package installed ok when we removed the password in a testing environment, no matter how many versions the BIOS was behind.


Thanks!


0 Comments   [ + ] Show comments

Answers (2)

Answer Summary:
Posted by: Nico_K 2 years ago
Red Belt
2

Dell BIOS updates are a problem, indeed.
THis has two causes:
1. Dell BIOSes cannot updated over huge distances (from A01 to A38 or similar) but need steps in between.
2. The driver feed (which is imported from Dell) only contains the latest version.
3. The Dell tool to install the drivers cannot handle passwords.

You can do the following:
1. create a bunch of smart labels with the nessesary BIOS versions. As an example you can use this  which checks for the E7450 with BIOS versions below A24 (you can also click it in the wizard)

SELECT MACHINE.NAME AS SYSTEM_NAME, SYSTEM_DESCRIPTION, MACHINE.IP, MACHINE.MAC, MACHINE.ID as TOPIC_ID FROM MACHINE  WHERE ((BIOS_VERSION < 'A24') AND (CS_MODEL like '%Latitude E7450%'))  2. create a software Item with the BIOS versions where you attach the BIOS version you want to use
3. run a MI with the following:
E7450A24.exe /s /f /r /p=YOURPASSWORD

Notes: if you use Bitlocker, you need to disable bitlocker before and reenable it afterwards. In that case a script would be more helpful.


Comments:
  • Thanks! this should get me around the BIOS issue. - horacior 2 years ago
Posted by: jct134 1 year ago
Senior Purple Belt
0

We had issues with a few things with the Kace dell patching section...

1. you have to have the newest Dell Agent installed in order to detect other updates needed (run detect for just agent, deploy, reboot)

2. then detect for updates (Bios etc..) however it did NOT detect until AFTER the device was inventoried UGH! so Force inventory, then detect

3. Detect for updates AGAIN.

4. Deploy updates, if you use bitlocker (like we do) it does NOT always allow bios to update, and on many devices prompts for the bitlocker password ugh!

3 another force inventory and new detect to show that the update was successfully installed...


Seems like way too much crap to go through just to get a Bios update (in our situation anyways)


So instead, what I do is this...


I download the newest bios for our devices (in our case the desktops are 5080, 5090 & 3000 Optiplex's)

I zip those up into bios.zip with 3 folders 1 for each model (and can add as many models as you need into seperate folders..)

I then attach that as a dependencies to a script that runs powershell that does the following...

1.Creates folder where I want the install files stored

2. unzips the zip file to that location

3. detects what model the computer is and sets the $biosFile path to the install file based on the model

4. checks if bitlocker is enabled, and if so suspends bitlocker

5. Installs the bios with /s /f (Silent and Force) and waits for the process to finish (with lines "$biosProcess = Start-Process -FilePath $BiosFile -ArgumentList "/s /f" -PassThru" AND $BiosProcess.WaitForExit()"

6. then after the bios install file finishes, the script checks to see if any user is currently logged in (in case someone just logged in while bios was updating) if no user, computer reboots.. If user is logged in

then I trigger the KUserAlert.exe (which you can use to pop up the same kace message boxes & customize what you want it to say...

1st I pop up a message that just says "IT updated your system, and it needs to be rebooted..." is auto closes in 1 minute, or if they click OK,

2nd I pop up another message that says "COMPUTER WILL REBOOT IN ABOUT 5 MINUTES..." again it auto closes in 1 minute or if they click OK

3rd I pop up 1 last message that says "REBOOTING... in 5 minutes, or as soon as you click OK.  If you have any questions, put in an IT ticket.  Thank you  DO NOT interrupt the reboot process the computer can become unusable" now that message auto closes in 5 minutes, or if they click OK

then the computer is forced to reboot...


So far I have had great success with this, I am also in the process of creating a similar script for our HP devices.. so about 2300 devices in all...

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ