Welcome back to our “Managing the Dell BIOS” series! In this final part, we are going to start pushing BIOS settings with Group Policy.
Before we proceed, make sure that:
- You have installed the Client Configuration Toolkit (CCTK). The download can be found on our Tools page under the Deployment/MDT section.
- You know how CCTK works in command line.
- You have created your customized BIOS package.
Now that you have everything you need, let’s lock down your BIOS and deploy your settings!
Saving your CCTK Package
At the end of Part 2, you created a CCTK package in the form of an EXE. If you are using MDT as your deployment suite, navigate to the Applications folder under your DeploymentShare. Create a new folder named Dell. If you are not using MDT, simply create a new folder on a file or software distribution server.
Note: The BIOS Updates sub-folder is used in our environment to update the Dell BIOS version before imaging. I find that it is much safer to update the BIOS before the OS is installed rather than afterwards. We won’t go down that rabbit hole in this post. If you would like instructions on setting up the BIOS version update feature, then check out part 4 of this series.
Save your BIOS settings package in the root of the Dell folder. Saving the package here instead of on a file server has one big benefit. It allows you to change machine settings through Group Policy and/or MDT.
Next, create a batch file in the same Dell folder. Edit it so that it will execute your BIOS package. Be sure that the BIOS package path points to the UNC path, not a mapped drive (the script runs as LocalSystem at shutdown, where no user drive mappings exist). An example would look like this:
\\SERVER\Deploymentshare$\Applications\Dell\BIOSPACKAGE.exe
Create your BIOS Settings GPO
In the GPMC, create a new GPO named “Dell BIOS Settings”. Edit the GPO and browse to Computer Configuration > Windows Settings > Scripts > Shutdown. Browse to your batch file and add it to your GPO. Test your GPO by linking it to an OU that contains a few test computers. After a gpupdate and a restart (the script only runs at shutdown, so the settings are applied on the way down and visible on the next POST), you should see your BIOS settings take effect. Be sure to restart each computer twice after the update has been installed. This will help you identify any potential problems.
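Below is a fuller version of the shutdown-script batch file, written for this page as an added example; it is not the batch file from the original post. It assumes the UNC path and package name used in the step above, a marker file under %ProgramData% (an illustrative name), and that the packaged EXE returns a non-zero exit code on failure. It skips the package when the marker already exists, refuses to run when the share is unreachable, runs the EXE synchronously with /nolog so it does not try to write its log next to itself on the share, and records the outcome in the Application event log.

```batch
@echo off
rem Dell BIOS settings shutdown script. Added example, not the batch file from the post.
rem Assumptions (adjust for your environment): the UNC path and package name below,
rem a marker file under %ProgramData%, and that the package exits non-zero on failure.
setlocal

set "PKG=\\SERVER\Deploymentshare$\Applications\Dell\BIOSPACKAGE.exe"
set "MARKERDIR=%ProgramData%\DellBIOS"
set "MARKER=%MARKERDIR%\BIOSPACKAGE.applied"

rem Run-once guard: if this package has already been applied, skip it.
rem Rename the package (and therefore the marker) when you publish new settings
rem so the new version runs; delete the marker on a machine to force a re-run.
if exist "%MARKER%" exit /b 0

rem The script runs as LocalSystem with no desktop, so it must never wait for input.
rem If the share is not reachable (laptop off the network), record it and give up.
if not exist "%PKG%" (
    eventcreate /T ERROR /ID 901 /L APPLICATION /SO "DellBIOS" /D "BIOS package not found: %PKG%" >nul 2>&1
    exit /b 1
)

rem Run the package and wait for it to finish. Do not use "start" without /wait:
rem the script would return immediately and the shutdown would kill the installer.
rem /nolog stops the EXE from writing its log next to itself on the read-only share.
"%PKG%" /nolog
set "RC=%errorlevel%"

if not "%RC%"=="0" (
    eventcreate /T ERROR /ID 902 /L APPLICATION /SO "DellBIOS" /D "BIOS package failed with exit code %RC%" >nul 2>&1
    exit /b %RC%
)

rem Success: drop the marker so the next shutdown skips the package.
if not exist "%MARKERDIR%" mkdir "%MARKERDIR%"
echo %date% %time% %PKG% > "%MARKER%"
eventcreate /T INFORMATION /ID 900 /L APPLICATION /SO "DellBIOS" /D "BIOS package applied: %PKG%" >nul 2>&1
endlocal
exit /b 0
```

Every domain computer executes this package as LocalSystem, so the share only needs to grant Domain Computers read and execute; it should not be writable by them. If you would rather have the baseline re-asserted on every shutdown (the few extra seconds the comments below mention), remove the marker check. To confirm the asset tag on a test machine without watching POST, `wmic systemenclosure get SMBIOSAssetTag` reads it back from SMBIOS after the next restart.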
For me, the easiest way to see my settings is to configure the Dell Asset attribute in your BIOS package. The asset attribute lets you configure a company tag that appears when your machines POST. When computers start in our environment, they will display “GCBE” right above the Dell logo. This also has the added bonus of proving ownership in case a device decides to grow legs.
Your BIOS – Now Managed
In this three-part series, you learned how to use the Dell Client Configuration Toolkit. You’ve created a BIOS package and learned how to deploy settings with Group Policy. Using this tool and configuring your machines will let you fix some pretty difficult problems! Just to get you motivated, you can:
- Make your users happier by having their machines pre powered on
- Secure your BIOS with a password to prevent unauthorized changes
- Restrict boot devices to stop password cracking CDs
- Disable the wireless adapter kill switch (the one that every user accidentally turns on)
- Tattoo your computers with an asset tag
Go forth and start pushing BIOS settings with Group Policy! If you have any questions or thoughts (such as why I use exclamation marks so much), let me know in the comments below!
Hello,
If I want to deploy a “bios update” in an enterprise environment, how can that be achieved safely?
The workstations are primarily running windows 10 and have bitlocker enabled.
Thanks
Billy
You will need to suspend BitLocker on the shutdown and then enable it on the reboot. This should help: https://gallery.technet.microsoft.com/scriptcenter/Suspend-Bitlocker-and-0e3d43c0
Hi Joseph! This is a great set of articles, and I really appreciate the breakdown. I’m having a simple issue, however.
I have the script on a fileshare under \\server\folder\bios. This has wrx permissions for domain computers (since the shutdown node runs the script as “local system”). The shutdown GPO runs the batch file from that server. The exe is pushed out to the local computer and resides in the root of the c: drive (at least for testing).
The batch file contains:
```batch
cd c:\
echo i >> run.txt
rem "start" launches the EXE and returns immediately; it does not wait for it to finish
start DellBiosSettings-Final.exe
rem "sleep" is not a built-in Windows command, so this line fails unless a sleep.exe is on the PATH
sleep 60
```
The script runs perfectly when run manually. For some reason, however, the computer doesn’t wait for 60 seconds during shutdown, and never applies the settings (no log generated from the exe). Do you know what the issue here is?
Thanks!
If you call just DellBiosSettings-Final.exe, does it generate a log file and apply the settings?
Well that specifically didn’t work, but I took what you had and ran with it (added file location).
Shrinking my file down to the line below (quoteless) did the trick.
“C:\DellBiosSettings-Final.exe”
Thanks Joseph!
Not a problem at all! Glad you got it working.
Hey Joseph,
I am trying to use this guide to implement BIOS changes in my environment but seem to be having a problem with both the GPO and the .bat file itself.
My config exe was saved using the “no password” option and put in a deployment fileshare location where all computers have read and execute permission along with the .sh file and my created .bat file.
My batch file looks so: \\SERVER\Deploymentshare$\Applications\Dell\BIOSPackage.exe
The policy script is set to call the batch file from the same folder. However, no computers in the linked group seem to be getting the BIOS settings. Also, when I attempt to go to a test computer and simply click to run the batch file myself, I get the following error from the log that is produced:
cctk - Setup Password is required to change the setting. Use --valsetuppwd to provide password.
CCTK STATUS CODE : FAILURE
I tried putting in a cctk commandlet --valsetuppwd:PASSWORD with no luck; I didn’t figure it would work anyway since cctk isn’t installed on this test computer anyway.
Any suggestions??
Do your computers have a BIOS (setup) password on them? If so, you will want to specify that when you create the package.
They do not currently have a password, rather one is being set up with the package. It seems if I run the .exe from the file share, it works. The batch file, however, is giving the error above.
Also, the .exe sets all the settings appropriately, but does not remove certain boot devices. I would like to remove the optical drive and USB from boot options list. I set a particular list to include only the hdd and nic, but still see other devices on test computers I’ve run the .exe on. Am I missing a ‘remove boot device’ option somewhere perhaps?
I’ve been trying to deploy this via GPO but I want to be able to abort running the .exe in the event that the settings have already been applied. I thought of doing this via having the log generated by the .exe saved on a network share and then having the script check and see if that file exists (I’d have the .txt file have the same name as the computer name). However, I couldn’t get that to work. Any thoughts as to something else I can do? I just don’t want to have this file sent across the WAN every single time a machine shuts down. I’d also like to be able to see what machines have actually had the settings applied.
I have built my .exe and .sh files–however I’m not sure of how to build a batch file–please help!
You can use a group policy shutdown script to deploy this.
The EXE should run silently. You can simply create a batch file that contains the full path of the exe. You will have to put the exe on a network share that domain computers have read/execute to.
Hello!
If I use GPO with a batch file, how could I prevent that this bat is running every time the machine shuts down?
I mean – I want it to run once only – or is it negligible if that exe is running on every shutdown?
But also – I want to run it again on changes to the bios.exe…
GPO with RunOnce…?
Thank you!
GPO with runonce works. You can also add a create file statement at the end of the batch file. Then add an if file doesn’t exist statement before the exe executes.
But – you may not even want to worry about it. You are talking about 5 seconds extra on shutdown and you get the assurance that BIOS settings aren’t being changed from your baseline settings.
Hi Joseph,
I’m back, I’m unsure what I’m doing wrong.
My test worked but when I tested another machine it did not work.
This is my setup.
1. In Command and Configure, created and saved .exe and .cctk file to a network share
\\server\folder\Dell_BIOS_Update\
2. Created a GPO and linked it to a test OU
In Group Policy editor configured Computer Configuration > Windows Settings > Scripts > Shutdown
3. Added \\server\folder\Dell_BIOS_Update\Dell_BIOS_Update.exe as script name (no parameters)
4. Added test PC to OU, ran gpupdate /force on PC
Nothing happens…
Your assistance is appreciated, thanks.
***Edit***
For the shutdown script I entered \\server\folder\Dell_BIOS_Update\DellBiosUpdate.bat
The batch file is simply \\server\folder\Dell_BIOS_Update\Dell_BIOS_Update.exe
TIA
Verify that the computer saw the GPO – you can check event viewer for this or run gpresult /h report.htm.
Do you have anything that could block the EXE from running? Like applocker?
gpresult did not see the GPO.
rsop.msc showed the script
Nothing blocking exe from running.
the batch file runs fine when manually running it.
Any other ideas? hmmm…
That is very odd that gpresult doesn’t show the GPO. Can you run gpresult as an administrator? Does it show it then?
I figured it out – the location of the batch file and exe is read-only.
The batch file was failing because it was unable to write the log to the same location of the batch file.
I re-read the documentation and found the answer there. My brain is not working as I know I read that sentence many times.
Solution: edited batch file entered “/nolog” at the end and all is working now!
Thanks for your help Joseph!
Your articles are very helpful.
That is awesome Michael!
Hi,
Can anyone share how they wrote their batch file?
Thanks in advance.
The batch file just needs the name of your EXE in it.
Thanks Joseph,
I had already tried that, but I was using a UNC path which it doesn’t like.
How do I work around this?
Hi Joseph,
I tried that; however, I used a UNC path, which it did not like.
How would I get around this?
Thanks.
Nevermind, your suggestion worked.
My shutdown configuration in the GPO was incorrect.
Thanks for the help Joseph!
No problem at all Michael! Let me know if you have anymore questions.
BIOS password.
Just found this article today, Awesome!!! Tested it out and it seems to be working, with ONE exception. I can’t get it to apply the password. All the other settings are applying, just fine, it’s just the password that will not. Ideas?
Are you trying to set an admin (startup) password or setup (BIOS password)?
I am stuck …
I’ve created the .EXE and it applies the BIOS settings successfully when I execute it manually. I’ve created a GPO and added a shutdown script. The scripts calls ‘bios.bat’ and it appears to execute successfully (at the root of C:\ the text file gets created, C:\Bios_2014.04.10_1222_PM.txt) , but the BIOS settings won’t apply; even after multiple reboots. The .EXE and ‘bios.bat’ reside in the same folder. Here’s the content of the .bat.
```batch
@echo off
ECHO Install BIOS update 2014.04.10_1222_PM
\\LAN\share\public\Bios\multiplatform_201404100952.exe
ECHO.
ECHO Create Reminder
ECHO BIOS update 2014.04.10_1222_PM Successfully Run > C:\Bios_2014.04.10_1222_PM.txt
ECHO.
goto exit
:EXIT
exit
```
Any suggestions?
Hey Z0rk – I am stuck as well! But lets try something.
Download the PSTools suite. Copy the psexec tool and put it into your \share\public\bios folder. Launch an administrative command prompt and type psexec.exe -s BIOS.bat
Do the BIOS settings get applied? This test simulates the shutdown script process.
I didn’t get far with PSexec. I ran CMD as administrator on a local workstation with access to the UNC share:
```text
M:\Public\xxx\Bios>PsExec.exe -s [UNC_path]\bios.bat

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - http://www.sysinternals.com

PsExec could not start bios.bat on [local_computer_name]:
The system cannot find the file specified.

M:\Public\Everett\Bios>
```
… good news though; I’ve changed security permissions to Full Control for Everyone. That fixed it.
Silly permissions.
Thanks!
Dang permissions! Glad you got it fixed!!
BTW, I am curious what tool do you use to view the permission hierarchy of a folder (or/and share)? It would be cool to get a visual layout of it with diffs highlighted; or a way to run a diff that outputs the differences. Anyway … just curious.
Thanks again
I use this script here: http://blogs.technet.com/b/ashleymcglone/archive/2014/03/17/powershell-to-find-where-your-active-directory-groups-are-used-on-file-shares.aspx
Hi Joseph
thanks for these posts, they’re incredibly helpful. One thing I can’t see in here though (and apologies if I’m missing it), if you already have BIOS passwords set, is it possible to include that in the config file to either update the BIOS version or turn features on?
Thanks in advance, Sean.
When you create your packages in the toolkit, there is an option to specify an existing BIOS password. Let me know if you have any problems setting this.
Perfect, found it thanks Joseph.
Dear Joseph
I have set all according to the guide but the setting is not applied. When I tried to run the .bat manually I got prompt from UAC. Could this be the reason it doesn’t work, if so can I suppress the UAC with silent switch perhaps?
Many thanks,
Archie
Are you deploying this as a startup script in Group Policy? If so, UAC shouldn’t play a part.
Hi Joseph,
I am trying to push the CCTK .exe file out with SCCM 2012 instead of group policy, but have not had any luck. Do you have any experience or write-ups you can post about that process?
You will probably have to deploy it as a package instead of an application. Are you currently doing that?
I got this worked out today. Yes, I was using a package instead of an application. I believe my failure was that I did not “Update Distribution Points” after I created the package. –Tony
SCCM does have quite a few more steps than Group Policy Software installation. Thanks for letting us know how you fixed it!
If I want to update some BIOS settings during my MDT task sequence, would it be best to do so when still in WinPE? Can the bios package EXE be executed in WinPE or do you have to use the command line? Is that what the .sh file is for? Thanks!
Sorry, I think I found my own answer. It looks like the EXE cannot be executed from WinPE. CCTK only. I’m assuming I can feed it an ini file to change a bunch of settings at once. And I guess the .sh file is a script for Linux.
We feed just a few settings with cctk. The rest are fed with an exe once the machine is on the domain. Either way – it is pretty self maintaining once it is setup.
I tried implementing this to turn TPM on and activate it in the BIOS. No luck however. I get this as an error. Any ideas? The BIOS already has a password set and I enter this and save it in my EXE.
cctk - Error in Setting the Value.
Note: To set TPM - 1. Admin Password must be set, 2. TPM must not be owned and 3. TPM must be deactivated.
Hi Jim – what are the exact commands you are using when you are trying to enable/activate TPM?
My process is as so... (no doubt this could be OE). I made an exe for my BIOS using CCTK. Made the edit to enable TPM AND ACTIVATE. I then put the exe in the domain controller netlogon share. Created a BAT to call the exe and deployed it to a test OU via a GPO shutdown script. It actually upgrades the BIOS but doesn’t do the one thing I am most concerned about, that being the TPM enable and activate. We have just recently deployed MBAM for BitLocker and I have a handful out of the 1500 or so workstations where the BIOS doesn’t have it enabled. I am hoping to save the workstation people a lot of walking around. Any help is greatly appreciated. Thanks!
That looks identical to the way that my EXE is deployed. Have you tried doing this from the CCTK command line? If not, here are the commands you can try:
```batch
cctk --tpm=on --valsetuppwd=BIOSPASSWORD
rem restart the computer once, then:
cctk --tpmactivation=activate --valsetuppwd=BIOSPASSWORD
```
If these commands work manually, you can script these settings. Just let me know what you find out.
I am interested in the BIOS version update feature.
I should have it done by late next week! Thank you for interest!
I am interested in the BIOS version update feature.
Here you go Michael: https://deployhappiness.com/updating-bios-versions/
Nice guide.
Got one question.
On the website of dell it says
“-Support for the following only in CLI:
Displaying the hard disk drive (HDD) details
Setting and clearing password for all HDDs”
I found how to configure these things via the command line but I would like to make an exe out of it. Of course i can install the tool and then run to cmd but I would rather not install the tool on the remote pc. Do you know if this is possible?
Thank you Bram!
If you put the CCTK files on a server, you can access them from the remote machine without having to install them. That is how we manage certain settings!