BIOS Patching
I'm curious to see what everyone's practice is regarding BIOS updates. Do you update the BIOS on your machines? I'm pretty much only a Dell shop and notice the bulk of my devices are pretty far behind in BIOS patches. If you do update them, how do you do that through KACE. I did a quick Google search and didn't see a best practices or crash course on how to patch BIOS on your machines. Just curious to see everyone's thoughts and what would be a good place to start. Thanks
Answers (3)
Go to the Quest support website, select your product, then go to technical documentation, and download the KACE Systems Management Appliance Administrator's guide.
here:
https://support.quest.com/download/downloads?id=6089094
Then go to page 607-610 , "Managing Dell devices and updates. You can use the KACE SMA to manage device updates from Dell."
We had issues with a few things with the Kace dell patching section...
1. you have to have the newest Dell Agent installed in order to detect other updates needed (run detect for just agent, deploy, reboot)
2. then detect for updates (Bios etc..) however it did NOT detect until AFTER the device was inventoried UGH! so Force inventory, then detect
3. Detect for updates AGAIN.
4. Deploy updates, if you use bitlocker (like we do) it does NOT always allow bios to update, and on many devices prompts for the bitlocker password ugh!
3 another force inventory and new detect to show that the update was successfully installed...
Seems like way too much crap to go through just to get a Bios update (in our situation anyways)
So instead, what I do is this...
I download the newest bios for our devices (in our case the desktops are 5080, 5090 & 3000 Optiplex's)
I zip those up into bios.zip with 3 folders 1 for each model (and can add as many models as you need into seperate folders..)
I then attach that as a dependencies to a script that runs powershell that does the following...
1.Creates folder where I want the install files stored
2. unzips the zip file to that location
3. detects what model the computer is and sets the $biosFile path to the install file based on the model
4. checks if bitlocker is enabled, and if so suspends bitlocker
5. Installs the bios with /s /f (Silent and Force) and waits for the process to finish (with lines "$biosProcess = Start-Process -FilePath $BiosFile -ArgumentList "/s /f" -PassThru" AND $BiosProcess.WaitForExit()"
6. then after the bios install file finishes, the script checks to see if any user is currently logged in (in case someone just logged in while bios was updating) if no user, computer reboots.. If user is logged in
then I trigger the KUserAlert.exe (which you can use to pop up the same kace message boxes & customize what you want it to say...
1st I pop up a message that just says "IT updated your system, and it needs to be rebooted..." is auto closes in 1 minute, or if they click OK,
2nd I pop up another message that says "COMPUTER WILL REBOOT IN ABOUT 5 MINUTES..." again it auto closes in 1 minute or if they click OK
3rd I pop up 1 last message that says "REBOOTING... in 5 minutes, or as soon as you click OK. If you have any questions, put in an IT ticket. Thank you DO NOT interrupt the reboot process the computer can become unusable" now that message auto closes in 5 minutes, or if they click OK
then the computer is forced to reboot...
So far I have had great success with this, I am also in the process of creating a similar script for our HP devices.. so about 2300 devices in all...
