BIOS update needs BIOS-Update-Settings.txt #78

Closed
merlinfrombelgium opened this issue Oct 16, 2018 · 37 comments
Comments

@merlinfrombelgium

For reference, I encountered this with HP ProBook 650 G1/G2 models.

If the BIOS setting 'Update System BIOS' is set to Disable, the computer reboots after SledgeHammer pass 1, the BIOS image is written to the system, computer reboots again and user is prompted for BIOS admin password. This of course breaks automation.

Since applying the BIOS-Settings.txt file has the least priority, we need something else to set certain BIOS settings before the BIOS update.

I would suggest to add a settings file for BIOS update, similar to TPM-BIOS-Settings.txt. Name it BIOS-Update-Settings.txt or something.

@texhex
Owner

texhex commented Oct 18, 2018

Thanks for the report and you are right, if this setting is set we have an infinite loop. I like your idea with the additional file but can you please try if enabling this value and THEN applying the BIOS update (both in Windows) will actually work?

If not, we would plan for a reset cycle or find a new method that checks the value (and others) and change them if required.

@merlinfrombelgium
Author

I had to read that a couple of times before understanding what it is you want me to test. After 2 coffees, I got it :)

Will validate and report back. Stand by.

@texhex
Owner

texhex commented Oct 22, 2018

I'm sorry, this was poorly written. But good to know that you were able to transcribe it using a brew of magical beans :)

What I meant was that we need to check if this setting has an effect in case we are setting it AND updating the BIOS at the same POST phase.

I was thinking about this:

  • Set Update System BIOS to Disable
  • Confirm, boot Windows and restart right away (to make sure it's activated)
  • In Windows, use BCU.exe to set this value to Enabled (no restart)
  • Let the script update the BIOS
  • Restart the machine and see what happens during POST: Does the BIOS update happen right away, without any password entry, or do you need to enter the password again?

@texhex
Owner

texhex commented Nov 1, 2018

@merlinfrombelgium Any updates on the test run?

@merlinfrombelgium
Author

None so far. Haven't gotten round to it. Next Monday should be better!

@texhex
Owner

texhex commented Nov 1, 2018

Alright, thanks.

@merlinfrombelgium
Author

Haven't forgotten about this! I keep pushing it back though, sorry. Will definitely get back to this.

@texhex
Owner

texhex commented Nov 8, 2018

Thanks. It would be great to get feedback next week so I could include this into the next release.

@texhex
Owner

texhex commented Dec 19, 2018

Assuming this issue to be abandoned and closing it.

Please feel free to reopen it if you have the results and we could give it a test run.

@texhex texhex closed this as completed Dec 19, 2018
@merlinfrombelgium
Author

First up, Michael, apologies for not replying to this earlier. Other projects have gotten in the way, but I'm back on it now.

Am testing today and continuing tomorrow. Let's reopen the issue if we can still find value in doing so. I'm definitely still getting prompts on some systems.

Will update with my test results tomorrow.

@texhex
Owner

texhex commented Dec 19, 2018

No problem, happy to reopen it. And yes, I still think it would be a great addition and happy to work with you on it.

@texhex texhex reopened this Dec 19, 2018
@merlinfrombelgium
Author

So the issue was reproduced on the 650 G1, but not on the 650 G2.

Your test method indeed allowed to update the BIOS without prompt. I didn't need to reboot in between updating the Update System BIOS to Enable and running the SH script to update the BIOS.

On the G2, turns out this setting isn't present. Must have confused myself somewhere while figuring it out.

The conclusion is that it would certainly be beneficial to have certain settings in the BIOS checked and remediated before performing the BIOS update. I can free up some time during the holiday period to work in the script with you, if that's how you'd like to proceed.

@texhex
Owner

texhex commented Dec 21, 2018

Thanks, very good it works the way that we were expecting.

Let me look into the code tomorrow or on Sunday. I should be able to replicate the handling from the TPM BIOS settings.

@merlinfrombelgium
Author

Cool, let me know where I can help.

As a different note, I've been using your script beyond the scope you probably intended it to be used. Like in OSD (WinPE) and in BitLocker implementation. And I've had a thought. It would be cool to use the script with a parameter for specific updates: BIOS update, TPM, ME … The idea is to override/ignore the update order as scripted. Again, happy to help figure out how to. Is this something to open a new issue for? Not sure on the preferred approach.

@texhex
Owner

texhex commented Dec 22, 2018

Please open a new issue for that, it would be interesting to know in which way you alter the use-case of it. Especially, I would like to know what you mean with "specific updates" because the order BIOS Sledgehammer uses should be correct, but I might be wrong there.

@texhex
Owner

texhex commented Dec 27, 2018

The code changes are completed and should be ready. Just before the BIOS Update, BIOS Sledgehammer checks if a file called "BIOS-Update-Settings.txt" exists and if so, executes it. The documentation is already included: https://github.com/texhex/BiosSledgehammer#v52-bios-settings-for-bios-update

I was able to reach out to my contact who has a way better understanding of HP firmware than I have. According to him:

  • The "Lock BIOS Version" setting should be supported down to G1 devices, even if BCU does not list this setting as available. I was able to confirm this on an EliteBook 840 G1, so I would say it should also be there on a G2.
  • It can also happen that HpUpdBiosRec will fail depending on this setting, but he wasn't 100% sure there. I added this fact to the documentation anyhow, we better be safe than sorry.
  • That the BIOS setting "Update System BIOS" has something to do with a "locked" BIOS version was new to him. This should control the automatic BIOS updates the device pulls from the network. According to http://h10032.www1.hp.com/ctg/Manual/c05166986 (Page 14) this seems to be true. However, it would not be the first HP BIOS setting that controls two different things.

I added example files to Shared\HP EliteBook 8x0 Gx (all generations), they can act as a template for your configuration. To give it a test, download the repo (https://github.com/texhex/BiosSledgehammer/archive/master.zip) and use BiosSledgehammer.ps1 from it. It should report to be version "5.2" when started.
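
The check-and-remediate step this thread arrives at, as an added PowerShell example that is not part of the thread or of BIOS Sledgehammer's code: it classifies each required setting as Ok, Change, or Skip (setting absent, as reported for the 650 G2) and blocks the update while any Change remains. The function names and sample values are hypothetical, and reading live values from HP's HP_BIOSEnumeration WMI class is an assumption.

```powershell
# Added example, not BIOS Sledgehammer code. Decides which BIOS settings must
# change before the firmware update is staged.
function Get-BiosPreUpdatePlan {
    param(
        [Parameter(Mandatory)] [hashtable] $Required,  # setting name -> required value
        [Parameter(Mandatory)] [object[]]  $Current    # objects with Name and CurrentValue
    )
    foreach ($name in $Required.Keys) {
        $setting = $Current | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        if ($null -eq $setting) {
            # Not exposed on this model (the 650 G2 case in this thread): nothing to change.
            $action = 'Skip'; $value = $null
        } elseif ($setting.CurrentValue -eq $Required[$name]) {
            $action = 'Ok'; $value = $setting.CurrentValue
        } else {
            # Wrong value (the 650 G1 case): fix it in the same session, before flashing.
            $action = 'Change'; $value = $setting.CurrentValue
        }
        [pscustomobject]@{ Name = $name; Action = $action; Current = $value; Wanted = $Required[$name] }
    }
}

# The update may only be staged once no setting is left in the 'Change' state;
# otherwise the next POST stops at the BIOS password prompt.
function Test-ReadyForBiosUpdate {
    param([Parameter(Mandatory)] [object[]] $Plan)
    return -not ($Plan | Where-Object { $_.Action -eq 'Change' })
}

# Constructed sample input; on a live HP device the same Name/CurrentValue shape is
# assumed to come from the HP_BIOSEnumeration class in root\HP\InstrumentedBIOS.
$required = @{ 'Update System BIOS' = 'Enable' }
$g1 = @([pscustomobject]@{ Name = 'Update System BIOS'; CurrentValue = 'Disable' })
$g2 = @([pscustomobject]@{ Name = 'Ownership Tag'; CurrentValue = 'constructed' })

foreach ($model in @{ 'G1-like' = $g1; 'G2-like' = $g2 }.GetEnumerator()) {
    $plan = @(Get-BiosPreUpdatePlan -Required $required -Current $model.Value)
    '{0}: {1}, ready={2}' -f $model.Key, $plan[0].Action, (Test-ReadyForBiosUpdate -Plan $plan)
}
```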

@merlinfrombelgium
Author

Sweet, thanks for the work you put into this! Will try this out in week 2 of 2019 when I get back to work. Happy holidays dude!

@texhex
Owner

texhex commented Dec 28, 2018

You're welcome, and the same to you!

I reopened the issue because I want to have it open until the code was verified by you and works as expected. It's not a problem if it stays open for two or more weeks. This isn't your internal ticket system where the supervisor keeps an eye on the number of open tickets 😉

@texhex texhex reopened this Dec 28, 2018
@merlinfrombelgium
Author

I actually clicked close and comment by mistake and then thought it didn't really matter :)

Yeah thanks for not breathing down my neck. I got plenty of people doing that already on the job ;)

@texhex
Owner

texhex commented Jan 15, 2019

@merlinfrombelgium Did you have a chance to test this already?

@merlinfrombelgium
Author

Not yet Michael. Next Monday/Tuesday will be next opportunity.

@texhex
Owner

texhex commented Jan 23, 2019

@merlinfrombelgium ?

@merlinfrombelgium
Author

Sorry Michael. Still haven't had the opportunity. And I'm leaving on a 2 week holiday tomorrow. Happy to pick this up after 11 February. Once again, sorry to let you down.

@texhex
Owner

texhex commented Jan 29, 2019

@merlinfrombelgium Alright, understood. Have a nice holiday!

@texhex
Owner

texhex commented Feb 27, 2019

@merlinfrombelgium Any updates?

@merlinfrombelgium
Author

@texhex no 🙁

@merlinfrombelgium
Author

This week, I have 3 days on-site at that particular customer. I'm making a solemn promise to you now that I will test this! ✌🏻

@texhex
Owner

texhex commented Mar 7, 2019

Thanks, let me know if it works as expected.

@merlinfrombelgium
Author

So... I tested the bios-update-settings on a ProBook 650 G1 today. Luck had it, HP pushed out a new BIOS version. Or you could say, it took me so long, they got bored and decided to update this old machine for fun 😜

Works as described! Used your template, added a value for Ownership Tag, just as an extra check. Watched the log live, as the script ran to verify settings were applied. BIOS update was next, script exited with 3010. After a manual reboot, BIOS update applied without human intervention and the Ownership Tag was set as well.

Thumbs up 👍

@texhex
Owner

texhex commented Mar 31, 2019

Sorry for the long delay!

Thanks for the verification and good to hear it works as expected. I will keep this open until I have 6.0 ready. I'm not quite sure if I keep the current file name, the title of it is a little bit misleading. Just as a heads up when 6.0 comes out and your current configuration stops working.

@texhex
Owner

texhex commented Apr 14, 2019

@merlinfrombelgium For your information, I will change the filename of this file to BIOS-Update-BIOS-Settings.txt, simply to avoid that it sounds like it includes settings for the BIOS update process. I will provide a batch file later on that can rename all your existing files in one go.

texhex added a commit that referenced this issue Apr 14, 2019

…-BIOS-Settings.txt (#78)
@texhex
Owner

texhex commented Apr 14, 2019

Here is the file to rename your existing file in one go. Just copy to the root of the BIOS Sledgehammer installation (where BiosSledgehammer.ps1 is), rename the extension from TXT to BAT and start it.

This will rename all existing BIOS-Update-Settings.txt files to the new name.

zRenameConfigFilesForV6.txt

@merlinfrombelgium
Author

Cool. Will be a while probably before I use the script again.
Will you attend MMSMOA next month? If so, let's have a beer or two at the Firelake!

@texhex
Owner

texhex commented Apr 14, 2019

Thanks for the offer, but as I first needed to google MMSMOA and I don't plan to fly to the US, I won't attend. But if you want to do me a favor, point some more people to BIOS Sledgehammer. I'm happy if it's used by more people.

As a side note: That somebody from BELGIUM really offers somebody else American "beer" is somewhat... strange. Don't know if this was intended as an insult ;-).

@merlinfrombelgium
Author

I see your point. But they do have Belgian beer there :) And some very nice locally brewed beer as well.

I do suggest my customers and peers to use your script as it has proven its worth. I think there is still some undeserved trust issue around community tools. But the way you have documented and how you support your script, deserves to be treated as a proper production ready tool. I mean that, and that's how I sell the idea to others. I have in fact included your tool in a proposal for a new staging process at a big customer. With full credit to your name of course. I'll let you know when we get the deal signed.

About MMS, I assumed you would know about it, as you are clearly familiar with managing PCs. In any case, you would definitely be in your element there. It is the best event for technical people to meet and learn. And it's all about community and finding better ways of doing what we do. You should consider it for next year! Let me know if a recommendation to your boss or whoever decides about the budget, would help. I would gladly help to convince them so you could join us.

@texhex
Owner

texhex commented Apr 24, 2019

Thanks, that's much appreciated and great to hear! Please let me know if the customer accepted it, I think it would be one of those emails I would print out.

MMS: Thanks, I see. Maybe next year; right now no business trips, that are not considered business critical, are allowed, so no chance. Have fun there!

As a side note: I should be able to release 6.0 BETA 1 end of this week or start of next week. If you have some spare devices, it would be great to give it a try.

@texhex
Owner

texhex commented May 5, 2019

A week later than announced, but now 6.0.1 BETA is available from /releases and includes the change and the batch file I already attached here. It would be great if you could give it a test run.

I'm closing this issue now, if you detect anything wrong with the new version, please feel free to reopen it.

@texhex texhex closed this as completed May 5, 2019