So you have deployed your machines with the latest and greatest drivers and BIOS updates, but what do you do to maintain your systems post deployment?

This is a question that I have had asked more than a few times of late. In answer to your question, there are several methods to maintain both the BIOS and drivers on the machines but most are vendor specific / developed.

The vendor utilities where available do a good job, the Dell Command Update utility is an excellent example of how to do things right. In some cases however, this means also maintaining a separate master repository for the machines to scan or allowing internet access. When you talk about allowing machines to maintain their driver and BIOS version over the internet, the lack of version control is something that most ConfigMgr admins will complain about. The complaints are justified though, as we all know that system stability can be greatly affected by drivers. So this got me thinking.

Maintaining the BIOS version through our Modern BIOS Management approach has been around for a little while now, so I thought I would extend this maintenance approach to cater for drivers. Below I will show you how you can wrap this up into a single task sequence and then deploy this to your client fleet. You can of course have it re-run as often as you wish within a maintenance window or on-demand for those mobile workers who are seldom in the office.

PowerShell + WebService FTW

Most of you who are familiar with our MDM & MBM solutions will know that we can dynamically determine/download the latest available versions of driver and BIOS packages from ConfigMgr. So I have extended the Invoke-CMApplyDriverPackage.ps1 script used to undertake driver matching and downloading in WinPE with an additional switch, that being the “OSMaintenance” switch. The new switch allows you to tell the script to perform some actions differently, the key action of course being to avoid the DISM step which we cannot undertake on an already deployed OS.

When run with a $true value for the optional OSMaintenance switch works to detect the currently installed version of Windows, this time however not based on the WIM being deployed but on the properties of the NTDLL.DLL. If a matching package is found, it is downloaded and then ready for the next step. Note: This does mean that your task sequence will require a reboot into WinPE for this process to complete, this is due to the method in which we leverage the OSDDownloadContent command.

Applying Drivers

Having taken influence from an earlier post by Mikael Nystrom (https://deploymentbunny.com/2011/05/07/adding-drivers-using-pnputil-and-forfiles/), I have created an additional PowerShell script that leverages the fact we already have a process for downloading the latest available driver package from ConfigMgr. Using the PNPUtil command all we need to do is point the utility at the location to which we downloaded the driver package and your system will then detect and install the latest drivers contained within;

# Apply driver maintenance package
try {
  Write-CMLogEntry -Value "Starting driver installation process" -Severity 1
  Get-ChildItem -Path "C:\_SMSTaskSequence\DriverPackage" -Filter *.inf -Recurse | ForEach-Object {
    pnputil /add-driver $_.FullName /install
  } | Out-File -FilePath C:\Windows\Temp\DriverMaintenance.log -Force
  Write-CMLogEntry -Value "Driver installation complete. Restart required" -Severity 1
  exit 0
}
catch [System.Exception] {
  Write-CMLogEntry -Value "An error occurred while attempting to apply the driver maintenance package. Error message: $($_.Exception.Message)" -Severity 3
  exit 1
}

The Task Sequence

In the sequence below I have a total of 8 steps, which will ensure that your machine is kept up to date at all times. Remember this requires no client software and you can tailor logging values to suit your environment.

 

Lets step through the process
  1. Suspend your disk encryption protection to allow for the BIOS to be updated
  2. Restart the computer into WinPE
  3. Run the Invoke-CMDownloadBiosPackage.ps1 PowerShell script
  4. Run the vendor specific BIOS update script, in this example we are using the Invoke-DellBIOSUpdate.ps1 for Dell systems
  5. Run the Invoke-CMApplyDriverPackage.ps1 with the following switches:
    -URI “http://%YOURSERVERNAME%/ConfigMgrWebService/ConfigMgr.asmx” -SecretKey “%YOURSECRETKEY” -Filter “Drivers” -OSMaintenance $true
  6. Restart the computer into the full OS
  7. Run the Invoke-CMDriverMaintenance.ps1 script to apply drivers
  8. Restart the computer to apply the driver updates

Example

In the below example we have a Dell Optiplex 7040. Looking at Dell’s SCCM driver site, we can determine that we should be expecting at least the following drivers to be updated as part of the maintenance TS.

Arch Category Device Description Previous CAB Current CAB Status
x64 audio Realtek High-Definition Audio Driver ReleaseID: DDG39
DellVersion: A06
VendorVersion:6.0.1.6111
ReleaseID: RT1XX
DellVersion: A07
VendorVersion:6.0.1.6117
Updated
x64 storage Intel Rapid Storage Technology Driver and Management Console ReleaseID: 02RN8
DellVersion: A05
VendorVersion:15.2.10.1044
ReleaseID: CRRKJ
DellVersion: A07
VendorVersion:15.2.15.1058
Updated
x64 video Intel HD, 500, P500 series Graphics Driver ReleaseID: WNF3C
DellVersion: A10
VendorVersion:21.20.16.4590
ReleaseID: TDP4X
DellVersion: A11
VendorVersion:21.20.16.4627
Updated

Driver Package A09 – Source: http://en.community.dell.com/techcenter/enterprise-client/w/wiki/11660.optiplex-7040-windows-10-driver-pack

Intel Storage Driver

 

PowerShell Script Sources

The PowerShell scripts referenced are available on GitHub – https://github.com/SCConfigMgr/ConfigMgr/tree/master/Operating%20System%20Deployment

Conclusion

Maintaining drivers and BIOS versions can easily be automated with this method. Now set up your task sequences, deploy and keep your environment current.

 

Maurice Daly
Maurice has been working in the IT industry since 1999 and was awarded his first MVP Enterprise Mobility award in 2017. Technology focus includes Active Directory, Group Policy, Hyper-V, Windows Deployment (SCCM & MDT) and Office 365.

(1789)

comments
  • John
    Posted at 03:16 October 18, 2017
    John
    Reply
    Author

    Are the driver packages referenced traditional ConfigMgr driver packages or standard packages used for drivers?

    As always, thank you for your contributions to the community.

  • ben
    Posted at 12:15 October 20, 2017
    ben
    Reply
    Author

    Hi Maurice,

    i’m missing two things?
    1. Download BIOS Package
    2. Resume Bitlocker.

    Could i use “Enable Bitlocker” TS Step after the last reboot? or should i use Manage-Bde -Protectors -Enable C:?

    Regards
    ben

    • Maurice Daly
      Posted at 14:54 October 20, 2017
      Maurice Daly
      Reply
      Author

      Hi Ben,

      The download BIOS package is contained within the Invoke-CMDownloadBIOSPackage.ps1 script. In regards to Bitlocker, encryption will automatically resume post full OS restart.

      Maurice

  • Leave a Reply