/build/static/layout/Breadcrumb_cap_w.png

How do I get a Dell BIOS update to install through the Security/Patching mechanism?

I have a Dell Latitude E6440 laptop that has a brand-new scripted Windows 10.1709 Enterprise x64 image on it, with all my desired apps.

Now I want to upgrade the BIOS on the laptop from A05 to A21. I know I can do this manually, since it's a one-off, but I really want to know how to do these things more automagically, using the K1000 SMA.

My SMA is version 8.0.318; agent on the laptop is 8.0.152. I've created a Smart Label named "Latittude E6440 - tss-loaner" which is applied to all Latitude E6440s named "tss-loaner-10", which is the name of my laptop, and Force Inventory'd the machine so that it now has that label.

I look in Security/Dell Updates/Catalog and search for "E6440", and find five updates, one of which is the A21 BIOS update. That's the one I want to apply. It currently says "Not Downloaded", and has a "1" in the Upgradable column (which I suspect is there because I'm close to convincing the system to install it on the one laptop in my SmartLabel).

When I look at Security/Dell Updates/Schedules, I have a schedule named "Test BIOS Install", set to run every day at 0:40, doing a "Detect and Deploy", with "All Devices" set to "No". When I drill down into that schedule's Detail, in the "Configure" section it has "Detect and Deploy" as the Action, "All Devices" is not checked, "Device Labels" is set to "Latitude E6440 - tss-loaner-10", "Devices" is empty, "Operating Systems" is set to "Microsoft Windows (All)". In the "Deploy" section it has "All Updates" checked, applying "Upgrades Only", max deploy attempts = 3. The "Notify" section is left along, all grayed out (no "Options", 15 mins "Timeout", "Timeout Action"="Cancel","Snooze"=5). The "Reboot" section is "Prompt User", "Auto reboot if no one logged in", Timeout=5, Reboot now, 5 prompts. If I click the "Show All" link at the bottom of this Detail page, it shows "TSS-LOANER-10" with its IP address, saying Status is "scheduled" and today's date, recent time.

If I then do a "Run Now", I don't notice anything obvious happening (other than the "Confirm - You have not limited update deployment to any update labels. Are you sure you want to deploy all updates?" message, and then a return to the Details page on "Yes").

I can then do a "Force Inventory" on the "tss-loaner-10" laptop. Once that inventory has completed, I can look in the Inventory/Devices/Device Detail for the laptop, in the "Dell Updates" section, and see that the "Test BIOS Install" is scheduled, and is the schedule for Dell Driver inventories and Dell Updates.

But I never see any activity toward installing the BIOS update. I've even tried restarting the laptop after all this; no change. The "Dell system Inventory Report" says Device Inventory Status "Completed Successfully", and still shows the BIOS as being at version A05. The "Dell Update Catalog Comparison Report" shows the A21 BIOS patch as "Urgent", with a yellow up-pointing arrow next to it that has a hover-over hint of "Upgrade not downloaded".

How do I get the system to download and install the BIOS patch?

Thanks!

/Kent




7 Comments   [ + ] Show comments
  • Are you using Bitlocker?
    Also there are times where a BIOS will have upgrade PATH, check in support.dell.com and see if that A21 BIOS version has any minimum version required - Channeler 6 years ago
    • No Bitlocker.

      I find no indication of a minimum BIOS version to install this upgrade.

      Thanks for the suggestions, though! - kentwest 6 years ago
  • A few things I can see that can also stop a BIOS deployment are:
    1 - Does BIOS need to be updated in stages. Not just jump to the latest version.
    2 - Does the BIOS have a Admin password on it? KACE does not have the support in Dell Updates for configuring the BIOS Password.
    If you do have a password or need to do stages, I would suggest writing scripts to do this. It would be easy to create Smart labels for model and current BIOS version to apply for the BIOS update.
    Also, Like Channeler mentioned, if you do use Bitlocker, you will want to add a line in the script for pausing Bitlocker so it doesn't require the password upon booting after BIOS has updated. - DaveMT 6 years ago
  • The BIOS update never even begins to start. There's no hint whatsoever that the machine is going to start doing an update.

    As I've tinkered, I've also turned on Patching as well, and there's no hint that KACE is pushing out those patches.

    If I go onto the laptop itself into the Windows "Check for Updates", there's a truckload of updates to install (all MS-related, no BIOS patch), and the screen has a "Install now" button and a paragraph containing the last line of "Select this button to get going".

    So apparently Windows itself is checking for updates, and downloading them, but not installing them without the user's go-ahead. But I can find no clue that KACE is triggering any update activity. - kentwest 6 years ago
    • I *think* (not fully understanding how it all works), the Windows Updates may not be important enough to be in the Dell patching scheme, and that's why Dell is not pushing ordinary Windows updates (because there are no important enough Windows updates for Dell to want to push them).

      Concerning the BIOS update, I just found this thread, which seems to indicate this is not just a problem for me: http://www.itninja.com/question/kace-k1000-dell-update-not-doing-bios - kentwest 6 years ago
      • No, I don't think my first paragraph is correct, because when I go into Inventory > Devices > Device Detail for the laptop, and look under Security > Patching Detect/Deploy Status, I see about five patches waiting(?) to be deployed. - kentwest 6 years ago
  • You said the BIOS "currently says "Not Downloaded", and has a "1" in the Upgradable column" in the Dell Updates Catalog.

    In Security > Dell Updates > Dell Update Subscription, do you have it set to download those updates? If not, KACE knows that the computer needs the BIOS, but has nothing to push to it.

    Another option, one which I have used, is to install the BIOS with a script. Here's an example of my command for that:

    Launch “C:\Windows\System32\cmd.exe” with params “/c $(KACE_DEPENDENCY_DIR)\Latitude_E5x70_Precision_3510_1.18.6.exe /s /f /r”. - ondrar 6 years ago
    • The script would work, but then that kind of defeats the whole "KACE handles patching automagically" idea. If it were just a matter of installing a BIOS update, that's easy, but I'm trying to make KACE do what (I thought, at least, that) we paid for it to do.

      In the Security > Dell Updates > Update Subscription screen, I don't see any place to specify what updates get downloaded, other than "All files" or "Files detected as missing". Currently, "Files detected as missing" is what is selected. The last download attempt was 25 minutes after midnight this morning/last night (schedule is every night at that time), and the "Update files" field says "59". - kentwest 6 years ago
      • In Security > Dell Updates > Catalog, if I search for "A21" I find the patch, and it says "Downloaded" in the "Downloaded" column. - kentwest 6 years ago
      • I agree, but I had to go that route, because there are some computers where Dell Updates would not report the BIOS version, so they would not get updated. There was no consistency across models or OSes or anything, so it may be a bug, I don't know. - ondrar 6 years ago
      • Now that it shows that it's downloaded, try doing a Run Now on the schedule that pushes that BIOS update. - ondrar 6 years ago
    • ondrar writes, 'You said the BIOS "currently says "Not Downloaded", and has a "1" in the Upgradable column" in the Dell Updates Catalog.'

      Now that I look again today, a day or two later (Inventory > Devices > Device Detail > Dell Update Catalog Comparison Report), I see that the "Catalog Version" column no longer says "Not Downloaded", but has a yellow up-pointing triangle with a Bang within it, that the hover-over hint says "Failed".

      So, I'm beginning to think that the way this whole process works is to run a schedule against third-party Lumension and/or Dell to learn the catalog of available patches, then run a patch detect schedule against the particular device (my laptop) to see what patches are missing/needed, then run another schedule against Lumension/Dell to download the required patches, then run another schedule against the device to deploy the patch.

      And that in my case, I was expecting things to happen more quickly than the schedules specify, and now that the download of the patch has failed. - kentwest 6 years ago
  • Yes. With "Files detected as missing" selected, you will need to run detects against all Dell models in your inventory in order for KACE to know what to download. Luckily, detecting isn't very process-intensive, so no one should notice when it's happening. Even though it requires that task, it's better than selecting "All files" because then KACE will download every update in the catalog (over 3000 packages).

    Take a look at your Dell Update Subscription schedule again. I have mine download every day at 7:00 AM, so if a new driver is detected during the day, I would have to wait until after 7:00 AM the next day to be able to use it. If you want to get that quicker, set the time to sometime in the near future, and KACE will begin that download.

    As for why it failed to download, I'm not sure, because I haven't had that happen, but if you set the Dell Update Subscription schedule ahead, you can have KACE try again. - ondrar 6 years ago
  • I left the laptop alone all weekend, powered up and awake (turned off sleep mode), and when I checked it just now, was surprised to see that the BIOS had updated over the weekend. There are still a couple of other Dell patches that have orange warning flags, but I'll let the machine sit for another few days and see what happens. - kentwest 6 years ago
    • Nothing changed overnight.

      I do notice in Inventory / Devices / Device Detail for the laptop, in /Security / Dell Update Catalog Comparison Report, the version of an Intel HD Graphics driver is listed in the "Device Version" column as the same version as what's in the "Catalog Version" column, and yet it has an orange/yellow flag instead of a green checkmark, and the "Criticality" column says "Recommended".

      Another driver with a down-pointing arrow (not a green checkmark, and not an orange/yellow flag) has a "Device version" of .6098 as opposed to the "Catalog Version" of .6070.

      Seems to me that in both of these cases, what is in the "Catalog Version" is older or the same as what's already on the laptop (if I'm understanding this screen correctly). So why are these two updates even listed as "Recommended"? Does KACE want to downgrade/keep-reinstalling these two drivers? - kentwest 6 years ago
  • I'm trying the same thing with a desktop All-In-One now, a Dell 9020 AIO, that has an A05 BIOS currently installed.

    The Comparison Report sees that A05 is on the machine, and A17 is Urgent, but it also has a yellow bang-triangle that hover-says "Failed". Failed what? Installation? Downloading? other?

    When I look at the Dell Update Catalog package for the A17 upgrade, it says "Downloaded".

    This machine has been sitting like this for _days_, and I see no indication whatsoever that a BIOS update ever tries to install. I've got my Detect & Deploy schedule running against this machine every hour (this is just a test schedule/PC, so I've set it very frequent to see if I can detect some movement on the process).

    It's very frustrating that the K1 simply does not work for me as advertised. - kentwest 5 years ago

Answers (1)

Answer Summary:
Posted by: kentwest 5 years ago
Second Degree Brown Belt
0

Top Answer

As mentioned in my original post, in my "Dell Update Schedules", in my "Test BIOS Install" detect & deploy schedule, I was trying to deploy "All Updates" (and this, after detecting all updates in the same schedule).

Turns out that's a bad idea, because it takes so long to detect and deploy all the updates, that the detect and download part of the process never finished before the process times out.

The correct method is to go into the "Dell Update Catalog", and build a "Smart Label" that has only a subset of updates, say, anything that mentions "BIOS", or anything released in the past 2 years, etc. Then change the schedule so that instead of deploying all patches, deploy only to this patch Smart Label.

Also, separate the detect from the deploy, creating two schedules, perhaps detect on Monday, and deploy on Tuesday, or detect at 8am, and deploy at noon, etc.
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ