Updating the firmware for systems with Intel vPro technology often yields significant results. For example Dell laptops shipped with the SOL and IDER disabled in the BIOS, but a new firmware update enables them, or a desktop running AMT 2.1 can be upgraded to AMT 2.2 which enables Remote Configuration. No matter the reason, often a firmware upgrade will be beneficial to vPro systems, and this article covers how to deploy firmware updates using Altiris Software Delivery Solution.

Introduction

Software Delivery has the ability to deliver and execute any module or installer made for Windows. This includes Windows capable Firmware updates. Both the BIOS updates and Intel ME firmware updates available from HP, Dell, Lenova, and others are Windows capable and can be sent down and executed through Software Delivery to upgrade firmware.This document covers how to setup and configure these updates, and hopefully provide you information on caveats and other potential trouble spots.

Why Update Firmware?

The first thing you need to determine is what type of firmware update do you require?The two main ones are the Intel Management Engine (ME) firmware and the standard BIOS firmware.How these two interact is dependent on the Manufacturer.

Examples and Reasons

For example HP has a BIOS option to enable or disable Intel AMT, and if it is disabled in the BIOS the Intel ME will not be available.Another example is the Dell laptop model Lattitude 620 Centrino vPro capable.The BIOS contains a setting to enable or disable the Serial Over LAN (SOL) and IDE Redirection (IDER) capabilities, and by default these came from the manufacturer disabled.This and other reasons for firmware updates are detailed in this list:

• Dell Lattitude 620 SOL IDER disabled in the BIOS - The update to automatically enable these features without having to physical update each BIOS manually is a BIOS firmware upgrade that set these as enabled, among other fixes/updates.
• Upgrading AMT 2.1 to 2.2 - Desktop models of AMT version 2.1 can be upgraded to support Remote Configuration (certificate-based zero-touch provisioning) by upgrading the Intel ME firmware to version 2.2.
• Upgrading AMT 2.5 to 2.6 - Notebook models of AMT version 2.5 can be upgraded to support Remote Configuration by upgrading the Intel ME firmware to version 2.6.
• Upgrading AMT 2.0 to 2.1 - Some major fixes were incorporated between versions 2.0 and 2.1 of AMT.
• UUID reset fix for HP Compaq 6910p - This fixed a flaw in the firmware where sometimes Intel ME returned the UUID of all zeroes or a default UUID set in the firmware, causing duplicates.This update patches the firmware for Intel ME on these laptop models.
• Miscellaneous fixes to Intel ME - Other fixes have been incorporated in ME firmware updates

Obtaining the Right Firmware Update

For all BIOS updates, the manufacturer's website should be consulted.For each vPro model you wish to update BIOS firmware with, use the following basic steps:

1. Go to the Manufacturer's main site.For this example, we'll use Dell.www.dell.com.
2. Choose the Support icon and click 'Download and Drivers'.
   
   

   Click to view.

3. An applet will appear where you can choose the system through several options:
   • Model
   • Service tag
   • Log in to choose from a list of systems
4. Once you have the right system listed, there will be a list where you can click the plus + next to 'BIOS'.
5. From the provided list choose the applicable update by clicking the 'Download Now' link to the right.The download will usually be in the form of an EXE.

While Intel manages the basic firmware for the Intel ME, the manufacturer packages it for deployment, including changes that may be required for specific models of vPro capable systems.It is advised that you only use the manufacturer's Intel ME firmware updates on your vPro systems.The following walkthrough will hopefully help you identify what updates are available.For this example we're using HP's website.

1. Go to www.hp.com.
2. Click on the 'Support and Drivers tab.
3. Choose the option Download drivers and software (and firmware) for Step 1 and put in the Model number of the vPro system in question for Step 2.
4. Press Enter to go to the main page for the system.
5. Though it prompts for what Windows you're running, the updates are OS independent so choose any.
6. For the Intel ME firmware updates, the categories differ.For HP it's under simply 'Firmware'.Other potential categories include:
   • Firmware
   • System Firmware
   • Chipsets
7. Click Download to the right of the applicable ME update.
   
   

   Click to view.

8. Once the EXE is downloaded, move on to the next section.

Rolling out the Firmware Update

Once you've obtained the EXE, it's time to configure a Software Delivery Package/Program and create a task to roll it out.It's important to understand how, depending on how the manufacturer packaged the EXE, the rollout can be accomplished silently without user interaction.

Creating a Software Package/Program

1. On the Notification Server place the EXE you downloaded for the firmware update into a self-contained folder.The folder and everything in it will become the "package" so it is recommended to have only the needed file therein.
   
   Note: You can use another method if you prefer.Simply adapt these steps to fit your preferred source method
2. In the Altiris Console, under View > Solutions > Software Delivery > Packages > right-click on Windows > choose New > Software Delivery Package.
3. In the resulting screen provide a name (i.e.: AMT 2.6 Firmware Update for HP 6910p).
4. Under Package Location put in the folder where the file resides.
   
   

   Click to view.

5. Click on the Program tab.
6. Click New next to the Program dropdown.
7. Provide a Name for the execution (i.e.: AMT 2.6 Update - Silent).
8. Provide a silent command-line (this is the hard part.The update I tested with had no documentation on silent installs and I had to tinker to find the -s command-line that ran it silently. i.e.: "sp38184.exe" -s).
9. Set the execution environment as follows (these settings may need adjusting depending on your environment):
   • Starting Window: Hidden
   • Run with rights: System Account
   • Program can run: Whether or not a user is logged on
   • User Input Required: *checked*
   

   Click to view.

10. Click Apply and Update Distribution Points.

Creating a Rollout Task

The next step is to create a task that pushes out the update.Follow these steps to create the task:

1. In the Altiris Console, under View > Solutions > Software Delivery > Tasks > Windows > Right-click on Software Delivery Tasks > New > Software Delivery Task.
2. Provide a name (i.e.: 6910p AMT 2.6 Firmware Update)
3. Click on the link --- Select a Package --- and choose the package previously created.
4. Under the Program name dropdown choose the applicable program you previously configured.
5. Select a Collection.It is advised to use first a test collection, and then use a general rollout collection.I used the following steps when setting up my collection:
   
   1. Under View > Resources > Computer Collections > My Collections I right-clicked and choose New > Collection.
   2. I Expanded the Query section and select Resource Type radial method.
   3. I Set the Resource type to Computer.
   4. I Clicked the No Filters link.
   5. On the subsequent page, I clicked the 'New Filter' button.
   6. On the resulting page, I choose the table Inv_AeX_HW_Serial_Number.
   7. Under the Field selection I choose the column Computer Model
   8. I choose the operator 'like'.
   9. I set the value at: 6910p.
   10. I click OK through the screens, and then Apply back at the main collection page.When it saves the collection it will populate the collection and you can see if the logic you supplied is successful.
   

   Click to view.

6. What options you select should be based off criteria that fits with your environment.For example some environments may allow a silent rollout at anytime as long as it doesn't disrupt the user, while others will only allow rollouts off-production hours.
7. Check the Enable box and click Apply to save the changes.
   
   

   Click to view.

Test the Rollout

The most important part of this process is to test the rollout.This will allow you to make corrections to the command line or execution environment should the first attempt fail.By testing the rollout you can ensure it is ready for the greater environment.In testing, you should:

1. Target a system that matches your Production Environment as closely as possible
2. Test the command-line to ensure it successfully and silently rolls out the firmware update.
3. Check the BIOS or Intel AMT for versioning change.
   
   Note: the ME version may not be synched with the AMT version.A good test is to try executing the update again manually to see if you receive a message indicating the version is already up to the latest version

Conclusion

Using this process, you should be able to remotely update any firmware required for successful use of Intel vPro Systems within Symantec Out of Band Management.The two tricky parts are figuring out the proper command line for a silent install, and creating a collection that properly targets those machines that need it.