How to Deploy Dell Bios Firmware Updates Via SCUP and SCCM CB Configuration Manager ConfigMgr

SCUP 2017 Preview ships with four 3rd party software update catalogs: Dell, HP, Fujitsu, and Adobe. I have explained the installation, configuration, and integration of SCUP with SCCM in previous blog posts and a video tutorial.

In this post, we will see how to deploy Dell BIOS and firmware updates via SCUP and SCCM CB. The same process applies to publishing HP and Fujitsu software updates as well. The video tutorial is available here.

  • How to Install, Configure and Integrate with SCUP 2017 and SCCM CB here
  • How to Publish 3rd Party Adobe Acrobat Patches via SCCM SCUP 2017 here

How to Add Dell Software Update Catalog to SCUP

Open the SCUP 2017 console. Navigate to “Update Workspace – Overview” and click Add Partner Software Updates catalogs. Select Dell and click the Add button. This adds the Dell updates to the SCUP database. Dell updates include BIOS updates, driver updates, Dell application updates, and firmware updates.

How to Publish Dell Software Updates to SCUP, WSUS, and SCCM CB?

The Dell software update catalog (Bios, Drivers and Applications, Firmware) is now added to the SCUP console. Click on the Dell folder and expand it to see the subfolders. From the right pane of the SCUP console, select the updates that you want to publish to SCCM CB.

Specify the publish option. There are 3 options when publishing updates: Automatic, Full Content, and Metadata Only. I normally recommend selecting the Automatic option, for the reasons given below. This has been shown in the video here.

Click Automatic to allow Updates Publisher to query SCCM to determine whether the selected software updates are published with full content or only metadata. In this mode, software updates are only published when they meet the client request count and package source size thresholds that are specified on the SCCM server page of the Options dialog box. Automatic is available only when SCCM integration is selected on the SCCM server page.

Make sure you select the checkbox at the bottom of the SCUP publish wizard. This checkbox signs all software updates with a new publishing certificate when the published software updates have not changed but their certificate has changed.
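
Clients install signed third-party updates only when they trust the publishing certificate, so a certificate change is worth verifying on a managed device. The PowerShell check below is an added example, not part of the original post; the function name is hypothetical and the thumbprint is a placeholder to replace with your own publishing certificate's thumbprint.

```powershell
# Added example (not from the original post). Run on a managed Windows client.
# -Thumbprint is your publishing certificate's thumbprint; on the WSUS server
# it can be read with: Get-ChildItem Cert:\LocalMachine\WSUS
function Test-PublishingCertTrust {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$WarnDays = 30
    )
    # Normalise pasted thumbprints (spaces, hidden characters, lower case).
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # The signer of locally published updates must be a trusted publisher.
    $cert = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1

    $chainOk = $false
    if ($cert) {
        # Build the chain in machine context. A self-signed publishing
        # certificate passes only if it is also in the machine Root store.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
    }

    # Policy "Allow signed updates from an intranet Microsoft update service location".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    [pscustomobject]@{
        Thumbprint         = $thumb
        InTrustedPublisher = [bool]$cert
        ChainTrusted       = $chainOk
        NotAfter           = if ($cert) { $cert.NotAfter } else { $null }
        ExpiresSoon        = if ($cert) { $cert.NotAfter -lt (Get-Date).AddDays($WarnDays) } else { $null }
        PolicyEnabled      = ($policy -eq 1)
    }
}

# Placeholder thumbprint (constructed, not a real certificate).
Test-PublishingCertTrust -Thumbprint '0000000000000000000000000000000000000000'
```

A device is ready for the signed Dell updates when InTrustedPublisher, ChainTrusted and PolicyEnabled are all True and ExpiresSoon is False.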

How to Select Dell Products from SUP component Properties in SCCM?

Once the updates are published from the SCUP console, go to the SCCM CB console to configure the rest. In the SCCM console, navigate to \Administration\Overview\Site Configuration\Sites.

Click on Settings – Configure Site Components – Software Update Point component – Properties. Go to the Products tab and select Dell, Bios, Drivers and Applications, Firmware. I have shown the same thing in the video here.

Once the appropriate products are selected, navigate to \Software Library\Overview\Software Updates in the SCCM CB console. Right-click the Software Updates node and select Synchronize Software Updates. This syncs the Dell updates into the SCCM CB console. WsyncMgr.log will provide you the details about the Dell updates.
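
To confirm which Dell updates a sync actually brought in, the WsyncMgr.log lines can be filtered with PowerShell. This is an added example, not from the original post: the function name is hypothetical, the sample lines are constructed, and the "Synchronizing update <id> - <title>" message wording is an assumption about the log's text.

```powershell
# Added example (not from the original post).
# Constructed sample lines in the style of WsyncMgr.log; the message wording
# "Synchronizing update <id> - <title>" is an assumption, not copied from a real log.
$sample = @'
Synchronizing update 11111111-1111-1111-1111-111111111111 - Dell Latitude 3340 System BIOS,A13  $$<SMS_WSUS_SYNC_MANAGER><09-23-2017 07:25:10.120+00><thread=4712 (0x1268)>
Synchronizing update 22222222-2222-2222-2222-222222222222 - Sample Vendor Reader Update  $$<SMS_WSUS_SYNC_MANAGER><09-23-2017 07:25:11.300+00><thread=4712 (0x1268)>
Sample line that is not an update entry  $$<SMS_WSUS_SYNC_MANAGER><09-23-2017 07:25:12.000+00><thread=4712 (0x1268)>
'@ -split "`r?`n"

function Get-SyncedUpdate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line,
        [string]$TitleFilter = 'Dell*'   # wildcard applied to the update title
    )
    begin {
        # Message text, then the "$$<component><timestamp><thread>" trailer.
        $rx = '^Synchronizing update (?<Id>[0-9a-fA-F-]{36}) - (?<Title>.+?)\s*\$\$<(?<Component>[^>]+)><(?<Stamp>[^>]+)>'
    }
    process {
        # Lines that are not update entries, or whose title does not match, are skipped.
        if ($Line -match $rx -and $Matches.Title -like $TitleFilter) {
            [pscustomobject]@{
                UpdateId = $Matches.Id
                Title    = $Matches.Title
                Logged   = $Matches.Stamp
            }
        }
    }
}

# Only the Dell BIOS entry from the constructed sample is returned.
$sample | Get-SyncedUpdate

# On the site server, feed the real log instead:
#   Get-Content <path to WsyncMgr.log> | Get-SyncedUpdate
```

Comparing the returned titles with the list you published from SCUP shows whether anything failed to sync, or synced without being published by you.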

How to Deploy Dell updates via Software Updates Deployment method?

I have already blogged about the SCCM software update process in the post “Step by Step Guide SCCM ConfigMgr CB Software Update Patching Process”. The process of deploying Dell software updates to Windows 10 devices is similar to any other software update deployment.

Select all the Dell BIOS and firmware updates you want to deploy from the All Software Updates node, as I have shown in the video here. Once selected, right-click those updates and click Deploy.

You have to provide a deployment name and a software update group name for the Dell software updates. On the next screen, select the collection name from the list. The members of that collection will get the Dell software updates deployment. Schedule the deployment and make sure you set the proper user experience.

Also, provide a new Dell software update package name and the shared folder location to store the Dell software updates. You also need to select the DPs to distribute this package to. To download the Dell updates from Dell, the server needs an internet connection. Otherwise, you must have already downloaded the binaries from Dell and stored them in a shared location, as you can see in the video here.

Do you want to download different languages of these Dell software updates? If so, Language Selection is the page where you can select different languages.

Example of the Dell Software Update deployment via SCUP and SCCM

• Dell Latitude 10 ST2 System BIOS,A09 0XM7C(Article ID)
• Dell Latitude 10 ST2e System BIOS,A07 T47W6(Article ID)
• Dell Latitude 12 Rugged Extreme 7204 System BIOS,A11 J6PG2(Article ID)
• Dell Latitude 12 Rugged Tablet,A15 X2GXX(Article ID)
• Dell Latitude 3180/3189 System BIOS,1.1.1 M6HF7(Article ID)
• Dell Latitude 3330 System BIOS,A08 800F5(Article ID)
• Dell Latitude 3340 System BIOS,A13 48CH6(Article ID)
• Dell Latitude 3350 System BIOS,A09 0468G(Article ID)
 Success: General: 
• Deployment Name: 3rd Party Updates SCUP - Dell Software Updates
• Collection: All Desktop and Server Clients
 Deployment Settings: 
• Send wake-up packets: No
• Verbosity Level: Only success and error messages
 Scheduling: 
• Deployment schedules will be based on: Client local time
• Available to target computers: 23-09-2017 07:25:00
• Deadline for software update installation: 30-09-2017 07:23:00
• Delayed enforcement on deployment: False
 User Experience: 
• User Notifications: Display in Software Center and show all notifications
• Install software updates outside the maintenance window when deadline is reached: No
• Restart system outside the maintenance window when deadline is reached: Suppressed
• If a restart is required it will be: Allowed
• Commit changes at deadline or during a maintenance window (requires restarts): Yes
• If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart: No
 Alerts: 
• On software update installation error generate a Window Event: No
• Disable Window Event while software updates install: No
 Download Settings: 
• Computers can retrieve content from remote distribution points: No
• Download and install software updates from the fallback content source location: Yes
Package:
 Success: The software updates were placed in a new package:
• 3rd Party Updates SCUP - Dell Software Updates
 Success: Content (1):
• SCCMTP1.INTUNE.COM
Software updates downloaded from the internet
 Success: Dell Latitude 10 ST2 System BIOS,A09
 Success: Dell Latitude 10 ST2e System BIOS,A07
 Success: Dell Latitude 12 Rugged Extreme 7204 System BIOS,A11
 Success: Dell Latitude 12 Rugged Tablet,A15
 Success: Dell Latitude 3180/3189 System BIOS,1.1.1
 Success: Dell Latitude 3330 System BIOS,A08
 Success: Dell Latitude 3340 System BIOS,A13
 Success: Dell Latitude 3350 System BIOS,A09
Language Selection:
 English

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection

Endpoint Protection is the new solution that is going to replace Windows Information Protection (WIP).

In this post, I’ll give an overview of Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and the Windows 10 EDP end user experience.

What is WIP/EDP?

It is very important to understand that WIP is Microsoft's solution for protection against accidental data leakage. Windows 10 Enterprise has loads of security enhancements. I think Microsoft invested heavily in mainly 3 pieces, and those are:

  1. Secure Identities
  2. Information Protection
  3. Threat Resistance

Data Protection Options?

Windows Information Protection/EDP is part of Information Protection. Within Information Protection, Microsoft recommends having:

  1. Encryption (BitLocker)
  2. WIP/EDP
  3. Azure Information Protection (or RMS)

WIP/EDP is fully supported in Windows 10 Anniversary Edition (1607), which was released recently. We can use Intune standalone and SCCM CB 1606 to configure Windows Information Protection policies.

Before implementing WIP in your organization, it’s very important to find out which applications are WIP enabled, and to define which WIP mode each application will be in: Allow or Exempt.

Before I go into details, here is a video tutorial that explains the configuration along with a Windows 10 end user experience demo. I used Windows 10 Insider Build 14342 with Microsoft Intune.

How to Create – Deploy WIP EDP Using SCCM CB 1606 and End-user experience of WIP :-

httpv://www.youtube.com/watch?v=embed/ogylLn18C10

How to start Implementing Windows 10 Windows Information Protection Using Intune

httpv://www.youtube.com/watch?v=embed/k2shaV2Kj3Q

Following are the quick steps to configure the Windows 10 EDP policies in the Intune console :-

  • Configure the list of Windows 10 apps (Universal/Store or Desktop) that you want to protect through EDP
  • Select the EDP/WIP mode of protection
  • Configure the network locations/IP range
  • Upload the Data Recovery certificates
  • EDP settings

Configure the list of Windows 10 Apps (Universal/Store or Desktop) that you want to protect through WIP

There are two types of apps that we can configure in the Intune console: Universal/Store apps and Desktop apps. To configure Windows 10 EDP/WIP policies, we first need to identify the applications that we want to protect via EDP policies. For that, the first thing we need is the publisher details and product name of the apps. How do we get that information?

Intune Console :-

Windows10_Intune_EDP_Policies_1

SCCM Console :-

WIP_How_to_Add_App_Rules

You can find the publisher and product name of Store and desktop apps using Local Security Policy –> Application Control Policies –> AppLocker –> Packaged app Rules.

WIP_App_Publisher_Details_Package_Name_1

Select the WIP/EDP Mode of protection

Which mode of protection do you want to select for the EDP policy? I selected the Block mode !! The protection modes available in EDP policy are: 1. Block 2. Override 3. Silent 4. Off

Windows10_Intune_EDP_Policies_4

Configure the Network locations through EDP/WIP Policies

Network locations are the locations that the apps you configured can access. No other apps can access these locations. These network location settings are very important for the EDP/WIP policy to work on a Windows 10 machine !! The below 4 network location settings are mandatory settings (I think) :-

  • Primary Domain (my primary domain is trial tenant): PuneITPro.onmicrosoft.com
  • Enterprise Cloud Domain (Exchange Online): outlook.office.com|outlook.office365.com
  • Enterprise Network Domain (Dummy URL is fine I think – it worked for me): blogs.anoopcnair.com
  • Enterprise IPv4 Range (Any IP range is fine I think – Hyper-V lab IP Range worked for me): Internal IP range 192.0.0.1-192.255.255.254

Intune Console :-

Windows10_Intune_EDP_Policies_5

SCCM Console :-

WIP_Corporate_Network_Definition

Configure WIP/EDP Data recovery agent cert

Configuring the WIP/EDP Data Recovery Agent cert is mandatory now !! The recommended way is to re-use the EFS DRA from your domain, when you have one. There are some other ways to create a test cert !! I have uploaded one, as you can see in the below picture :-

Windows10_Intune_EDP_Policies_6

Configure WIP/EDP Policy settings

WIP/EDP Settings – the last piece of WIP/EDP configuration in Intune. By default, none of these settings are enabled !!

  • Allow user to edit or decrypt data –> No
  • Protect app content when the device is in locked state –> Yes

Windows10_Intune_EDP_Policies_7

Windows 10 WIP/EDP – End User Experience

In my example here :-

WordPad is NOT an EDP protected app – I tried to copy the enterprise mail content to an unprotected app and it gave me the following error: “This is work content only – your organization, PuneITPro.onmicrosoft.com, doesn’t allow you to change the ownership of this content from work to Personal”

Windows10_Intune_EDP_Policies_9


Notepad is an EDP protected app – I tried to copy the enterprise mail content to a WIP/EDP protected app (Notepad) and it allowed me to copy the content. You should also notice the EDP lock symbol.

Windows10_Intune_EDP_Policies_10

Internet Explorer (IE) provides an EDP Lock Symbol when you browse an Enterprise location :-

Windows10_Intune_EDP_Policies_8

Microsoft Edge provides an EDP Lock Symbol when you browse an Enterprise location :-

Windows10_Intune_EDP_Policies_11

OneDrive universal application provides an EDP Lock Symbol for enterprise OneDrive account but not for personal OneDrive account

Windows10_Intune_EDP_Policies

Reference

:- Here

Endpoint security – Microsoft Security