How to trigger HP Patch Assistant to run remotely manually using SCCM/MEMCM?

• Update BIOS settings to enable WOL and send an email saving computers will be rebooted over the weekend
  • Script WOL to run and run the script at 3am as well
  • Start by doing small batches of computers
  • Can choose not to update BIOS if there are no security concerns
• Use something like PSAppDeployToolKit to display a warning window and give users a chance to choose when to do it
  • Include verbiage, a button “install now” and a button “snooze”
  • Script can block shutdowns or flash another message on screen
• OS Deployment Task sequence has a built in option to test to check for A/C power
• Warn users before the reboot with a modal window that they need to let the update install or risk ending up with a bricked computer
  • Allow them to postpone the reboot a couple of times
• Hold the hand of VIP users to make sure the update runs fine on their computers
• Suspend Bitlocker before doing BIOS update, or users will need a Bitlocker Recovery Key
• Set deadline for 2am for update, repeat every night until most are done
• Deploy to group of test users to make sure it goes smoothly
• Spread a rumor around that one of the test users lost all of their data because they didn’t follow the instructions closely enough
• Send email with clear reminder to not lose data like the test user
• Remind users to read all emails from IT thoroughly in the future

• Use Softpaq Download Manager (SDM) to download for whichever devices you need it for but no need to download items that are not “SSM-Compliant” (similar to the blue circle icon you see in HPIA)
  • Suggested to download for whichever devices needed
  • No need to download items that are not SSM-Compliant
• Use a local repository so you don’t have to deal with network hiccups/issues
  • Suggested to use a local repository instead of downloading from the network
• Use the same SCCM package/program to update existing devices
  • Suggested to use the same SCCM package/program to update existing devices
• Use SSM (System Software Manager)
  • Suggested to use SSM instead of HPIA
  • Use the “local repository” method to download and install drivers
  • Use the command line “ssm.exe. /install /noreboot” in the task sequence to run HP Patch Assistant remotely manually using SCCM/MEMCM

• Use an application (rather than schedTask)
  • Use a powershell wrapper to write, lastrun and exitcode
  • Force a restart if HPIA reports one is needed
  • Allow users to “repair” to update their drivers at any time
• Deploy changes with an availability window
  • Deploy on Tuesdays 12am and deadline on Thursdays 12am
  • Give users acceptable ability to self-manage if they want to
• Train users on the bios update process and potential device appearance issues due to installation

None

None

💭  Looking into

What is the best way to package HP drivers for deployment?

💭  Looking into

What is the best way to deploy BIOS updates when needed?

💭  Looking into

What is the detection method for HP MIK Client Configuration Baseline?

💭  Looking into

How is HP Patch Assistant configured and deployed to a device collection?

💭  Looking into

What are the command line parameters necessary to install and run HPIA silently?

• Use the command string provided: sp81836.exe -e -s && timeout /t 30 && cd C:\SWSetup\SP81836 && Setup.exe -s
  • This command string should work universally for all HP softpaqs and has been tested without complaints with other customers using Altiris and Big Fix
  • Breakdown of command string:

    • sp81836.exe -e -s | -e = extract without execution | -s = run silently

    • timeout /t 30 | Timeout to account for extraction time taken before running next command

    • C:\SWSetup\SP81836 | HP Softpaqs will usually extract into a folder onto the C drive so I’ve put in a command to CD to that location

    • Setup.exe -s | Finally, is the command to run the actuall setup using a silent switch

• Use 7Zip to extract the Softpaqs from HP and get the actual files from inside them
  • Just open the EXE with 7Zip and you can extrace them out
  • You can also use the HP Softpaq Download Manager to get them in different formats
• Use the HP System Software Manager (or HP SSM)
  • Install this on the server to scan the file of original driver you downloaded for deployment
  • Option to package the application for clients that will look back to that file grab updates and silently install them
  • Does BIOS updates too
• Use Microsoft’s System Center Update Publisher (or SCUP)
  • Grabs catalogs from OEMs and software publishers who make their software compliant and HP does
  • Grab updates in a package and publish them to SCCM itself
  • Manage, deploy and track updates sent out to clients using the same process you would for some Windows Updates and it uses Windows Updates Services on clients to install them, no extra packages or programs
• Use the HP Manageability Integration Kit (or MIK)
  • Free tool that allows you to get driver packs, task sequence structures, manage security settings, BIOS password management, BIOS settings and more
• Get HP Driver Pack, which contains the bare minimum drivers needed in one convenient pack
  • Can obtain by visiting http://ftp.hp.com/pub/caps-softpaq/cmit/

• Use the HP Client Management Script Library to run HP Image Assistant:
  • Create a “contentless” application with the installation program field containing the necessary command line parameters to install HPIA
  • Create a reg key for your detection method that erases after reboot
  • Use the switches for HPIA that allow you to run the tool and update the drivers you want silently
  • Create a scheduled task to run the HPIA exe with the necessary switches
  • Export the scheduled task as an xml, then deploy HPIA via PS Script, then run schtasks.exe /create /XML <name of exported xml>
• Use SCCM to deploy HPIA:
  • Create a task sequence to install drivers from standard packages made with the Driver Automation Tool
  • Create a standalone Update Drivers task or stage drivers for an In-place Upgrade task
  • Deploy BIOS updates when needed, usually by building a package using the HP command-line tool
  • Create an application with the necessary command line parameters to install HPIA
  • Force a reboot if HPIA reports one is needed
  • Use an availability window, a couple days with toast notifications, and users can “repair” to update their drivers at any time

• HP MIK (client and console extension combo):
  • Installs on top of the MECM management console
  • Console extension displays a new node \Assets and Compliance\Overview\HP Manageability Integration Kit
  • Client is imported in MECM as a deployable app “HP MIK Client”
  • Client is installed in “C:\Program Files (x86)\HP\HP MIK Client”
  • It includes portable versions of HP Image Assistant, BIOS and TPM configuration utilities
  • Extends WMI on the clients
  • Configuration baselines can be created and existing polices edited
• HP Patch Assistant:
  • Periodically reports on the health of a collection of devices and optionally brings devices up to date
  • Deploys in a different way than the rest of the MIK configurations
  • Configured and deployed to a device collection
  • Creates a scheduled task that runs a PowerShell script
  • Results, logs and reports are synced back to MECM via hardware inventory
• HP MIK Client Configuration Baseline:
  • Repairs WMI corruption
  • Detection method - HP MIK Client is installed

• Use HP Image Assistant (HPIA)
  • Encrypt the BIOS password(s)
  • Deploy an application and run it regularly with a GPO deployed scheduled task or do a recurring package deployment
• Use a package with a small batch file and store the script in the C:\Windows\ccmcache folder
• Install the HP MIK on your endpoints and the SCCM plugin server side
• Use HP Patch Assistant
  • Configure Patch Assistant to the settings you are after and deploy to whatever collection you require
  • Deployment creates a scheduled task that runs the locally installed MIK (which in turn runs the HPIA) in the background
  • Use HP Client Script Library and a configuration baseline to check if the device has the latest BIOS and if it doesn’t, running the scheduled task created by Patch Assistant
• Use multiple BCU versions for different computer models and OS versions

• Look into setting up Windows Updates for Business with SCCM and some Delivery Optimization GPO’s to keep WAN bandwith low.
  • The WuFB policies can be managed by SCCM so that would make SCCM still the central service.
  • HP can do some extra work on their documentation though.
• Manually adding the executable silently in your task sequence via an application deployments
  • This would be done using the Modern Driver Management tool from MSEndpointMgr.

💭  Looking into

What is the best way to manually trigger HP Patch Assistant remotely using SCCM/MEMCM?