Intro
It is VERY important to keep the physical nodes in an Azure Local Stack up to date with the latest firmware and driver patches. Failing to do so can lead to network and storage issues within the stack.
On Lenovo servers, all nodes within the stack can be updated using Windows Admin Center and the Lenovo XClarity Integrator Compliance and Updates:

Pre-Reqs – Windows Defender Application Control Policy
If Lenovo XClarity fails with a message about a missing WDAC policy, get the XML file that XClarity shows and import it as a policy here: (the XML file needs to be copied to the C drive of the first node in the cluster before you can select it for import)
Connect Lenovo XClarity to Native OS Management
Select Native OS Management:
Set Windows Defender Application Control in audit mode
Sometimes WDAC needs to be set to audit mode before XClarity Integrator can execute the patches.
If you see this error in XClarity:
lenovo xclarity onecli reported error 1 generic failure
And this error in the “C:\Lenovo_Support\UX.LOG” file:
Update=PKG SDK wrapped update,Status=Failed,ReturnCode=191
PKG SDK Failure, Internal Error: 44, Error Message: .\miniunz.exe image.zip > nul

Use the following command:
Enable-AsWdacPolicy -Mode Audit
Perform the patch
- Open Windows Admin Center and navigate to Extensions > Lenovo XClarity Integrator Compliance and Updates.
- Select the newest best recipe from Lenovo:
- Now get an overview of what driver and firmware the nodes are missing:
- Select the Install Updates button:
- You can now see that the system has selected the updates to be downloaded and installed. Select Next:
- Make sure the packages have been downloaded:
- Select Run As and input domain credentials for a user that has local administrator permissions on all nodes in the stack:
- Select Automatically so Lenovo controls BitLocker pause and resume states:
- Now run the job (or schedule it if preferred):
- Before starting, we get a summary of what is going to be executed:
- Submit the job and we are on the way:
Monitor execution
While the job is running, we can monitor its progress:
And if we select the job, we can get even more details:
Once all patching has completed, we get the 100% and completed state on the job:
After the patching has been completed, you must run “Sync Inventory” to refresh all data. Otherwise you will not see updated data from the nodes in the stack:
Set Windows Defender Application Control back to enforced mode
If you had to set WDAC to audit mode, you now have to set it back to enforced.
Use the following command:
Enable-AsWdacPolicy -Mode Enforced
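To confirm that every node is back in enforced mode and to review what WDAC would have blocked while in audit mode, here is an added example (not part of the original post). It assumes Get-AsWdacPolicyMode returns per-node objects with NodeName and PolicyMode properties, that the FailoverClusters module and PowerShell remoting are available, and that `$AuditStart` (a placeholder value here) is set to when you switched to audit mode.

```powershell
# Added example: post-patch WDAC check for the procedure above.
# Run in an elevated PowerShell session on one of the cluster nodes.

# Placeholder: set this to the time you ran "Enable-AsWdacPolicy -Mode Audit".
$AuditStart = (Get-Date).AddHours(-4)

# 1. Every node should report Enforced again.
#    Assumption: output objects expose NodeName and PolicyMode properties.
#    A mode switch may take a few minutes to reach all nodes, so re-run if needed.
$modes = Get-AsWdacPolicyMode
$notEnforced = $modes | Where-Object { "$($_.PolicyMode)" -ne 'Enforced' }

if ($notEnforced) {
    Write-Warning ("Nodes NOT in enforced mode: " +
                   (($notEnforced | ForEach-Object { $_.NodeName }) -join ', '))
} else {
    Write-Host "All nodes report WDAC policy mode: Enforced"
}

# 2. List Code Integrity audit events (ID 3076 = allowed only because the
#    policy was in audit mode) recorded on each node since $AuditStart.
$nodes = (Get-ClusterNode).Name

$auditHits = Invoke-Command -ComputerName $nodes -ScriptBlock {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = $using:AuditStart
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

if ($auditHits) {
    # Each row is a binary that enforced mode would have blocked.
    $auditHits |
        Sort-Object PSComputerName, TimeCreated |
        Format-Table PSComputerName, TimeCreated, Summary -AutoSize -Wrap
} else {
    Write-Host "No 3076 audit events since $AuditStart"
}
```

The binaries listed in step 2 are the ones the enforced policy does not yet cover, which is useful input when checking whether the imported XClarity WDAC policy is complete.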