Deploying ThinkPad BIOS Updates With Intune

This walk-through will cover deploying ThinkPad BIOS updates with Intune.  As you're aware, these are provided as standalone executables so adding these as a Win32 client app will involve converting them to the .intunewin format using the Win32 App Packaging Tool

App Conversion
Create a working folder where the Win32 App Packaging Tool and BIOS packages will reside.  Download the latest BIOS for your model system and save it to the working folder.  In a PowerShell or Command Prompt, run the IntuneWinAppUtil.exe and follow the prompts to:
Specify the source folder - This is the location where the BIOS package downloaded from the web is saved.Setup File - The BIOS package file name, i.e. r0suj16w.exeOutput folder - Location where the converted app will drop.   Once this information is entered, you will see the tool validate the package parameters, encrypt the content, and generate the detection XML file.  You'll now have a new file in the .intunewin format, which will need to be…

Dynamically Updating ThinkPad BIOS from an Update Retriever Repository

The following solution was developed for a customer that had specific requirements during ThinkPad BIOS updates.  The environment consisted of a ConfigMgr infrastructure alongside an Update Retriever [UR] repository for drivers and hardware apps.  The customer wanted to leverage the Scripts feature in ConfigMgr to be able to push out BIOS updates from their UR repository as needed.

The challenge here is how BIOS updates are installed by default, which is a force reboot.  When you have a fleet of a couple dozen models in the field, combing through each BIOS update that's downloaded into your repository and changing the force reboot to a required reboot can be a bit time consuming.

Here's an example of what a ThinkPad BIOS update looks like when you examine the installation setup from within UR.

One of the goals in the solution is to automatically flip the -r to a -s so that when the client completes the BIOS flash, the system will suppress the reboot.

Below is a screenshot …

Lenovo's Ready to Provision (RTP) Preload: How to Install the ConfigMgr Client using a Provisioning Package

As part of the transition to modern management for Windows PC's, Lenovo has been offering custom, clean preloads for business class products.  This can be an alternative to maintaining custom images in-house while also staying current with Windows 10.

Lenovo's Ready-To-Provision custom preload (RTP), includes:
 Only the operating system and essential drivers. Reduced inbox apps (approximately 25 removed) No third-party software More efficient with INF-only drivers If you're currently managing your Windows PC's with SCCM but are looking to offload image maintenance, Lenovo's RTP custom preload may be an option worth looking into.  It is simply an option you can add to a custom model.  Consult your Lenovo sales rep for more details.

Example Workflow
Provisioning package (.ppkg) is created using Windows Configuration Designer (WCD) that will:
Join the system to the on-premise domainSuppress OOBE promptsCalls a script to install the ConfigMgr client (and other t…

MDT no longer detects my desktop is a desktop

The SMBIOS Specification was updated again this year to add new enclosure type values that affect the IsDesktop variable in MDT.  This variable is populated by ZTIGather.wsf which has not been updated officially to keep up with the changing SMBIOS spec.

We saw this same issue when the spec was expanded to add new enclosure type values for different laptop form factors.

To ensure your IsDesktop and IsLaptop variables are accurate you should upgrade your MDT environment to version 8450.  You can also easily update ZTIGather.wsf:

- Find the following lines of code:
Select Case objInstance.ChassisTypes(0) Case "8", "9", "10", "11", "12", "14", "18", "21" bIsLaptop = true Case "3", "4", "5", "6", "7", "15", "16" bIsDesktop = true …

Lenovo Vantage vs. System Update

We've had several customers ask "should we use Vantage or System Update to keep our systems current?"  Some of these customers have been using System Update and managing an Update Retriever repository for years.

What's the difference between the two when it comes to updating Lenovo drivers and hardware apps, such as Hotkeys?  There really isn't one.  Both tools use the same mechanism to check and install updates.


What makes Vantage an attractive option is that it comes preloaded on Thinkpad.  With the ramp up in AutoPilot and cleaner OEM Windows 10 images, keeping the end user updated out of the box sounds like the way to go.  An added bonus if you have an Update Retriever repository and want to control which updates your systems install.  Just like System Update, you can point Vantage to a custom repository or to the default repository hosted on Lenovo's servers.

A brief explanation on a couple of the moving parts.  Shortly after OOBE, a scheduled tas…

Tracking ThinInstaller Update History With ConfigMgr Current Branch

Due to customer feedback, Lenovo is introducing a couple of new features focused on tracking updates.  Traditionally, updates installed on the client were logged in the Updates_log<timestamp>.txt.

Admittedly, parsing through the log to find out which updates were skipped, installed, or failed is not that easy.  If you're deploying a task sequence to your Lenovo systems that runs ThinInstaller, you can only see if ThinInstaller runs or not.  How do you tell which updates installed without logging into each system and checking the logs?

A new switch can now be added to your ThinInstaller command line that will do the following upon execution:
Create a new Lenovo WMI namespace and Lenovo_Updates classAdds the following Properties to the ClassPackageID - Listed as Update ID in Update RetrieverTitle - Friendly name of the updateStatus - Possible values can be:NotApplicableAlreadyInstalledApplicableNotInstalledDownloadFailedInstallFailedInstallSuccessAdditionalInfo - Provides more…

Reporting BIOS Password States on Think Products with ConfigMgr Current Branch

There may be a need to run a report on your Think products to check which BIOS settings are enabled or disabled, or if there is even a BIOS supervisor password set.

This post will walk through creating a simple custom report in ConfigMgr that will display the following:
All Lenovo Think productsModel (Friendly Names)Computer NameBIOS VersionIs TPM Enabled?Is TPM Activated?Secure Boot StatusUEFI Enabled?Device Guard in BIOS Enabled?BIOS Password(s) Set
Extending Hardware Inventory

First, you'll need to extend hardware inventory to collect these two Lenovo WMI classes.

Lenovo_Bios PasswordSettings

To make this a bit easier, there's a zip at the bottom of the page you can download that contains a MOF file you can import into your Default Client Settings that will add these classes.