System Update Suite and MEM: Part 1 Deploying the Apps

This blog post is part of a series of posts that will demonstrate ways of leveraging the System Update Suite of tools (Lenovo System Update, Thin Installer and Update Retriever) in a Microsoft Endpoint Manager - Configuration Manager environment.  This series will show how to deploy the applications to clients, how to configure clients to update on a scheduled basis, how to maintain and deploy a repository, and how to report results from clients.

Part 1:  Deploying the Apps

The first step in deploying these tools to clients is creating an Application and Deployment Type in Configuration Manager, which can be time consuming.  If you're thinking about piloting Lenovo System Update and/or Thin Installer in your enterprise, the script below can save time when it comes to performing this task.

What it does:
Downloads the current version of System Update or Thin Installer from Lenovo
Verifies the installer is signed by Lenovo (can't be too careful)
Creates a new Application in ConfigMgr…

System Deployment Boot Mode

System Deployment Boot Mode (SDB) is a new feature added to the Whiskey Lake generation of ThinkPads.  This introduces the ability to programmatically configure key security BIOS settings during your operating system deployments.

Unlike previous generations, this boot mode will allow you to:

Set an initial Supervisor Password
In the past, a supervisor password had to be set manually or from the factory.  Once a supervisor password was set, it could be changed in an automated way leveraging the Lenovo_SetBiosPassword WMI class

Disable the TPM Physical Presence for Clear requirement
No longer requires user interaction if a call to clear the TPM was performed.  In other words, no more pressing F9!

Activating System Deployment Boot Mode

Boot the system and press F12 until the boot menu appears
Press the Delete key.  "System Deployment Boot Mode" will appear in the upper right side of the screen.  The internal boot device(s) will be removed from the list.  This is a security precaution. …

Automatic device encryption not working on new ThinkPads

This post will walk through how to resolve automatic device encryption issues on Whiskey Lake generation ('90 series) ThinkPads, caused by un-allowed DMA capable bus/device(s).

On an affected system, open System Information (as admin) and find the Device Encryption Support item.  The value should match what's shown below.

This status, as noted in this MS doc, "means Windows detected at least one potential external DMA capable bus or device that may expose a DMA threat."

The doc will also walk you through how to add the affected component to the whitelist.  The hard part is tracking down the component(s) to add.  In the Whiskey Lake generation, fortunately only 1 component needs to be added.

The following sample script can be used to accomplish this:

$regPath = "SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses"
$keys = @{'PCI Express Upstream Switch Port' = 'PCI\VEN_8086&DEV_15C0'}
if (!(Get-PSDrive HKLM -ErrorAction SilentlyContinue)) {
    New-PS…

Deploying Vantage for Enterprise with SCCM Current Branch

Previously, Lenovo provided two separate apps (Lenovo Settings and Lenovo Companion) that allowed the user to change hardware settings, run diagnostic scans, and check for software and driver updates.  As of December 2017, all of the features in those two apps (now discontinued) were merged into a single app, Vantage for Enterprise.

This post will walk through deploying Vantage for Enterprise as an SCCM application.  The following components will be required:

Vantage Application
Provided as an appx bundle.

Lenovo System Interface Foundation Driver
This is required to allow the Vantage app to provide control of system features and will be displayed in Device Manager under System Devices as System Interface Foundation V2 Device.

Both components, as well as the Group Policy Admin Template, and sample registry files are included in the zip available for download on the Vantage landing page.


Create the Apps
There will be 2 separate apps to create.  One for the System Interface Foundation …

Manage Lenovo System Update with Intune

This post will describe how you can manage Lenovo System Update on
Windows 10 devices with Intune.

Before you begin, you will need:
System Update Administrator Tools - This contains the System Update ADM/ADMX files. By default, the contents are extracted to C:\SWTOOLS\TOOLS\Admin
A Windows 10 device connected to Azure Active Directory and managed by Intune
System Update installed on the device

Ingest the TVSU ADMX file

Sign in to the Azure Device Management portal
Navigate to Device Configuration > Profiles > Click Create Profile
Enter the required information for the new profile, for example:
    Name: Lenovo System Update configuration
    Description: (Optional)
    Platform: Windows 10 and later
    Profile Type: Custom
In the Custom OMA-URI Settings menu, click Add and enter the following
    Name: TVSU ADMX Ingest
    Description: (Optional)
    OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Lenovo/Policy/TVSU
    Data Type: String
    Value: Copy the contents of the tvsu.admx into this field
Click OK to …

Lenovo Updates Catalog V2 for SCCM

New Catalog Format

The Third-Party Software Update Catalogs node was a new addition for System Center Configuration Manager version 1806.  This introduced a new version of the well known "SCUP" catalog format that we refer to as "V2".

A V2 catalog contains individual update XML files for improved performance as well as the public portion of the signing certificates used to sign the updates in the catalog for increased security.  Lenovo offers a V2 version of our Lenovo Updates Catalog and, as of version 1902 of SCCM, it is presented as a partner catalog in the SCCM console making it easier to subscribe.  Prior to 1902 the catalog could be added manually using the following URL:

Lenovo Updates in SCCM 1902 

Deploy the Lenovo Updates Catalog Agent First!

As part of the initial configuration steps, you will want to make sure you have the Lenovo Updates Products selected to be synchronized in your Software …

Deploying ThinInstaller With A Custom Repository Path Using Intune

This walk-through is a follow up to Hosting an Update Retriever Repository in an Azure Blob.

In this post, we're going to:
Deploy the latest version of ThinInstaller as a Win32 App
Set custom Repository and Log paths in the Configuration File
Define a sample Scheduled Task to launch ThinInstaller and check for updates

What you'll need:
Current version of ThinInstaller - Link
Win32 Content Prep Tool - Link
PowerShell Sample Script below

Make sure to replace the repoPath variable with your Blob Storage path.

$pkg = "lenovothininstaller1.3.0007-2019-04-25.exe"
$installSwitch = "/VERYSILENT /SUPPRESSMSGBOXES /NORESTART"

# Install ThinInstaller
Start-Process ".\$pkg" -ArgumentList $installSwitch -Wait

# Identify Configuration File and Repository/Log Paths
$configFile = [xml](Get-Content "${Env:ProgramFiles(x86)}\ThinInstaller\ThinInstaller.exe.configuration")
$repoPath = "https://yourblobstoragepath"

# Change Log location if desired…