The Think BIOS Config tool

For a while now Lenovo’s business-class ThinkPad, ThinkCentre and ThinkStation products have offered a WMI BIOS Interface for controlling BIOS settings through scripting.  This was a big improvement over the old DOS-based utilities that were unique per model.  Now everything needed to make changes in settings during a deployment is built into the machine. 

A downside to the WMI approach has been that you have to be fairly skilled with scripting to make use of it and you have to know all the values of the settings you want to set.  In our lab we constantly felt the need for a GUI interface that would show us the current settings, what their possible values are, and allow us to set them on a local or remote machine.  While we were at it we also wanted a solution that would allow us to create a profile of settings that we could apply via command line in a deployment task sequence.


And that’s why we created the Think BIOS Config tool.  It has been created as an HTA so the source code is freely visible so it is clear exactly what the tool is doing.  Also, if you’re so inclined, the tool can be extended and modified to suit your needs.

When launched, you will see it appear and then be replaced by a UAC prompt.  This is one of the challenges with working with an HTA.  The code being executed to access the WMI BIOS interface requires admin level privileges.  To accomplish this with an HTA in a standard and secure way, the HTA re-launches itself to trigger the UAC prompt and the elevation of privileges.

The tool will initially show the BIOS settings of the local system if it is running on a Lenovo product that supports it.  In the image below you can see that the settings are implemented as a series of drop-downs offering the possible values for each setting.

2016_08_04_14_41_15_Think_BIOS_Configurator

Any changes made will be indicated in red text.  There are buttons at the top and bottom of the settings list that allow you to save the changes in BIOS, reset back to the current settings, or to apply all the Default settings for the targeted machine.

At the top of the tool are some File actions.  The Export Settings button on the right will create a simple .ini text file that captures all of the current settings of the targeted machine.  This file could later be used on the left side of the tool to load in a set of values that you might want to apply. 

2016_08_04_14_43_33_Think_BIOS_Configurator

The .ini file can also be used in a command line scenario which is useful in a deployment task sequence.  The HTA can be launched in WinPE using an MDT or SCCM boot image without any additions or changes to the boot image.  It can be executed and passed the .ini file to silently set a group of BIOS settings.  There is a user’s guide document included in the .zip for this tool that provides all the details on the command line usage and other features of the tool.

Please try the tool out and let us know how it can be improved.  One item we are working on is driving consistency across the Think Brands.  We are also looking at how to securely support some of the management tasks facing enterprises as they straddle the transition from Windows 7 to Windows 10.  Hopefully more to come on this in the near future.


DOWNLOAD LINK

https://download.lenovo.com/cdrt/tools/tbct128.zip

Changes:
1.28: Added password validity check; Added support for creating a System Deployment Mode password file
1.26: Fixed issue applying config file to machine using plain text SVP
1.25: Fixed bug on no supervisor password applying the first setting from a file.
1.22: Logging. Automatic detection of the supervisor password
1.21:  Fixed issue when running by command line and a duplicate setting is reported from BIOS
1.20:  Bug fix for not showing settings correctly when connecting remotely from laptop to a desktop
1.19:  Bug fix on alarm times; bug fix on password div not disappearing; removed auto-generated key and added button to generate a key; updated picture in guide
1.17:  Bug fix on boot order export when the changes haven't been saved
v1.16:  Added support to change the supervisor password. Added support to create a supervisor password change file
1.15:  Fixed the export of Alarm Time and Date
1.14:  Improved handling of boot order on certain ThinkStation/ThinkCentre models; added version to title
1.11:  Added command line option to change back to default settings - 

Eg. ThinkBiosConfig.hta “default=true” 

Notice: This script is shared AS IS with no implied warranty or support.  If you have questions or suggestions please post a comment to this post.

Comments

  1. Will this do the settings for UEFI as well as legacy BIOS?

    ReplyDelete
  2. This tool leverages our WMI BIOS interface which is accessible in both Legacy and UEFI modes.

    ReplyDelete
  3. Great tool, much appreciated!

    The docs mention that this requires a formatted disk before being able to run. Is it possible to run this tool to set BIOS settings immediately after that?
    In our SCCM task sequences we use the "Pre-provision BitLocker" step just after formatting. Of course, this requires TPM to be enabled beforehand.

    Also, is it possible to set supervisor password with this tool?

    Martin

    ReplyDelete
    Replies
    1. Hi Martin,

      The reason the disk must be formatted first is because SCCM needs a location to download the package containing the .hta and .ini files before the task sequence can run the tool. You may even want to format the disk, run the tool, reboot, then format the disk again before pre-provisioning BitLocker. (I've had issues in the past where a reboot after formatting but before applying the OS caused my drive letters to get mixed up.)

      Info about setting a supervisor password is here: https://forums.lenovo.com/t5/Enterprise-Client-Management/M700-900-Set-Admin-BIOS-password-from-SCCM2012/m-p/3367636#M2250

      Delete
    2. Hi, I was wondering if I can put in a command to load default(as Commandline)? I found that on Lenovo P310 I cant set secure boot. But if I load defaults, secureboot is the default.
      Something like ThinkBiosConfig.hta “config=Load Defaults,Enable” or something?

      Delete
    3. Let us look into that. There is a separate method in WMI for doing that we may be able to leverage.

      Delete
    4. This feature has been implemented starting with version 1.11. The command line call will look like this: ThinkBiosConfig.hta "default=true"

      Delete
  4. I do not see any specific security chip settings. If I create an .ini file with the settings I want, (Discrete T), will this be applied to the target computer even though there is no mention of it in the .ini file?

    ReplyDelete
  5. The Think BIOS Config Tool only works through the WMI interface. It will display the settings that are available to be set through WMI. Changing the TPM is not available through WMI because it is a security setting that could have serious impact if flipped by a malicious script. The SRSETUP tool can change the TPM setting but must be executed from a bootable USB key so that physical presence is required.

    ReplyDelete
  6. Can this this also be used for Lenovo Miix 720 devices ?

    ReplyDelete
    Replies
    1. Do not have a Miix 720 to test this on but I don't believe the Miix 720 models support the WMI BIOS Interface in which case this tool would not be supported.

      Delete
  7. Having issues setting Secure Boot with ThinkCentre M82 model in a task sequence. BIOS is up to date and has worked for ThinkCentre M93 and M93p models in a task sequence.

    Script Error
    An error has occurred in the script on this page
    Line: 909
    Char: 6
    Error: This key is already associated with an element of this collection
    Code: 0
    URL: file://servername/thinkbiosconfig.hta

    ReplyDelete
    Replies
    1. Unfortunately the M92, M82, M72 models did not support enabling Secure Boot using the WMI interface.

      Delete
    2. Is there any other setting the M82 doesn't support? I removed the Secure Boot portion from my M82 .ini file and I'm still getting the above error. Thanks!

      Delete
    3. Have you tried generating an ini file by running the tool on an M82 and exporting the settings? This should give you a complete list of the settings that are supported on M82 through the WMI BIOS interface.

      Delete
    4. Yes, however it was from an older version of the BIOS than the one I'm targeting/deploying to. Would that matter? I'll try exporting from the newer version and see if that makes a difference.

      Delete
    5. OK, so I tried resetting to factory defaults and then generating a new M82 ini. "Secure Boot,Disabled" is among the settings, but I see a couple of posts above this one you mentioned that the M82 does not support setting Secure Boot through WMI. Any insights here?

      Delete
    6. It's interesting, if I load my intended ini file with the GUI and click "Apply config file", it takes the settings and lets me know they will be applied after a reboot. If I try with the command line, e.g., ThinkBiosConfig.hta "file=M82Config.ini" , it fails with the above error. Strange.

      Delete
    7. Please try v1.14 and let us know if it address the issue.

      Delete
    8. Unfortunately, it did not fix the "This key is already associated with an element of this collection" error on an M82.

      Delete
    9. We had the same issue. If you use the HTA with "config=Secure Boot,Enable" it will work. just not with the INI file method

      Delete
  8. How would you run this from PowerShell? I can't get it to accept the INI file.

    ReplyDelete
    Replies
    1. To get it to run from PowerShell you need to put single quotes around the double quotes. Here is an example: ThinkBiosConfig.hta '"file=C:\W550sConfig.ini"'

      The user guide will be updated with the next release.

      Delete
    2. To get it to run through PowerShell, you will need to put single quotes around the double quotes. Here is an example: ThinkBiosConfig.hta '"file=C:\W550sConfig.ini"'

      The user guide will be updated when the next version is posted. Hope this helps!

      Delete
    3. Is this product compatible with the P320? We used it without fail with the P310 but I cannot get any of the settings to take for the P320. This is the Command line we use in SCCM:
      cmd /c ThinkBiosConfig.hta "file=P320Config.ini" and it runs with a package.

      Thank you,
      George

      Delete
    4. Is this tool compatible with the Thinkstation P320? We used it without fail for the P310 but have had a lot of issues getting the BIOS to set right for these P320's. Here is the command line we are using with our package in SCCM:
      cmd /c ThinkBiosConfig.hta "file=P320Config.ini"


      Thank you,

      Delete
    5. What is in your P320Config.ini? Are you trying to set boot order?

      Delete
    6. Primary Boot Sequence and Configure Sata as AHCI are just two of major settings that fail. But none of the settings are taking properly. The bios never changes from the default. This will not let me attach a file, so here it goes:
      Serial Port1 Address,3F8/IRQ4
      USB Support,Enabled
      USB Legacy Support,Enabled
      USB Virtual KBC Support,Disabled
      USB Enumeration Delay,Disabled
      Front USB Ports,Enabled
      USB Port 1,Enabled
      USB Port 2,Enabled
      Rear USB Ports,Enabled
      USB Port 3,Enabled
      USB Port 4,Enabled
      USB Port 5,Enabled
      USB Port 6,Enabled
      USB Port 7,Enabled
      USB Port 8,Enabled
      SATA Controller,Enabled
      SATA Drive 1,Enabled
      SATA Drive 2,Enabled
      SATA Drive 3,Enabled
      SATA Drive 4,Enabled
      SATA Drive 5,Enabled
      SATA Drive 6,Enabled
      SATA Drive 6 Hot-Plug Support,Enabled
      Configure SATA as,AHCI
      Hard Disk Pre-delay,Disabled
      Select Active Video,Auto
      Pre-Allocated Memory Size,32MB
      Total Graphics Memory,Maximum
      Onboard Audio Controller,Enabled
      Internal Speaker,Enabled
      Onboard Ethernet Controller,Enabled
      PXE Option ROM,Enabled
      PXE IPV4 Network Stack,Disabled
      PXE IPV6 Network Stack,Disabled
      PCIe 16x Slot Speed,Auto
      PCIe 4x Slot Speed,Auto
      PCIe 1x Slot 1 Speed,Auto
      PCIe 1x Slot 2 Speed,Auto
      Intel Thunderbolt Technology,Disabled
      Security Level,No Security
      Ignore Thunderbolt Option Rom,Enabled
      TBT Device IO resource Support,Disabled
      EIST Support,Enabled
      Intel(R) Hyper-Threading Technology,Enabled
      Core Multi-Processing,Enabled
      Intel(R) Virtualization Technology,Enabled
      VT-d,Disabled
      TxT,Disabled
      C1E Support,Enabled
      C State Support ,C1C3C6C7C8
      Turbo Mode,Enabled
      Intel(R) Manageability Control,Enabled
      Press to Enter MEBx,Enabled
      Console Type,VT100+
      USB Provisioning,Disabled
      Intel(R) SGX Control,Software controlled
      Intel(R) SIPP Support,Enabled
      CPU CRID Support,Enabled
      Chipset CRID Support,Enabled
      After Power Loss,Last State
      Enhanced Power Saving Mode,Disabled
      ICE Performance Modes,Better Acoustic Performance
      ICE Thermal Alert,Enabled
      Wake on LAN,Automatic
      Wake from Serial Port Ring,Primary
      Wake Up on Alarm,Disabled
      Startup Sequence,Primary
      Alarm Time(HH:MM:SS),[00:00:00][Status:ShowOnly]
      Alarm Date(MM/DD/YYYY),[01/01/2016][Status:ShowOnly]
      Alarm Day of Week,Sunday
      Sunday,Disabled
      Monday,Enabled
      Tuesday,Enabled
      Wednesday,Enabled
      Thursday,Enabled
      Friday,Enabled
      Saturday,Disabled
      User Defined Alarm Time,[05:00:00][Status:ShowOnly]
      Allow Flashing BIOS to a Previous Version,Yes
      Require Admin. Pass. when Flashing,No
      Windows UEFI Firmware Update,Enabled
      Require POP on System Boot,Yes
      Require POP on Restart,No
      Require Admin. Pass. For F12 Boot,No
      Smart USB Protection,Disabled
      Require HDP on System Boot,Auto
      Preboot Authentication,Enabled
      Security Chip,Enabled
      Secure Boot,Disabled
      Network Offline Locker,Disabled
      Chassis Intrusion Detection,Disabled
      Configuration Change Detection,Disabled
      Password Count Exceeded Error,Enabled
      CSM,Enabled
      Boot Mode,Auto
      Boot Priority,UEFI First
      Boot Up Num-Lock Status,On
      Option Keys Display,Enabled
      Option Keys Display Style,Normal
      Startup Device Menu Prompt,Enabled
      OS Optimized Defaults,Disabled
      Primary Boot Sequence,SATA 1:USB KEY:OEM Device 2:OEM Device 4:SATA 2:SATA 3:SATA 4:SATA 5:SATA 6:Network 1:USB HDD:USB CDROM:Other Device

      Delete
    7. We see the problem and will release an update very soon.

      Delete
    8. Is it the Bios or the TBC software ? What update should I be on the lookout for?

      Delete
    9. We'll release a new version of TBC probably tomorrow. I'll update the download link on this blog post.

      Delete
    10. We went through and re-tested the Bios setup with TBC 1.15 on the P320 desktops and are still having issues with it. It will not make any of the changes we are looking to do.

      Delete
    11. The latest version of the tool should fix your issues.

      Delete
  9. ThinkStation P500 gives me 'Invalid Parameter' when attempting to change the boot order. I can do it fine from the BIOS. Any thoughts?

    ReplyDelete
  10. The P500 needs to be added to the list of machines in the .hta file that what I assume includes the [Excluded from boot order] phrase. On line 489,911 and 927. I put mine between P410 and P510

    Or InStr (gTargetComputerModel, "P500")

    Without it, the P500 cannot have it's boot order changed and you get an error saying Invalid.

    Please add this so I don't need to run a special version of the script!

    Thanks

    ReplyDelete
  11. We've released v1.14 that addresses some of the issues seen on ThinkStation and ThinkCentre systems. Please try this new version if you encountered issues.

    ReplyDelete
  12. This appears to be a great tool and appears to be active, however is there any plans to have support added for T470s and M710s models? I'm not seeing any options listed for UEFI/Legacy Boot Mode, UEFI/Legacy Boot Priority or CSM Support options?

    ReplyDelete
    Replies
    1. The tool supports those models; however, the particular settings you mention are not supported by the WMI BIOS interface which the tool relies upon. If you are looking to take a Legacy system with CSM support enabled to UEFI without CSM, then you just need to set Secure Boot to Enabled.

      Delete
  13. I am using v1.14 and the boot order is working as expected, however the Alarm time is not setting. The event, startup sequence and day of the week are all sticking but for some reason the time is not. I have it set on a test machine and exported the ini file so any help appreciated.

    Also, is it possible to set a Administrator password using this utility?

    ReplyDelete
    Replies
    1. Found an issue with the exported string. Fixed in v1.15 which is now released. No, it is not possible to set an Administrator password using this utility. The WMI BIOS interface does not allow it.

      Delete
  14. The ability to use remote targets ("Target Remote") from the UI no longer functions with some models in versions after v1.11.

    v.1.11 displays all supported settings, however v.1.14 and v.1.15 display only "Alarm Time", "Alarm Time", and "User Defined Alarm Time" (or nothing) with several models (e.g., P910, P500, S30, M900, M700, M93p, M73). In testing so far, all affected models have been desktops.

    This tool is great. Thanks for all the hard work!

    ReplyDelete
    Replies
    1. There was a bug that didn't update the style of computer when using the remote feature. This has been fixed in the current release.

      Delete
  15. Thanks for the guide. I'm using the playback utility to configure the bios during SCCM imaging. How can all the settings be reset back to factory defaults including clearing the supervisor password using another task sequence?

    ReplyDelete
    Replies
    1. The workflow for this would likely include applying a password change file to clear the password, followed by a second call to the program with the "default=true" switch.

      Delete
  16. Thank you for sharing such an informative article. I really hope I can see other interesting posts. Keep up the good work!


    Melbourne Web Developer

    ReplyDelete
  17. So i'm using the tool and trying to get it to run during installation in SCCM. I've got it coded out for the T470 and M910q. I've setup the boot image to have HTML (WinPE-HTA) enabled. I put the HTA and the INI files in a package together, and the command line step (pointing at the package):

    cmd.exe /c ThinkBiosConfig.het "file=t470Config.ini"


    But when it gets to this point in the TS, I get the error
    C:\_SMSTaskSequence\Packages\PRI00533\ThinkBiosConfig.hta No Such Interface Supported

    What am I doing wrong here that I can't get it to run?

    ReplyDelete
    Replies
    1. That error really seems to indicate that the boot image that was actually booted does not have the HTA support. When you made the change to the boot image in SCCM did you click "OK" or "Apply". If you click OK then you need to manually go and make sure your Distribution Points are updated. Clicking Apply will go through a wizard that asks if you want the DPs updated automatically. You can click on the Boot Image in SCCM and at the bottom check the Last Modified Date.

      Delete
    2. Ok so I redistro'd out the boot image and it kinda works now. When I get to that point in the TS instead of loading the INI file I created from the another T470 or M910 respectively, in loads the HTA completely like if it want me to manually make the changes and save it or, manually load the INI file. I want it to just load the INI and move to the next step, a reboot, without having to do anything. Thoughts???

      Delete
    3. Usually if that happens, there is an issue with the command line parameters or the file is missing.

      Delete
  18. It does not appear to work on the P50. When launching the HTA, there are no BIOS settings listed. Any idea why? It works on all other devices.

    ReplyDelete
    Replies
    1. Please update the BIOS on your P50. At one of the previous updates the BIOS lost the WMI interface for settings. It has been addressed in the newest BIOS update.

      Delete
  19. Has anyone been able to get the P320 desktops to work with this application? We continue to have issues with tbct 1.15.

    ReplyDelete
    Replies
    1. Please try v1.17. We had to address an issue with the Boot Order on ThinkCentre and ThinkStation models.

      Delete
  20. This tool work great during OSD in a New Computer Scenario, but I tried to add it to a In-Place Upgrade task sequence (rebooting into WinPE after the OS is upgraded), but when I do that it doesn't take the .ini file and instead shows the full GUI (which I don't want during a task sequence). Is there a reason why it wouldn't work in this scenario, even though it's in WinPE when it runs and even using the same Boot Image?

    ReplyDelete
    Replies
    1. Usually that means that the command line has an issue on it or the file is missing.

      Delete
  21. Nope, I was wrong, it does happen even in a new computer scenario as well. This time I made note of the Script Error window that pops up.
    An error has occurred in the script on this page.
    Line: 1271
    Char: 9
    Error: This key is already associated with an element of this collection.
    Code: 0

    So, what am I doing wrong, or not doing to cause this error?

    ReplyDelete
  22. Hello,

    Is there any known issues with T460s/x260 when using this tool?

    Both machines doesn't have any BIOS-password and when I try to change the settings, nothing happens.
    Not even after a reboot..

    BR
    André

    ReplyDelete
  23. Hello,
    Is this script still working? We use W10 1803

    ReplyDelete
    Replies
    1. Yes the tool is still being maintained and updated. If you are having any issues please let us know.

      Delete
  24. Hello,
    Why cant we disable SecureBoot and the PhysicalPresenceForTpmClear in setconfig.vbs or the Think BIOS tool.
    It gives us the error: Invalid parameter, but when we try with Enable it returns success??

    ReplyDelete
  25. The Lenovo Security team requires that any setting which puts the system in a less secure state must be performed with physical presence and cannot be scripted. If the setting makes the system less vulnerable then it is allowed. That is why you can enable Secure Boot by script but you cannot disable it.

    ReplyDelete
  26. Hello,

    Is there such a tool for Lenovo laptops? I'm trying to remotely enable TPM chip in order to have BitLocker in place but some laptops don't have the TPM enabled to do so. Please help since I need to do this to almost 2k-3k laptops (models T460p, T460, T480, etc) Thanks,

    ReplyDelete
    Replies
    1. If the laptop is part of the ThinkPad line, like the T460p, T460, T480, the tool will work.

      Delete
  27. I am using tbct 1.25 to try and change the settings of a T470 and receiving the following script error. Does anyone know how to fix?

    Script Error window that pops up.
    An error has occurred in the script on this page.
    Line: 1362
    Char: 9
    Error: This key is already associated with an element of this collection.
    Code: 0

    ReplyDelete
    Replies
    1. Could you provide the BIOS version you are on? I didn't see that error on 1.53 or 1.54.

      Thanks!

      Delete
    2. In our In-place TS we are using the BIOS Management Tool to update the BIOS to 1.53 and then using the tbct tool to try and enable secure boot and and some other settings we need for W10. We only have 4 models ( T460p, P310, P320 and T470) and have been getting mixed results with all of them in our testing for this process.

      Delete
  28. Would you be able to make a post in this forum:
    https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg

    It will be much easier to go back and forth to troubleshoot your issues. Can you provide the list of settings in the post you are trying to change? I haven't been able to recreate your issue yet.

    ReplyDelete
  29. I am trying to control the TPM using this tool but when using Command Line, the settings are not being applied after a reboot.
    Is there a bug with the 1.25 version?

    ReplyDelete
    Replies
    1. Can you please post your issue in our enterprise forum?

      https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg

      Delete
  30. Hi!

    Is it possible to deploy this to already existing clients with the .ini file.

    I`m trying to deploy this with PSADT. Copy the .hta and .ini file to the local client (C:\BIOSConfig\). And then run C:\BIOSConfig\ThinkBiosConfig.hta "File=C:\BIOSConfig\P52sConfig.ini"

    When running the script, the files is copied, and it starts the tool, the .ini file is not loaded.

    Is it or will it be possible to do this silent?
    I manage clients with both SCCM and Intune (not hybrid)

    ReplyDelete
    Replies
    1. Hi! Per documentation, cmd.exe /c should be called before executing the .hta when running in the System context. Try changing your command line to cmd.exe /c C:\BIOSConfig\ThinkBiosConfig.hta "File=C:\BIOSConfig\P52sConfig.ini"
      and see if that works!

      Delete
  31. I have a big problems, the Think BIOS Config Tool app can not read passwords in uppercase and lowercase and I always have access denied. So I did a test and I took the same password but in lowercase and it works. Does that mean the capital letters do not match the keys on the keyboards?

    I need help since we are going to migrate our laptops and workstations to Windows 10 (Legacy to UEFI).

    Thank you for the help.

    ReplyDelete
    Replies
    1. Hi, ThinkCentre and ThinkStation accept uppercase and lowercase characters. ThinkPad only allows lowercase. Make sure your ThinkPad password is all lowercase first and re-test to confirm the results are expected.

      Delete
    2. Indeed the Think BIOS Config Tool for ThinkPad works with lowercase letters only. All of my 200 ThinkPad notebooks have the password in uppercase and lowercase letters. I will not be able to use this tool. Well understood thank you.

      Delete
    3. Hi Jim,

      Could you let me know what model and BIOS version you have? I would like to try to recreate your issue with the tool and see if we can get you a working solution.

      Thanks!

      Delete
    4. I have ThinkPad X240 BIOS GIET77WW (2.27) and X270 ROIET56W 1.34)

      The two samples with their age differences and both gives me the same result

      Delete
    5. Awesome, thanks for the reply! I'll see if I can reproduce what you are seeing.

      Delete
    6. I was able to get a X270 with the same BIOS as you have. In my testing, having uppercase and lowercase characters hasn't produced any issues. If my password I entered in to the BIOS was 'PASSWORD', I could use any combination of uppercase and lowercase as long as it spelled 'password'.The password is converted to scancode once it is through the WMI provider so uppercase and lowercase should be converted to the same value.

      Are there any other settings that you think might be causing your issue? I'll keep testing to try to get some Access Denied errors but this is the info I have found out so far.

      Delete
    7. When I was trying to change settings in bios via the utility Think Bios Config Tool, in the logs of this tool, it indicated me an access denied at the level of the supervisor password. When I changed the password in lowercase, it worked but as soon as I put a password upercase and lowercase I received an access denied, both with the old laptop and the most recent.

      Delete
    8. Hi Jim
      If you have further issues it would be best to start a new thread in the enterprise client forums.

      https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg

      Delete
  32. So if I understand this correctly I should be ableto enabled secure boot and related uefi pxe support but NOT work with TPM, correct?

    Also is there a common command variable for enabling secure boot across all the platforms so we would not have to remember that this t460 is different from a t480 which is completely different from thinnkcentres entirely.

    All we are looking for is a std way to enable secure boot, Viriualizaion options and enable/Activeate TPM for lenovo devices. I have virtually every lenovo device since the t410 to contend with and its a nightmare tyring to figure all of them out.

    Thanks in advance!

    ReplyDelete
    Replies
    1. What you could do is export the settings from each model you are trying to change the settings for and combine them into a single settings file. Take secure boot for example, ThinkCentre/Thinkstation use "Secure Boot,Enabled" while ThinkPad use "SecureBoot,Enable". If you put both in an ini file, only the applicable settings will be applied, meaning ThinkPads won't attempt to set "Secure Boot,Enabled" since the setting name is "SecureBoot". You can do the same thing with the rest of the settings you want to change.

      Hope this makes sense!

      Delete
    2. you guys know you are about 10 years behind Dell and HP with your Bios and associated tool right? having to go trough hoops like this for different models where others have a standard template across all their models. I find this unacceptable from one of the big 3 OEMS...

      Delete
  33. Does anybody know why I am getting an error 9009 during task sequence with this tool?

    I am using this tool for T580, X280, X380 etc. and now I need this for a P520c, so i installed Windows 10, ran the tool, exported the .ini file and put it in a package with ThinkBiosConfig.hta "file=P520cConfig.ini" "pass=pass"

    The result is a 9009 error code during OSD.

    ReplyDelete
  34. When i test the script it keeps saying Invalid Parameter. I'm using the tool for an t480 and it doesn't matter if there is an old 2018 or the newest 1.24 (2019) bios is installed

    config=Bootorder,NVMe1:NVMe0:PCILAN
    pass=*****************

    Making a single change
    Setting Bootorder to NVMe1:NVMe0:PCILAN: Invalid Parameter

    fileLocation=./T480Config.ini
    pass=****************

    Finished gathering settings.
    Parsing config file
    Setting BIOSPasswordAtUnattendedBoot to Enable: Invalid Parameter
    Setting BIOSPasswordAtBootDeviceList to Enable: Invalid Parameter
    Setting BootOrder to NVMe1:NVMe0:PCILAN: Invalid Parameter

    The supervisor password is set by hand. before the ThinkBios script will run.





    ReplyDelete
  35. Good Day

    I am getting the script error when running the hta in WinPE.
    This is occuring on X270 and T570 models.

    The error is:
    An error has occurred in the script on this page.
    Line: 1362
    Char: 9
    Error: This key is already associated with an element of this collection.
    Code: 0

    I am using version v1.25 of the tool and the T570 with the error has BIOS version 1.32.
    The command line I am using is .
    The config File contains the following:



    Secure Boot,Enabled
    SecureBoot,Enable
    CSM,Disabled
    Boot Mode,UEFI Only
    Boot Priority,UEFI First
    VirtualizationTechnology,Enable
    Intel(R) Virtualization Technology,Enabled
    VTdFeature,Enable
    VT-d,Enabled
    Security Chip 2.0,Enabled
    Security Chip 1.2,Active
    SecurityChip,Enable
    VirtualizationTechnology,Enable
    Discrete TPM FW Switch,Discrete TPM 2.0
    Security Chip,Enabled
    Intel VT for Directed I/O (VT-d),Enabled
    TCG Security Feature,Enabled

    The reason some of the setting appear to be duplicated is because the same config file is being used for over 10 varying Lenovo models (desktops and laptops)>
    We have seen success with the script as it currently is, except on the T570 and x270.

    Please help?

    ReplyDelete
    Replies
    1. SOLVED!

      There was a duplicate line entry in my config file
      VirtualizationTechnology,Enable

      Removing this resolved the issue on both models, in case anyone else might have the same issue.

      Thanks

      Delete
  36. I am having troubles applying the configuration with a BIOS password that is set already. What would my command line look like in order to apply the configuration with the password set already?

    ReplyDelete
  37. Hello,

    There is a bug in your ThinkBiosConfig.hta where every time the bios configuration setting on the first line of the .ini file is different then that current setting on the target computer, and you try to use the config file through the command line, it will crash with error:

    "This key is already associated with an element of this collection." on line 1362.

    The bug is not present when you apply the config file through the GUI, I believe because the variable gRefresh has a change to be set to true. If gRefresh stays false (which, it does when using the command line to apply a BIOS config file) the logic in parseFile the will trigger this error, given the conditions articulated above regarding the current BIOS settings / first line of ini conditions are met.

    Example:

    Settings in .INI config file:

    WakeOnLANDock,Enable
    WakeOnLAN,ACandBattery
    USBBIOSSupport,Enable
    SecurityChip,Enable
    SecureRollBackPrevention,Enable

    Current BIOS Settings of Computer retrieved via WMI with ThinkBiosConfig.hta:

    WakeOnLANDock,Disable
    WakeOnLAN,ACandBattery
    USBBIOSSupport,Enable
    SecurityChip,Enable
    SecureRollBackPrevention,Enable

    Will cause the duplicate key error. The first line of the .ini is all that matters, subsequent differences between current settings vs. config file settings will not cause the duplicate key error.

    ReplyDelete
    Replies
    1. Thanks for the info. Can you let me know what version of the HTA you are using and what model you are experiencing the issue on? I tried on a P72, T490s, and will try another couple machines.

      Here is what I tried to reproduce your issue, let me know if any of this is wrong-
      Export settings the current settings
      Changed the first one to the opposite value of what I currently have.
      Apply via the command line using ThinkBiosConfig.hta "file=P72Config.ini"

      Delete
    2. Hey there. I won't be back into my enterprise lab until tomorrow. I will run more tests tomorrow, but I took a look at the code again and it appears there is one more condition needing to be met, that I wasn't considering because all of our BIOS have passwords:

      There is also this condition in parse file:

      ElseIf (passkey <> "" And InStr(encrypted, ",") > 0) Then

      That is the last step into the logic that is needed to produce a duplicate key.

      Try again with the same conditions I listed above, but this time, make sure the BIOS has a password, and feed the command line argument:

      cmd.exe /c "ThinkBiosConfig.hta "file=P72Config.ini" "pass=ThePassword""

      The issue should replicate on all models. I'll confirm this tomorrow once I'm back in my lab.

      I am using the current 1.25 version on a T580 laptop, and reproduced the same results previously also on a M920t.

      Delete
    3. Ah i see what the issue is now. I'm going to test a new build of the tool today and hopefully get it out tomorrow. Thanks for the info and your patience.

      Delete
  38. Hello, tell me please, I can not turn on the Charge in Battery Mode item in the BIOS of Lenovo X1 Carbon. I did not find it in the list of all available parameters, is this parameter supported in this program? I use Think BIOS Config tool v1.25

    ReplyDelete
    Replies
    1. I don't believe that setting is exposed in WMI but I will check the X1 Carbon machines I have available.

      Delete
  39. Is it possible to set a supervisor password when there is no password set in default? I need to set a supervisor password on machines where no password is set atm.

    ReplyDelete
    Replies
    1. Hi, no this is not possible as this would pose a security risk.

      Delete
  40. Hi,

    We currently have the new Yoga x390 and L490 which are failing to configure a couple options via the ThinkBiosConfig tool with a .ini file;

    Setting PhysicalPresenceForTpmClear to Disable: Invalid Parameter
    Setting DeviceGuard to Enable: Invalid Parameter
    Setting SecureRollBackPrevention to Disable: Invalid Parameter

    When you run the tool the settings can be read and the corresponding value returned (enabled or disabled).

    We combine all our ThinkPad settings in one .ini and have double checked the password for the BIOS and encryption key.

    Any ideas? All other settings are applying fine.

    ReplyDelete
    Replies
    1. Hi Ryan,

      I was able to set PhysicalPresenceForTpmClear and SecureRollBackPrevention to disable using a config file. Usually if you have a bad password, it will return Access Denied so I'll look into this a bit more.

      Could you try to apply the config file in the hta just to double check if it will work that way? Thanks!

      Delete
    2. Hi,

      Tried with the config file via hta both using its GUI and the cmd line from within Windows. Same problem again.

      I've also noticed the hta tool doesn't detect Device guard and ignores the setting completely when specified in the ini file.

      FYi, only tested with the X390 Yoga, the other unit is out for UAT

      Delete
    3. DeviceGuard is missing on my machine as well so I will figure out what is going on there.

      What BIOS is your machine at?

      Delete
    4. Hi,

      Its 1.67 - N2LET67W

      FYI, also noticed on the T590 the option to switch the bios from a graphical interface to simple text seems to be ignored. However only seen this recently after we updated the bios, so I will test some more to confirm.

      Delete
    5. Still testing the X390 Yoga. Are those the only settings you are trying to apply or are there other ones? When I just do those 2 (since DeviceGuard is missing), it runs successfully. I'm wondering if changing something else is conflicting with it.

      As for the T590, at 1.49 I couldn't change the interface but on 1.52, I was able to modify the setting.

      Delete
  41. Hi,

    We also currently have the new x390 Yoga and it seems that ThinkBiosConfig tool has some issues to access DeviceGuard paramenter. When tool is runned it cannot find "DeviceGuard,Enable" or "DeviceGuard,Disable" row at all. It will also not add it to the ini file.

    Also when ThinkBiosConfig tool is opened and it connects to the WMI it is unable to recognice that there is a Supervisor password set in the BIOS. We tried to remove the password and add it again but same issue.

    We have currently 24 other Lenovo models where everything works fine for enabling DeviceGuard with this tool so there is nothing wrong in our configuration. Example the normal x390 works fine that we tested last week.

    Any ideas regarding this issue?

    ReplyDelete
    Replies
    1. Hi again,

      Update to our problem. ThinkBiosConfig started to notice the BIOS password when we tested the newest BIOS version in the computer but still it is not able to access DeviceGuard paramenter.

      I also tested previous version of ThinkBiosConfig tool and both had the same issue before and after BIOS update.

      Delete
    2. Not being able to see if the BIOS password is set was a bug in the original release. Please update the EC firmware then apply the new BIOS to your machines to restore this function.

      As for DeviceGuard, I don't see it either so I will figure out what happen in this case.

      Delete
    3. Hi,

      We had already a newer version of the EC firmware (1.12) then what is visible on Lenovos driver page (1.10), computer was shipped to us with this version. I was aware that there was a EC problem so therefore I checked what version computer had before updating the BIOS.

      Strange that it did not recognize password correctly in the older BIOS version (1.65) dispite EC firmware had already the fix applied. Password part in tool worked fine when latest BIOS version (1.67) was installed to the computer.

      Please update us when you figure out why DeviceGuard parameter is not visible so we can take necessary steps to get or installations working in this model.

      Delete
    4. The DeviceGuard issue has been passed on to the appropriate team. I'm waiting to hear back on what is going on.

      Delete
  42. Any updates on the DeviceGuard issue...we have it on X390 Yoga.

    ReplyDelete
    Replies
    1. The issue is scheduled to be fixed in the next BIOS update which should be released this month. Sorry for the delay.

      Delete
  43. Any updates on this issue? It is almost 1,5 months then we reported this.

    ReplyDelete
    Replies
    1. Sorry for the delay but I just heard back about the issue. It is scheduled to be fixed in the next BIOS update which should be released this month.

      Delete
  44. Hello, we are experiencing the same. On X1 Tablet and T480s devices. When we try to disable the setting, we get Invalid Parameter. I can confirm that it has nothing to do with BIOS version. Tested on all available BIOSes and also TBCT 1.26 and 1.28. As for our case - all settings work and are applied, except "PhysicalPresenceForTpmClear ".

    ReplyDelete
    Replies
    1. To clear that setting, you need to have a supervisor password set.

      Delete
  45. I can't seem to change the Alarm Power On paramaters, I just get "Invalid Parameter" no matter what date/times I put in. I've tried saving the changed parameters to the ini file and pushing them that way but the settings don't apply. Any ideas?

    ReplyDelete
    Replies
    1. Can you provide the model that you are experiencing these issues on?

      Delete
  46. I'm not sure if this is the right place to report this, but the top Google result for "think bios config tool" is a page on Lenovo's site that doesn't actually link to the tool: https://www.lenovo.com/ww/en/solutions/software/think-bios-config-tool

    ReplyDelete
  47. Hi! Is there a cmd line for extracting single/multiple BIOS settings from multiple machines to generate a report? This would be very helpful for tracking & audit purposes.

    ReplyDelete
  48. Does this work with X280 2018(years), to set default settings. There is supervisor password on bios.

    ReplyDelete
  49. It has Supervisor password. I have forgotten and lost my written key. Possible to reset the password to default settings?

    ReplyDelete
    Replies
    1. Unfortunately, no. You'll need to replace the board if you don't know the Supervisor password.

      Delete
  50. I get Host Unreachable on target systems.
    The tool works localy and I also tried setting up a supervisor password but nothing seems to work.

    Am I missing something to get the Target Remote to work?

    ReplyDelete
    Replies
    1. Are you able to successfully connect to the target machine using wbemtest?

      Delete
  51. I believe I have discovered a bug when applying an exported configuration file using the .HTA file on a P320 Tiny (M/T 30C).

    When the exported file is created, the following settings are not shown correctly:
    Alarm Time(HH:MM:SS),00:00:00][Status:ShowOnly
    Alarm Date(MM/DD/YYYY),01/01/2016][Status:ShowOnly
    User Defined Alarm Time,00:00:00][Status:ShowOnly

    They should be:
    Alarm Time(HH:MM:SS),[00:00:00][Status:ShowOnly]
    Alarm Date(MM/DD/YYYY),[01/01/2016][Status:ShowOnly]
    User Defined Alarm Time,[00:00:00][Status:ShowOnly]

    ReplyDelete
    Replies
    1. Thanks for letting us know! We'll figure out what is going on and posted a new version when it is fixed.

      Delete

Post a Comment