Deploying ThinkPad BIOS Updates With Intune
This article has moved to https://blog.lenovocdrt.com/#/2019/intune_bios_deploy
App Conversion
Create a working folder where the Win32 App Packaging Tool (IntuneWinAppUtil.exe) and the BIOS packages will reside. Download the latest BIOS for your system model and save it to the working folder. In a PowerShell or Command Prompt window, run IntuneWinAppUtil.exe and follow the prompts to:
- Specify the source folder - This is the location where the BIOS package downloaded from the web is saved.
- Setup File - The BIOS package file name, i.e. r0suj16w.exe
- Output folder - Location where the converted app will drop.
Add the App
Log in to Intune and navigate to Client Apps > Apps, then click the Add button to add a new app. Choose Windows app (Win32) from the list.
Select the newly created .intunewin file to upload.
Fill out the required app information or any optional fields.
Under Configure Program, specify the install and uninstall commands. ThinkPad BIOS packages are wrapped with Inno Setup using a template that takes the /PARAM argument and passes it on to what is normally executed (Winuptp.exe -s). This is the same way BIOS updates are done in the Lenovo Updates Catalog for SCUP. The form requires an uninstall command, but it serves no purpose here because a BIOS update can't be uninstalled.
packagename.exe /VERYSILENT /PARAM="-s"
For Requirements, set the Operating System architecture and Minimum OS, which are required.
Detection Rules can be handled in several different ways. In this example, I'm choosing to look at the BIOSVersion value in the registry. The value in the screenshot below is after installing the latest BIOS update for my test system. This is what will be evaluated at the time of install, so if the client has an older BIOS installed, it should evaluate as False and proceed with the install.
(Note: This detection method assumes a newer BIOS version is being deployed to a system with an older version. If you attempt to deploy an older BIOS version, the rule will still evaluate as false and the older version will be installed. If for some reason you are deploying an older BIOS version, make sure the Secure Rollback Prevention BIOS setting is disabled.)
Key path:
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Value name:
BIOSVersion
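The registry rule above is an exact string match. As an added example (not from the original article), the same check can be done with a custom detection script, which also lets you treat a BIOS that is already newer than the target as "installed" so an older package is never pushed. The target string and the "ID (x.yy )" format of the BIOSVersion value are assumptions; copy the real value from your test system.

```powershell
# Added example: Intune Win32 custom detection script for a ThinkPad BIOS update.
# Intune rules: exit code 0 plus any STDOUT output = detected (skip install);
#               exit code 1 with no output = not detected (run the install).
# Assumption: BIOSVersion reads like "XXXXXXXX (1.23 )" - an ID followed by the
# numeric version in parentheses. Replace the placeholder with your own value.
$TargetVersion = 'XXXXXXXX (1.00 )'   # placeholder: BIOSVersion from a test system after the update

function Get-NumericVersion {
    param([string]$Text)
    # Extract "1.23" from the parentheses and return it as a comparable [version];
    # return $null if the string does not follow the assumed format.
    if ($Text -match '\(\s*(\d+\.\d+)\s*\)') { return [version]$Matches[1] }
    return $null
}

$regPath = 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS'
$current = (Get-ItemProperty -Path $regPath -Name BIOSVersion -ErrorAction SilentlyContinue).BIOSVersion

if (-not $current) {
    # Value missing or unreadable: report "not detected" so the attempt shows up in reports
    exit 1
}

$curVer = Get-NumericVersion $current
$tgtVer = Get-NumericVersion $TargetVersion

if ($null -ne $curVer -and $null -ne $tgtVer) {
    # Numeric comparison: a BIOS at or above the target counts as installed, so this
    # script never downgrades a system (see the Secure Rollback Prevention note above).
    if ($curVer -ge $tgtVer) {
        Write-Output "BIOS $current is at or above target $TargetVersion"
        exit 0
    }
    exit 1
}

# Fallback when the format assumption does not hold: exact match, like the registry rule
if ($current -eq $TargetVersion) {
    Write-Output "BIOS $current matches target"
    exit 0
}
exit 1
```

Upload the script under Detection rules > Use a custom detection script; run it once locally on the test system and confirm it exits 0 before assigning the app.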
Assign the App
Specify a group for app assignment. If you're going to deploy multiple BIOS updates to different models, it may be a good idea to create a dynamic device group for each model and deploy that model's BIOS to its group. Since I was testing on an X380 Yoga, the query below is what would be used for an X380 Yoga dynamic device group. (Note: Per MS docs, available deployments to device groups are not supported, only to user groups.)
(device.deviceModel -startsWith "20LH") -or (device.deviceModel -startsWith "20LJ")
Client Side Experience
Once the app has been deployed, open the Company Portal on the client (if deployed as available) and choose to install the newly delivered app.
You can trace the workflow in IntuneManagementExtension.log, located under C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. The highlighted section below covers the app detection step and the installation using the install command specified above. You'll also see exit code 1, which is defined as a Soft Reboot.
Once complete, there should be a toast notification prompting the user to reboot the system to complete the software installation. This can also be seen in the Company Portal.
Notes:
If your laptops are encrypted with BitLocker, this needs to be taken into consideration. It's a best practice to suspend BitLocker prior to flashing the BIOS. ThinkPad BIOS has this check built into Winuptp, so if the system is encrypted, Winuptp will suspend encryption behind the scenes once a reboot is triggered. As always, test test test.