Deploying ThinkPad BIOS Updates With Intune


This walk-through will cover deploying ThinkPad BIOS updates with Intune.  As you're aware, these are provided as standalone executables so adding these as a Win32 client app will involve converting them to the .intunewin format using the Win32 App Packaging Tool

App Conversion
Create a working folder where the Win32 App Packaging Tool and BIOS packages will reside.  Download the latest BIOS for your model system and save it to the working folder.  In a PowerShell or Command Prompt, run the IntuneWinAppUtil.exe and follow the prompts to:
  • Specify the source folder - This is the location where the BIOS package downloaded from the web is saved.
  • Setup File - The BIOS package file name, i.e. r0suj16w.exe
  • Output folder - Location where the converted app will drop.   
Once this information is entered, you will see the tool validate the package parameters, encrypt the content, and generate the detection XML file.  You'll now have a new file in the .intunewin format, which will need to be uploaded into Intune.


Add the App
Login to Intune and navigate to Client Apps > Apps  and click the Add button to add a new app.  You'll need to choose Windows app (Win32) from the list


Select the newly created .intunewin file to upload


Fill out the required app information or any optional fields.


Under Configure Program, this is where you'll specify the install/uninstall commands.  ThinkPad BIOS is wrapped with Inno Setup using a template that takes the /PARAM parameter and passes it to what is executed normally (Winuptp.exe -s).  This is how BIOS updates are done in the Lenovo Updates Catalog for SCUP.  This uninstall command is required but in this case, not necessary since you can't uninstall a BIOS update.


packagename.exe /VERYSILENT /PARAM="-s"


For Requirements, set the Operating System architecture and Minimum OS, which are required.

  
Detection Rules can be handled in several different ways.  In this example, I'm choosing to look at the BIOSVersion value in the registry.  The value in the screenshot below is after installing the latest BIOS update for my test system.  This is what will be evaluated at the time of install, so if the client has an older BIOS installed, it should evaluate as False and proceed with the install.  

(Note: This detection method assumes a newer BIOS version is being deployed to a system with an older version.  If you're attempting to deploy an older BIOS version, the rule will still evaluate as false and attempt to install the older version.  If for some reason you're deploying an older BIOS version, make sure the Secure Rollback Prevention BIOS setting is disabled.)

Key path:
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS

Value name:
BIOSVersion


 I did my testing on an X380 Yoga, so the values will vary across models.  You'll see this data in the registry.


 Return Codes isn't a required property to configure but we'll need to add an additional code to verify a successful installation.  Click Add and set the value to 1 and make sure Soft Reboot is selected for the code type.  For ThinkPad BIOS, a return code 1 indicates a successful BIOS update and no reboot (a silent install).  You can find a list of Winuptp return codes here.


Assign the App
Specify a group for app assignment.  If you're going to deploy multiple BIOS updates to different models, it may be a good idea to create a dynamic device group for each model and deploy its own BIOS to that group.   Since I was testing on an X380 Yoga, the below query is what would be used for an X380 Yoga dynamic device group. (Note: Per MS docs, available deployments to device groups are not supported, only user groups. )

(device.deviceModel -startsWith "20LH") -or (device.deviceModel -startsWith "20LJ")
  
Client Side Experience 
Once the app has been deployed, open the Company Portal on the client (if deployed as available) and choose to install the newly delivered app.  



You can trace the workflow in the IntuneManagementExtension.log located under C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.  Highlighted below is during the app detection step and installation using the install commands specified.  You'll also see exit code 1 and that it's defined as Soft Reboot.



Once complete, there should be toast notification prompting the user to reboot the system to complete software installation.  This can also be seen in the Company Portal

 Notes:
If your laptops are encrypted with BitLocker, this needs to be taken into consideration.  It's a best practice to suspend BitLocker prior to flashing the BIOS.  ThinkPad BIOS has this check built into Winuptp so if the system is encrypted, Winuptp will suspend encryption behind the scenes once a reboot is triggered.  As always, test test test.