Since 2011, when Lenovo introduced the Sandy Bridge based ThinkPads, they have replaced the legacy BIOS with the newer UEFI to support modern features such as Secure Boot. UEFI is in itself a small operating system with its own set of security issues and bugs, which is why you would want to keep it updated. Previously I have been updating to the newest version each time a computer is re-imaged. However, with the semi-annual servicing model introduced in Windows 10, I want to up the frequency to at least twice a year, in step with the Windows feature updates.
In order to accomplish this and be able to report compliance, I've created the BIOS update as an application, so that it can update both during OSD and on already deployed computers.
Instead of creating one application for each model and version, I’ve only created one generic application for all models. In that application I then add each Model as a deployment type, which lets me easily add or remove models as needed.
To be able to identify each specific model I've created a Global Condition based on a WQL query. On Lenovo systems I use the following Global Condition; for HP and Dell you would use win32_ComputerSystem instead.
Next up I add this global condition as a requirement for each deployment type, the requirement for the newest ThinkPad T-series looks like this:
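After downloading and unpacking the latest UEFI version to my application network share, I point SCCM to the flash utility with the silent parameter: WINUPTP64.EXE /S.
For the detection method I use a PowerShell script to detect the version:
$target = 1350
# Strip the "LENOVO - " prefix and cast so -ge compares numbers, not strings
$version = [int]((Get-WmiObject Win32_BIOS).Version.Trim("LENOVO - "))
# SCCM treats any output on STDOUT as "application detected"
if ($version -ge $target) { Write-Output "Installed" }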
The target number is taken from Lenovo's support site: look up the specific model (here the ThinkPad T470s) and open the readme to find the version numbers, which correspond to the version on my system before the update.
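A detection script that wrongly reports "detected" leaves outdated firmware marked as compliant, so the comparison has to be numeric. The following is an added example, not part of the original post, contrasting string and numeric comparison on constructed version strings; the helper name Test-UefiVersionAtLeast and the "LENOVO - <digits>" format are assumptions based on the Trim string used above.

```powershell
# Added example: parse a Win32_BIOS.Version string and compare it numerically.
# Test-UefiVersionAtLeast is a hypothetical helper name, not an SCCM or Lenovo API.
function Test-UefiVersionAtLeast {
    param(
        [Parameter(Mandatory)][string]$RawVersion,  # e.g. (Get-WmiObject Win32_BIOS).Version
        [Parameter(Mandatory)][int]$Target          # version number from the model's readme
    )
    # Assumed format "LENOVO - <digits>"; anything else counts as not detected
    if ($RawVersion -match '^\s*LENOVO\s*-\s*(\d+)\s*$') {
        return ([int]$Matches[1] -ge $Target)
    }
    return $false
}

# Constructed sample values (not read from real hardware)
$samples = 'LENOVO - 1350', 'LENOVO - 1360', 'LENOVO - 1340', 'LENOVO - 990', 'unexpected'

foreach ($s in $samples) {
    $trimmed = $s.Trim('LENOVO - ')
    [pscustomobject]@{
        Raw            = $s
        # String comparison sorts character by character, so '990' ranks above '1350'
        StringCompare  = ($trimmed -ge '1350')
        NumericCompare = (Test-UefiVersionAtLeast -RawVersion $s -Target 1350)
    }
}
```

For 'LENOVO - 990' and 'unexpected' the string comparison reports the target as met while the numeric comparison does not.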
A final note on the installation: when run with the silent parameter, Lenovo's flash utility requests a reboot using return code 1. In order to accommodate this I need to add return code 1 as a soft reboot under the deployment type.
This will make the SCCM client request a reboot after a success and have the actual flash process take place the next time the computer boots.
Using this approach I'm able to use the same application in OSD as well as deploying it to already deployed computers with little user interruption. When a new UEFI version for a model is released, I only need to edit the corresponding deployment type, updating the version number and pointing to the newly downloaded binaries.
Replaced detection method to allow greater than comparison, credit to https://twitter.com/Brien_Bohmann