Updating Lenovo ThinkPad/ThinkCentre BIOS as SCCM application

Updating BIOS is no easy task. You probably have several models with differing BIOS versions. Also, the update requires a restart making it difficult to deploy without interrupting work. In this case, user interaction is recommended if a user happens to be logged on during deployment. This is where PSADT comes in to play.

Goal of this guide is to help you create a repository of Lenovo BIOS updates and automate updates using a single application in SCCM. User interaction is made possible by PSADT.
This repository may also be used during OSD. I’ll show this in an upcoming post.

Disclaimer: This has been tested on L/T/X series ThinkPads for *30-*70 generation. For ThinkCentres we only have M900. So adjust and test accordingly.

Getting latest BIOS
An easy way to get the latest BIOS is to download it from Lenovo. Let’s take a ThinkPad L460 as an example. The URL for downloads is: https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-l-series-laptops/thinkpad-l460/downloads. Here you can find the BIOS section. You want to download the BIOS update utility pack. For other models, you can easily modify the URL.

After download, extract the update (run the .exe to extract, but don’t run utility afterwards) to a folder with the model name, in this case a folder named L460. Do this for all your models.

Next, create a .txt file called biosversions.txt. Here, create tab delimited headers ‘Model’ and ‘Version’. Then enter all your models and the latest BIOS version you downloaded. As such:

Model Version
L530 2.67
L450 1.25
M900 7FA

Later on, we’ll use this text file in conjunction with our detection method. Here’s a template if you want: biosversions.txt

You may have noticed the differing versioning for ThinkCentre M900. For some reason Lenovo doesn’t use conventional version numbers for ThinkCentre, but instead hexadecimal(?). The complete version number for M900 is FWKT7FA. The FWKT characters are constant, but the three last characters change between versions, and the version is ascending in hexadecimal value if you watch the changelog from previous version.

Folder structure/placement
As mentioned, we’ll use PSADT for this setup.
So, copy all the folders for the models under the PSADT Files folder. Also copy biosversions.txt to the root of the PSADT folder. Finally, get a copy of 32-bit ServiceUI.exe from MDT and place it in the root folder (this allows for user interaction in “Whether user logged on or not” scenario).


Inside the files folder:

Disregard SCCM-UpdateBIOS.ps1 and ServiceUI64.exe until the next blog post…

Make the contents of the PSADT and subfolder readable and executable for Domain Computers on a server. In our case, we keep it on the SCCM server. We do this so the client doesn’t need to download all BIOS updates. The script will see to it that the client only copies the applicable update. If you want to perform BIOS updates in WinPE during OSD (wait for next post!), you should give read/execute permissions to the Everyone group. Additionally, for anonymous access (WinPE), you need some more tweaking, see this guide: https://vitoriodelage.wordpress.com/2016/04/07/creating-an-anonymous-smb-network-share/

Installation script
Here’s the code for the pre-install phase, i.e. insert the code under pre-install phase in Deploy-Application.ps1.
In a nutshell, check for AC power and show prompt if anyone is logged on.

Here’s for the installation phase (thanks for bug report from /u/davidnait over on reddit):

And lastly, post-install phase. Note that ThinkCentres require a shutdown.

Full Deploy-Application.ps1 here: https://www.dropbox.com/s/nfadi4q4mobembv/Deploy-Application.ps1

Create application in SCCM
Create application as you normally do. For deployment type, select Script Installer.
Leave content empty.
For installation program command, use ServiceUI.exe Deploy-Application.exe in conjunction with Installation start in containing the path to the location of the contents. Lastly, check to run in 32-bit.

Detection method
Next up, detection method. Use custom script of type PowerShell. Remember the temporary registry key from the script? Here we’ll check for it and remove it.
Make sure you have the correct network location for the biosversions.txt file.

Lastly, you may deploy the app. You may set it to run as whether user is logged on or not. This will allow automatic updating of BIOS if PC is on, but no user logged on. Wake-on-LAN is to recommend in this scenario.

Remember to test thoroughly before deploying to production.

Leave a Reply

Your email address will not be published. Required fields are marked *