
Deploy Lenovo BIOS Settings

“How to deploy Lenovo BIOS settings”

Background

When it comes to BIOS settings deployments, you are typically going to be at the mercy of the PC manufacturer. For most Dell shops, this isn’t a problem because Dell has created a “Client Configuration Tool Kit” (CCTK) which can be used to deploy BIOS settings en masse. Intel’s answer to this problem is “Active Management Technology” (AMT) for vPro-enabled chips. If you are fortunate enough to have an environment made up of these AMT-capable computers, it is possible to deploy BIOS settings using SCCM or something similar, regardless of make or model.

But this post isn’t about Dell or AMT; it’s about a problem I’ve encountered when trying to deploy Lenovo BIOS settings. Unlike Dell, Lenovo has not made a client configuration utility. Apparently, when it comes to Lenovo systems, you have to script the BIOS settings using something like VBS or PowerShell. Now, to Lenovo’s credit, they’ve provided some documentation on how to do this. In essence, there’s a lenovo_biossetting WMI object which has a setbiossetting method that Lenovo expects you to use. You are supposed to feed the setbiossetting method strings of text, with each string representing a configurable BIOS setting.

Problem

The problem is that although these strings of values are documented, the values differ between models of Lenovo computers, and some settings that are not of the simple enable\disable\Boolean type are not documented well enough. If you were to, say, mistype the boot order and feed it to the setbiossetting method, it would simply fail. So how are you supposed to format the strings correctly even when there’s no documentation at all?

Solution

The crux of this solution is to simply let the computer format your strings for you. This can be done by first manually configuring the BIOS on a test Lenovo PC, then pulling those settings from WMI and saving them to a text file. In the text file, all of the BIOS settings for this particular model of Lenovo PC are written down with proper formatting.

For your convenience, I have created two PowerShell functions to make this method even easier: Get-LenovoBIOSSettings and Set-LenovoBIOSSettings.

To deploy Lenovo BIOS settings:

  1. Configure the BIOS settings by hand on a test Lenovo computer, and reboot when finished.
  2. Use Get-LenovoBIOSSettings to dump all of the available BIOS settings on that test computer to a text file.

     Get-LenovoBIOSSettings -ComputerName 'Test-Lenovo-PC'

  3. Open the text file named “GetLenovoBIOSSettings_(%DATE%).log” that is located under C:\windows\logs and copy the BIOS settings you would like to deploy.

     [Image: LogFile]

  4. Each setting in the log file is on its own line. Copy each line\setting that is of interest, and add it as a string to a list in the deployment script. Send the list to the Set-LenovoBIOSSettings function.

In the example below, the only settings to deploy are the PXE boot setting and the BIOS flash setting. The first 165 or so lines are just the Set-LenovoBIOSSettings function copied to the top of the script, and the bulk of that is just for logging and help text. It’s the last 5 lines that actually make use of the function and apply the settings of interest. To get this running quickly, just edit line #167 with your choice of settings. Also, change the computer name on line 170 to the name of the target machine, i.e. instead of “lenovo-pc” make it “pc-lab1”.

NOTE: The values you find may only apply to specific models. For example, the settings in the sample above might only work for a T440s and not for an M93p. So you may have to use if\then conditionals, applying the list of values depending on the model of Lenovo PC, or keep track of different .ps1 scripts and run them on a per-model basis.

Btw, this assumes no password is set on the BIOS.
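The same dump-then-apply workflow, written directly against Lenovo's WMI classes in root\wmi with the per-model selection from the NOTE, as an added example (it is not the code of the Get/Set functions from this post). The model names, setting strings and output path are constructed samples; it assumes Windows PowerShell run elevated on the Lenovo PC itself and no BIOS password.

```powershell
# Added example, not the post's own functions. Run elevated on the target PC.
$ns = 'root\wmi'

# 1. Dump every setting exactly as the firmware formats it ("Name,Value").
$current = @(Get-WmiObject -Namespace $ns -Class Lenovo_BiosSetting |
    Where-Object { $_.CurrentSetting } |
    ForEach-Object { $_.CurrentSetting })
$current | Set-Content -Path "$env:TEMP\LenovoBios_$env:COMPUTERNAME.txt"  # hypothetical path

# 2. Per-model lists copied from such dumps. Keys and strings are constructed
#    samples; replace them with lines taken from your own test machines.
$byModel = @{
    'ThinkPad T440s'   = @('WakeOnLAN,Disable', 'BIOSUpdateByEndUsers,Disable')
    'ThinkCentre M93p' = @('Wake on LAN,Disabled')
}
$model  = (Get-WmiObject -Class Win32_ComputerSystemProduct).Version
$wanted = $byModel[$model]
if (-not $wanted) { throw "No settings list defined for model '$model'" }

# 3. Refuse strings whose setting name this model does not expose, skip values
#    that are already in place, and check the return value of every call.
$names  = $current | ForEach-Object { ($_ -split ',', 2)[0] }
$setter = Get-WmiObject -Namespace $ns -Class Lenovo_SetBiosSetting
$failed = @()
foreach ($s in $wanted) {
    $name = ($s -split ',', 2)[0]
    if ($names -notcontains $name) { $failed += "$s (unknown name on $model)"; continue }
    if ($current -contains $s)     { continue }
    $result = $setter.SetBiosSetting($s).return      # 'Success' when accepted
    if ($result -ne 'Success') { $failed += "$s ($result)" }
}
if ($failed) { throw "Not applied: $($failed -join '; ')" }

# 4. Accepted changes are only staged until saved; they apply on the next reboot.
$save = (Get-WmiObject -Namespace $ns -Class Lenovo_SaveBiosSettings).SaveBiosSettings().return
if ($save -ne 'Success') { throw "SaveBiosSettings returned '$save'" }
```

Because a mistyped or wrong-model string is reported by name instead of failing silently, the same script can be pushed to mixed hardware and the errors used to find the machines that still need their own list.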

Conclusion

So, to reiterate, use Get-LenovoBIOSSettings to discover the proper format of all BIOS settings on a properly configured Lenovo PC. In the deployment script, create a list containing some of those settings and send this list to the Set-LenovoBIOSSettings function. Leave comments below if you have any questions.


Script(s) Used in This Post:

Get_LenovoBIOSSettings (//adameyob.com/works/get-lenovo-bios-settings/)

Set_LenovoBIOSSettings (//adameyob.com/works/set-lenovo-bios-settings/)



12 Comments

  • Naz

    Sorry I’m a noob to PowerShell, cannot believe this is the method Lenovo wants you to use – mind boggles…
    Anyway, I don’t understand your explanation above, do I need to create a ps script PS1 file to run on the pc to both get and set the BIOS? I’m sorry your instructions presume a bit of fore-knowledge, please clarify.

    • Adam

      hey naz

      I plan on re-writing this article and cleaning up the code as best I can. I slapped this together quickly and I feel it’s a bit overengineered. Though it works fine and has worked fine for me for as long as I’ve used it. Yes this presumes knowledge of PS. It’s just a function that you use in a script.

      I recently discovered this tool: http://support.lenovo.com/us/en/downloads/ds014169 I suggest you try this first before venturing into wmi. It may just work for you, though I have yet to encounter any tool from Lenovo that actually works 100%. Things like thinkvantage update retriever, thininstaller, system update, wireless nav utility are all trash.

    • Adam

      That’s great, and about time! Hopefully it actually works. As I’ve said above, every single tool I’ve used from Lenovo has had problems\is buggy. Even their firmware upgrade packages are all done in different ways. No standardization at all. lmk how it works out for you. It could prove useful for password protected bioses.

  • CIS

    I am having a slight issue. The script works well, but I can’t get it to disable the option of booting from a cd. It allows me to disable usb cd/dvd boot drives, but I can’t find the setting to keep a regular SATA cd drive from being in the boot list.

    • Adam

      If you want to change the boot order:
      go to the target pc and set it manually. Then use get_lenovobiossettings to get the setting exactly as it should be written down. Then edit the script with that setting. If you are talking about a different setting that just outright disables booting from cds, the process is the same. You have to read thru the log and recognize the setting that you need. Sometimes the strings of text are not very intuitive.

      Finally, there are some settings that are not remotely administrable, such as the bios password. This really comes down to Lenovo and how they’ve implemented the wmi objects.

  • Sebastian

    Question: how can I run it with Supervisor password enabled? I know the password; is there a string I can add to run Set-LenovoBiosSettings to include the pass?

    • Adam

      There is a parameter on one of the objects. It’s been years since I have configured this. I am sure it’s just a matter of throwing the parameter in one of the objects\cmdlets in the script. Keep in mind that your password would be in clear text, in the script itself. There are ways to input secure strings in ps, but the only way to guarantee some level of confidentiality is to use a machine key. Problem with that is that the key is tied to the machine itself, so the script won’t execute properly on remote machines.

      Furthermore, you cannot implement a bios password via script (at least initially). You have to manually input the first bios password by hand. Then you could in theory run scripts remotely referencing that password, including changing the password.

      I don’t bother with this. I just implement Bitlocker with PCR 0 enabled. That way the bios is viewable, but the OS won’t boot if the bios had been tampered with. You could pair that with 802.1x to keep rogue machines off the network. Way easier to manage.

  • Jason

    Hi

    I am currently struggling to change the boot order on roughly 4k lenovo all in one machines. Is there a way to utilize this for multiple computers using a csv file perhaps? I have used the think bios config tool and it only allows one computer at a time… any feedback would be awesome

    • Adam

      NVM, I misread your question. The answer is yes, you can use a csv file. You can use Import-Csv and select the column of computer names.

      Then you can just iterate through that list with a foreach loop, calling set_lenovobiossettings for each name. All of this would replace line 170. Something like:

      $pcnames = Import-Csv c:\pcnames.csv
      foreach ($name in $pcnames) {
          Set-LenovoBIOSSettings -ComputerName $name.ColumnName -SettingsToBeApplied $Settings
      }

      where ColumnName is the name of the column that holds the pc names.

      Problem though is that this is not the best way to run scripts, as some machines may be off, asleep, unable to process during the time you run this, or can suddenly reboot etc…. Also, this is not very efficient and will run 4,000 times from your technician pc over rpc to all target machines. It is best to run the script using gpo, pdq deploy, or something else.

  • Jason frazee

    Yes, when the computers are not pingable the script ends. I wonder if there is a way to have the script overlook that?? I am looking into running it through gpo or other options like you recommended. I work at a school and we have some computers that do not have bios passwords set… so you can imagine what we have been dealing with haha

  • Jason frazee

    pdq deploy is clutch… Sorry I am a student as well as new to system administration so I ask a lot of questions! However I learn a significant amount of information from websites such as yours as well as youtube etc… Thanks for your advice!
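For the question in the comments about the run ending when a computer is not pingable, one way to write the CSV loop so that unreachable machines are skipped and recorded for a later retry. This is an added example, not part of the original post or its comments; it assumes the post's Set-LenovoBIOSSettings function is already defined earlier in the same script, and the sample setting string and the two output paths are constructed.

```powershell
# Added example: replaces the final call in the deployment script.
$ErrorActionPreference = 'Stop'     # turn errors from the function into catchable exceptions
if (-not (Get-Command Set-LenovoBIOSSettings -ErrorAction SilentlyContinue)) {
    throw 'Define Set-LenovoBIOSSettings (from the post) before running this loop.'
}

$Settings = @('WakeOnLAN,Disable')  # constructed sample; use lines from your own dump
$csvPath  = 'C:\pcnames.csv'        # CSV path used in the comment above
$column   = 'ColumnName'            # header of the column that holds the PC names

$results = foreach ($row in Import-Csv $csvPath) {
    $pc     = $row.$column
    $status = 'Attempted'
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        $status = 'Unreachable'     # skip this machine instead of ending the run
    } else {
        try {
            Set-LenovoBIOSSettings -ComputerName $pc -SettingsToBeApplied $Settings | Out-Null
        } catch {
            $status = "Error: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ ComputerName = $pc; Status = $status; Time = Get-Date -Format s }
}

# Keep a record of every machine, plus a list of the ones to retry next time.
$results | Export-Csv -Path 'C:\bios-results.csv' -NoTypeInformation     # hypothetical path
$results | Where-Object { $_.Status -ne 'Attempted' } |
    Select-Object -ExpandProperty ComputerName |
    Set-Content -Path 'C:\bios-retry.txt'                                # hypothetical path
```

"Attempted" only means the call returned without an exception; whether each setting was accepted still has to be read from the function's own log.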
