![CAPTAIN_HAPPY_FACE_by_ekud_thumb9]( "CAPTAIN_HAPPY_FACE_by_ekud_thumb9")
This is so shocking that you won’t believe it: the process to upgrade the BIOS on some Lenovo Thinkcentre series requires a full shutdown (S5) to achieve migration!!?? …Whoot!!..
Yes, that’s no joke, the computer needs to shutdown to initiate the upgrade process. When BIOS has finished patching, it fortunately reboots on his own but that is already way to much to handle for a regular SCCM task sequence, so it will break… as expected !!
If you’ve not yet stepped in the BIOS arena, be aware that it is definitely not an easy topic, It gets even worse if
- you must deal with different vendors
- you must manage older models
Each model whether being Dell, HP or Lenovo always comes with an handset of surprises and Lenovo ThinkCentre is no exception!
So, today, we will try to fix that pesky mandatory shutdown and make our task sequence recovers at next boot. To make this happens I will rely on the
awesome technic discovered by Nick Kallen a.k.a
ZnackAttack. The main idea is to initiate an SCCM reboot with a long enough countdown and in parallel, to fire a command line shutdown to switch the PC off. As far as I understand it, shutting down the PC during the reboot countdown will not break the task sequence and everything will continue peacefully at the next reboot.
Many thanks to Nick for this finding, a really nice tip if you ask me. On my side, I humbly, tried to push his work a bit further by consolidating everything into a single yet modular script, I’ve also gone to a more use case centric approach while I’m nearly sure Nick did his post for the same purpose.
A bit of context before moving on to the details:
Starting with a ThinkCentre PC with legacy BIOS, the goal is to move to UEFI/secure boot and to upgrade the BIOS firmware to the latest version. All those steps will be executed under WinPE and will only involve one reboot!
Requirements
To defeat the ThinkCentre you will need:
- A working SCCM Infrastructure (preferably with MDT integration, but that’s not mandatory).
- A Lenovo Thinkcentre desktop as a test target.
- The latest available firmware update for that desktop (available at Support.Lenovo.com)
- The ThinkBiosConfig.hta utility from Lenovo(the script allow to capture/Set BIOS settings).
- My BIOSUpgradeThinkCentre.wsf script available on GitHub.
All those elements needs to be put together under the form of a package, so create a folder and create two subfolders called Firmware and Settings.
In the Firmware folder, extract the content of the BIOS package. If you don’t have at least a file with a .ROM extension and an exe called Wflash2x64, you’ve not downloaded the appropriate file!!!
In the same folder copy BIOSUpgradeThinkCentre.wsf file and ZTiUtility.vbs from MDT’s Scripts folder. If you have MDT integrated with SCCM you can grab the file from the MDT package, if not, you’ll need to install or extract the file from the installer.
The resulting folder should looks like this:
On the Settings folder, copy the ThinkBIOSConfig.hta and a config file (.INI) for the ThinkCentre your are about to deploy.
The config file is basically a capture of the BIOS parameters that include the necessary settings to activate UEFI, Secure Boot and anything else from TPM to intel virtualization. If you don’t know how to capture a config file, follow this quick and dirty how to:
- Power on a ThinkCentre and go to the BIOS (press F12 and select Enter setup)
- On the Exit tab switch the OS Optimized Defaults to Enabled, This will enable Secure Boot and UEFI.
- Dig in other menus to set BIOS to your own requirements
![10_07_2018 16_49 Office Lens - (1)]( "10_07_2018 16_49 Office Lens - (1)")
- On the Exit tab, press Enter on Save Change and Exit
- Boot to Windows or WinPE if you have no OS installed
- Launch the ThinkBIOSConfig.hta and click on the Export Settings Button. an .INI file should have been created in the same folder.
![image]( "image")
- Grab this file and put it in the Settings folder
Once done, your Settings folder will look like this:
![image]( "image")
Create, import and distribute the package in SCCM. You are now done with the prereqs.
Task Sequence
![image]( "image")
The Task sequence presented here is just a POC, there are plenty of areas in the pre check space that could be added but this is for another time. I will just focus on a simple scenario: a bare metal deployment using a PC with legacy BIOS. Under WinPE, the BIOS will be converted to UEFI and be upgraded to the latest version.
If you plan to use it over an already deployed Windows 10 PC, the script should also works but have not been tested. Report here or on Github if issue occurs. Also, you’ll need to edit the task sequence as partition formatting and booting to WinPE is not necessarily what you want in this case!
The first two steps of the task sequences are the traditional download of the MDT package and the Gather step, there is nothing special here.
The Not UEFI sub group has a condition to check whether or not the disk should be pre-formatted. The condition used is _SMSTSBootUEFI not equals true.
If the condition is verified, the next step will pre format the disk to ‘fake’ UEFI with the special
TSUEFIDrive property described by Microsoft
here.
The purpose of this step, is to manage machines with legacy BIOS. Conversion to full UEFI requires booting from an UEFI media (for example a FAT formatted USB stick) but this can’t happen if we are on legacy as we can only use NTFS formatted media! So one part of the trick is to use this fake UEFI formatting.
Formatting parameters are described here:
The second part of the trick comes after BIOS upgrade with a required reboot. As the reboot is requested to WinPE, a Boot.WIM image will be copied on the hard drive and next boot will occurs on a FAT (UEFI compatible) formatted media. With this, plus BIOS settings changed to support UEFI, all conditions are met to format the system to a standard and supported UEFI.
Note 1: The Variable TSUEFIDrive is mandatory for SCCM to support this process.
Note 2: You may ask about the reboot step not appearing in the task sequence next to the FirmwareUpgrade step. This is normal, the reboot is managed by the
BIOSUpgradeThinkCentre.wsf script using the properties described in
this previous blog post.
Next step will load the new firmware files to a local location and grab the path to a variable called
BiosUpgradePath. There are many ways to make this step dynamic if you manage several models, but this is out of topic. Mick Terrill has an inspiring
blog series to get you started if this is something you care about.
Following step will apply BIOS parameters captured earlier with the command:
cmd.exe /c ThinkBiosConfig.hta “file=BIOS_M800.ini”
Last important step is where I put the special sauce. The command executed is
Cscript.exe BIOSUpgradeThinkCentre.wsf /BiosPath %BiosUpgradePath01%
Behind this single step lies a couple of action:
- The new firmware is applied.
- The WinPE image is installed to the hard drive.
- The reboot to that WinPE image is initiated with a 60 seconds delay
- This delay is then broken with a true shutdown, so firmware upgrade can proceed.
steps coming after that are just common deployment steps so there no need to elaborate on them ! More interesting stuff: what does that script is doing in the background to manage a full shutdown without breaking anything ? This is the next chapter…
What does the script do !
First thing to notice: We are passing the firmware path to the script using /BiosPath %BiosUpgradePath01% argument. BiosUpgradePath01 is the variable generated from the download firmware package step. If you don’t like the naming, your are free to role your own.
The first important block of code is the “Relaunching Script Asynchronously” section:
If the reboot has not yet occurred, the script will install the boot image on the PC’s hard drive (oEnvironment.Item("SMSTSRebootRequested") = "WinPE" ). If we are not under WinPE the script will just reboot, so yes, this should also works under Windows (Not tested yet!!)
Then, the delay is specified ( oEnvironment.Item("SMSTSRebootDelay") = "60" ) and an home made variable is set to tell the script that the reboot is in place ( oEnvironment.Item("IsRebooted") = "true" )
The script will then relaunch itself in another instance while closing the first one:
oShell.Run "Cscript.exe "& wscript.ScriptName & " /BiosPath:"& oUtility.Arguments.item("BiosPath"),0,false
Wscript.Quit
What is happing Now?
As the first instance of the script has exited, SCCM will initiate the delayed reboot, but that’s not all, as the variable IsRebooted is now set, the relaunch section will be skipped in the second instance of the script and will proceed to the next big part: the Bios update!
Once the script has determined that the boot image is in place, It will start to update the BIOS. ![image]( "image")
I’ve used a tips that I noticed from the log files: once the boot image is staged, the SCCM TSUEFIDrive variable is populated.
After seeking for the firmware file, the script will start the update
Everything is ready, let’s finish this by that awaited “savage reboot”:
As you can see again, this should also works if you are not under WinPE.
Before the shutdown occurs, SCCM should have popped the reboot window with the 60 seconds countdown. Feel free to set a higher value if you work on a slower machine.
What will happen next: the PC will Shutdown, after a few seconds, BIOS will upgrade. The machine will reboot on the staged WinPE image and the task sequence will proceed to the next step… sweetness… flowless…
Hope you enjoyed that funny SCCM trickery a much as me, see you next time
