BIOS configuration for Lenovo devices

Like most manufacturers, Lenovo provides several tools to automate the BIOS configuration and upgrade. However, apart from WMI interface, these tools require direct access to the device and can be different tools for different devices. Using WMI, not only you’re able access the device remotely but you also get a standard interface that you can leverage to centralize and standardize the BIOS configuration process for all devices. You’ll probably still need different procedures for the BIOS upgrade process depending on each model.

 

Lenovo provides some sample scripts and documentation on how to use WMI that I used as the starting point for this project. The strategy to achieve this goal is to generate CSV files that hold all the data required to set the BIOS settings. Once these CSV files are generated, they can then be manipulated in whatever tool you find suitable. SQL database, Excel or even a text editor. The CSV structure is described in the following table:

 

FieldDescription
Device TypeThe four character code that identifies the device family
Product NameThe name Lenovo gave to the product
ModelThe code given to the device (10 character code beginning with the device type)
Row numberA value, starting with zero, that is incremented for each line
SettingThe BIOS setting description
Setting ValueThe current value for the setting
Setting TypeThe type of values for the setting (unique value, ordered list, etc)
Other ValuesAdditional values that can be used for this setting

 

The scripts can be downloaded from GitHub using this link. The SetSupervisorPassword.vbs can be used to change the supervisor password. This script is the original Lenovo script with an exit code added to be used with Microsoft MDT/SCCM or any other similar tool. The DumpBIOS.vbs is based on Lenovo’s ListAll.vbs and generates the CSV file with BIOS settings for the device (this script does not require the supervisor password). The ApplyBIOS.vbs, based on Lenovo’s SetConfigPassword.vbs, parses the CSV file and applies the settings if possible (some settings depend on others and cannot be set showing the error read-only).

 

When deploying with MDT/SCCM, I use a file based repository for the settings. It easy to develop it with following command script:

@echo off

set XROOT=%HOMEDRIVE%
set XLOG=%XROOT%\bios.log

for /f "tokens=2 delims='='" %%f in ('wmic computersystem get model /value') ^
do set XMODEL=%%f

set BIOSFILE=%2
set BIOSPATH=%ResourceDrive%\Lenovo\BIOS\%XMODEL%
echo ***** BIOS path: %BIOSPATH% ***** >>%XLOG%
if [%2]==[] set BIOSFILE=BIOSConfig.csv
if not exist %BIOSPATH% goto FAILED
if not exist %BIOSPATH%\%BIOSFILE% goto NOCONFIG
if [%1]==[] goto NOPASS

md %XROOT%\bios
xcopy %ResourceDrive%\Lenovo\Scripts\GitHub\ApplyBIOS.vbs ^
%XROOT%\bios\ /E /H /K /Y >>%XLOG%
xcopy %BIOSPATH%\%BIOSFILE% %XROOT%\bios\ /E /H /K /Y >>%XLOG%
%XROOT% >>%XLOG%
cd %XROOT%\bios >>%XLOG%
cscript ApplyBIOS.vbs %BIOSFILE% %1 >>%XLOG%
goto END


:NOCONFIG
echo ***** BIOS config file not found ***** >>%XLOG%
md %XROOT%\bios
xcopy %ResourceDrive%\Lenovo\Scripts\GitHub\DumpBIOS.vbs ^
%XROOT%\bios\ /E /H /K /Y >>%XLOG%
%XROOT%
cd %XROOT%\bios
cscript DumpBIOS.vbs %BIOSPATH% >>%XLOG%
goto END


:FAILED
echo ***** BIOS path not found ***** >>%XLOG%
md %BIOSPATH% >>%XLOG%
if %ERRORLEVEL%==0 goto NOCONFIG
goto END


:NOPASS
echo ***** Missing BIOS password ***** >>%XLOG%

:END
cd %XROOT%\
exit 0

 

This script will check if the current model already has a BIOSConfig.csv in its configuration folder. If not, it invokes the DumpBIOS.vbs script to generate the CSV file in the proper folder. If a BIOSConfig.csv is available, copy the necessary files to the OS disk before executing them. Eventual security policies may not allow code from the network to be executed. Then it will execute the ApplyBIOS.vbs script when BIOSConfig.csv is available. The supervisor password should be provided as the first argument to this command file. As second argument, an arbitrary CSV file may be used.

 

Editing the CSV file

When editing the settings in the CSV file, attention should be given to the Setting Type field. Typical values are “Optional”, “Insert” and “Excluded from boot order”. For “Optional” values, you should set the BIOS Setting Value with one of the values available on the Other Values list. For “Insert”, a formatted value should given regarding the setting, being it a date or time value. In the current ApplyBIOS.vbs script, “Insert” settings are ignored.

The “Excluded from boot order” type requires Setting Value and Other Values list to be edited. This setting value is an ordered list where each value is separated with a colon. Adding a value to the ordered list requires it to be removed from the Other Values list. The values list order is not important, because it will be excluded from the boot order. Only the order in the values list of the BIOS setting is relevant.

 

ZTI notes

When aiming for a zero touch installation, bear in mind that Lenovo devices will ship with significant constraints by default. The devices do not have a password set. For security purposes, you cannot set a password using WMI. You can only change it once it’s already set. You have to order the device to be configured from factory with a default password. It can then be changed during the OS deployment. To change and verify if your secret password is set you can use the following command file (that invokes the modified SetSupervisorPassword.vbs):

@echo off

rem Default password
set BIOS_PASS=secret
set OLD_PASS=password

set XROOT=%HOMEDRIVE%
set XLOG=%XROOT%\bios.log

if [%1]==[] goto DEFAULT_PASS
set BIOS_PASS=%1

if [%2]==[] goto DEFAULT_PASS
set OLD_PASS=%2

:DEFAULT_PASS
echo ***** Set BIOS password ***** >>%XLOG%
cscript.exe %ResourceDrive%\Lenovo\Scripts\GitHub\SetSupervisorPassword.vbs ^
%OLD_PASS% %BIOS_PASS% ascii,us >>%XLOG%
if %ERRORLEVEL%==0 exit 0

echo ***** Test BIOS password ***** >>%XLOG%
cscript.exe %ResourceDrive%\Lenovo\Scripts\GitHub\SetSupervisorPassword.vbs ^
%BIOS_PASS% %BIOS_PASS% ascii,us >>%XLOG%
exit %ERRORLEVEL%

 

Another relevant constraint is the requirement for physical presence when clearing the TPM. Again, this is a setting that needs to be set at the factory if you want it disabled by default. On some models you might be able to successfully change it using WMI, by switching the TPM from version 2.0 to 1.2. However, according to the documentation, this is not possible. So if you ever find this behaviour on any given model, it’s probably a bug on that specific BIOS and can be fixed in the future…

 

Feel free to fork these scripts on GitHub. Lenovo WMI guide available here. Any feedback is appreciated.

Exit mobile version