Patching the IFX TPM vulnerability on Think Products with SCCM

Below is a possible workflow on how to fix affected Lenovo Think products in your environment using SCCM. The testing involved was done in a small lab environment and what is proposed in this article is not an “official” one-size fits all solution. I’m sure there’s plenty of other methods to achieve the same outcome, you just need to figure out what’s best for your environment.

What makes this scenario so challenging is all the dependencies needed before the TPM firmware can be updated. The BIOS needs to be updated, Microsoft’s security hotfix needs to be installed, and THEN the TPM can be updated. Of course, not every customer is going to attempt to do this all at the same time to EVERY device that may already have the latest BIOS, or already have the hotfix installed.

What I attempted to do in my lab was to try and simulate a real-world environment. How can I distinguish affected systems from non-affected systems? Which systems need their BIOS updated? Which systems have the MS se…

TPM Firmware Update Utility

ThinkPads which use the Infineon TPM chip have a firmware update available which addresses the weak RSA key generation issue (read more here).  This update is executed by TpmUpdt64.exe (or TpmUpdt.exe on 32-bit OS).  The following details about this utility may be useful if you are implementing this update through SCCM or some other software distribution solution.

Command line options:                "  -s        ... Silent mode\n"                "  -r        ... Reboot after program completed\n"                "  -sp       ... Skip power status check\n"                "  -chk      ... Check current TPM firmware\n"                "  -suc password ... Skip user confirmation at startup\n\n"                " Note: -suc option requires supervisor password.\n"
Return code: RET_SUCC_REBOOTING               0     // Success (will reboot system) RET_SUCC_NOTREBOOTING            1     // Success (no reboot) RET_SUCC_NEED_TO_UPDATE_TPMFW    2    …

SCCM Collections for ThinkPad Docks

In case your organization has a variety of ThinkPad docks, you may want to create a device collection or report that displays all of your ThinkPad's out in the field connected to one.

WQL queries provided in this blog post will be targeting:

OneLink+ Docks

select SMS_R_System.Name, SMS_R_System.IPAddresses, SMS_R_System.LastLogonUserName from SMS_R_System innerjoin SMS_G_System_PNP_DEVICE_DRIVER on SMS_G_System_PNP_DEVICE_DRIVER.ResourceID = SMS_R_System.ResourceId innerjoin SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_PNP_DEVICE_DRIVER.PNPDeviceID like"USB\\VID_17EF&PID_1019%"and SMS_G_System_PNP_DEVICE_DRIVER.Name ="Generic SuperSpeed USB Hub"and SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes in ("8","9","10","11","12","14","18","21","30","31","32")
Mechanical Pro Dock (PN: 40A1…

Dynamically Update BIOS on Think Products with SCCM

NOTE: What follows is a brief look at what is possible and not necessarily recommended for everyone.  Hopefully someone finds it useful.

Earlier at MMS this year, a fantastic session on modern driver management in OS deployments was presented by Kim Oppalfens and Tom Degreef.  This method and what it entails can be found here.

I was inspired by their session and wanted to see if this could work with Lenovo's BIOS updates in a similar manner.  The workflow is basically the same, with the key piece being the overridable task sequence variable in the Download Package Content step called OSDDownloadDownloadPackages.

Here's the layout of the Task Sequence:

Creating the Package(s):BIOS(s) You'll need to download the latest BIOS for your model from Lenovo's support site and extract the contents to a source directory.  Here's the folder structure I use in my lab:
<Share>\OSD\BIOS\<first 4 characters of BIOS>\<version>

Return codes for WINUPTP

For Lenovo ThinkPad computers the standard utility to perform a BIOS update is WINUPTP.exe (or WINUPTP64.exe). This utility can be called with a -s parameter to stage a BIOS update silently that will complete when the system is restarted - presumably by your task sequence.

To date, the possible return codes from this utility were not readily available. This post is meant to correct that. Below is a table of possible return codes from WINUPTP.exe:

Return CodeValueDescriptionRET_SUCC_REBOOTING0BIOS update is successful and system will reboot. (normal update)RET_SUCC_NOTREBOOTING1BIOS update is successful and system does not reboot. (silent update)RET_UNDEFINED-1WINUPTP Option is undefined.RET_FAIL_DRIVER_LOAD-2Driver(tpflhlp.sys) failed to load.RET_FAIL_UNSUPPORTEDSYSTEM-3This utility does not support this system or OS.RET_FAIL_NEEDADMINRIGHTS-4This utility requires Administrator privileges to run.RET_FAIL_NOBIOSIMAGEFORSYSTEM-5BIOS image file does not match this system.RET_FAIL_BADECIMA…

How to make the F11 key work in your custom Windows 10 image using SCCM

This post is expanding on someotherguy's KB article on how to make the F11 functionality work again if you're deploying a custom Windows 10 image in your environment. As of this post, SCCM Current Branch 1702 will be covered. (Note: This is only applicable to Windows 10 configured in UEFI mode)

With Think products, pressing the F11 key at boot will launch the recovery utilities. This is available if the system's operating system is preloaded from Lenovo. However, most large enterprise customers re-image the systems with a custom image. Once this happens, F11 will no longer work.

As mentioned in someotherguy's KB, an .efi file must be added to the boot folder in the System partition.

Here are the steps to accomplish this:

1. Download the file. Extract the contents to a source directory on your site server.

2. In your console, create a new Package that will contain the .efi file. Do not create a program.

Distribute the Package to your Distribution Points

3. Edi…


Introduction to DriverGrabberDriverGrabber is a "no install" utility that is aimed at simplifying the task of finding drivers and utilities for Lenovo PC products which an administrator needs to package for delivery through their software deployment solution.  By specifying a Machine Type and an operating system you get a list of available updates which can be selected for downloading. This takes much less time than navigating through the Lenovo support web site.

Beyond just automating the downloading and extracting of packages, DriverGrabber also shows details such as Version, Release date, Extract command, and Silent Install command.  There is even an option to get MD5, SHA-1 and SHA-2 hash values to help verify complete downloads. 
Packages can be selected by clicking the row header.  Hold the Ctrl key down to select multiple packages.  At the bottom of the window specify a download location and then choose to download only or download and extract.  A .CSV file with details…