Configuring Lenovo Vantage with an MDM

by Phil Jorgensen

Overview

Lenovo Vantage contains some features which may not be appropriate for enterprise users. Please read this section carefully to understand these features and consider whether they should be disabled in your specific environment.

Lenovo Software and Driver Updates – One of the features of Lenovo Vantage, called System Update, will automatically install updates for Lenovo software and drivers. Some IT organizations will want to disable this.

Ads, messaging, and metrics data collection – Lenovo Vantage tells users about special offers from Lenovo through in-app and toast messages. Lenovo Vantage also collects metrics/telemetry data about how users interact with the application. These things can be disabled.

This guide will demonstrate how to control the parts of the Lenovo Vantage user interface that are displayed to the user and how to deploy the configuration with MobileIron Cloud with Bridge or Microsoft Intune.

Deployment from MobileIron

Log into MobileIron Cloud, …

Expert Level Integration of ThinInstaller with SCCM

Identifying Missing or Down-level Drivers and Hardware Applications on Think Products with ThinInstaller

This post is mainly for anyone using Update Retriever/ThinInstaller in their environment alongside SCCM (Current Branch).

If you use ThinInstaller to install drivers and hardware apps on your client systems, a recently added action called "SCAN" can be used in the command line when calling ThinInstaller.

An example of its use will look like this:

ThinInstaller.exe /CM -search A -action SCAN -repository \\<RepoShare> -noicon -includerebootpackages 3 -noreboot

This searches your Update Retriever repository and finds all applicable content for the system without installing anything. When the SCAN switch is used, a second log titled "Update_ApplicabilityRulesTrace.txt" is generated along with the expected "Update_log_<CurrentTimeStamp>.txt" that gets created any time ThinInstaller is executed.

A quick look inside the Update_Applicabilit…

Patching the IFX TPM vulnerability on Think Products with SCCM

Below is a possible workflow for fixing affected Lenovo Think products in your environment using SCCM. The testing involved was done in a small lab environment, and what is proposed in this article is not an “official” one-size-fits-all solution. I’m sure there are plenty of other methods to achieve the same outcome; you just need to figure out what’s best for your environment.

What makes this scenario so challenging is all the dependencies needed before the TPM firmware can be updated. The BIOS needs to be updated, Microsoft’s security hotfix needs to be installed, and THEN the TPM can be updated. Of course, not every customer is going to attempt to do this all at the same time to EVERY device that may already have the latest BIOS, or already have the hotfix installed.

What I attempted to do in my lab was to try and simulate a real-world environment. How can I distinguish affected systems from non-affected systems? Which systems need their BIOS updated? Which systems have the MS se…

TPM Firmware Update Utility

ThinkPads which use the Infineon TPM chip have a firmware update available which addresses the weak RSA key generation issue (read more here).  This update is executed by TpmUpdt64.exe (or TpmUpdt.exe on 32-bit OS).  The following details about this utility may be useful if you are implementing this update through SCCM or some other software distribution solution.

Command line options:

  -s            ... Silent mode
  -r            ... Reboot after program completed
  -sp           ... Skip power status check
  -chk          ... Check current TPM firmware
  -suc password ... Skip user confirmation at startup

  Note: -suc option requires supervisor password.

Return code:

  RET_SUCC_REBOOTING               0     // Success (will reboot system)
  RET_SUCC_NOTREBOOTING            1     // Success (no reboot)
  RET_SUCC_NEED_TO_UPDATE_TPMFW    2    …

SCCM Collections for ThinkPad Docks

If your organization has a variety of ThinkPad docks, you may want to create a device collection or report that displays all of your ThinkPads out in the field that are connected to one.

WQL queries provided in this blog post will be targeting:

OneLink+ Docks

select SMS_R_System.Name, SMS_R_System.IPAddresses, SMS_R_System.LastLogonUserName
from SMS_R_System
inner join SMS_G_System_PNP_DEVICE_DRIVER on SMS_G_System_PNP_DEVICE_DRIVER.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_PNP_DEVICE_DRIVER.PNPDeviceID like "USB\\VID_17EF&PID_1019%"
and SMS_G_System_PNP_DEVICE_DRIVER.Name = "Generic SuperSpeed USB Hub"
and SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes in ("8","9","10","11","12","14","18","21","30","31","32")

Mechanical Pro Dock (PN: 40A1…