The Think BIOS Config tool

For a while now Lenovo’s business-class ThinkPad, ThinkCentre and ThinkStation products have offered a WMI BIOS Interface for controlling BIOS settings through scripting.  This was a big improvement over the old DOS-based utilities that were unique per model.  Now everything needed to make changes in settings during a deployment is built into the machine. 

A downside to the WMI approach has been that you have to be fairly skilled with scripting to make use of it and you have to know all the values of the settings you want to set.  In our lab we constantly felt the need for a GUI interface that would show us the current settings, what their possible values are, and allow us to set them on a local or remote machine.  While we were at it we also wanted a solution that would allow us to create a profile of settings that we could apply via command line in a deployment task sequence.


And that’s why we created the Think BIOS Config tool.  It has been created as an HTA so the source code is freely visible so it is clear exactly what the tool is doing.  Also, if you’re so inclined, the tool can be extended and modified to suit your needs.

When launched, you will see it appear and then be replaced by a UAC prompt.  This is one of the challenges with working with an HTA.  The code being executed to access the WMI BIOS interface requires admin level privileges.  To accomplish this with an HTA in a standard and secure way, the HTA re-launches itself to trigger the UAC prompt and the elevation of privileges.

The tool will initially show the BIOS settings of the local system if it is running on a Lenovo product that supports it.  In the image below you can see that the settings are implemented as a series of drop-downs offering the possible values for each setting.

2016_08_04_14_41_15_Think_BIOS_Configurator

Any changes made will be indicated in red text.  There are buttons at the top and bottom of the settings list that allow you to save the changes in BIOS, reset back to the current settings, or to apply all the Default settings for the targeted machine.

At the top of the tool are some File actions.  The Export Settings button on the right will create a simple .ini text file that captures all of the current settings of the targeted machine.  This file could later be used on the left side of the tool to load in a set of values that you might want to apply. 

2016_08_04_14_43_33_Think_BIOS_Configurator

The .ini file can also be used in a command line scenario which is useful in a deployment task sequence.  The HTA can be launched in WinPE using an MDT or SCCM boot image without any additions or changes to the boot image.  It can be executed and passed the .ini file to silently set a group of BIOS settings.  There is a user’s guide document included in the .zip for this tool that provides all the details on the command line usage and other features of the tool.

Please try the tool out and let us know how it can be improved.  One item we are working on is driving consistency across the Think Brands.  We are also looking at how to securely support some of the management tasks facing enterprises as they straddle the transition from Windows 7 to Windows 10.  Hopefully more to come on this in the near future.


DOWNLOAD LINK

https://download.lenovo.com/cdrt/tools/tbct111.zip

Changes:
1.11:  Added command line option to change back to default settings - 
Eg. ThinkBiosConfig.hta “default=true” 

Notice: This script is shared AS IS with no implied warranty or support.  If you have questions or suggestions please post a comment to this post.

Comments

  1. Will this do the settings for UEFI as well as legacy BIOS?

    ReplyDelete
  2. This tool leverages our WMI BIOS interface which is accessible in both Legacy and UEFI modes.

    ReplyDelete
  3. Great tool, much appreciated!

    The docs mention that this requires a formatted disk before being able to run. Is it possible to run this tool to set BIOS settings immediately after that?
    In our SCCM task sequences we use the "Pre-provision BitLocker" step just after formatting. Of course, this requires TPM to be enabled beforehand.

    Also, is it possible to set supervisor password with this tool?

    Martin

    ReplyDelete
    Replies
    1. Hi Martin,

      The reason the disk must be formatted first is because SCCM needs a location to download the package containing the .hta and .ini files before the task sequence can run the tool. You may even want to format the disk, run the tool, reboot, then format the disk again before pre-provisioning BitLocker. (I've had issues in the past where a reboot after formatting but before applying the OS caused my drive letters to get mixed up.)

      Info about setting a supervisor password is here: https://forums.lenovo.com/t5/Enterprise-Client-Management/M700-900-Set-Admin-BIOS-password-from-SCCM2012/m-p/3367636#M2250

      Delete
    2. Hi, I was wondering if I can put in a command to load default(as Commandline)? I found that on Lenovo P310 I cant set secure boot. But if I load defaults, secureboot is the default.
      Something like ThinkBiosConfig.hta “config=Load Defaults,Enable” or something?

      Delete
    3. Let us look into that. There is a separate method in WMI for doing that we may be able to leverage.

      Delete
    4. This feature has been implemented starting with version 1.11. The command line call will look like this: ThinkBiosConfig.hta "default=true"

      Delete
  4. I do not see any specific security chip settings. If I create an .ini file with the settings I want, (Discrete T), will this be applied to the target computer even though there is no mention of it in the .ini file?

    ReplyDelete
  5. The Think BIOS Config Tool only works through the WMI interface. It will display the settings that are available to be set through WMI. Changing the TPM is not available through WMI because it is a security setting that could have serious impact if flipped by a malicious script. The SRSETUP tool can change the TPM setting but must be executed from a bootable USB key so that physical presence is required.

    ReplyDelete
  6. Can this this also be used for Lenovo Miix 720 devices ?

    ReplyDelete
    Replies
    1. Do not have a Miix 720 to test this on but I don't believe the Miix 720 models support the WMI BIOS Interface in which case this tool would not be supported.

      Delete
  7. Having issues setting Secure Boot with ThinkCentre M82 model in a task sequence. BIOS is up to date and has worked for ThinkCentre M93 and M93p models in a task sequence.

    Script Error
    An error has occurred in the script on this page
    Line: 909
    Char: 6
    Error: This key is already associated with an element of this collection
    Code: 0
    URL: file://servername/thinkbiosconfig.hta

    ReplyDelete
    Replies
    1. Unfortunately the M92, M82, M72 models did not support enabling Secure Boot using the WMI interface.

      Delete
  8. How would you run this from PowerShell? I can't get it to accept the INI file.

    ReplyDelete
    Replies
    1. To get it to run through PowerShell, you will need to put single quotes around the double quotes. Here is an example: ThinkBiosConfig.hta '"file=C:\W550sConfig.ini"'

      The user guide will be updated when the next version is posted. Hope this helps!

      Delete

Post a Comment