
SCCM - Lenovo BIOS Update for Meltdown & Spectre via SCCM

This article covers how to install a BIOS update from Lenovo to patch Meltdown and Spectre CPU hardware vulnerabilities using an SCCM Task Sequence.

It is highly recommended all files are backed up prior to updating the BIOS on any computer!

If you have any questions, please contact endpointmanagement@mit.edu.

Computer Requirements

Supported OS: Windows 7 or Windows 10 (64 Bit)

The computer must be actively enrolled in SCCM on the WIN Domain and connected to MITnet via MIT Secure or Ethernet on campus.

Only this one task sequence is needed to deploy BIOS updates to all currently supported Lenovo computers listed below. The task sequence will only install the correct BIOS to the related model.

This task sequence is only set to work on Lenovo computers. If it gets deployed to a different vendor nothing will actually install. You may see an error message that the task sequence failed as the computer is not supported. If you have multiple vendors in your department you can exclude the non-Lenovo computers when deploying this task sequence to your collection.

If the task sequence is deployed to a Lenovo computer that is not currently supported for a BIOS upgrade, BitLocker will be suspended if enabled, the computer will restart, and BitLocker will be re-enabled if previously suspended. A BIOS update will not be completed since a BIOS file does not exist. Again these computers can be excluded from the collections you are deploying the task sequence to.

Lenovo Supported Models as of (May 3, 2018):

LAPTOPS

ThinkPad Models:

X1 Carbon 4th Generation - BIOS 1.36

X1 Carbon 5th Generation - BIOS 1.31

X1 Carbon 6th Generation - BIOS 1.15

X1 Yoga 1st Generation - BIOS 1.36

X1 Yoga 2nd Generation - BIOS 1.26

E460 - BIOS 1.33

P50 - BIOS 1.50

P70 - BIOS 2.23

P71 - BIOS 1.21

T550 - BIOS 1.20

T560 - BIOS 1.25

T570 - BIOS 1.32

T440 - BIOS 2.48

T440s - BIOS 2.48

T450 - BIOS 1.32

T450s - BIOS 1.32

T460s - BIOS 1.34

T470p - BIOS 1.22

T470s W10DG - BIOS 1.25

T470s - BIOS 1.25

W540 - BIOS 2.35

X250 - BIOS 1.31

X260 - BIOS 1.37

X270 - BIOS 1.30

Note: Additional models will be added as they become available from Lenovo.

Important Notes

The update requires a restart which will happen automatically (60 second countdown before restarting).

If your computers have a BIOS password set it will need to be cleared before deploying this task sequence. If a BIOS password is in place the task sequence will fail.

Best Practices for Laptops: Remove them from docks and ensure they are connected to a power supply before updating the BIOS.

BitLocker Considerations:

The task sequence will automatically suspend BitLocker when necessary and re-enable it after the BIOS update is successfully completed. It does not decrypt the drive; BitLocker is only temporarily suspended so the BIOS update can complete. This applies only to computers whose system drive is Drive C:. If your computer uses an encrypted system drive other than Drive C: and/or has additional encrypted volumes (i.e. data drives such as D:, E:, etc.), you will want to suspend BitLocker on all drives and update the BIOS on those computers manually rather than using this task sequence in SCCM.

Note on re-enabling BitLocker: Windows 10 computers will re-enable BitLocker automatically after restarting. On Windows 7 computers you may see a message to click a box to re-enable BitLocker upon first logging in after the BIOS update. You may click that box or once the computer reconnects to the SCCM client it will re-enable BitLocker automatically for you.

Computers which are not encrypted with BitLocker remain that way. The task sequence will not try to encrypt the drive. You may note some BitLocker errors in the log files on non-encrypted computers; these are expected and can be ignored. The task sequence is set to continue past these errors.

Log Files:

A log file is created during this process. It is located on the computer being updated under C:\Windows\CCM\Logs and is called smsts.log. It provides details on the Task Sequence in SCCM.

BIOS Downgrades:

Downgrading a BIOS to a lower version is not recommended. By default Lenovo computers will not allow a downgrade. If attempting to run the task sequence on a computer that has the same or a newer BIOS version the computer will restart, you will see a message that the BIOS is already applied, and BitLocker will be re-enabled if necessary.

Queries are available to check BIOS versions in SCCM to exclude already patched computers. You can also obtain the currently installed BIOS locally on the computer under System Information prior to installing through Software Center.
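
The checks described above (Lenovo hardware, BIOS password, BitLocker on volumes other than C:, AC power, and current versus target BIOS version) can be run locally before deployment. The script below is an added example, not part of the EPM task sequence. The model-name keys and the "(1.25 )" version-string format are assumptions to verify on your own hardware; the function name is hypothetical.

```powershell
# Added example: local pre-flight check before deploying the BIOS task sequence.
# Run elevated. Uses Get-WmiObject so it also works on PowerShell 2.0 (Windows 7).

# Target versions copied from the supported-model list on this page (subset).
# Keys are ASSUMED to match Win32_ComputerSystemProduct.Version on the device.
$TargetBios = @{
    'ThinkPad T470s' = '1.25'
    'ThinkPad X270'  = '1.30'
    'ThinkPad P50'   = '1.50'
}

function Test-LenovoBiosReadiness {
    param([hashtable]$Targets = $TargetBios)

    $cs    = Get-WmiObject Win32_ComputerSystem
    $model = (Get-WmiObject Win32_ComputerSystemProduct).Version
    $raw   = (Get-WmiObject Win32_BIOS).SMBIOSBIOSVersion

    # ASSUMPTION: the BIOS string ends with the version in parentheses, e.g. "(1.25 )".
    $current = if ($raw -match '\((\d+\.\d+)\s*\)') { [version]$Matches[1] } else { $null }
    $target  = if ($Targets.ContainsKey($model)) { [version]$Targets[$model] } else { $null }

    # Lenovo WMI provider: PasswordState 0 means no BIOS passwords are set.
    $pw = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosPasswordSettings `
            -ErrorAction SilentlyContinue

    # Volumes other than C: with BitLocker protection on (ProtectionStatus 1).
    $extra = @(Get-WmiObject -Namespace root\CIMV2\Security\MicrosoftVolumeEncryption `
                 -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
               Where-Object { $_.ProtectionStatus -eq 1 -and $_.DriveLetter -ne 'C:' })

    # BatteryStatus 2 or 6-9 = AC present; no battery object means a desktop.
    $bat  = @(Get-WmiObject Win32_Battery)
    $onAc = ($bat.Count -eq 0) -or
            (@($bat | Where-Object { 2,6,7,8,9 -contains $_.BatteryStatus }).Count -gt 0)

    New-Object PSObject -Property @{
        IsLenovo        = ($cs.Manufacturer -match '^LENOVO')
        Model           = $model
        CurrentBios     = $current
        TargetBios      = $target
        NeedsUpdate     = [bool]($current -and $target -and ($current -lt $target))
        BiosPasswordSet = [bool]($pw -and $pw.PasswordState -ne 0)
        ExtraBitLocker  = @($extra | ForEach-Object { $_.DriveLetter })
        OnAcPower       = $onAc
    }
}

Test-LenovoBiosReadiness | Format-List
```

A machine is a candidate for the task sequence when IsLenovo, NeedsUpdate and OnAcPower are True, BiosPasswordSet is False, and ExtraBitLocker is empty.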

Deploying the Task Sequence

It is highly recommended all files are backed up prior to updating the BIOS on any computer!

The task sequence is called EPM - Lenovo BIOS Update.
It is located under Software Library / Operating Systems / Task Sequences / MIT Task Sequences
To deploy to a collection click the Deploy button or right click the Task Sequence and select deploy.

The Task Sequence can be scheduled to run automatically at a specific date/time or it can be deployed as Available through Software Center. Deploying through Software Center is generally recommended for these types of updates.

If deployed to Software Center, a user will be able to install the BIOS update under Operating Systems and will be given a warning before installing.

After the computer logs out of the Operating System you will be presented with similar screens while the BIOS update completes:

IMPORTANT: As noted DO NOT turn off the computer during the update!

When completed it will note the update was successful and the computer will restart back to your normal Windows log in screen. BitLocker will be re-enabled if necessary and the task sequence is complete.

Known Issues

As with any BIOS update there can be new issues introduced. These can range from performance issues to system instability. It is best to test BIOS updates on a few select machines before deploying updates to entire collections.

Currently there are no reported known issues for the machines listed above.

Additional Resources

Related pages:

Should a system become unresponsive due to power loss etc. while trying to update the BIOS the following support link from Lenovo may offer some suggestions for recovery:

https://support.lenovo.com/us/en/

Meltdown and Spectre Detection and Remediation


IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

May 04, 2018
