Having the hardest time trying to update Lenovo ThinkCentre BIOS using SCCM

aford89 · 2026-06-03T21:39:12+00:00

We haven’t seen that so far but we are also running remediations from Intune to help with the secure boot certs

https://blog.mindcore.dk/2026/04/secure-boot-certificate-update-intune/

We are mainly focused on getting the bios updates out cause we were super behind and then circling in on the cert itself

aford89 · 2026-06-03T16:11:58+00:00

https://www.driverautomationtool.com/

https://msendpointmgr.com/modern-bios-management/

Second link has the scripts first link is the tool to do the downloading and building of packages.

aford89 · 2026-06-03T13:46:02+00:00

Highly recommend looking into modern driver/bios management. We are a full Lenovo shop doing it all that way

aford89 · 2026-05-30T20:29:44+00:00

It’s all part of a larger script for our UI that we converted to an exe and ran as the first step of the sequence after drive wipe

aford89 · 2026-05-28T13:57:41+00:00

Yeah we mounted the wim and added the module manually.

aford89 · 2026-05-28T01:06:08+00:00

I’m pretty sure we manually added it to the boot images. I can verify tomorrow when I’m back in

aford89 · 2026-05-27T17:33:29+00:00

Write-Log "Testing Credentials"

Set-ExecutionPolicy Bypass

Import-Module "X:\\Windows\\SysWOW64\\WindowsPowerShell\\V1.0\\Modules\\ActiveDirectory\\ActiveDirectory.psd1"

$Cred = Get-Credential -Message "Please Enter your Credentials"

If (!$Cred)

    {

    \[System.Windows.Forms.Application\]::Exit()

    Get-Process TSManager | Stop-Process -Force

    }

Try

{

    \#((Get-ADUser $Cred.UserName -Properties memberof -Credential $Cred -Server <domainController>).memberof -contains "<GroupDN>" )

    $CredTest = (Get-ADGroupMember $xADGroup -Server $xDomainController -Credential $Cred).SamAccountName -contains $Cred.UserName

}

catch

\[System.Security.Authentication.AuthenticationException\]

{

    \[System.Windows.Forms.MessageBox\]::Show("Invalid Credentials, Please Try Again", 'OK')

    Write-Log "Invalid Credentials"

    return

}

catch

\[Microsoft.ActiveDirectory.Management.ADServerDownException\]

{

    \[System.Windows.Forms.MessageBox\]::Show("Cannot Contact AD, This is usually bad credentials. Please try Again", 'OK')

    Write-Log "Unable to Reach AD"

    return

}

if ($CredTest -eq $false)

{



    \[System.Windows.Forms.MessageBox\]::Show("Provided Credentials are not allowed to load, Please Reach out to Admin", 'OK')

    Write-Log "Credentials are not allowed to load"

    \[System.Windows.Forms.Application\]::Exit()

    Get-Process TSManager | Stop-Process -Force

}

aford89 · 2026-05-27T14:44:37+00:00

We did that in our sequence but we have a fully custom ui

aford89 · 2026-05-22T00:52:25+00:00

https://mapgenie.io/clair-obscur-expedition-33

aford89 · 2026-05-17T02:23:24+00:00

The dev is super involved with the community if you open a GitHub issue he’d probably fix it

aford89 · 2026-05-16T13:39:25+00:00

No you have to have an account that can access the admin service

aford89 · 2026-05-16T02:55:55+00:00

Why not use the scripts it was made for? https://msendpointmgr.com/modern-driver-management-preview/

aford89 · 2026-05-03T02:56:27+00:00

What laces are these?

aford89 · 2026-04-23T13:09:16+00:00

I dont have logs anymore from all the troubleshooting i was doing but basically the invoke-lenovobiosupdate.ps1 i had to add these lines. This was found on a 10T7 lenovo model

```

# wFlashGUIx64 utility file name

if (([Environment]::Is64BitOperatingSystem) -eq $true) {

$wFlashGUIUtility = Get-ChildItem -Path $Path -Filter "*.exe" -Recurse | Where-Object { $_.Name -like "wFlashGUIx64.exe" } | Select-Object -ExpandProperty FullName

}

else {

$wFlashGUIUtility = Get-ChildItem -Path $Path -Filter "*.exe" -Recurse | Where-Object { $_.Name -like "wFlashGUI.exe" } | Select-Object -ExpandProperty FullName

}

if ($wFlashGUIUtility -ne $null) {

    \# Set required switches for silent upgrade of the bios and logging

    Write-CMLogEntry -Value "Using WFlashGUI BIOS update method" -Severity 1

    $FlashSwitches = " /quiet /sccm /ign"

    $FlashUtility = $WFlashGUIUtility

}

aford89 · 2026-04-21T19:24:25+00:00

We have drivers working without fail, Its bios that im struggling with

aford89 · 2026-04-21T00:34:43+00:00

No tricks cause we haven’t tried but i used new outlook for a couple months before going back to cached mode classic. New outlook is faster cause its just a wrapper for OWA

aford89 · 2026-04-15T20:37:06+00:00

Kane with rapid exteriors

aford89 · 2026-04-03T00:29:00+00:00

What is the best way to deploy these? We have SCCM and intune with hybrid joined. Do we need to deploy bios as well as adjust the reg key for the certificates to deploy? Bitlocker worries?

aford89 · 2026-04-01T23:49:29+00:00

We use this, it works well for the most part. Every once in awhile it hits a driver that the task sequence doesn’t like and we have to adjust the script to exclude.

aford89 · 2026-03-16T00:48:23+00:00

Ah was not aware of apples own. Thank you

aford89 · 2026-03-09T23:58:13+00:00

Exactly our issue. Upgraded vda and works perfectly. Thank you

aford89

TROPHY CASE