Keeping BIOS firmware up to date across your managed device fleet is one of those tasks that is easy to overlook but critically important. An outdated BIOS can introduce security vulnerabilities, hardware incompatibilities, and stability issues that are notoriously difficult to diagnose once machines are in production.
Microsoft Configuration Manager (ConfigMgr, formerly SCCM) gives IT administrators a powerful way to deploy BIOS updates at scale, targeting specific hardware models with WMI-based conditions so that only the correct package runs on the correct machine. This guide walks through the entire process for Lenovo ThinkPad devices — from downloading the BIOS package from Lenovo’s support site, through package creation, distribution point deployment, task sequence configuration, and final deployment. The same principles apply to other Lenovo models and can be adapted for Dell or HP hardware.
Before You Begin
- A working ConfigMgr environment with at least one Distribution Point
- Admin rights on the ConfigMgr console
- An existing BIOS Updates task sequence (or a new one to create)
- A network file share for storing package source files
- The exact Lenovo model name — use the Lenovo Recipe Card tool to confirm
Step 1: Download the BIOS Package
Begin by navigating to the Lenovo support site to obtain the latest BIOS update for your specific device model. It is essential that you download the correct package for the correct model, architecture (Intel or AMD), and platform.
1.1 Find Your Model on Lenovo Support
Go to https://pcsupport.lenovo.com and search for your device model number. Once on the model page, navigate to Drivers & Software, then click Manual Update > Select Drivers.
1.2 Select the BIOS/UEFI Driver Category
Filter the driver list by selecting the BIOS/UEFI category. You will see one or more BIOS Update Utility packages listed. Always download the most recent version, and make sure you are selecting the Windows-based update utility — not a bootable ISO or DOS-based flasher — as ConfigMgr deploys within the Windows environment.
1.3 Confirm Intel vs AMD
⚠️ Important: Lenovo produces both Intel and AMD variants of the same chassis model. These require different BIOS packages. Double-check whether your device uses an Intel or AMD motherboard before downloading — the product page will indicate this under the model description or specifications.
Step 2: Extract the BIOS Files
Run the downloaded executable. When prompted, choose the Extract option rather than Install. This unpacks the BIOS update files to a folder of your choice without flashing the local machine.
Copy the extracted files to your designated package source location on your file server. Use a structured folder naming convention, for example:
\\[Server]\SCCMSources\OSD\BIOS\Lenovo\[Model]\[Version]\
Replace the placeholders with values appropriate to your environment. Using version-named subfolders makes it straightforward to maintain multiple BIOS versions side by side when newer firmware is released, and gives you a clean rollback path if needed.
💡 Tip: Keep each BIOS version in its own versioned subfolder. This lets you quickly roll back without needing to re-download from Lenovo.
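Before the extracted folder becomes package source, confirm that the download is what Lenovo published and that the files on the share have not been altered. The PowerShell below is an added example, not part of the original guide or a Lenovo tool. The function name and all parameter values are hypothetical, and it assumes the download page lists a SHA-256 checksum for the installer and that the executables in the package are Authenticode-signed.

```powershell
# Added example. Parameter values are supplied by you; nothing here is a real hash or path.
function Test-BiosPackageSource {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,   # the executable downloaded in Step 1
        [Parameter(Mandatory)] [string] $ExpectedSha256,  # checksum copied from the download page
        [Parameter(Mandatory)] [string] $SourcePath       # extracted package source from Step 2
    )

    # 1. The download must match the published checksum (-ne ignores case).
    $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        throw "SHA-256 mismatch for $InstallerPath (got $actual)"
    }

    # 2. Assumption: executables in the package are Authenticode-signed.
    #    Anything that is not 'Valid' is reported and blocks the import.
    $files = Get-ChildItem -LiteralPath $SourcePath -Recurse -File
    $bad = foreach ($exe in ($files | Where-Object Extension -eq '.exe')) {
        $sig = Get-AuthenticodeSignature -LiteralPath $exe.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ File = $exe.FullName; Status = $sig.Status }
        } else {
            Write-Host "$($exe.Name): signed by $($sig.SignerCertificate.Subject)"
        }
    }
    if ($bad) {
        $bad | ForEach-Object { Write-Warning "$($_.File): $($_.Status)" }
        throw "Unsigned or tampered executables found in $SourcePath"
    }

    # 3. Emit a per-file hash manifest. Store it outside the share and compare
    #    against it before each content update to spot changed source files.
    $files | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path
}

# Usage (all values are placeholders):
# Test-BiosPackageSource -InstallerPath 'C:\Temp\<installer>.exe' `
#     -ExpectedSha256 '<value from the download page>' `
#     -SourcePath '\\<server>\SCCMSources\OSD\BIOS\Lenovo\<model>\<version>' |
#     Export-Csv 'C:\Secure\bios-manifest.csv' -NoTypeInformation
```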
Step 3: Create the ConfigMgr Package
In the ConfigMgr console, navigate to Software Library > Application Management > Packages and create a new package.
3.1 Package Settings
Configure the package with the following settings:
- Name: Something descriptive, e.g. BIOS Update - Lenovo ThinkPad [Model] - v[Version]
- Description: Include the model, architecture, and BIOS version for easy identification later
- Manufacturer: Lenovo
- Version: The BIOS version number (match the folder name)
- Source folder: The UNC path to the extracted files from Step 2
3.2 Program Settings
When the wizard reaches the Program page, select the radio button for Do not create a program. Because we are deploying this through a Task Sequence step rather than as a standalone program, no program definition is needed. Click through the remaining wizard pages and finish to create the package.
Step 4: Distribute the Package
Right-click the newly created package in the console and select Distribute Content. Add the Distribution Points or Distribution Point Groups that serve the machines you intend to target.
Wait for replication to complete before proceeding. You can monitor distribution status under Monitoring > Distribution Status > Content Status.
Step 5: Configure the Task Sequence
With the package distributed, open your BIOS Updates task sequence in the Task Sequence Editor. If you have an existing step for a previous Lenovo model, duplicate it and modify it for the new package.
5.1 Duplicate an Existing Step
Right-click an existing BIOS update step in the task sequence and select Copy. Right-click elsewhere in the sequence and choose Paste. This creates a duplicate you can edit without affecting the original.
5.2 Update the Step Properties
Click on the new step and update the following:
- Name: Reflect the new model and BIOS version
- Package: Click Browse and select the new package from Step 3
- Command line: Leave the existing command as-is. For Lenovo ThinkPad devices the standard silent install command is:
WINUPTP64.EXE -s
This runs the BIOS update silently without requiring user interaction. On older models you may see winuptp.exe (32-bit) — use whichever executable is present in your extracted BIOS package folder.
💡 Best Practice: Do not use the -r reboot parameter. Allow the task sequence to control the reboot rather than the BIOS installer — this ensures the TS resumes correctly after the restart.
5.3 Set the WMI Condition
Click the Options tab on the step. You will see existing WMI query conditions — these ensure the step only runs on the matching hardware model. Click on the existing WMI query and edit it.
To generate the exact WMI query string for your model, use Lenovo’s Recipe Card tool:
👉 https://download.lenovo.com/cdrt/ddrc/RecipeCardWeb.html
Select your exact model from the list. The tool generates a complete WMI query tailored to that device. Copy and paste it into the task sequence condition, replacing the previous model query. A typical query looks like this:
SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE "%ThinkPad T15p Gen 2%"
⚠️ Note: Always use the Recipe Card tool to generate the exact query for your model. Lenovo WMI version strings can vary between production batches, and a manually typed query may not match correctly.
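A condition can be checked on a pilot device before it goes into the task sequence. The PowerShell below is an added example, not from the original guide. It evaluates each step's WQL query in root\cimv2 and reports whether none, exactly one, or several BIOS steps would run on this machine. The function name, the step names, and the second, deliberately broad query are constructed for illustration.

```powershell
# Added example. The second entry is a constructed, deliberately broad pattern
# that shows the overlap case; replace the map with your own Recipe Card queries.
$wql = 'SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE "{0}"'
$StepQueries = [ordered]@{
    'BIOS - ThinkPad T15p Gen 2'                    = $wql -f '%ThinkPad T15p Gen 2%'
    'BIOS - ThinkPad T15p (constructed, too broad)' = $wql -f '%ThinkPad T15p%'
}

function Test-BiosStepCondition {
    param([Parameter(Mandatory)] [System.Collections.IDictionary] $Queries)

    # Show the raw strings the conditions are compared against.
    $p = Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_ComputerSystemProduct
    Write-Host "Vendor='$($p.Vendor)' Name='$($p.Name)' Version='$($p.Version)'"

    # A step runs when its query returns at least one instance.
    $hits = @(foreach ($step in $Queries.Keys) {
        if (Get-CimInstance -Namespace 'root\cimv2' -Query $Queries[$step]) { $step }
    })

    $verdict = switch ($hits.Count) {
        0       { 'NoMatch: every BIOS step is skipped and the device keeps its old firmware' }
        1       { 'OK: exactly one BIOS step would run' }
        default { 'Overlap: more than one BIOS step would run; tighten the LIKE patterns' }
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        MatchingSteps = $hits
        Verdict       = $verdict
    }
}

Test-BiosStepCondition -Queries $StepQueries | Format-List
```

On a T15p Gen 2 both sample queries match, which is the overlap a loose `LIKE` pattern produces once several model steps share one task sequence.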
Step 6: Deploy the Task Sequence
Once satisfied that the task sequence step is correctly configured, deploy the task sequence to the relevant ConfigMgr collection. Set the deployment purpose to Required to ensure the update is applied automatically without end-user interaction.
Target a collection scoped to the device model in question — ideally a query-based collection that uses WMI to include only devices matching the Lenovo model. The task sequence will only run the BIOS update step on machines where the WMI condition is satisfied, providing an additional safety net even if the collection scope is broader than expected.
⚠️ BitLocker Warning: On machines with BitLocker enabled, a BIOS update can trigger a BitLocker recovery event on the next boot if TPM PCR values change. Add a Suspend BitLocker step before the BIOS update step, and a Resume BitLocker step after it. This is standard practice for enterprise BIOS deployments.
Helpful Videos
The following videos provide useful walkthroughs to complement this guide.
Deploy Hardware Updates (BIOS, Drivers) via SCCM Third-Party Catalog
This video from Prajwal Desai covers deploying hardware updates — including BIOS — for Lenovo, HP, and Dell devices using SCCM’s built-in third-party software update catalog. A solid watch if you want to explore an alternative catalog-based approach alongside the package/task sequence method in this guide.
VSMUG: Best Practices for Dell, HP, and Lenovo Drivers in SCCM
A detailed session from the Virtual Systems Management User Group covering best practices for managing drivers and firmware — including BIOS — across major hardware vendors in ConfigMgr. Covers the third-party catalog, version management, and targeting by model.
Do I need a BIOS supervisor password to deploy updates via SCCM?
Not for standard firmware flashing using the Windows-based BIOS Update Utility (WINUPTP64.EXE). A supervisor password is only required if you are using WMI to change BIOS settings rather than flash firmware. If a supervisor password is set and the Require Admin Password when Flashing BIOS option is enabled, you will need to pass it using the /pass:nnnnnn parameter.
Can I skip BIOS versions, or do I need to flash each one in order?
For most Lenovo ThinkPad devices you can flash directly to the latest version from any older version. The update utility includes internal version checks and will alert you if a prerequisite BIOS version is required before flashing. Always check the Lenovo release notes for the specific model before deploying at scale.
What happens if the wrong BIOS package runs on a machine?
This is precisely why WMI conditions on the task sequence step are critical. If configured correctly, the step will simply be skipped on non-matching hardware. Attempting to flash a BIOS package on incompatible hardware could result in a failed update or, in the worst cases, hardware issues. Always test with a pilot collection before broad deployment.
Can I include the BIOS update during OSD (Operating System Deployment)?
Yes. BIOS updates can be included in OSD task sequences. The recommended practice is to run the BIOS update step early in the task sequence, ideally in WinPE before disk partitioning. On some Lenovo models, running the BIOS update after disk partitioning but before OS installation causes the second phase of a two-phase BIOS flash to be skipped, resulting in the BIOS not being updated.
How do I verify the BIOS version after deployment?
Check the BIOS version from within Windows using: wmic bios get smbiosbiosversion. You can also query the ConfigMgr database using the SMS_G_System_PC_BIOS table or create a hardware inventory report in SSRS scoped to the device collection.
Does a BIOS update via SCCM trigger BitLocker recovery?
It can, if TPM PCR measurements change during the update. To prevent this, add a Suspend BitLocker step before the BIOS update step in the task sequence and a Resume BitLocker step after it. Do not skip this if BitLocker is enabled across your fleet.
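The two answers above, on verifying the BIOS version and on suspending BitLocker around the update, can be checked together on a client after deployment. The PowerShell below is an added example, not from the original guide. The function name and the expected-version parameter are hypothetical, and it assumes an elevated session with the BitLocker module available.

```powershell
# Added example. Run elevated on a client after the deployment; -ExpectedBiosVersion
# is a value you take from the Lenovo release notes for the package you deployed.
function Get-BiosUpdateState {
    param([Parameter(Mandatory)] [string] $ExpectedBiosVersion)

    $bios = Get-CimInstance -ClassName Win32_BIOS   # same property the wmic command reads
    $vol  = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Substring match tolerates extra text around the version in the reported string.
    $pattern = '*' + [WildcardPattern]::Escape($ExpectedBiosVersion) + '*'
    $biosOk  = $bios.SMBIOSBIOSVersion -like $pattern

    # An encrypted volume with protection Off is still suspended: the Resume
    # BitLocker step did not run, or the task sequence failed before reaching it.
    $encrypted = $vol.VolumeStatus -ne 'FullyDecrypted'
    $suspended = $encrypted -and ($vol.ProtectionStatus -ne 'On')

    $state = if (-not $biosOk) {
        'BiosNotUpdated'
    } elseif ($suspended) {
        'BitLockerStillSuspended'
    } else {
        'Compliant'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        BiosVersion      = $bios.SMBIOSBIOSVersion
        BiosReleaseDate  = $bios.ReleaseDate
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        State            = $state
    }
}

# Usage (placeholder value):
# Get-BiosUpdateState -ExpectedBiosVersion '<version from release notes>'
```

A device that reports `BitLockerStillSuspended` has its volume key exposed in the clear until protection is resumed, so treat that state as a finding rather than a cosmetic mismatch.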
What is the Lenovo Recipe Card tool?
The Recipe Card is a web-based utility from Lenovo at download.lenovo.com/cdrt/ddrc/RecipeCardWeb.html that generates the exact WMI query needed to identify a specific Lenovo model in a ConfigMgr task sequence. Using this tool avoids errors from manually constructing WMI strings.
Can this same process be used for HP or Dell devices?
The overall approach is identical: download the vendor BIOS, create a package, distribute it, and add a task sequence step with a WMI model condition. However, the download locations, executable names, command-line switches, and WMI query structure differ by vendor. Dell and HP both publish their own BIOS deployment documentation and tooling.
Glossary
BIOS
Basic Input/Output System. The firmware interface between a computer’s hardware and its operating system, responsible for hardware initialisation and the boot process. Modern systems use UEFI but the term BIOS remains widely used.
UEFI
Unified Extensible Firmware Interface. The modern successor to traditional BIOS, supporting Secure Boot, GPT disk support, and faster boot times.
ConfigMgr / SCCM
Microsoft Configuration Manager (formerly System Center Configuration Manager). An enterprise endpoint management platform used to deploy software, operating systems, updates, and configurations across managed Windows devices.
Task Sequence
A series of ordered steps defined in ConfigMgr that automate complex deployment processes such as OS imaging, driver installation, and firmware updates.
Package
A ConfigMgr object containing source files (executables, scripts, configuration files). Used for distributing content to managed devices via task sequences or direct deployment.
Distribution Point (DP)
A ConfigMgr site system role that stores and serves content to client machines. Packages must be distributed to one or more DPs before they can be deployed.
WMI
Windows Management Instrumentation. A Windows infrastructure for querying hardware and software configuration on local or remote machines.
WMI Condition
A query written in WMI Query Language (WQL) used as a condition on task sequence steps or ConfigMgr collections to target specific hardware models or configurations.
Collection
A grouping of ConfigMgr-managed resources (devices or users). Collections can be static or query-based. Deployments are targeted to collections.
BitLocker
Microsoft’s built-in full disk encryption for Windows. BIOS updates can affect TPM measurements and may trigger BitLocker recovery if not handled correctly during deployment.
TPM
Trusted Platform Module. A hardware security chip that stores cryptographic keys used by BitLocker and Secure Boot. BIOS changes can alter TPM PCR values, affecting BitLocker unlock behaviour.
OSD
Operating System Deployment. The process of deploying a Windows image to a device using ConfigMgr task sequences.
Lenovo Recipe Card
A Lenovo web tool that generates WMI query strings for specific ThinkPad models, used to accurately target BIOS update task sequence steps to the correct hardware.
WINUPTP64.EXE
The 64-bit Lenovo BIOS Update Utility executable included in extracted ThinkPad BIOS packages. The -s switch runs it silently without user interaction.

