The solution provides general information about deploying BIOS updates using Lenovo Patch.
General BIOS Update Information
BIOS updates, when applied are executed in 2 stages. The first stage is in Windows, when the update is loaded into the BIOS inbox and a flag is set to execute the second stage on the next boot. The second stage executes, applying the BIOS update and, if applicable, EC Firmware. Lenovo BIOS updates provided via Lenovo Patch are designed to suppress reboots. BIOS updates rely on Configuration Manager settings or your end users to initiate system reboots.
Supervisor Passwords
If the Supervisor password is set, the BIOS can still be updated without requiring the password to be entered if default settings are used. In the following two cases, the BIOS Supervisor password will be required, which will prevent the update from working through Lenovo Patch.
1. ThinkPad laptops – in the BIOS, under Security, is the Flash BIOS Updating by End-Users. If this setting is set to Disabled AND a Supervisor password IS set, Lenovo Patch and Configuration Manager cannot update the BIOS.
2. ThinkCentre desktops – in the BIOS, under Security, is the Require Admin Password when flashing. If this setting is set to Yes AND a Supervisor password IS set, Lenovo Patch and Configuration Manager cannot update the BIOS.
Since the BIOS Updates are required to execute silently, there is no mechanism to securely pass in the password.
Additional Setting That Prevents BIOS Update
A setting in the BIOS can prevent a BIOS update from executing. In both ThinkPad and ThinkCentre BIOS, under Security, is the Windows UEFI Firmware Update setting. If this setting is Disabled, Configuration Manager cannot update the BIOS. This setting enables or disables the ability to update the BIOS through Windows, which is where Configuration Manager initiates the BIOS update.