This page provides general information about deploying BIOS updates using Lenovo Patch.
General BIOS Update Information
BIOS updates are applied in two phases. The first phase runs in Windows: the update is loaded into the BIOS Inbox and a flag is set to execute the second phase on the next boot. The second phase then executes, applying the BIOS update and, if applicable, the EC firmware. Updates provided via Lenovo Patch are designed to suppress reboots, so BIOS updates rely on Configuration Manager settings or your end users to initiate system reboots.
If a Supervisor password is set, the BIOS can still be updated without the password being entered, provided default settings are used. In the following two cases the BIOS password is required, which prevents the update from working through Lenovo Patch.
1. ThinkPad laptops – in the BIOS, under Security, is the Flash BIOS Updating by End-Users setting. If this setting is set to Disabled AND a Supervisor password IS set, Lenovo Patch and Configuration Manager cannot update the BIOS.
2. ThinkCentre desktops – in the BIOS, under Security, is the Require Admin Password when flashing setting. If this setting is set to Yes AND a Supervisor password IS set, Lenovo Patch and Configuration Manager cannot update the BIOS.
Because BIOS updates are required to execute silently, there is no mechanism to securely pass in the password.
Additional Setting That Prevents BIOS Update
A setting in the BIOS can prevent a BIOS update from executing. In both ThinkPad and ThinkCentre BIOS, under Security, is the Windows UEFI Firmware Update setting. If this setting is Disabled, Configuration Manager cannot update the BIOS. This setting enables or disables the ability to update the BIOS through Windows, which is where Configuration Manager initiates the BIOS update.
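A pre-flight check for the two Supervisor-password cases and the Windows UEFI Firmware Update setting described above, as an added example that is not part of Lenovo's documentation or tooling. Assumptions: the device exposes the Lenovo WMI classes Lenovo_BiosSetting and Lenovo_BiosPasswordSettings in root\wmi, setting names and values vary by model (so they are matched by pattern), and the value 2 bit of PasswordState indicates a Supervisor password. The function name Get-BiosUpdateBlocker is hypothetical.

```powershell
# Added example. Setting names/values differ by model; the patterns below are assumptions.
function Get-BiosUpdateBlocker {
    param(
        [string[]]$CurrentSetting,      # "Name,Value" strings as returned by Lenovo_BiosSetting
        [bool]$SupervisorPasswordSet
    )
    # Normalise names, e.g. "Flash BIOS Updating by End-Users" -> "flashbiosupdatingbyendusers"
    $map = @{}
    foreach ($line in $CurrentSetting) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # Drop any ";[Optional:...]" suffix, then split the name from the value
        $name, $value = ($line -split ';')[0] -split ',', 2
        $map[($name -replace '[^A-Za-z]', '').ToLower()] = "$value".Trim()
    }
    $blockers = @()
    foreach ($key in $map.Keys) {
        $value = $map[$key]
        # Case 1 (ThinkPad): end-user flashing disabled while a Supervisor password is set
        if ($key -match 'updat\w*byendusers' -and $value -match '^Disable' -and $SupervisorPasswordSet) {
            $blockers += 'Flash BIOS Updating by End-Users is Disabled and a Supervisor password is set'
        }
        # Case 2 (ThinkCentre): admin password required for flashing while one is set
        if ($key -match 'require\w*flashing' -and $value -match '^(Yes|Enable)' -and $SupervisorPasswordSet) {
            $blockers += 'Require Admin Password when flashing is Yes and a Supervisor password is set'
        }
        # Independent of any password: firmware update from Windows switched off
        if ($key -match 'windowsuefifirmwareupdate' -and $value -match '^Disable') {
            $blockers += 'Windows UEFI Firmware Update is Disabled'
        }
    }
    $blockers
}

# Constructed sample input (not read from a real machine).
$sample = @(
    'BIOSUpdateByEndUsers,Disable',
    'WindowsUEFIFirmwareUpdate,Enable'
)
$found = @(Get-BiosUpdateBlocker -CurrentSetting $sample -SupervisorPasswordSet $true)
if ($found.Count) { $found | ForEach-Object { "BLOCKED: $_" } } else { 'No blocking settings found' }

# On a Lenovo device, feed in the live values instead (run elevated).
# Assumption: the value 2 bit of PasswordState means a Supervisor password is set.
# $live  = (Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting).CurrentSetting
# $state = (Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosPasswordSettings).PasswordState
# Get-BiosUpdateBlocker -CurrentSetting $live -SupervisorPasswordSet ([bool]($state -band 2))
```

Running a check like this as a Configuration Manager compliance script before targeting a collection identifies devices where the silent update would fail, so they can be handled separately.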