ThinkPad

Lenovo BIOS Manipulation: Getting Pretty Data

I touched on this subject previously as I worked through a strategy to reconfigure our Lenovo machines from Legacy BIOS to UEFI.

Lenovo has different engineering teams for the various hardware they have and they’ve all taken different approaches to how they expose and allow you to manipulate the BIOS via WMI.  I really like what the ThinkCentre team did with the M900:  Not only do they allow you to view and set various BIOS options but they also let you see what the valid values are for said options!  It’s a thing of beauty and a stroke of genius.

I hope one day Lenovo gets the various teams together to take the best of the best and normalize the BIOS across the board.

Subtle.

I wrote a small PowerShell script to query the BIOS and display it in a manner I hope anyone will appreciate.  Although it works on ThinkPads, it really shines when executed from a recent ThinkCenter, like an M900, as it will also display the valid values for said BIOS option.

$tmpBIOSSetting = @()
$BIOSSetting = @()
gwmi -class Lenovo_BiosSetting -namespace root\wmi | % { if ($_.CurrentSetting -ne "") { $tmpBIOSSetting += $_.CurrentSetting } } 
Foreach($tmpBIOSSetting in $tmpBIOSSetting)
    {
        [string]$Setting = $tmpBIOSSetting.SubString(0,$($tmpBIOSSetting.IndexOf(',')))
        if($tmpBIOSSetting.IndexOf(';') -gt 0) { [string]$CurrentValue = $tmpBIOSSetting.SubString($($tmpBIOSSetting.IndexOf(',')+1),$tmpBIOSSetting.IndexOf(';')-$($tmpBIOSSetting.IndexOf(',')+1)) }
        else { [string]$CurrentValue = $tmpBIOSSetting.SubString($($tmpBIOSSetting.IndexOf(',')+1)) }

        if($tmpBIOSSetting.IndexOf(';') -gt 0) { [string]$OptionalValue = $tmpBIOSSetting.SubString($($tmpBIOSSetting.IndexOf(';')+1)) } 
        Else { [string]$OptionalValue = 'N/A' } 
        [string]$OptionalValue = $OptionalValue.Replace('[','').Replace(']','').Replace('Optional:','').Replace('Excluded from boot order:','')

        $BIOSSetting += [pscustomobject]@{Setting=$Setting;CurrentValue=$CurrentValue;OptionalValue=$OptionalValue;}
        Remove-Variable Setting,Currentvalue,OptionalValue 
    }

$BIOSSetting = $BIOSSetting | Sort-Object -Property Setting
$BIOSSetting

Reminder: This just displays the data and doesn’t actually set anything.  Stay tuned for a future post on that subject.

 

Good Providence!

Preparing for Windows 10: Switching to UEFI on Lenovo ThinkPad & ThinkCentre

think this has been talked about elsewhere but I don’t have the direct link/s(?) anymore so … sorry if you think I’m stealing thunder.

You know how people say “Oh I hate that” when they really don’t really hate it?  Well I truly abhor the idea of people doing things that could be automated.  I’m not trying to put people out of a job here!  But our time is expensive and better suited for more important tasks like putting out the occasional fire, providing excellent customer service and just contributing to IT being an agile and proactive entity in the organization.

As we prepare to pilot Windows 10, we need to go from Legacy BIOS to UEFI on our fleet of Lenovo workstations and, to help our teams on the ground make this transition as smooth as possible, I started exploring how to go about doing this.

When I initially looked at Lenovo hardware a handful of years ago now I learned that Lenovo provided some sample VBScripts to help configure the BIOS on various hardware.  I leveraged those scripts to enable TPM on our demo ThinkPads and ThinkCentres and set boot order.  Fortunately it was nothing but a bunch of WMI calls making it easy to manipulate in VBScript.  Now that I’m on the PowerShell boat, it’s even easier.  (That isn’t to say there aren’t challenges because there’s always a challenge!)

TL;DR

In its simplest form,  you can query the BIOS on a Lenovo via:

gwmi -class Lenovo_BiosSetting -namespace root\wmi | % { if ($_.CurrentSetting -ne "") { $_.CurrentSetting } }

And you can set a BIOS setting on a Lenovo via:

(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("$Setting,$Value")

At the moment, we have several models of machines in different families (ThinkPad, ThinkCentre and ThinkStation) spanning anywhere from 1 to 4 generations.  To further complicate things, each of those families, and the generations within, don’t necessarily have the same BIOS options or BIOS values which makes figuring things out a little tricky.

The good news is that once you figure out what needs to change it’s easy.
The bad news is that you have to figure out what needs to change, and that includes order of operations.

Bare Bones Config

I could be mistaken, but I do believe that the X240’s and T440’s and up share similar BIOS options which means if you get one working, you pretty much have them all working.  Still, once you think you have it sorted, I’d do a quick query to verify the settings and values match up across them all.

You’d be forgiven for thinking that you could enable UEFI  on a ThinkPad system via something like:

(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("Boot Mode","UEFI Only")
(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("Boot Priority","UEFI First")

Turns out those options are not exposed because, well, that would make sense so of course they’re not there.  Instead you have to enable ‘Secure Boot’ which flips those bits for you:

(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("SecureBoot","Enable")

Ok semi smart!  So you mosey on over to your ThinkCentre, like an M900, and try to do the same but that doesn’t work either.  Why would it – that would be too easy.

Reminds me of one of my favorite scenes in Groundhog Day.

As it turns out the ThinkCentre is the complete opposite of the ThinkPad:
You can set the ‘Boot Priority’ and ‘Boot Mode’ but you cannot set ‘Secure Boot’.

(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("Boot Mode","UEFI Only")
(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("Boot Priority","UEFI First")

*Le sigh*

It’s completely nonsensical but that’s what happens when you have siloed engineering teams working on different, but similar, products.

At the moment, I don’t have an answer for enabling Secure Boot on ThinkCentre’s but it will likely require using SRWIN or SRDOS, and I believe it may require human intervention whereas the WMI calls do not.  If I find a solution, you’ll be the second to know. 🙂

 

Good Providence!