This walk-through will cover deploying ThinkPad BIOS updates with Intune. These are provided as standalone executables so adding them as a Win32 app will involve converting them to the .intunewin format using the Win32 Content Prep Tool.
The SMBIOS Specification was updated again this year to add new enclosure type values that affect the IsDesktop, IsLaptop, and IsServer variables in MDT. These variables are populated by ZTIGather.wsf. To ensure your IsDesktop, IsLaptop, IsServer variables are accurate you should upgrade your MDT environment to version 8456.
Due to customer feedback, Lenovo is introducing a couple of new features focused on tracking updates. Traditionally, updates installed on the client were logged in the Updates_log(timestamp).txt.
Admittedly, parsing through the log to find out which updates were skipped, installed, or failed is not that easy. If you're deploying a task sequence to your Lenovo systems that runs Thin Installer, you can only see if Thin Installer runs or not. How do you tell which updates installed without logging into each system and checking the logs?
A new switch can now be added to your Thin Installer command line that will do the following upon execution:
There may be a need to run a report on your Think products to check which BIOS settings are enabled or disabled, or if there is even a BIOS supervisor password set.
This post will walk through creating a simple custom report in ConfigMgr that will display the following:
Now that your Windows 7 to 10 migration is complete, you may want to upgrade the TPM Spec version from 1.2 to 2.0 to take full advantage of Windows 10's security features, like Device Guard and Credential Guard.
This article will cover the TPM Firmware Switch Tool that was released to remedy affected ThinkCentres described in the LEN-15552 Security Advisory.
What follows is a brief look at what is possible and not necessarily recommended for everyone. Hopefully someone finds it useful.
Earlier at MMS this year (2017), a fantastic session on modern driver management in OS deployments was presented by Kim Oppalfens and Tom Degreef. This method and what it entails can be found here.
There are some definite advantages to pre-provisioning BitLocker. Pre-provisioning the disk will encrypt only used space, so when this step executes, the drive will be encrypted before the operating system has been laid down to the client, saving a ton of time.
The catch here is that in order for pre-provisioning to work, a TPM has to be present on the system AND enabled, as stated in the Pre-provision BitLocker step.
A new Task Sequence Variable, TSUEFIDrive, was introduced in Configuration Manager Current Branch version 1610. This variable will prepare the hard drive for transition to UEFI from legacy BIOS, in one task sequence. This is extremely helpful if you're migrating systems from Windows 7 to Windows 10 in a refresh scenario.
A detailed walk-through by the Microsoft team on how to configure your Task Sequence for use with this variable can be found here. We want to focus on step 5 from this guide: