Update BIOS Using PowerShell and SCCM


This is a quick and dirty script for PSADT (http://psappdeploytoolkit.com/) to deploy BIOS updates relating to Intel’s Meltdown/Spectre vulnerability.

PSADT is designed to be used in SCCM deployments, however, it is agnostic enough that it should be able to be used with any software management solution such as PDQ Deploy.

Main drivers in this script:

  • Get-WmiObject Win32_ComputerSystem
  • Get-WmiObject Win32_BIOS

Using a Lenovo M900 as an example:

PS C:\_PUBLIC_REPO> Get-WmiObject Win32_ComputerSystem

Domain              : XXXXXXXXX
Manufacturer        : LENOVO
Model               : 10FM0026US
Name                : XXXXXXXXX
PrimaryOwnerName    : ACME
TotalPhysicalMemory : 8478724096

PS C:\_PUBLIC_REPO> Get-WmiObject Win32_BIOS

Manufacturer      : LENOVO
Name              : FWKT86A  
SerialNumber      : XXXXXXX
Version           : LENOVO - 1860

Stepping through the code:

$FirmwareUpdateRan = 'FALSE'

Set initial status of $FirmwareUpdateRan to FALSE

$ComputerModel = (Get-WmiObject Win32_ComputerSystem).Model

Set $ComputerModel to 10FM0026US as given for the M900 example above.

$BIOSVersion = (Get-WmiObject Win32_BIOS).Name

Set $BIOSVersion to FWKT86A as given for the M900 example above.

if (($ComputerModel -eq '10FM0026US') -and ($FirmwareUpdateRan -eq 'FALSE') -and ($BIOSVersion -lt 'FWKT86A'))

Once we run one at least one block of firmware update code, $FirmwareUpdateRan will be set to TRUE. Setting this flag will prevent the restart prompt later on if we didn’t run any update code. $BIOSVersion should compared against the version of the BIOS you want to update to. Easiest way of getting this is just running Get-WmiObject Win32_BIOS on the test computer after you run the current BIOS update.

{ $Response = Show-InstallationPrompt -Message 'Executing BIOS update...please close all apps' -ButtonRightText 
'Cancel' -ButtonLeftText 'Continue' -Timeout 600
if ($Response -eq 'Cancel') { exit 12345 }

Show a prompt to end user. The majority of the BIOS updates will force a reboot right away without any warning, thus we display a message to the end user and allow them to cancel it.

New-Item -Path HKLM:SOFTWARE -Name ACMEDesktop -Force
Set-ItemProperty -Path HKLM:SOFTWARE\ACMEDesktop -Name MeltdownFirmwareFix -Value "Yes" -Type String

This is useful for satisfying the detection rule for SCCM. There’s no clean way of determining whether there is a failure of the BIOS update, other than running a compliancy report in your software/hardware inventory reporting tool to make sure the update happened.

set-location $dirfiles\M900

Lenovo’s flash utility doesn’t accept absolute paths: we have to run it from the current directory, so we use set-location to force the location folder.

start-process flash.cmd -ArgumentList '/quiet' -Wait -PassThru

Run the BIOS update

Show-InstallationRestartPrompt -Countdownseconds 600 -CountdownNoHideSeconds 60

This is only shown if the BIOS update didn’t force a reboot. Currently, I only found the T460S and Yoga S1 laptops do not force a reboot. Since reboot isn’t forced, we force one with a 10 minute countdown.

Suspend-BitLocker -MountPoint C: -RebootCount 1 -Confirm:$false

Suspends BitLocker for one reboot, otherwise laptop will go into recovery mode. Note this command is supported for Windows 8 and later only. For Windows 7 you will need to use manage-bde: Manage-bde.exe –protectors –disable c:. I didn’t see any -rc option, so you will need to do something such as a scheduled task to turn it back on.

  • Soli Deo Gloria

5 Replies to “Update BIOS Using PowerShell and SCCM”

  1. Awesome post, Adam! Nice automation! This will be very nice to update machines with this latest vulnerability that requires us to upgrade every machine.

    In addition, for OSD, I’m a Dell shop and aside from a couple of personal customization’s I use Gary Blok and Mark Godfrey’s solution to automatically update the Dell BIOS during the TS as well:


    Every machine built will automatically be updated to the latest stable BIOS revision available during deployment.

  2. Hello admin,
    This is wonderful, thank you.
    I want to ask you is there a way to update bios silently without asking anything? So I don’t have to go to each computer and press continue to update.
    As I see my computers have BIOS version 1.5 and I have downloaded the update for Lenovo to 1.9E on a stick and was using that (manual update on each pc which takes forever), this bios update will automatically pull the latest one available or do I have to create a path on the server where I have this update saved and deploy it by specifying where the packages are?
    If you have time to read this and reply, can I please ask to email me the answers?
    Thank you again for this automation and for the effort you put into this.

    1. You will need to download the BIOS updates (exe) every time there is an update from the manufacturer. Ideally, you don’t update BIOS firmware unless there is a very good reason to. If you don’t have SCCM, you can try the free version of PDQDeploy which essentially is a poor man’s SCCM. It basically installs a service remotely and then uses that service to install the software and then removes the service when it’s done.

      1. In terms of an installation prompt: it’s already running silently. Just comment out the line Show-InstallationRestartPrompt -Countdownseconds 600 -CountdownNoHideSeconds 60. Be very, very careful though. You don’t want to apply a BIOS update when a user is shutting their computer down.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.