Proactive Remediation script: Automatically update Lenovo BIOS to the latest version directly from Lenovo website

In this post I will show you how to use an Endpoint Analytics Proactive Remediation script to detect whether a new BIOS version is available and, if so, install it.


- You have Lenovo devices

- Devices are enrolled in Intune

- You want to update BIOS

- You want to automatically update

- You want an automated way

The solution

Detection script

The detection works as below:

- Check current model

- Get current BIOS version

- Check the latest BIOS version available for this model on the Lenovo website


- If yes: check the release date and compare it to the current date.

- If release date is older than 180 days, it will download the BIOS update.

- The BIOS update will be downloaded in temp folder.

You can change the delay of 180 days in the variable $BIOS_Delay_Days from the detection script.

Of course you can also skip this and choose to always install the latest version.
For instance, for my device, a T480s, it will get the latest version as below:

There is no need to specify a URL for your device: the script looks up the BIOS for your computer's MTM or family name.

Remediation script

If a new version is available, it will proceed as below:

1. Download the BIOS EXE

2. Extract the BIOS update EXE

3. Suspend BitLocker until next reboot

4. Warn the user for the update

5. Install the BIOS update

6. Reboot the device
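
Before step 2 runs anything, the downloaded package can be checked, and step 3 can be limited to a single restart. The following is an added example, not the author's remediation script; the function name Test-BiosPackageTrust, the file name and the publisher match are assumptions.

```powershell
# Added example; function name, file name and publisher match are assumptions.
function Test-BiosPackageTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisher = 'Lenovo'   # assumed signer name to look for
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Package not found: $Path"
        return $false
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # 'Valid' = file content matches the signature and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)'"
        return $false
    }
    # A valid signature from someone else is still the wrong package.
    # Pinning the subject or thumbprint of a known-good package is stricter.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch ([regex]::Escape($ExpectedPublisher))) {
        Write-Warning "Unexpected signer: $subject"
        return $false
    }
    return $true
}

# Placeholder file name; the page only says the download lands in the temp folder.
$BiosExe = Join-Path $env:TEMP 'bios_update.exe'

if (-not (Test-BiosPackageTrust -Path $BiosExe)) {
    Write-Output 'BIOS package failed the signature check, nothing was installed'
    exit 1   # non-zero exit reports the remediation as failed
}

# Step 3: suspend only if protection is on, and only for one restart, so
# BitLocker resumes by itself after the reboot that applies the update.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
}
Write-Output 'Package verified and BitLocker suspended for one restart'
```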

Use this solution at your own risk 😁
Indeed, a BIOS update may have an impact on your system.

Get the script

Click on the below GitHub picture to get both detection and remediation scripts.


For the detection script we will use a specific assembly that helps us extract content from the Lenovo website.

You can find it in the download folder. We will upload it to a blob storage.

Add path in variable: $LZ4_DLL

User warning

I created a specific warning for the user.

See below an overview of this warning:

In my case I upload the ZIP to a blob storage.

Add path in variable: $BIOS_Warning_URL

Create dynamic group

In this part, we will create a group to gather all our Lenovo devices.

1. Go to the Microsoft Endpoint Manager admin center

2. Go to Groups

3. Click on New group

4. Select Security as Group type

5. Type a name, like Lenovo devices

6. In Membership type, select Dynamic devices

7. Click on Add dynamic query

8. Click on Edit and type below line:

(device.deviceManufacturer -contains "Lenovo")

9. Click on Save

10. Click on Create

Create the remediation package

1. Go to the Microsoft Endpoint Manager admin center

2. Go to Reports

3. Go to Endpoint analytics

4. Go to Proactive remediations

5. Click on Create script package

6. Type a name, in our case Update Lenovo BIOS

7. Click on Next

8. Click on Detection script file

9. Choose: Lenovo_BIOS_AutoUpdate_Detection.ps1

10. Click on Remediation script file

11. Choose: Lenovo_BIOS_AutoUpdate_Remediation.ps1

12. Click on Next

13. Select the group Lenovo devices

14. In the Schedule part, choose when the package should be run.

15. In our case we will run it every 3 hours (for our test)

16. Click on Apply

17. Click on Next

18. Click on Create

Driver Downloader tool

A big shout-out to my buddy Kevin for his Driver Downloader tool.

You can find the tool there; see below an overview:


2 comments

Anonymous said…

Hello, thanks for this work!

In the .zip package I can't find the LZ4.dll file.

Can you reupload it?

Damien Van Robaeys said…

You're right.
I just uploaded it
