Manage Lenovo BIOS settings with Proactive Remediations
In this post I will show you how to apply BIOS settings on Lenovo devices using the Proactive Remediation part of the Endpoint Manager portal.
Context
- You have multiple Lenovo devices
- You have a CSV file containing some settings to set
- You want to apply settings from the CSV on your devices
- You want an automated way to do this
- You want a solution that will be executed each time it finds a difference
My previous post shows how to do this with the Device configuration profile > PowerShell script part.
In my next posts I will do the same for HP and Dell.
CSV file
See below an overview of my CSV file.
Prerequisites
In my case I uploaded the BIOS settings file to a blob storage.
You can set the path of your CSV in the variable $CSV_URL in the detection script.
If you have a BIOS password, store it as a secure string in a file using the code below:
Then upload the file to the blob storage.
The path is located in the variable $PWD_File_URL.
The script
You can find both scripts for detection and remediation by clicking on the GitHub picture below.
- Lenovo_BIOS_Settings_Detection.ps1
- Lenovo_BIOS_Settings_Remediation.ps1
How does it work?
A Proactive Remediation is made up of two scripts:
- Detection script
- Remediation script
The Detection script checks whether the settings are compliant.
It must return one of the exit codes below:
- If there is at least one wrong setting: 1
- If there is no wrong setting: 0
If the Detection script exits with code 1, the Remediation script will be executed.
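The detection logic and exit codes described above, as an added example (this is not the author's Lenovo_BIOS_Settings_Detection.ps1). It assumes the CSV has two columns named Setting and Value, uses a placeholder blob URL, and reads the current values from Lenovo's Lenovo_BiosSetting WMI class in root\wmi.

```powershell
# Added example; not the author's Lenovo_BIOS_Settings_Detection.ps1.
# Assumptions: placeholder URL, CSV columns named "Setting" and "Value".
$CSV_URL  = "https://<storage-account>.blob.core.windows.net/<container>/BIOS_Settings.csv"
$CSV_File = Join-Path $env:TEMP "BIOS_Settings.csv"

function Get-WrongSettings {
    param([object[]] $Desired, [string[]] $Current)
    # Build a name -> value map from the "Name,Value" strings the firmware reports.
    $Map = @{}
    foreach ($Line in $Current) {
        if ([string]::IsNullOrWhiteSpace($Line)) { continue }
        # Some models append ";[Optional:...]" after the value; drop it.
        $Name, $Value = ($Line -split ';')[0] -split ',', 2
        $Map[$Name.Trim()] = "$Value".Trim()
    }
    foreach ($Row in $Desired) {
        $Name = $Row.Setting.Trim()
        if (-not $Map.ContainsKey($Name)) {
            # A setting this model does not expose is reported, not silently passed.
            [pscustomobject]@{ Setting = $Name; Expected = $Row.Value; Actual = "<not present>" }
        }
        elseif ($Map[$Name] -ne $Row.Value.Trim()) {
            [pscustomobject]@{ Setting = $Name; Expected = $Row.Value; Actual = $Map[$Name] }
        }
    }
}

try {
    Invoke-WebRequest -Uri $CSV_URL -OutFile $CSV_File -UseBasicParsing -ErrorAction Stop
    $Desired = Import-Csv -Path $CSV_File
    $Current = (Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting -ErrorAction Stop).CurrentSetting
    $Wrong   = @(Get-WrongSettings -Desired $Desired -Current $Current)
}
catch {
    # Compliance cannot be proven: surface the device as an issue (choice made for this example).
    Write-Output "Detection failed: $($_.Exception.Message)"
    exit 1
}

if ($Wrong.Count -gt 0) {
    Write-Output ("Non-compliant: " + (($Wrong | ForEach-Object { "$($_.Setting)=$($_.Actual)" }) -join "; "))
    exit 1    # at least one wrong setting: the Remediation script runs
}
Write-Output "All BIOS settings are compliant"
exit 0        # no wrong setting
```

The text written with Write-Output shows up as the detection output for the device in the portal, which makes it easy to see which setting drifted.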
Create dynamic group
In this part we will create a dynamic Azure AD group that will only contain Lenovo devices.
1. Go to the Microsoft Endpoint manager admin center
2. Go to Groups
3. Click on New group
4. Select Security as Group type
5. Type a name, like Lenovo devices
6. In Membership type, select Dynamic devices
7. Click on Add dynamic query
8. Click on Edit and type the line below:
(device.deviceManufacturer -contains "Lenovo")
9. Click on Save
10. Click on Create
Create the remediation package
1. Go to the Microsoft Endpoint manager admin center
2. Go to Reports
3. Go to Endpoint analytics
4. Go to Proactive remediations
5. Click on Create script package
6. Type a name, in our case Check Lenovo BIOS settings
7. Click on Next
8. Click on Detection script file
9. Browse the script BIOS_settings_Detection_Script.ps1
10. Click on Remediation script file
11. Browse the script BIOS_settings_Remediation_Script.ps1
12. Click on Next
13. Select the Lenovo devices group
14. In the Schedule part, choose when the package should be run.
15. In our case we will run it every 3 hours (for our test)
16. Click on Apply
17. Click on Next
18. Click on Create
Log files
You can find two log files in C:\windows\Debug:
- Lenovo_BIOS_Settings_Detection.log
- Lenovo_BIOS_Settings_Remediation.log