Manage Lenovo BIOS settings with Proactive Remediations


In this post I will show you how to apply BIOS settings on Lenovo devices using the Proactive Remediations part of the Endpoint Manager portal.


- You have multiple Lenovo devices

- You have a CSV file containing some settings to set

- You want to apply settings from the CSV on your devices

- You want an automated way to do this

- You want a solution that will be executed each time it finds a difference

My previous post shows how to do this with the Device configuration profile > PowerShell script part.

In my next posts I will do the same for HP and Dell.

CSV file

See below an overview of my CSV file.


In my case I uploaded the BIOS settings file to a blob storage.

You can set the path of your CSV in the variable $CSV_URL from the detection script.

If you have a BIOS password, store it as a secure string in a file using the code below:

Then upload the file on the blob storage. 

The path is located in the variable $PWD_File_URL.

The script

You can find both scripts for detection and remediation by clicking on the GitHub picture below.

- Lenovo_BIOS_Settings_Detection.ps1

- Lenovo_BIOS_Settings_Remediation.ps1

How does it work?

A Proactive Remediation is divided into two scripts:

- Detection script

- Remediation script

The Detection script allows you to check if settings are compliant.

The detection script must end with one of these exit codes:

- If there is at least one wrong setting: 1 

- If there is no wrong setting: 0 

If the Detection script exits with code 1, the Remediation script will be executed.
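
The detection logic described above, as an added example that is not the script from the GitHub repository. It assumes the CSV has `Setting` and `Value` columns and uses a placeholder URL, and it reads the current values from Lenovo's `Lenovo_BiosSetting` WMI class.

```powershell
# Added example. Assumptions: CSV columns are named Setting and Value,
# and $CSV_URL is a placeholder to replace with your own blob path.
$CSV_URL  = "https://<your-storage-account>.blob.core.windows.net/<container>/BIOS_Settings.csv"
$Log_File = "C:\Windows\Debug\Lenovo_BIOS_Settings_Detection.log"

function Write-Log {
    param([string]$Message)
    Add-Content -Path $Log_File -Value "$(Get-Date -Format s) - $Message"
}

function Get-LenovoBiosSettings {
    # CurrentSetting is "Name,Value"; some models append ";[Optional:...]" after it
    $Current = @{}
    Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting -ErrorAction Stop |
        Where-Object { $_.CurrentSetting } |
        ForEach-Object {
            $Name, $Value = ($_.CurrentSetting -split ';')[0] -split ',', 2
            $Current[$Name] = $Value
        }
    return $Current
}

function Compare-BiosSettings {
    param([hashtable]$Current, [object[]]$Expected)
    # Returns the CSV rows that are missing on the device or hold a different value
    $Expected | Where-Object {
        -not $Current.ContainsKey($_.Setting) -or $Current[$_.Setting] -ne $_.Value
    }
}

try {
    $Expected = (Invoke-WebRequest -Uri $CSV_URL -UseBasicParsing).Content | ConvertFrom-Csv
    $Wrong = @(Compare-BiosSettings -Current (Get-LenovoBiosSettings) -Expected $Expected)
}
catch {
    # Reported as non-compliant so the failure is visible in the portal
    Write-Log "Detection failed: $($_.Exception.Message)"
    exit 1
}

foreach ($Row in $Wrong) { Write-Log "Non-compliant: $($Row.Setting) (expected $($Row.Value))" }
if ($Wrong.Count -gt 0) { exit 1 }   # at least one wrong setting: remediation runs
Write-Log "All settings compliant"
exit 0                               # no wrong setting
```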

Create dynamic group

In this part we will create a dynamic Azure AD group that will only contain Lenovo devices.

1. Go to the Microsoft Endpoint manager admin center

2. Go to Groups

3. Click on New group

4. Select Security as Group type

5. Type a name, like Lenovo devices

6. In Membership type, select Dynamic devices

7. Click on Add dynamic query

8. Click on Edit and type the line below:

(device.deviceManufacturer -contains "Lenovo")

9. Click on Save

10. Click on Create

Create the remediation package

1. Go to the Microsoft Endpoint manager admin center

2. Go to Reports

3. Go to Endpoint analytics

4. Go to Proactive remediations

5. Click on Create script package

6. Type a name, in our case Check Lenovo BIOS settings

7. Click on Next

8. Click on Detection script file

9. Browse the script BIOS_settings_Detection_Script.ps1

10. Click on Remediation script file

11. Browse the script BIOS_settings_Remediation_Script.ps1

12. Click on Next

13. Select the Lenovo devices group 

14. In the Schedule part, choose when the package should be run.

15. In our case we will run it every 3 hours (for our test)

16. Click on Apply

17. Click on Next

18. Click on Create

Log files

You can find two log files in C:\windows\Debug:

- Lenovo_BIOS_Settings_Detection.log

- Lenovo_BIOS_Settings_Remediation.log
