Proactive Remediation scripts: Detects devices that don't have a BIOS password (for Lenovo, Dell and HP)

3 A+ A-

In this post I will show you how to use Endpoint Analytics Proactive Remediation scripts to detect if your computer has a password configured to configure the BIOS.


- You have enrolled devices (HP, Dell or Lenovo)

- You want to be sure all of them have a BIOS password

- If not you want to be informed

- The script should be executed in system context

- You want to display a warning to the user

Get the script

Click on the picture below to get the script:

The script

You can find both scripts for detection and remediation by clicking on the GitHub picture below.

- Check_BIOS_Password_Detection.ps1

- Check_BIOS_Password_Remediation.ps1

How does it work ?

The Proactive Remediation is divided in two scripts part:

- Detection script

- Remediation script

The Detection script allows you to check if settings are compliant.

See below the exit code to add:

- If there is no BIOS password: 1 

- If there is a BIOS password: 0 

If the exit code is configured to 1, the Remediation script will be executed.

In this example the remediation will display a warning to the user, as below:

If you don't want to display a warning and just be informed on the portal, add a blank remediation script.

Create dynamic group

In this part we will create a dynamic Azure AD group that will only contain Lenovo devices.

1. Go to the Microsoft Endpoint manager admin center

2. Go to Groups

3. Click on New group

4. Select Security as Group type

5. Type a name, like Lenovo_Dell_HP_Devices

6. In Membership type, select Dynamic devices

7. Click on Add dynamic query

8. Click on Edit and type below line:

(device.deviceManufacturer -contains "Dell") or (device.deviceManufacturer -contains "HP") or (device.deviceManufacturer -contains "Lenovo")

9. Click on Save

10. Click on Create

Create the remediation package

1. Go to the Microsoft Endpoint manager admin center

2. Go to Reports

3. Go to Endpoint analytics

4. Go to Proactive remediations

5. Click on Create script package

6. Type a name in our case Detects no BIOS password devices

7. Click on Next

8. Click on Detection script file

9. Browse the detection script

10. Click on Remediation script file

11. Browse the remediation script

12. Click on Next

13. Select the Lenovo_Dell_HP_Devices group 

14. In the Schedule part, choose when the package should be run.

15. In our case we will run it every 3 hours (for our test)

16. Click on Apply

17. Click on Next

18. Click on Create

Get the result

1. Go to your remediation script

2. Go to device status

3. Go to column

4. Check Pre-remediation detection output

5. The information will be enabled as below:

What's next ?

In the next post I will show you how to store remediate device that don't have BIS password by

storing BIOS password on Azure Key Vault, then use Intune to set or change passwords.

Proactive_Remediations 4810567863297432728

Enregistrer un commentaire

3 commentaires

Ztrhgf a dit…

I don't see the github icon to be able to download the scripts..

networkengineer a dit…
Ce commentaire a été supprimé par un administrateur du blog.
Damien Van Robaeys a dit…

Weird, the picture is there? This is a github picture in the get the script part

Accueil item



Learn KQL in one month

You want to support me ?

Mes articles en français

Books in French