Store BIOS passwords on Azure Key Vault and set devices password with Intune (for Lenovo, Dell, HP)
In this post I will show you how to store BIOS passwords in Azure Key Vault, then use Intune or MECM to set or create BIOS passwords on your devices.
Context
- You want to create a BIOS password on Azure
- You want to use Azure Key Vault
- You have devices that have a BIOS password
- You have devices that don't have a BIOS password
- You want to change or create the BIOS password from the devices themselves
- You want an automated way to do this
How will this work?
In my example, the flow is as follows:
1. Create the key vault
2. Create the current password on key vault
3. Create the new password on key vault
4. Create an Azure app for authentication
5. Add rights on key vault for the app
6. Create a certificate on a device
7. Upload the certificate on the Azure app
8. Export the certificate
9. Install certificate on your devices
10. Authenticate on Azure app on devices
11. Get key vault passwords
12. Change BIOS passwords
For Lenovo, an initial password must already exist on the device; this is a Lenovo prerequisite.
Password on Key Vault
We will first add two BIOS passwords to Azure Key Vault:
- The current (if exists)
- The new password to set
For that proceed as below:
1. Go to Azure Portal
2. Go to Key Vault
3. Click on Add
4. Choose your subscription, resource group (or create a new one)
5. Type a Key Vault name like SDVault
6. Choose your region
7. Click on Review + Create
8. Click on Create
9. Wait for the message: Your deployment is complete
10. Click on Go to resource
11. Go to Secrets
12. Click on Generate/Import
13. Type a name like NewBiosPassword
14. In Value, type the password, for example: P@$Sw0ord
15. Click on Create
16. Your new password is now available
17. Click on Generate/Import
18. Type a name like CurrentBiosPassword
19. In Value, type the password, for example: P@$Sw0ord
20. Click on Create
21. Your current password is now available
Now that we have our passwords in the key vault, let's create a quick Azure app so that devices can authenticate without typing credentials.
We will connect to the app using a certificate.
Create the Azure app
1. Go to the Azure portal
2. Go to App registrations
3. Click on New registration
4. Type your app name, like BIOS_PWD_App
5. Click on Register
Generate a certificate
1. On a device, run the code below to generate the certificate:
2. Check the output of the command:
3. Note the Thumbprint value
4. The certificate is now added to your device's certificate store
Import certificate on Azure
Now we will add our certificate to our new Azure app.
1. Go to your Azure app
2. Go to Certificates & secrets
3. In the Certificates part, click on Upload certificate
4. Browse to your .cer certificate (the public part only)
5. Click on Add
6. You will get a notification confirming that the certificate was added:
Add Access policies for the Azure app
In this part we will configure the key vault so that the app can only read (Get) our passwords, which are stored as secrets.
You can of course change the rights depending on your needs.
1. Go to your key vault
2. Go to Access policies
3. Click on add access policies
4. In Configure template, we will choose Secret management
5. In Key permissions, unselect everything
6. In Secret permissions, we will just add Get
7. In Certificate permissions, unselect everything
8. In Select principal, click on None selected
9. Choose your app, here BIOS_PWD_App
10. Click on select
11. Click on Add
12. Click on Save
Now we have our Azure app and we can access it using the certificate.
The next step is to export the certificate in order to deploy it to our devices.
Export the certificate
On the device from which you have generated the certificate, run the below code:
Now that we have our certificate, we have to install it on our devices.
For that we have to find a way to distribute it.
We will look at the following ways:
- By uploading it on a blob storage
- By converting it to Base64
Upload certificate on blob storage
We will upload the PFX to a blob storage in order to download it easily on our devices.
Of course you can also use other ways, like using a Win32 application.
Create the storage account
1. Search Storage accounts
2. Click on Add
3. Select your subscription
4. Select your Resource group
or
4. Create a new one by clicking on Create new
5. Type a storage account name
6. Select your location
7. Select Standard
8. Click on Review+Create
9. Click on Create
Create the container
1. Click on Go to resource
2. Click on Containers
3. Click on + Container
4. Type a name like bios-container
5. Select your public access level (keep the container private: the PFX contains the private key that grants access to the vault secrets)
6. Click on Create
7. We now have our Container
Upload the PFX
1. Click on Containers
2. Click on bios-container
3. Click on Upload
4. Select the PFX file
5. Click on Upload
6. Click on the uploaded file
7. Copy the path from URL
Convert certificate to Base64
In this example we will convert our PFX to Base64 in order to be able to install it on our devices without having to store it somewhere.
We will use the Base64 string to install the certificate on our devices.
See below the code to convert our PFX file to a Base64 string:
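The certificate steps above (generate, export the .cer for the Azure app, export the password-protected PFX for devices, convert the PFX to Base64) carried through in one script. This is an added example, not the blog's own code; the app name, the export folder and the certificate lifetime are assumptions.

```powershell
# Added example: one pass over the certificate steps. Assumed values: app name, C:\Temp, 2-year lifetime.
$AppName     = "BIOS_PWD_App"
$ExportDir   = "C:\Temp"
$PfxPassword = Read-Host "Password to protect the PFX" -AsSecureString
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Step 6: generate a self-signed certificate; the private key stays on this device until exported
$Cert = New-SelfSignedCertificate -Subject "CN=$AppName" -CertStoreLocation Cert:\CurrentUser\My `
    -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -NotAfter (Get-Date).AddYears(2)
Write-Output "Thumbprint to note: $($Cert.Thumbprint)"

# Step 7: the .cer holds the public key only; this is the file uploaded to the Azure app
Export-Certificate -Cert $Cert -FilePath "$ExportDir\$AppName.cer" | Out-Null

# Step 8: the PFX holds the private key, so it is password-protected; this is what devices receive
Export-PfxCertificate -Cert $Cert -FilePath "$ExportDir\$AppName.pfx" -Password $PfxPassword | Out-Null

# Base64 form of the PFX, for the variant that embeds it in the install script instead of a blob
$Base64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes("$ExportDir\$AppName.pfx"))
Set-Content -Path "$ExportDir\$AppName.pfx.b64" -Value $Base64
Write-Output "Base64 written to $ExportDir\$AppName.pfx.b64 ($($Base64.Length) characters)"
```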
Install certificate on devices
In this part we will install the certificate that allows us to get the BIOS password from the Key Vault.
We will install it on the devices on which we want to manage BIOS passwords.
The script to import the PFX on your devices is shown below.
Adapt it a bit depending on the distribution method: blob storage, Win32 app, others...
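An install script covering both distribution methods described above (blob download or embedded Base64). This is an added example, not the blog's script; the blob URL, file name and PFX password are placeholders.

```powershell
# Added example. Placeholders: blob URL (copied in step 7 of "Upload the PFX") and the PFX password.
$PfxPassword = ConvertTo-SecureString "PFX_PASSWORD_PLACEHOLDER" -AsPlainText -Force
$PfxPath     = "$env:TEMP\BIOS_PWD_App.pfx"

# Method 1: download the PFX from the blob container
$BlobUrl = "https://STORAGEACCOUNT.blob.core.windows.net/bios-container/BIOS_PWD_App.pfx"  # placeholder
Invoke-WebRequest -Uri $BlobUrl -OutFile $PfxPath -UseBasicParsing

# Method 2: embed the Base64 string from the conversion step, so nothing has to be hosted
# $Base64Pfx = "PASTE_BASE64_HERE"   # placeholder
# [IO.File]::WriteAllBytes($PfxPath, [Convert]::FromBase64String($Base64Pfx))

# Import into LocalMachine\My: an Intune script runs as SYSTEM, so a user store would not be usable
$Cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

# Remove the PFX from disk once it sits in the store, and keep the thumbprint for the vault script
Remove-Item -Path $PfxPath -Force
Write-Output "Installed certificate thumbprint: $($Cert.Thumbprint)"
```

The thumbprint printed at the end must match the one noted when the certificate was generated; that is what the vault script later passes to Connect-AzAccount.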
So far, we have:
- Created an Azure app
- Added our passwords on the Key vault
- Created a certificate and exported it
Next steps are to:
- Install the certificate on devices
- Access BIOS passwords from key vault
- Change devices BIOS passwords
The script allowing us to do this is available on GitHub here:
We will implement this on Intune through PowerShell scripts.
The script is called: Manage_BIOS_PWD_From_KeyVault.ps1
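Steps 10 to 12 of the flow (authenticate as the app with the certificate, read both secrets, set the BIOS password through the vendor WMI interface, log to C:\Windows\Debug) as an added example; this is not the blog's Manage_BIOS_PWD_From_KeyVault.ps1. It assumes the Az.Accounts and Az.KeyVault modules are installed on the device, the certificate sits in LocalMachine\My, and the vendor WMI calls are the ones documented by Lenovo, Dell and HP; the tenant ID, app ID and thumbprint are placeholders.

```powershell
# Added example (not the blog's script). Assumes Az.Accounts/Az.KeyVault are installed. Placeholders below.
$TenantId   = "00000000-0000-0000-0000-000000000000"   # placeholder: Azure AD tenant ID
$AppId      = "00000000-0000-0000-0000-000000000000"   # placeholder: BIOS_PWD_App application (client) ID
$Thumbprint = "THUMBPRINT_NOTED_AT_GENERATION"         # placeholder: thumbprint of the installed certificate
$VaultName  = "SDVault"
$LogFile    = "C:\Windows\Debug\Manage_BIOS_PWD.log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Out-File -FilePath $LogFile -Append
}

# Step 10: authenticate as the app with the certificate; no credential is typed or stored in the script
Connect-AzAccount -ServicePrincipal -Tenant $TenantId -ApplicationId $AppId `
    -CertificateThumbprint $Thumbprint | Out-Null

# Step 11: read both secrets (Get is the only secret permission the access policy granted)
$NewPwd     = Get-AzKeyVaultSecret -VaultName $VaultName -Name "NewBiosPassword"     -AsPlainText
$CurrentPwd = Get-AzKeyVaultSecret -VaultName $VaultName -Name "CurrentBiosPassword" -AsPlainText

# Step 12: set the password through the manufacturer's WMI interface
$Manufacturer = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
switch -Wildcard ($Manufacturer) {
    "*Lenovo*" {
        # Lenovo prerequisite: a current password must already exist on the device
        if (-not $CurrentPwd) { $Result = "no current password, Lenovo needs one"; break }
        $Obj = Get-CimInstance -Namespace root/wmi -ClassName Lenovo_SetBiosPassword
        $Result = (Invoke-CimMethod -InputObject $Obj -MethodName SetBiosPassword `
            -Arguments @{ Parameter = "pap,$CurrentPwd,$NewPwd,ascii,us" }).Return   # "Success" when OK
    }
    "*Dell*" {
        # SecType 1 = current password supplied in clear; 0 = no password set yet on the device
        $SecType = if ($CurrentPwd) { 1 } else { 0 }
        $Obj = Get-CimInstance -Namespace root/dcim/sysman/wmisecurity -ClassName SecurityInterface
        $Result = (Invoke-CimMethod -InputObject $Obj -MethodName SetNewPassword -Arguments @{
            NameId = "Admin"; OldPassword = "$CurrentPwd"; NewPassword = $NewPwd
            SecType = [uint32]$SecType; SecHndCount = [uint32]0; SecHandle = [byte[]]@() }).Status  # 0 when OK
    }
    "*HP*" {
        # An empty current password is passed as "<utf-16/>" alone, which covers devices without one
        $Obj = Get-CimInstance -Namespace root/HP/InstrumentedBIOS -ClassName HP_BIOSSettingInterface
        $Result = (Invoke-CimMethod -InputObject $Obj -MethodName SetBIOSSetting -Arguments @{
            Name = "Setup Password"; Value = "<utf-16/>$NewPwd"; Password = "<utf-16/>$CurrentPwd" }).Return  # 0 when OK
    }
    default { $Result = "unsupported manufacturer" }
}

# Log the outcome only, never the passwords, then drop them from memory
Write-Log "Manufacturer=$Manufacturer Result=$Result"
Remove-Variable NewPwd, CurrentPwd
```

After the run, the Intune Device status view shows whether the script succeeded; the log line tells you which vendor path was taken and what the firmware returned.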
Implement on Intune
Create dynamic group
In this part we will create a dynamic Azure AD group that will only contain Dell, HP and Lenovo devices.
1. Go to the Microsoft Endpoint manager admin center
2. Go to Groups
3. Click on New group
4. Select Security as Group type
5. Type a name
6. In Membership type, select Dynamic devices
7. Click on Add dynamic query
8. Click on Edit and type the line below:
(device.deviceManufacturer -contains "Dell") or (device.deviceManufacturer -contains "HP") or (device.deviceManufacturer -contains "Lenovo")
9. Click on Save
10. Click on Create
Add the script
1. Go to Devices
2. Go to Scripts
3. Click on + Add
4. Select Windows 10
5. Type a name
6. Browse to Change_BIOS_PWD_From_KeyVault.ps1
7. In Assignments, select the group
8. Go to Device status to check the result
Log file
A log file is generated by the script in C:\Windows\Debug.
See below an overview:
What's next?
In the next post we will do the same using a Proactive Remediation script.
1 comment
Hello,
thanks for this post.
To deploy the certificate on devices, why not just use Intune (certificate configuration)?