Store BIOS passwords on Azure Key Vault and set devices password with Intune (for Lenovo, Dell, HP)

In this post I will show you how to store BIOS passwords on Azure key Vault, then use Intune or MECM to set or create BIOS passwords on your devices.

Context

- You want to create BIOS password on Azure

- You want to use Azure Key Vault

- You have devices that have a BIOS password

- You have devices that don't have a BIOS password

- You want to change or create BIOS password from devices

- You want an automate way for this

How this will work ?

In my example I imagine this as below:

1. Create the key vault

2. Create the current password on key vault

3. Create the new password on key vault

4. Create an Azure app for authentication

5. Add rights on key vault for the app

6. Create a certificate on a device

7. Upload the certificate on the Azure app

8. Export the certificate

9. Install certificate on your devices

10. Authenticate on Azure app on devices

11. Get key vault passwords

12. Change BIOS passwords

For Lenovo an initial password should exist on the device, this is a Lenovo prerequisite.

Password on Key Vault

We will first add two BIOS passwords on Azure key Vault:

- The current (if exists)

- The new password to set

For that proceed as below:

1. Go to Azure Portal

2. Go to Key Vault

3. Click on Add

4. Choose your subscription, resource group (or create a new one)

5. Type a Key vault name like SDVault 

6. Choose your region

7. Click on Review + Create 

8. Click on Create

9. Wait for the message: Your deployment is complete

10. Click on Go to resource

11. Go to Secrets

12. Click on Generate/Import

13. Type a name like NewBiosPassword

14. In Value, type password, like: P@$Sw0ord

15. Click on Create

16. Your new password is now available

17. Click on Generate/Import

18. Type a name like CurrentBiosPassword

19. In Value, type password, like: P@$Sw0ord

20. Click on Create

21. Your current password is now available

Now we have our passwords on the key vault, let's create a quick Azure app to authenticate without to type credentials.

We will connect to the app using a certificate

Create the Azure app

1. Go to the Azure portal

2. Go to App registrations

3. Click on New registration

4. Type your app name, like BIOS_PWD_App

5. Click on Register

Generate a certificate

1. On a device, type the below code to generate the certificate:

2. See below the result:

3. Note the Thumbprint information

4. The certificate is now added to your device

Import certificate on Azure

Now we will add our certificate to our new Azure app

1. Go to your Azure app

2. Go to Certificates & secrets

3. In the Certificates part, click on Upload certificate

4. Browse to your cer certificate

5. Click on Add

6. You will get the below notification:

Add Access policies for the Azure app

In this part we will configure the key vault to jet get info from our password, meaning secret.

You can of course change rights depending of your need.

1. Go to your key vault

2. Go to Access policies

3. Click on add access policies

4. In Configure template, we will choose Secret management

5. In Key permissions, unselect everything

6. In Secret permissions, we will just add Get

7. In Certificate permissions, unselect everything

8. In Select principal, click on None selected

9. Choose your app, here BIOS_PWD_App 

10. Click on select

11. Click on Add

12. Click on Save

Now we have our Azure app and we can access to it using the certificate.

The next step is to export the certificate in order to deploy it to our devices.

Export the certificate

On the device from which you have generated the certificate, run the below code:

Now we have our certificate we have to install it on our devices.

For that we have to find a way to distribute it.

We will see the below ways:

- By uploading it on a blob storage

- By converting it to Base64

Upload certificate on blob storage

We will upload the PFX on a blob storage in order to download it easily on our devices. 

Of course you can also use other ways, like using a Win32 application.

Create the storage account

1. Search Storage accounts

2. Click on Add

3. Select your subscription

4. Select your Resource group 

or 

4. Create a new one by clicking on Create new

5. Type a storage account name

6. Select your location

7. Select Standard

8. Click on Review+Create

9. Click on Create

Create the container

1. Click  on Go to resource

2. Click on Containers

3. Click on + Container

4. Type a name like bios-container

5. Select your public access level

6. Click on Create

7. We now have our Container

Upload the PFX

1. Click on Containers

1. Click on bios-container

3. Click on Upload

4. Select the PFX file

3. Click on Upload

6. Click on the uploaded file

7. Copy the path from URL

Convert certificate to Base64

In this example we will convert our PFX to Base64 in order to be able to install it on our devices without to store it somewhere.

We will use the Base64 to install the certificate on our devices.

See below the code to convert our PFX file to a Base64 code:

Install certificate on devices

In this part we will install the certificate allowing us to get the BIOS password from the Key Vault.

We will install it on devices on which we want to manage BIOS passwords.

The script to import the PFX on your devices is the below one.

Adapt it a bit depending the method: blob storage, Win32 app, others...

So far, we have: 

- Created an Azure app

- Added our passwords on the Key vault 

- Created a certificate and exported it

Next steps are to:

- Install the certificate on devices

- Access BIOS passwords from key vault

- Change devices BIOS passwords

The script allowing us to fo this is available on GitHub here below:

We will implement this on Intune through PowerShell scripts.

The script is called: Manage_BIOS_PWD_From_KeyVault.ps1

Implement on Intune

Create dynamic group

In this part we will create a dynamic Azure AD group that will only contain Lenovo devices.

1. Go to the Microsoft Endpoint manager admin center

2. Go to Groups

3. Click on New group

4. Select Security as Group type

5. Type a name

6. In Membership type, select Dynamic devices

7. Click on Add dynamic query

8. Click on Edit and type below line:

(device.deviceManufacturer -contains "Dell") or (device.deviceManufacturer -contains "HP") or (device.deviceManufacturer -contains "Lenovo")

9. Click on Save

10. Click on Create

Add the script

1. Go to Devices

2. Go to Scripts

3. Click on + Add

3. Select Windows 10

4. Type a name

5. Browse to Change_BIOS_PWD_From_KeyVault.ps1

6. In Assignments, select the group

7. Go to Device status to check result

Log file

A log file is generated by the script in C:\Windows\Debug.

See below an overview:

What's next ?

In next post we will do the same using a Proactive Remediation script