Managing Lenovo BIOS settings with Intune (Proactive Remediations) and Azure Key Vault
In this post I will show you how to apply BIOS settings on Lenovo devices using the Proactive Remediations feature of the Endpoint Manager portal, with the BIOS password stored in Azure Key Vault if one is set.
Context
- You have multiple Lenovo devices
- You want to set BIOS settings
- We will add BIOS settings in a CSV
- You want an automated way to do this
- Settings will only be applied when the current value differs from the expected one
- In case of BIOS password you want a secure way
Previous posts
Manage Lenovo BIOS settings with Proactive Remediations
Set Lenovo BIOS settings through Intune and PowerShell
The solution
We will proceed in a few steps:
- We will add the BIOS settings to set in a CSV file (its location is the $CSV_URL variable)
- We will add the value to configure for each setting
- The detection script will check whether all settings are already set
- If not, the remediation script will run
- The remediation script will set the BIOS settings
If there is a BIOS password, we will do the following:
- Create an Azure application
- This app will have access to the Key Vault
- Add a certificate to the App
- Deploy certificate on your device
- The remediation script will install/import some modules
- Those modules are: Az.Accounts, Az.KeyVault
- It will then retrieve the BIOS password through Key Vault
- And set the BIOS settings
CSV file
See below an overview of my CSV file.
In my case I uploaded the BIOS settings file to a blob storage.
You can set the path of your CSV in the variable $CSV_URL from the detection script.
I won't go into the details of how to create a blob storage here.
Get scripts
Click on the below GitHub picture to download scripts.
BIOS password
In this part we will create a Key Vault to store our secret, meaning the BIOS password.
We will proceed as below.
Creating resource group
1. Go to Azure
2. In the search bar type Resource group
3. Go to Resource group
4. Click on Create
5. Choose a Subscription
6. Type a Resource group name
7. Choose your region
8. Click on Review + Create
9. Click on Create
Creating Key Vault
1. Go to Azure Portal
2. Go to Key Vault
3. Click on Create
4. Choose a subscription
5. Choose a resource group (or create a new one)
6. Type a Key vault name
7. Choose your region
8. Click on Review + Create
9. Click on Create
Adding our password
1. Click on Go to resource
2. Go to Secrets
3. Click on Generate/Import
4. Type a name
5. In Value, type the BIOS password
6. Click on Create
7. Your password is now available
Adding Access policies
In this part we will give access to our Azure app so it can get secrets from the Key Vault.
You can of course change the rights depending on your needs.
1. Go to your key vault
2. Go to Access policies
3. Click on Add access policy
4. In Configure template, we will choose Secret management
5. In Key permissions, unselect everything
6. In Secret permissions, we will just add Get
7. In Certificate permissions, unselect everything
8. In Select principal, click on None selected
9. Choose your app
10. Click on select
11. Click on Add
12. Click on Save
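With the vault, the secret and the access policy in place, the remediation flow described at the beginning of the post (install Az.Accounts and Az.KeyVault, read the BIOS password from Key Vault, set the BIOS settings) can be put together. The script below is an added example written for this post, not the author's remediation script from GitHub. Every value in angle brackets is a placeholder, the CSV columns Setting and Value are an assumption, and the supervisor-password check on PasswordState is my addition; the Lenovo WMI classes (Lenovo_BiosPasswordSettings, Lenovo_SetBiosSetting, Lenovo_SaveBiosSettings) and the Az cmdlets are the real ones.

```powershell
# Added example (not the author's script): remediation that fetches the BIOS password from
# Key Vault and applies the CSV settings. All values below are placeholders to adapt.
$TenantId   = "<tenant-id>"
$AppId      = "<application-id>"            # the Azure app granted Get on secrets
$Thumbprint = "<certificate-thumbprint>"     # the app certificate deployed to the device
$VaultName  = "<key-vault-name>"
$SecretName = "<secret-name>"                # secret that holds the BIOS supervisor password
$CSV_URL    = "https://<storage-account>.blob.core.windows.net/<container>/Lenovo_BIOS_Settings.csv"
$Log_File   = "C:\windows\Debug\Lenovo_BIOS_Settings_Remediation.log"

Function Write_Log {
    param([string]$Message)
    Add-Content -Path $Log_File -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - $Message"
}

# Step 1: make sure Az.Accounts and Az.KeyVault are available
# (Get-AzKeyVaultSecret -AsPlainText needs Az.KeyVault 3.0 or later)
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
ForEach ($Module in "Az.Accounts", "Az.KeyVault") {
    If (-not (Get-Module -ListAvailable -Name $Module)) {
        Write_Log "Installing module $Module"
        Install-Module -Name $Module -Scope AllUsers -Force -AllowClobber
    }
    Import-Module -Name $Module
}

# Step 2: only contact Key Vault when a supervisor password is actually set.
# PasswordState is a bitmask; value 2 is the supervisor password (Lenovo WMI documentation).
$Password = ""
$PasswordState = (Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosPasswordSettings).PasswordState
If ($PasswordState -band 2) {
    Write_Log "Supervisor password detected, retrieving it from Key Vault $VaultName"
    # The script runs as SYSTEM, so the certificate must sit in LocalMachine\My with its private key
    Connect-AzAccount -ServicePrincipal -TenantId $TenantId -ApplicationId $AppId -CertificateThumbprint $Thumbprint | Out-Null
    $Password = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText
    Disconnect-AzAccount | Out-Null
    If (-not $Password) {
        Write_Log "Secret $SecretName is empty or could not be read, stopping"
        EXIT 1
    }
}

# Step 3: apply each setting. Lenovo's parameter syntax is "Setting,Value" without a password
# and "Setting,Value,password,ascii,us" with one; SaveBiosSettings commits them to the firmware.
$Expected = (Invoke-WebRequest -Uri $CSV_URL -UseBasicParsing).Content | ConvertFrom-Csv
$Set  = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting
$Save = Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings
$Failed = 0
ForEach ($Row in $Expected) {
    $Parameter = "$($Row.Setting),$($Row.Value)"
    If ($Password) { $Parameter += ",$Password,ascii,us" }
    $Result = $Set.SetBiosSetting($Parameter).return
    # Log the result, never $Parameter: it carries the password
    Write_Log "Set $($Row.Setting) to $($Row.Value): $Result"
    If ($Result -ne "Success") { $Failed++ }
}
$Result = If ($Password) { $Save.SaveBiosSettings("$Password,ascii,us").return } Else { $Save.SaveBiosSettings().return }
Write_Log "SaveBiosSettings: $Result"

# The new values take effect at the next reboot; report any failure back to Intune
If ($Failed -gt 0 -or $Result -ne "Success") { EXIT 1 }
EXIT 0
```

The password only lives in the $Password variable for the duration of the run and is never written to the log file; the Azure context is dropped right after the secret is read, so nothing stays cached on the device between runs.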
The script
You can find both scripts for detection and remediation by clicking on the GitHub picture below.
- Lenovo_BIOS_Settings_Detect.ps1
- Lenovo_BIOS_Settings_Remediate_KeyVault.ps1
Variables to set
The script contains some variables to set, as below:
How does it work?
The Proactive Remediation is divided into two scripts:
- Detection
- Remediation
The detection script checks whether the settings are compliant.
It has to end with one of the exit codes below:
- At least one wrong setting: 1
- No wrong setting: 0
If the exit code is 1, the Remediation script will be executed.
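The detection logic described above, as an added example that is not the author's Lenovo_BIOS_Settings_Detect.ps1: it downloads the CSV from $CSV_URL, compares every row with the value the firmware reports through the Lenovo_BiosSetting WMI class, logs each difference to the detection log named at the end of the post and exits with 1 when at least one setting is wrong, 0 otherwise. The CSV columns Setting and Value and the blob URL are assumptions; a download failure is also reported as exit code 1 so that an unreachable CSV never shows up as compliant.

```powershell
# Added example (not the author's script): detection logic for the Proactive Remediation.
# Assumption: the CSV has two columns, Setting and Value, one BIOS setting per row, e.g.
#   Setting,Value
#   WakeOnLAN,Disable
#   SecureBoot,Enable
$CSV_URL  = "https://<storage-account>.blob.core.windows.net/<container>/Lenovo_BIOS_Settings.csv"  # placeholder
$Log_File = "C:\windows\Debug\Lenovo_BIOS_Settings_Detection.log"

Function Write_Log {
    param([string]$Message)
    Add-Content -Path $Log_File -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - $Message"
}

# Step 1: download the expected settings; a failed download must not look like compliance
Try {
    $Expected = (Invoke-WebRequest -Uri $CSV_URL -UseBasicParsing).Content | ConvertFrom-Csv
}
Catch {
    Write_Log "Cannot download CSV from $CSV_URL : $($_.Exception.Message)"
    EXIT 1
}

# Step 2: read the current BIOS settings. Lenovo exposes each one in CurrentSetting as
# "Name,Value"; recent models append the allowed values as "Name,Value;[Optional:A,B]"
$Current = @{}
Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting |
    Where-Object { $_.CurrentSetting } |
    ForEach-Object {
        $Name, $Rest = $_.CurrentSetting -split ",", 2
        $Current[$Name] = ($Rest -split ";")[0]     # drop the ;[Optional:...] suffix if present
    }

# Step 3: compare, one log line per non-compliant setting
$Wrong = 0
ForEach ($Row in $Expected) {
    If (-not $Current.ContainsKey($Row.Setting)) {
        Write_Log "Setting $($Row.Setting) does not exist on this model, skipped"
        Continue
    }
    If ($Current[$Row.Setting] -ne $Row.Value) {
        Write_Log "Setting $($Row.Setting) is $($Current[$Row.Setting]), expected $($Row.Value)"
        $Wrong++
    }
}

# Step 4: exit codes expected by Proactive Remediations
If ($Wrong -gt 0) {
    Write_Log "$Wrong setting(s) not compliant, remediation will run"
    EXIT 1   # at least one wrong setting
}
Write_Log "All settings are compliant"
EXIT 0       # no wrong setting
```

Settings that the CSV lists but the model does not expose are logged and skipped rather than counted as failures, otherwise a single CSV shared between several ThinkPad generations would trigger remediation on every run.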
Creating dynamic group
In this part we will create a dynamic Azure AD group that will only contain Lenovo devices.
1. Go to the Microsoft Endpoint manager admin center
2. Go to Groups
3. Click on New group
4. Select Security as Group type
5. Type a name, like Lenovo devices
6. In Membership type, select Dynamic devices
7. Click on Add dynamic query
8. Click on Edit and type the line below:
(device.deviceManufacturer -contains "Lenovo")
9. Click on Save
10. Click on Create
Creating remediation package
1. Go to the Microsoft Endpoint manager admin center
2. Go to Reports
3. Go to Endpoint analytics
4. Go to Proactive remediations
5. Click on Create script package
6. Type a name, in our case Check Lenovo BIOS settings
7. Click on Next
8. Click on Detection script file
9. Browse to the detection .ps1 script
10. Click on Remediation script file
11. Browse to the remediation .ps1 script
12. Click on Next
13. Select the Lenovo devices group
14. In the Schedule part, choose when the package should be run.
15. Click on Apply
16. Click on Next
17. Click on Create
Log files
You can find two log files in C:\windows\Debug:
- Lenovo_BIOS_Settings_Detection.log
- Lenovo_BIOS_Settings_Remediation.log