Managing Lenovo BIOS settings with Intune (Proactive Remediations) and Azure Key Vault

In this post I will you how to use the apply BIOS settings on Lenovo device using the Proactice Remediation part from the Endpoint Manager portal and Azure Key Vault if there is a BIOS password.

Context

- You have multiple Lenovo devices

- You want to set BIOS settings

- We will add BIOS settings in a CSV

- You want an automate way for this

- Settings will be applied if there is a difference

- In case of BIOS password you want a secure way

Previous posts

Manage Lenovo BIOS settings with Proactive Remediations

Set Lenovo BIOS settings through Intune and PowerShell

The solution

We will proceed in few steps:

- We will add BIOS settings to set in a CSV_URL

- We will add value to configure

- Detection script will check if all settings are setted

- If not it will run remediation script

- This one will set BIOS settings

If there is a BIOS password, we will do the following:

- Create an Azure application

- This one will have access to Key Vault

- Add a certificate to the App

- Deploy certificate on your device

- Remediation script will install/import some modules

- Those modules are: az.accounts, az.keyvault

- Then retrieve BIOS password though Key Vault

- And set BIOS settings

CSV file

See below an overview of my CSV file.

In my case I uploaded the BIOS settings file to a blob storage.

You can set the path of your CSV in the variable $CSV_URL from the detection script.

I won't go into the details of how to create a blob storage there.

Get scripts

Click on the below GitHub picture to download scripts.

BIOS password

In this part we will create a Key Vault to add our Secret meaning BIOS password.

We will proceed as below.

Creating resource group

1. Go to Azure

2. In the search bar type Resource group

3. Go to Resource group

4. Click on Create

5. Choose a Subscription

6. Type a Resource group name

7. Choose your region

8. Click on Review + Create

9. Click on Create

Creating Key Vault

1. Go to Azure Portal

2. Go to Key Vault

3. Click on Create

4. Choose a subscription, 

5. Choose a resource group (or create a new one)

6. Type a Key vault name

7. Choose your region

7. Click on Review + Create 

8. Click on Create

Adding our password

1. Click on Go to resource

2. Go to Secrets

3. Click on Generate/Import

4. Type a name

5. In Value, type password

6. Click on Create

7. Your password is now available

Adding Access policies

In this part we will give acccess to our Azure app to get secret from Key Vault.

You can of course change rights depending of your need.

1. Go to your key vault

2. Go to Access policies

3. Click on add access policies

4. In Configure template, we will choose Secret management

5. In Key permissions, unselect everything

6. In Secret permissions, we will just add Get

7. In Certificate permissions, unselect everything

8. In Select principal, click on None selected

9. Choose your app

10. Click on select

11. Click on Add

12. Click on Save

The script

You can find both scripts for detection and remediation by clicking on the GitHub picture below.

- Lenovo_BIOS_Settings_Detect.ps1

- Lenovo_BIOS_Settings_Remediate_KeyVault.ps1

Variables to set

The script contains some variables to set, as below:

How does it work ?

The Proactive Remediation is divided in two scripts:

- Detection

- Remediation

Detection script allows you to check if settings are compliant.

See below the exit code to add:

- At least one wrong setting: 1 

- No wrong setting: 0 

If the exit code is 1, the Remediation script will be executed.

Creating dynamic group

In this part we will create a dynamic Azure AD group that will only contain Lenovo devices.

1. Go to the Microsoft Endpoint manager admin center

2. Go to Groups

3. Click on New group

4. Select Security as Group type

5. Type a name, like Lenovo devices

6. In Membership type, select Dynamic devices

7. Click on Add dynamic query

8. Click on Edit and type below line:

(device.deviceManufacturer -contains "Lenovo")

9. Click on Save

10. Click on Create

Creating remediation package

1. Go to the Microsoft Endpoint manager admin center

2. Go to Reports

3. Go to Endpoint analytics

4. Go to Proactive remediations

5. Click on Create script package

6. Type a name in our case Check Lenovo BIOS settings

7. Click on Next

8. Click on Detection script file

9. Browse the detection ps1 script

10. Click on Remediation script file

11. Browse the remediation ps1 script

12. Click on Next

13. Select the Lenovo devices group 

14. In the Schedule part, choose when the package should be run.

15. Click on Apply

16. Click on Next

17. Click on Create

Log files

You can find in C:\windows\Debug two log files:

- Lenovo_BIOS_Settings_Detection.log

- Lenovo_BIOS_Settings_Remediation.log