Using Intune (Proactive Remediation) and Azure Key Vault to set/change the BIOS password on your devices (Lenovo/Dell/HP)


In this post I will show you how to use Endpoint Analytics Proactive Remediation scripts and Azure Key Vault to set or change the BIOS password on your devices.


- You have enrolled devices (HP, Dell or Lenovo)

- You want to set or change the BIOS password remotely

- You want to be sure all of them have a BIOS password

- If not, you want to set it

- You want to store the BIOS password in the cloud

- You want to use Azure Key Vault

- You want an automated way to do this

The solution

In my example the process is as follows:

1. Create the key vault

2. Add the current password to the key vault

3. Add the new password to the key vault

4. Create an Azure app for authentication

5. Grant the app rights on the key vault

6. Add a certificate to access the app

7. Authenticate to the Azure app on the devices

8. Get the key vault passwords

9. Change the BIOS passwords

The certificate part is not covered in this article.

See this post for how to add it.

Get the script

Click on the picture below to get the scripts.

The script

You can find both scripts for detection and remediation by clicking on the GitHub picture below:

- Check_BIOS_Password_Detection.ps1

- Check_BIOS_Password_Remediation.ps1

Detection script

How does it work?

It will first install the modules below:

- Az.Accounts

- Az.KeyVault

You can choose to let the script install them or choose a location from where to download them, like blob storage.

Then it checks whether the current BIOS password is the latest one from the Key Vault.

If not, the BIOS password is not up to date and needs to be changed.

In this case, the remediation script will be executed.

Variables to set

Azure application info:

$TenantID = ""

$App_ID = ""

$ThumbPrint = ""

How to install the Az modules?

$Az_Module_Install_Mode = "Install" # Install or Download

If you choose Download, set the variables below:

$Az_Accounts_URL = ""

$Az_KeyVault_URL = ""

Key Vault info

$vaultName = ""

$Secret_Name_New_PWD = ""

Remediation script

How does it work?

If the modules are not installed, it will install them.

You can choose to let the script install them or choose a location from where to download them, like blob storage.

Then it gets the new password available in the Key Vault and changes it on the device.

Variables to set

Azure application info:

$TenantID = ""

$App_ID = ""

$ThumbPrint = ""

How to install the Az modules?

$Az_Module_Install_Mode = "Install" # Install or Download

If you choose Download, set the variables below:

$Az_Accounts_URL = ""

$Az_KeyVault_URL = ""

Key Vault info

$vaultName = "SDVault"

$Secret_Name_Old_PWD = "OldPassword"

$Secret_Name_New_PWD = "NewPassword"
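The remediation logic described above, written out as an added example; this is not the post's own Check_BIOS_Password_Remediation.ps1. It assumes the Az modules are already installed (the post covers that step), that the app certificate is in the LocalMachine store, and that the version and creation date of the new secret are recorded in the registry values Version and Created under HKLM\SOFTWARE\BIOS_Management, the key the detection script compares against (those two value names are my choice, the post does not name them). The vendor calls are the documented Lenovo and HP WMI interfaces and the Dell DellBIOSProvider module.

```powershell
# Added example, not the post's own Check_BIOS_Password_Remediation.ps1.
# Assumptions: Az modules already installed, app certificate in the LocalMachine store, and the
# registry value names "Version" and "Created" under HKLM\SOFTWARE\BIOS_Management are my choice.
Import-Module Az.Accounts, Az.KeyVault

$TenantID            = "<tenant-id>"
$App_ID              = "<application-client-id>"
$ThumbPrint          = "<certificate-thumbprint>"
$vaultName           = "SDVault"
$Secret_Name_Old_PWD = "OldPassword"
$Secret_Name_New_PWD = "NewPassword"
$RegPath             = "HKLM:\SOFTWARE\BIOS_Management"

function Get-VaultSecret {
    # Returns the plain-text value plus the version/date that identify this secret version
    param([string]$Name)
    $secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $Name
    if (-not $secret) { throw "Secret '$Name' not found in vault '$vaultName'" }
    # The vendor interfaces take plain strings, so the SecureString is decrypted only here
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    [pscustomobject]@{ Value = $plain; Version = $secret.Version; Created = $secret.Created.ToString("o") }
}

function Set-BiosPassword {
    # Sets the supervisor/setup/admin password through each vendor's management interface
    param([string]$OldPassword, [string]$NewPassword)
    $manufacturer = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
    switch -Wildcard ($manufacturer) {
        "LENOVO*" {
            # Lenovo_SetBiosPassword takes "type,old,new,encoding,keyboard"; "pap" is the supervisor password.
            # If no password is set yet the old-password field stays empty (support for an initial set
            # through WMI depends on the model).
            $lenovo = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosPassword
            $result = $lenovo.SetBiosPassword("pap,$OldPassword,$NewPassword,ascii,us")
            if ($result.return -ne "Success") { throw "Lenovo returned '$($result.return)'" }
        }
        { $_ -like "HP*" -or $_ -like "Hewlett-Packard*" } {
            # HP expects values prefixed with <utf-16/>; the third argument is the current password
            $hp = Get-WmiObject -Namespace root\HP\InstrumentedBIOS -Class HP_BIOSSettingInterface
            $result = $hp.SetBIOSSetting("Setup Password", "<utf-16/>$NewPassword", "<utf-16/>$OldPassword")
            if ($result.Return -ne 0) { throw "HP returned code $($result.Return)" }
        }
        "Dell*" {
            # Dell exposes the BIOS as a PowerShell drive through the DellBIOSProvider module
            Import-Module DellBIOSProvider -ErrorAction Stop
            if ($OldPassword) {
                Set-Item -Path DellSmbios:\Security\AdminPassword -Value $NewPassword -Password $OldPassword
            } else {
                Set-Item -Path DellSmbios:\Security\AdminPassword -Value $NewPassword
            }
        }
        default { throw "Unsupported manufacturer '$manufacturer'" }
    }
}

function Set-BiosPasswordRecord {
    # Records which Key Vault secret version is now set, for the detection script to compare
    param([string]$Version, [string]$Created)
    New-Item -Path $RegPath -Force | Out-Null
    Set-ItemProperty -Path $RegPath -Name "Version" -Value $Version
    Set-ItemProperty -Path $RegPath -Name "Created" -Value $Created
}

try {
    Connect-AzAccount -ServicePrincipal -TenantId $TenantID -ApplicationId $App_ID `
        -CertificateThumbprint $ThumbPrint | Out-Null
    $old = Get-VaultSecret -Name $Secret_Name_Old_PWD
    $new = Get-VaultSecret -Name $Secret_Name_New_PWD
    Set-BiosPassword -OldPassword $old.Value -NewPassword $new.Value
    # Only written after the vendor call succeeded, so a failed change is re-detected next run
    Set-BiosPasswordRecord -Version $new.Version -Created $new.Created
    Write-Output "BIOS password set to Key Vault secret version $($new.Version)"
    exit 0
}
catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

The registry record is written only after the vendor call returned success; if it were written first, a failed password change would be reported as compliant by the detection script on every later run.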

Password up to date or not?

As mentioned previously, the detection script first checks whether the BIOS password configured on the device is the latest one or not.

But how does it know what the latest one is and whether the device is up to date?

The process is actually pretty simple: the detection script first connects to Key Vault and reads the secret called NewPassword, as below:

This is the secret used to set a new BIOS password.

The script reads the date and version of this secret. See below what we get from PowerShell.

Once the script has those values, it checks the same values in the registry.

The registry key to check is: HKLM\SOFTWARE\BIOS_Management

If both values are equal, the device has the latest BIOS password.

If not, the device does not have the latest BIOS password and the remediation script needs to be executed.

But what is this registry key?

This registry key and its values are created when the remediation script has executed and changed the BIOS password.

It takes the version and date from the secret in Key Vault and creates the appropriate registry values.
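The detection check described above, as an added example that is not the post's own Check_BIOS_Password_Detection.ps1. It assumes the Az modules are already installed, the app certificate is in the LocalMachine store, and that the remediation script stored the secret's version and creation date in the registry values Version and Created under HKLM\SOFTWARE\BIOS_Management (those value names are my assumption; the post only names the key). Detection never needs the password itself, so the secret value is never decrypted here.

```powershell
# Added example, not the post's own Check_BIOS_Password_Detection.ps1.
# Assumptions: Az modules already installed, app certificate in the LocalMachine store, and the
# remediation script recorded the secret's version and date in the registry values "Version" and
# "Created" under HKLM\SOFTWARE\BIOS_Management (value names are my assumption).
Import-Module Az.Accounts, Az.KeyVault

$TenantID            = "<tenant-id>"
$App_ID              = "<application-client-id>"
$ThumbPrint          = "<certificate-thumbprint>"
$vaultName           = "SDVault"
$Secret_Name_New_PWD = "NewPassword"
$RegPath             = "HKLM:\SOFTWARE\BIOS_Management"

function Get-VaultPasswordState {
    # Version and creation date of the current NewPassword secret; the value itself is not
    # needed for detection, so it is never decrypted here
    param([string]$Name)
    $secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $Name
    if (-not $secret) { throw "Secret '$Name' not found in vault '$vaultName'" }
    [pscustomobject]@{ Version = $secret.Version; Created = $secret.Created.ToString("o") }
}

function Get-DeviceRecordedState {
    # What the last remediation run recorded, or $null if the key does not exist yet
    if (-not (Test-Path $RegPath)) { return $null }
    $props = Get-ItemProperty -Path $RegPath
    [pscustomobject]@{ Version = $props.Version; Created = $props.Created }
}

function Test-BiosPasswordCurrent {
    # True only if both the version and the date match what Key Vault reports
    param($VaultState, $DeviceState)
    if ($null -eq $DeviceState) { return $false }
    return ($DeviceState.Version -eq $VaultState.Version) -and
           ($DeviceState.Created -eq $VaultState.Created)
}

try {
    Connect-AzAccount -ServicePrincipal -TenantId $TenantID -ApplicationId $App_ID `
        -CertificateThumbprint $ThumbPrint | Out-Null
    $vaultState  = Get-VaultPasswordState -Name $Secret_Name_New_PWD
    $deviceState = Get-DeviceRecordedState
    if (Test-BiosPasswordCurrent -VaultState $vaultState -DeviceState $deviceState) {
        Write-Output "BIOS password matches Key Vault secret version $($vaultState.Version)"
        exit 0   # compliant: the remediation script is not run
    }
    Write-Output "BIOS password is not the latest Key Vault version (device has '$($deviceState.Version)')"
    exit 1       # non-compliant: Intune runs the remediation script
}
catch {
    # A sign-in or vault error also ends with exit 1, so the failure shows up in the report
    Write-Output "Detection failed: $($_.Exception.Message)"
    exit 1
}
```

A device that has never been remediated has no registry key at all; the check treats that as "not current" rather than as an error, which is what triggers the first password set.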

Key Vault part

Creating Key Vault

1. Go to the Azure Portal

2. Go to Key Vault

3. Click on Create

4. Choose a subscription

5. Choose a resource group

6. Type a Key vault name

7. Choose your region

8. Click on Review + Create

9. Click on Create

Adding our password

1. Click on Go to resource

2. Go to Secrets

3. Click on Generate/Import

4. Type a name

5. In Value, type OldPassword

6. Click on Create

7. Create a new Secret called NewPassword

Add Access policies

In this part we will give our Azure app access to get secrets from the Key Vault.

You can of course change the rights depending on your needs.

1. Go to your key vault

2. Go to Access policies

3. Click on add access policies

4. In Configure template, we will choose Secret management

5. In Key permissions, unselect everything

6. In Secret permissions, we will just add Get

7. In Certificate permissions, unselect everything

8. In Select principal, click on None selected

9. Choose your app

10. Click on select

11. Click on Add

12. Click on Save
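The three portal procedures of the Key Vault part (create the vault, add the two secrets, grant the app Get on secrets only), done with the Az PowerShell module, as an added example that is not part of the original post. The vault and secret names are the post's; the resource group, the location and the placeholder Application ID are assumptions.

```powershell
# Added example (not from the post): the Key Vault part done with Az PowerShell.
# Assumed: resource group and location; <application-client-id> is the Azure app the devices use.
Import-Module Az.Accounts, Az.KeyVault
Connect-AzAccount | Out-Null            # interactive sign-in as the vault's administrator

$vaultName     = "SDVault"
$resourceGroup = "RG-BIOS-Management"   # assumed
$location      = "westeurope"           # assumed
$App_ID        = "<application-client-id>"

# Creating Key Vault
New-AzKeyVault -Name $vaultName -ResourceGroupName $resourceGroup -Location $location | Out-Null

# Adding our password: prompt for the values so they are not written into the script or history
$oldPassword = Read-Host -AsSecureString -Prompt "Current BIOS password"
$newPassword = Read-Host -AsSecureString -Prompt "New BIOS password"
Set-AzKeyVaultSecret -VaultName $vaultName -Name "OldPassword" -SecretValue $oldPassword | Out-Null
Set-AzKeyVaultSecret -VaultName $vaultName -Name "NewPassword" -SecretValue $newPassword | Out-Null

# Add Access policies: the app may only read secrets; it gets no key or certificate permissions
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $App_ID -PermissionsToSecrets Get

# Check the result: the app should show "get" under secrets and nothing under keys/certificates
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Format-Table DisplayName, PermissionsToKeysStr, PermissionsToSecretsStr, PermissionsToCertificatesStr
```

Set-AzKeyVaultAccessPolicy only applies to vaults using the access-policy permission model; a vault created with the RBAC model rejects it, and the equivalent there is a "Key Vault Secrets User" role assignment for the app on that vault.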

Implement it in Intune

Create dynamic group

In this part we will create a dynamic Azure AD group that will only contain Lenovo devices.

1. Go to the Microsoft Endpoint Manager admin center

2. Go to Groups

3. Click on New group

4. Select Security as Group type

5. Type a name

6. In Membership type, select Dynamic devices

7. Click on Add dynamic query

8. Click on Edit and type below line:

(device.deviceManufacturer -contains "Lenovo")

Of course change it with your manufacturer.

9. Click on Save

10. Click on Create

Create the remediation package

1. Go to the Microsoft Endpoint Manager admin center

2. Go to Reports

3. Go to Endpoint Analytics

4. Go to Proactive Remediations

5. Click on Create script package

6. Type a name, in our case Set BIOS Password

7. Click on Next

8. Click on Detection script file

9. Browse the script Set_BIOS_PWD_KeyVault_Remediation.ps1

10. Click on Next

11. Select the Lenovo_Devices group

12. In the Schedule part, choose when the package should be run.

13. Click on Apply

14. Click on Next

15. Click on Create

Log file

You can find the script's log files in C:\Windows\Debug.

6 comments

Remy said…

thanks for your post. very useful.

I just have one issue with the Dell module. It seems it is not loaded correctly and I do not have the value $IsPasswordset.
I can see the "Performing operation New-PSDrive for the provider DellSmbiosProv." is needed to get the value as "false" or "true" and it needs admin rights to install it.
Very annoying because I cannot set any password without that module.
I can see my module "DellBIOSProvider" is installed in the module folder so I do not understand what's going wrong.
When I run the script as system user manually it works but not with proactive remediation in Intune.
Did you already have that issue? Did you test it with a DELL computer?
Thanks for your answer.

Damien Van Robaeys said…

Hey Rémy, yep I tested it on my Dell, but it reminds me of something similar I faced with another script.
Could you please send me a mail at damien.vanrobaeys@gmail.com to test it together ?

Damien Van Robaeys said…

One more question: did you run it as user or system through Intune?

Remy said…

Hi Damien,

sorry I didn't see your comment. It works fine now. It was an issue with the Dell module.
Thanks for your answer

Stefan T said…

Am I missing something in this description? You are talking about an Azure App for authentication but I can't find the description for that.

Anonymous said…


This looks very useful, but in the beginning a link appears to be missing, relating to the certificate element.

I regularly use the "self-signed certificate plus AzureAD App Reg" method for interacting with MS Graph.

But I'm not clear on a method of installing a key-pair into LocalMachine, and maybe a little bit concerned that I might not be gaining much here?
As in: if my certificate is installed on every computer, and can read the current UEFI/BIOS password from Key Vault, I have just created a significant security problem.
Penetration testers and hackers alike know to check the Intune folder for scripts.


