
Lenovo BIOS versions dashboard (up to date or not) with Log Analytics



In this post I will show you a Log Analytics dashboard for Lenovo devices that lets you see which devices have an up-to-date BIOS and which do not, by comparing the current BIOS with the latest one available on the Lenovo website.


What does it do?

Using this report you can easily see:

- How many devices have an old BIOS

- How many devices have an up-to-date BIOS

- List of devices where the BIOS is not up to date

- List of devices with a BIOS older than 2 years

- List of all BIOS versions by model

- Latest available versions for all your models

- Severity of the latest version (recommended/critical)


The solution

- Create an Azure Automation account

- Use it with Managed Identity

- Create a Runbook in Automation

- The runbook gets info for all Lenovo devices

- It compares the current BIOS version with the latest one on Lenovo

- It sends the data to Log Analytics


Sources to download

Click on the GitHub picture below to get the following files:

- Runbook.ps1: Azure Automation script

- Assign_permissions.ps1

- Workbook.json: Log Analytics dashboard

- DCR_Table.json: Table to ingest in DCR



Azure Automation part 1

Create the account

1. Go to Azure

2. Go to Automation accounts

3. Click on Create

4. Type a name

5. Choose a Subscription

6. Choose the Resource group

7. Choose your region

8. Click on Create


Set Managed Identity

1. Go to your automation account

2. Go to Identity

3. Go to System assigned

4. Select On

5. Click on Save

6. Click on Yes

7. Go to the Azure portal

8. Go to Enterprise applications

9. Filter on Managed identity

10. You will find an app with the name of your automation account


Add permissions

The script uses the Graph API to get the BIOS version of all devices.

For this you need to add the appropriate permission on Graph API.

Run the script Assign_permissions.ps1 with global admin rights.


Log Analytics prerequisites

Create Data Collection Endpoint

1. Go to the Entra portal

2. Go to Monitor

3. Go to Data Collection Endpoints 


4. Click on Create

5. Type a name

6. Choose a subscription

7. Choose a resource group or create a new one

8. Choose a region

9. The region should be the same as the workspace

10. Click on Review+Create then Create

11. Once created, click on the DCE

12. Go to Overview

13. Copy the Logs Ingestion value

You will need it in the runbook


Create custom log (DCR)

We will proceed as below:

1. Go to your Log Analytics workspaces

2. Go to Tables

3. Click on Create 

4. Click on New custom log (DCR based)

5. As name type LenovoBIOS_CL

!! Don't change it !!

6. Click on Create a new data collection rule 


7. Choose a Subscription

8. Choose a Resource group

9. Type a Name 

10. Select the DCE 

11. Click on Next

12. Click on Browse for files

13. Select DCR_Table.json

14. Click on Next > Create

15. Go to Monitor

16. Go to Data collection rules 

17. Go to your DCR

18. Go to Overview

19. Click on JSON View (on the right side)

20. Copy the immutableId value

You will need it in the runbook


Now we need to give the application permission to use the DCR. 

For that proceed as below:

1. Go to your DCR

2. Go to Access Control (IAM) 

3. Click on Add role assignment

4. Check Monitoring Metrics Publisher 

5. Click on Next

6. Check Managed identity

7. Click on Select members

8. In Managed identity, select Automation Account

9. Check your automation account

10. Click on Select

11. Click on Review + assign 


Azure Automation part 2

The runbook

The automation script will proceed as below:

1. Get all Lenovo Intune devices

2. Get the current BIOS version

3. Get device name, model...

4. Get last BIOS available on Lenovo website

5. Compare current BIOS version and last one

6. Send data to Log Analytics


Fill in the variables below in Runbook.ps1:

$DcrImmutableId = "dcr-" # id available in DCR > JSON view > immutableId

$DceURI = "" # available in DCE > Logs Ingestion value

$Table = "CustomLogName_CL" # custom log where to send data
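
How the runbook's last step (send data to Log Analytics) can use these three values with the managed identity, as an added example that is not the content of Runbook.ps1. The function names and the record's column names (other than TimeGenerated) are hypothetical; the columns must match those declared in DCR_Table.json.

```powershell
# Added example: not the content of Runbook.ps1.
$DcrImmutableId = "dcr-"          # placeholder: DCR > JSON view > immutableId
$DceURI         = ""              # placeholder: DCE > Overview > Logs Ingestion
$Table          = "LenovoBIOS_CL" # custom table created above

function Get-MonitorToken {
    # Ask the identity endpoint Azure Automation exposes to the runbook for a
    # token issued to the system-assigned managed identity (no stored secret).
    $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER; Metadata = 'True' }
    $uri = "$($env:IDENTITY_ENDPOINT)?resource=https://monitor.azure.com/"
    (Invoke-RestMethod -Uri $uri -Method Get -Headers $headers).access_token
}

function Send-BiosRecords {
    param([Parameter(Mandatory)][object[]]$Records, [int]$BatchSize = 500)
    if (-not $DceURI -or $DcrImmutableId -eq 'dcr-') {
        throw 'Fill in $DceURI and $DcrImmutableId first.'
    }
    $headers = @{ Authorization = "Bearer $(Get-MonitorToken)" }
    # Portal-created custom tables use the stream name "Custom-<table name>".
    $uri = $DceURI.TrimEnd('/') + "/dataCollectionRules/$DcrImmutableId" +
           "/streams/Custom-${Table}?api-version=2023-01-01"
    # Send in batches so a large fleet stays under the 1 MB per-call limit.
    for ($i = 0; $i -lt $Records.Count; $i += $BatchSize) {
        $last = [Math]::Min($i + $BatchSize, $Records.Count) - 1
        # The API expects a JSON array, even for a single record.
        $body = ConvertTo-Json -InputObject @($Records[$i..$last]) -Depth 3
        Invoke-RestMethod -Uri $uri -Method Post -Headers $headers `
            -Body $body -ContentType 'application/json' | Out-Null
    }
}

# Constructed sample record; column names are assumptions (see DCR_Table.json).
$sample = [pscustomobject]@{
    TimeGenerated      = (Get-Date).ToUniversalTime().ToString('o')
    DeviceName         = 'LAPTOP-EXAMPLE01'
    Model              = 'ThinkPad T14 Gen 2'
    CurrentBIOSVersion = '1.50'
    LatestBIOSVersion  = '1.62'
    BIOSUpToDate       = $false
}
Send-BiosRecords -Records @($sample)
```

A 403 response from the POST usually means the Monitoring Metrics Publisher assignment on the DCR is missing or has not propagated yet; it can take several minutes to take effect.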


Create the Runbook

1. Go to your Automation accounts

2. Go to Runbooks

3. Click on Create a runbook

4. Type a name

5. In Runbook type, select PowerShell 

6. Select PowerShell 7

7. Click on Create

8. Go to Edit

9. Copy the content of Runbook.ps1


Publish the Runbook

1. Go to your Runbook

2. Click on Edit

3. Click on Publish

4. Click on Yes


Schedule the Runbook

1. Go to your Runbook

2. Click on Schedules

3. Click on Add a schedule

4. Click on Link a schedule to your runbook

5. Click on Add a schedule

6. Type a name

7. In Recurrence, select Recurring

8. Click on Create


Log Analytics dashboard

What does it look like?

The workbook is divided into 2 tabs:

- BIOS update resume

- BIOS update details


BIOS update resume tab

BIOS update status

Purpose: count of devices with an up-to-date BIOS and without.


Devices with old BIOS

Purpose: count of devices whose BIOS is not up to date. Here a device is counted as having an old BIOS when its current BIOS version is older than 90 days.


Devices with BIOS not uptodate (per model)

Purpose: count of devices whose BIOS is not up to date, by model.


Devices with BIOS not updated since (in days)

Purpose: count of devices whose BIOS is not up to date.


Last BIOS version by model

Purpose: count of devices with old BIOS version by model.


Devices count by BIOS version and model

Purpose: count of devices by BIOS version and model.


BIOS update details tab

Top 10 devices with old BIOS

Purpose: top 10 devices with old BIOS.


Devices with BIOS not uptodate

Purpose: device details where the BIOS is not up to date.


Devices with BIOS < 1 year

Purpose: list of device details where the BIOS is not up to date but is less than 1 year old.


Devices with BIOS > 2 years

Purpose: list of device details where the BIOS is older than 2 years.


Add the workbook

In this part we will add the report.

The report can be downloaded from GitHub, using the link mentioned above.

The report is the file Workbook.json.


To add it, proceed as below:

1. Go to the Azure portal

2. Go to Log Analytics workspace

3. Go to workbooks

4. Click on New


5. Go to Advanced editor


6. Remove all content


7. Go to the GitHub link, there

8. Click on the copy button as below:


9. Click on Apply


10. Click on Done editing then Save
