Lenovo BIOS versions dashboard (up to date or not) with Log Analytics
In this post I will show you a Log Analytics dashboard for Lenovo devices that lets you see which devices have an up-to-date BIOS and which do not, by comparing the current BIOS with the latest one available on the Lenovo website.
What does it do?
Using this report you can easily see:
- How many devices have an old BIOS
- How many devices have an up-to-date BIOS
- List of devices where the BIOS is not up to date
- List of devices with BIOS not up to date, by model
- List of devices with BIOS not up to date, by severity
- List of devices with BIOS older than 2 years
- List of all BIOS versions by model
- Last available versions for all your models
- Severity of the last version (recommended/critical)
The solution
- Create an Azure Automation account
- Use it with Managed Identity
- Create a Runbook in Automation
- The runbook gets all Lenovo devices info
- It compares the current BIOS version with the last one on Lenovo
- It sends the data to Log Analytics
Sources to download
Click on the GitHub picture below to get the following files:
- Runbook.ps1: Azure Automation script
- Assign_permissions.ps1
- Workbook.json: Log Analytics dashboard
- DCR_Table.json: Table to ingest in DCR
Create the account
1. Go to Azure
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription
6. Choose the Resource group
7. Choose your region
8. Click on Create
Set Managed Identity
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
7. Go to the Azure portal
8. Go to Enterprise applications
9. Filter on Managed identity
10. You will find an app with the name of your automation account
Add permissions
The script uses the Graph API to get the BIOS version of all devices.
For this you need to add the appropriate permission on the Graph API.
Run the script Assign_permissions.ps1 with global admin rights.
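To confirm what the managed identity actually holds after Assign_permissions.ps1 has run, the following added example (not part of the original post or its GitHub files) lists its application permissions and flags write-capable ones. It assumes the Microsoft.Graph PowerShell module is installed; the account name is a placeholder.

```powershell
# Added example: audit the application permissions granted to the
# Automation account's system-assigned managed identity.
# Placeholder: set this to the name of your automation account.
$AutomationAccountName = "<your-automation-account-name>"

Connect-MgGraph -Scopes "Application.Read.All"

# The managed identity appears as a service principal named after the account
$mi = Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'" |
    Where-Object ServicePrincipalType -eq 'ManagedIdentity'
if (@($mi).Count -ne 1) {
    throw "Expected exactly one managed identity named '$AutomationAccountName'."
}

# Microsoft Graph's own service principal (well-known appId) defines the app roles
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graph.AppRoles) { $roleNames[$role.Id] = $role.Value }

$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All

$report = foreach ($a in $assignments) {
    # Resolve the role GUID to its permission name when the resource is Graph
    $name = if ($a.ResourceId -eq $graph.Id) { $roleNames[$a.AppRoleId] } else { $a.AppRoleId }
    [pscustomobject]@{
        Resource   = $a.ResourceDisplayName
        Permission = $name
        Granted    = $a.CreatedDateTime
        # A reporting runbook only reads device data, so write-capable
        # permissions on this identity deserve a second look
        Review     = [bool]($name -match 'ReadWrite|\.Write\.|FullControl')
    }
}

$report | Sort-Object Resource, Permission | Format-Table -AutoSize
```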
Log Analytics prerequisites
Create Data Collection Endpoint
1. Go to the Entra portal
2. Go to Monitor
3. Go to Data Collection Endpoints
4. Click on Create
5. Type a name
6. Choose a subscription
7. Choose a resource group or create a new one
8. Choose a region
9. The region should be the same as the workspace's
10. Click on Review+Create then Create
11. Once created, click on the DCE
12. Go to Overview
13. Copy the Logs Ingestion value
You will need it in the runbook
Create custom log (DCR)
We will proceed as below:
1. Go to your Log Analytics workspaces
2. Go to Tables
3. Click on Create
4. Click on New custom log (DCR based)
5. As name type LenovoBIOS_CL
!! Don't change it !!
6. Click on Create a new data collection rule
7. Choose a Subscription
8. Choose a Resource group
9. Type a Name
10. Select the DCE
11. Click on Next
12. Click on Browse for files
13. Select DCR_Table.json
14. Click on Next > Create
15. Go to Monitor
16. Go to Data collection rules
17. Go to your DCR
18. Go to Overview
19. Click on JSON View (on the right side)
20. Copy the immutableId value
You will need it in the runbook
Now we need to give the application permission to use the DCR.
For that proceed as below:
1. Go to your DCR
2. Go to Access Control (IAM)
3. Click on Add role assignment
4. Check Monitoring Metrics Publisher
5. Click on Next
6. Check Managed identity
7. Click on Select members
8. In Managed identity, select Automation Account
9. Check your automation account
10. Click on Select
11. Click on Review + assign
Azure Automation part 2
The runbook
The automation script will proceed as below:
1. Get all Lenovo Intune devices
2. Get the current BIOS version
3. Get device name, model...
4. Get last BIOS available on Lenovo website
5. Compare current BIOS version and last one
6. Send data to Log Analytics
Fill in the variables below in Runbook.ps1:
$DcrImmutableId = "dcr-" # id available in DCR > JSON view > immutableId
$DceURI = "" # available in DCE > Logs Ingestion value
$Table = "CustomLogName_CL" # custom log where to send data
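How these three values come together when a runbook posts rows to the Logs Ingestion API with the managed identity, as an added example (not the project's Runbook.ps1). The column names in the sample row are placeholders that must match DCR_Table.json, and the stream name `Custom-<table>` is assumed to be the one the portal generated for the table.

```powershell
# Added example: send rows to the DCR-based custom table from an
# Azure Automation runbook, authenticating with the managed identity.
$DcrImmutableId = "dcr-"             # DCR > JSON view > immutableId
$DceURI         = ""                 # DCE > Logs Ingestion value
$Table          = "CustomLogName_CL" # custom log where to send data

# Fail early on unfilled values instead of posting to a malformed URL
if ($DcrImmutableId -notmatch '^dcr-.+') { throw "Fill in DcrImmutableId." }
if ($DceURI -notmatch '^https://')     { throw "DceURI must be the https Logs Ingestion URL." }

# Token for Azure Monitor from the runbook's managed identity endpoint;
# no client secret is stored in the script or in Automation variables
$tokenResponse = Invoke-RestMethod -Method Get `
    -Uri "$($env:IDENTITY_ENDPOINT)?resource=https://monitor.azure.com/" `
    -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER; 'Metadata' = 'True' }

# Constructed sample row; column names are placeholders, not the real schema
$rows = @(
    [ordered]@{
        TimeGenerated      = (Get-Date).ToUniversalTime().ToString('o')
        DeviceName         = 'LAPTOP-EXAMPLE'
        Model              = 'EXAMPLE-MODEL'
        CurrentBIOSVersion = '1.00'
        LatestBIOSVersion  = '1.10'
    }
)
$body = ConvertTo-Json -InputObject $rows -Depth 5   # the API expects a JSON array

$uri = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$Table" +
       "?api-version=2023-01-01"
try {
    Invoke-RestMethod -Method Post -Uri $uri -Body $body `
        -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }
    Write-Output "Sent $($rows.Count) row(s) to $Table."
}
catch {
    # 403 usually means the identity lacks Monitoring Metrics Publisher
    # on the DCR, or the role assignment has not propagated yet
    $status = [int]$_.Exception.Response.StatusCode
    throw "Ingestion failed with HTTP ${status}: $($_.Exception.Message)"
}
```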
Create the Runbook
1. Go to your Automation accounts
2. Go to Runbooks
3. Click on Create a runbook
4. Type a name
5. In Runbook type, select PowerShell
6. Select PowerShell 7
7. Click on Create
8. Go to Edit
9. Copy the content of Runbook.ps1
Publish the Runbook
1. Go to your Runbook
2. Click on Edit
3. Click on Publish
4. Click on Yes
Schedule the Runbook
1. Go to your Runbook
2. Click on Schedules
3. Click on Add a schedule
4. Click on Link a schedule to your runbook
5. Click on Add a schedule
6. Type a name
7. In Recurrence, select Recurring
8. Click on Create
Log Analytics dashboard
What does it look like?
The workbook is divided into 2 tabs:
- BIOS update resume
- BIOS update details
BIOS update resume tab
BIOS update status
Purpose: count of devices with BIOS up to date and not up to date.
Devices with old BIOS
Purpose: count of devices with BIOS not up to date. Here an old BIOS means that the current BIOS version is older than 90 days.
Devices with BIOS not uptodate (per model)
Purpose: count of devices with BIOS not up to date, by model.
Devices with BIOS not updated since (in days)
Purpose: count of devices with BIOS not up to date.
Last BIOS version by model and BIOS severity
Purpose: count of devices with old BIOS version by model.
Devices count by BIOS version and model
Purpose: count of devices by BIOS version and model.
BIOS update details tab
Top 10 devices with old BIOS
Purpose: top 10 devices with old BIOS.
Devices with BIOS not uptodate
Purpose: details of devices where the BIOS is not up to date.
Devices with BIOS < 1 year
Purpose: details of devices where the BIOS is not up to date but is less than 1 year old.
Devices with BIOS > 2 years
Purpose: details of devices where the BIOS is older than 2 years.
Add the workbook
In this part we will add the report.
The report can be downloaded from GitHub (link mentioned above).
The report is the file: Workbook.json
To add it, proceed as below:
1. Go to the Azure portal
2. Go to Log Analytics workspace
3. Go to workbooks
4. Click on New
5. Go to Advanced editor
6. Remove all content
7. Go to the GitHub link, there
8. Click on the copy button as below:
9. Click on Apply
10. Click on Done editing then Save