
Lenovo BIOS versions dashboard with Log Analytics




In this post I will show you the new version of the Log Analytics dashboard for Lenovo devices. It lets you see which devices have an up-to-date BIOS and which do not, by comparing the current BIOS version with the latest one available on the Lenovo website.


What does it do?

With this report you can easily see the state of Lenovo BIOS updates on your Intune devices.

The dashboard gets its data from an Azure Automation runbook.

The runbook uses Graph API to get information about all Lenovo devices.

Then, for each device, it compares the current BIOS version with the latest one available on the Lenovo website for that model.


In the dashboard you will see:

- How many devices have old BIOS

- How many devices have an up-to-date BIOS

- List of devices where the BIOS is not up to date

- Devices with BIOS not up to date by model

- Devices with BIOS not up to date by severity

- Count of new BIOS updates in the past few days

- Devices with BIOS not up to date since (in days)

- Last Windows Update package by version and model

- Devices count by Windows Update package version and model

- Devices with BIOS older than 2 years

- List of all BIOS versions by model

- Last available versions for all your models

- Severity of the last version (recommended/critical)


What's new?

- Count of new BIOS updates in the past few days

- Devices with BIOS not up to date since (in days)

- Devices with BIOS not up to date > 100 days (per model)

- BIOS updates available in the past 30 days

- Last Windows Update package by version and model

- Devices count by Windows Update package version and model

- Top 50 devices with old BIOS


In this new version I added data from another table, which lets you see the drivers installed on your devices as well as the available driver updates.

This way you can see the Lenovo BIOS updates available through Windows Update.

To implement it, check this link.


The solution

1. Create an Azure Automation account

2. Use it with Managed Identity

3. Create a Runbook in Automation

4. The runbook gets info for all Lenovo devices

5. It compares the current BIOS version with the last one on the Lenovo website

6. Send data to Log Analytics

7. Create dashboard with data


If you have any issues implementing the dashboard, feel free to send me a mail at damien.vanrobaeys@gmail.com


Sources to download

Click on the GitHub picture below to get the following files:

- Runbook.ps1: Azure Automation script

- Assign_permissions.ps1

- Workbook.json: Log Analytics dashboard

- DCR_Table.json: Table to ingest in DCR


The dashboard

The workbook is divided into 2 tabs:

- BIOS update resume

- BIOS update details


BIOS update resume tab

BIOS update status

Purpose: count of devices with BIOS up to date and not up to date.


Devices with BIOS not up to date by severity

Purpose: count of devices with old BIOS by severity (critical or recommended).


Count of new BIOS updates in the past few days

Purpose: count of new BIOS updates available for your Lenovo models.


See below an overview:



Devices with BIOS not updated since (in days)

Purpose: count of devices with BIOS not up to date.


Devices with BIOS not up to date (per model)

Purpose: count of devices with BIOS not up to date by model.


Devices with BIOS not up to date > 100 days (per model)

Purpose: count of devices with BIOS not up to date and older than 100 days by model.


See below an overview:



BIOS updates available in the past 30 days

Purpose: list of the last BIOS updates by model during the last 30 days.


Devices count by BIOS version and model

Purpose: count of devices by BIOS version and model


Last Windows Update package by version and model

Devices count by Windows Update package version and model


See below an overview:



BIOS update details tab

Top 50 devices with old BIOS

Purpose: top 50 devices with old BIOS. 

!!! This query uses the Drivers inventory table.


Devices with BIOS up to date

Purpose: device details where BIOS is up to date.


Devices with BIOS not up to date

Purpose: device details where BIOS is not up to date.


Devices with BIOS > 2 years

Purpose: list of device details where BIOS is older than 2 years.

!!! This query uses the Drivers inventory table.



Log Analytics prerequisites

Create Data Collection Endpoint

1. Go to the Entra portal

2. Go to Monitor

3. Go to Data Collection Endpoints 

4. Click on Create

5. Type a name

6. Choose a subscription, resource group, region

7. Click on Review+Create then Create

8. Once created, click on the DCE

9. Go to Overview

10. Copy the Logs Ingestion value

You will need it in the runbook


Create custom log (DCR)

We will proceed as below:

1. Go to your Log Analytics workspaces

2. Go to Tables

3. Click on Create 

4. Click on New custom log (DCR based)

5. As name type LenovoBIOS_CL

!! Don't change it !!

6. Click on Create a new data collection rule 

7. Choose a Subscription

8. Choose a Resource group

9. Type a Name 

10. Select the DCE 

11. Click on Next

12. Click on Browse for files



13. Select DCR_Table.json

14. Click on Next > Create

15. Go to Monitor

16. Go to Data collection rules 

17. Go to your DCR

18. Go to Overview

19. Click on JSON View (on the right side)

20. Copy the immutableId value


You will need it in the runbook

Now we need to give the application permission to use the DCR. 


For that proceed as below:

1. Go to your DCR

2. Go to Access Control (IAM) 


3. Click on Add role assignment


4. Check Monitoring Metrics Publisher 


5. Click on Next

6. Check Managed identity

7. Click on Select members

8. In Managed identity, select Automation Account


9. Check your automation account

10. Click on Select

11. Click on Review + assign 


Creating the Azure Automation account

1. Go to Azure portal

2. Go to Automation accounts

3. Click on Create

4. Type a name

5. Choose a Subscription

6. Choose the Resource group

7. Choose your region

8. Click on Create


Setting Managed Identity

1. Go to your automation account

2. Go to Identity

3. Go to System assigned

4. Select On

5. Click on Save

6. Click on Yes


Adding permissions

The script uses Graph API to get the BIOS version of all devices.

For this you need to grant the appropriate Graph API permission.

Run the script Assign_permissions.ps1 with global admin rights.


Creating the Runbook

1. Go to your Automation accounts

2. Go to Runbooks

3. Click on Create a runbook

4. Type a name

5. In Runbook type, select PowerShell 

6. Select PowerShell 7

7. Click on Create

8. Go to Edit

9. Copy the content of Runbook.ps1


The runbook

The automation script will proceed as below:

1. Get all Lenovo Intune devices

2. Get the current BIOS version

3. Get device name, model...

4. Get last BIOS available on Lenovo website

5. Compare current BIOS version and last one

6. Send data to Log Analytics


Fill in the variables below in Runbook.ps1:

$DcrImmutableId = "dcr-" # id available in DCR > JSON view > immutableId

$DceURI = "" # available in DCE > Logs Ingestion value

$Table = "CustomLogName_CL" # custom log where to send data
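
The compare-and-send steps described above, as an added example (not the project's Runbook.ps1): it tags each device by comparing versions and posts the records to the DCE with the Automation account's managed identity. The column names, the BIOSState values and the helper function names are assumptions; the real columns are those defined in DCR_Table.json.

```powershell
$DcrImmutableId = "dcr-"           # DCR > JSON view > immutableId
$DceURI         = ""               # DCE > Overview > Logs Ingestion value
$Table          = "LenovoBIOS_CL"  # custom table created in the DCR step

function Get-MonitorToken {
    # Managed identity token from the endpoint exposed inside the Automation sandbox.
    $uri = "$($env:IDENTITY_ENDPOINT)?resource=https://monitor.azure.com/"
    $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER; Metadata = 'True' }
    (Invoke-RestMethod -Uri $uri -Method Get -Headers $headers).access_token
}

function Add-BiosState {
    # Compare as [version], not as strings: "1.9" sorts after "1.10" as text.
    # Assumption: both values are plain dotted numbers such as "1.25".
    param([Parameter(ValueFromPipeline)] $Device)
    process {
        $old = [version]$Device.CurrentBIOSVersion -lt [version]$Device.LatestBIOSVersion
        $state = if ($old) { 'notuptodate' } else { 'uptodate' }
        $Device | Add-Member -NotePropertyName BIOSState -NotePropertyValue $state -PassThru
    }
}

function Send-BiosRecords {
    param([object[]] $Records, [string] $Token, [int] $BatchSize = 500)
    # The stream name is the table name prefixed with "Custom-".
    $uri = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$($Table)?api-version=2023-01-01"
    for ($i = 0; $i -lt $Records.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $Records.Count) - 1
        # Wrap in @() so a single record is still serialized as a JSON array.
        $body  = ConvertTo-Json -InputObject @($Records[$i..$last]) -Depth 3
        $reply = Invoke-WebRequest -Uri $uri -Method Post -Body $body `
            -ContentType 'application/json' -Headers @{ Authorization = "Bearer $Token" }
        Write-Output "Records $i..$last sent, HTTP $($reply.StatusCode)"
    }
}

# Constructed sample devices; column names are hypothetical (see DCR_Table.json).
$now = (Get-Date).ToUniversalTime().ToString('o')
$records = @(
    [pscustomobject]@{ TimeGenerated = $now; DeviceName = 'PC-001'; Model = 'ModelA'
                       CurrentBIOSVersion = '1.9';  LatestBIOSVersion = '1.10' }
    [pscustomobject]@{ TimeGenerated = $now; DeviceName = 'PC-002'; Model = 'ModelB'
                       CurrentBIOSVersion = '1.25'; LatestBIOSVersion = '1.25' }
) | Add-BiosState

if ($DceURI -and $env:IDENTITY_ENDPOINT) {
    Send-BiosRecords -Records $records -Token (Get-MonitorToken)
} else {
    $records | Format-Table DeviceName, CurrentBIOSVersion, LatestBIOSVersion, BIOSState
}
```

The Logs Ingestion API limits a single call to 1 MB, which is why the records are sent in batches. Outside Azure Automation, or with $DceURI left empty, the script only prints the tagged records.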


Publishing the Runbook

1. Go to your Runbook

2. Click on Edit

3. Click on Publish

4. Click on Yes


Scheduling the Runbook

1. Go to your Runbook

2. Click on Schedules

3. Click on Add a schedule

4. Click on Link a schedule to your runbook

5. Click on Add a schedule

6. Type a name

7. In Recurrence, select Recurring

8. Click on Create


Adding the workbook

In this part we will add the report.

The report can be downloaded from GitHub (link mentioned above).

The report is the file: Workbook.json


To add it, proceed as below:

1. Go to the Azure portal

2. Go to Log Analytics workspace

3. Go to Workbooks

4. Click on New


5. Go to Advanced editor


6. Remove all content

7. Go to the GitHub link, there

8. Click on the copy button

9. Click on Apply

10. Click on Done editing then Save
