Lenovo BIOS versions dashboard with Log Analytics and Intune
In this post I will show you the new version of the Log Analytics dashboard for Lenovo devices. It lets you see which devices have an up-to-date BIOS by comparing the installed BIOS version with the latest one available on the Lenovo website.
What does it do?
This dashboard allows you to easily monitor BIOS update status on your Lenovo devices.
You will get a lot of insights:
- Devices that are up to date or not
- Devices that are x versions behind
- Evolution of up-to-date devices over the past year
- Devices that have not been up to date for x days
- Number of devices not up to date by model
- Latest BIOS available for your models
- and more...
The dashboard is organized in 3 tabs:
- BIOS update resume: gives a lot of count information
- BIOS update details: more details about BIOS update on your devices
- Devices to update: list of devices to update
The solution
1. Use Azure Automation account with managed identity
2. Add a Runbook (script)
4. Get info for all your Lenovo devices
5. Compare the current BIOS version with the latest version available*
6. Send data to Log Analytics
7. Create the dashboard with the data
* The script gets the latest BIOS version for a specific model directly from the Lenovo website through the Lenovo API.
If you have any issues about implementing the dashboard, feel free to send me a mail at damien.vanrobaeys@gmail.com
I also added data from another table, allowing you to see the drivers installed on your devices as well as available driver updates.
This way you can see Lenovo BIOS updates available through Windows Update.
To implement it check this link.
What's new?
In Resume tab
BIOS not up to date by count of newer versions
This chart shows the number of devices whose BIOS is not up to date, filtered by the count of versions between the one currently installed and the latest one available on the Lenovo website.
Let's take an example: we have a device "Test", model T14s Gen 5 (21LT).
The current BIOS installed is 1.10 and the latest one available (at this date) is 1.14.
It means there are 4 new versions available for this device, and they may bring a lot of new security features.
Now if the current BIOS version of this device was 1.13, the device would be only one version behind.
The chart looks like this:
Devices with BIOS not up to date since (in days)
This is the same as above for versions, but using the release date.
It counts the number of days between the version currently installed and the latest one available on the Lenovo website.
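The two measures described above (count of newer versions and days between releases), as an added example that is not taken from the author's Runbook.ps1. The release history, its dates and the function name Get-BiosGap are constructed for illustration, and versions are assumed to be dotted numbers such as 1.14.

```powershell
# Constructed release history for one model; versions and dates are sample
# values, not data from the Lenovo website.
$history = @(
    [pscustomobject]@{ Version = '1.9';  Released = [datetime]'2024-03-01' }
    [pscustomobject]@{ Version = '1.10'; Released = [datetime]'2024-05-10' }
    [pscustomobject]@{ Version = '1.11'; Released = [datetime]'2024-07-02' }
    [pscustomobject]@{ Version = '1.12'; Released = [datetime]'2024-09-15' }
    [pscustomobject]@{ Version = '1.13'; Released = [datetime]'2024-11-20' }
    [pscustomobject]@{ Version = '1.14'; Released = [datetime]'2025-01-30' }
)

# Hypothetical helper: how far behind is a device running $CurrentVersion?
function Get-BiosGap {
    param(
        [Parameter(Mandatory)][string]$CurrentVersion,
        [Parameter(Mandatory)][object[]]$History
    )
    # Compare as [version], not as text: as strings '1.9' sorts after '1.10',
    # which would report an old BIOS as newer than it is.
    $installed = [version]$CurrentVersion
    $sorted    = @($History | Sort-Object { [version]$_.Version })
    $latest    = $sorted[-1]
    $current   = $sorted | Where-Object { [version]$_.Version -eq $installed }
    $newer     = @($sorted | Where-Object { [version]$_.Version -gt $installed })

    [pscustomobject]@{
        CurrentVersion = $CurrentVersion
        LatestVersion  = $latest.Version
        VersionsBehind = $newer.Count
        # Days between the installed release and the latest one; $null when the
        # installed version is missing from the history (for example a
        # withdrawn release), so the gap is not silently reported as zero.
        DaysBehind     = if ($current) { ($latest.Released - $current.Released).Days } else { $null }
        UpToDate       = ($newer.Count -eq 0)
    }
}

# The device from the text (1.10 installed, 1.14 latest), then the 1.13 case.
Get-BiosGap -CurrentVersion '1.10' -History $history
Get-BiosGap -CurrentVersion '1.13' -History $history
```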
Evolution of up-to-date devices over the past year
Devices to update tab
This part allows you to easily list devices to update.
Devices to update depending on the age of the current BIOS
In this part you can see the list of devices with a BIOS that is not up to date, depending on the count of new BIOS versions available.
The first step is to choose the number of new BIOS versions available since the one currently installed.
The devices are then listed.
You can also export data to CSV.
Devices to update depending on the count of newer versions available since the current one
In this part you can see the list of devices with a BIOS that is not up to date, depending on the release date.
The first step is to choose the number of new BIOS versions available since the one currently installed.
The devices are then listed.
You can also export data to CSV.
Sources to download
Click on the GitHub picture below to get the following files:
- Runbook.ps1: Azure Automation script
- Assign_permissions.ps1
- Workbook.json: Log Analytics dashboard
- DCR_Table.json: Table to ingest in DCR
Log Analytics prerequisites
Create Data Collection Endpoint
1. Go to the Entra portal
2. Go to Monitor
3. Go to Data Collection Endpoints
4. Click on Create
5. Type a name
6. Choose a subscription, resource group, region
7. Click on Review+Create then Create
8. Once created, click on the DCE
9. Go to Overview
10. Copy the Logs Ingestion value
You will need it in the runbook
Create custom log (DCR)
We will proceed as below:
1. Go to Log Analytics workspaces
2. Go to Tables
3. Click on Create
4. Click on New custom log (DCR based)
5. As name type LenovoBIOS_CL
!! Don't change it !!
6. Click on Create a new data collection rule
7. Choose a Subscription, Resource group
9. Type a Name
10. Select the DCE
11. Click on Next
12. Click on Browse for files
13. Select DCR_Table.json
14. Click on Next > Create
15. Go to Monitor
16. Go to Data collection rules
17. Go to your DCR
18. Go to Overview
19. Click on JSON View
20. Copy the immutableId value
You will need it in the runbook
Now we need to give the application permission to use the DCR.
For that proceed as below:
1. Go to your DCR
2. Go to Access Control (IAM)
3. Click on Add role assignment
4. Check Monitoring Metrics Publisher
5. Click on Next
6. Check Managed identity
7. Click on Select member
8. In Managed identity, select Automation Account
9. Check your automation account
10. Click on Select
11. Click on Review + assign
Creating the Automation account
1. Go to Azure portal
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription and Resource group
6. Choose your region
7. Click on Create
Setting Managed Identity
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
Adding permissions
The script uses the Graph API to get the BIOS version of all devices.
For this you need to add the appropriate permission on the Graph API.
Run the script Assign_permissions.ps1 with global admin rights.
Creating the Runbook
1. Go to your Automation accounts
2. Go to Runbooks
3. Click on Create a runbook
4. Type a name
5. In Runbook type, select PowerShell
6. Select PowerShell 7
7. Click on Create
8. Go to Edit
9. Copy content of Runbook.ps1
The runbook
The automation script will proceed as below:
1. Get all Lenovo Intune devices
2. Get the current BIOS version
3. Get device name, model...
4. Get last BIOS available on Lenovo website
5. Compare current BIOS version and last one
6. Send data to Log Analytics
Fill in the variables below in Runbook.ps1:
$DcrImmutableId = "dcr-" # id available in DCR > JSON view > immutableId
$DceURI = "" # available in DCE > Logs Ingestion value
$Table = "LenovoBIOS_CL" # custom log where to send data
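How these three variables and the managed identity fit together in a Logs Ingestion call, as an added example that is not the author's Runbook.ps1: the runbook stores no secret, and the identity only needs Monitoring Metrics Publisher on the DCR. Assumptions: the column names are hypothetical and must match DCR_Table.json, the stream name follows the Custom-<table> form (check streamDeclarations in the DCR JSON view), and the angle-bracket values are placeholders.

```powershell
$DcrImmutableId = "dcr-<immutableId>"             # placeholder: DCR > JSON view > immutableId
$DceURI         = "https://<logs-ingestion-host>" # placeholder: DCE > Logs Ingestion value
$Table          = "LenovoBIOS_CL"

function New-IngestionRequest {
    param([string]$DceURI, [string]$DcrImmutableId, [string]$Table, [object[]]$Records)
    [pscustomobject]@{
        # A DCR-based custom table is addressed through the stream "Custom-<table>".
        Uri  = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$($Table)?api-version=2023-01-01"
        # -InputObject keeps a single record serialized as a JSON array; piping
        # would unroll it into a bare object, and the API expects an array.
        Body = ConvertTo-Json -InputObject $Records -Depth 4
    }
}

function Get-MonitorToken {
    # Azure Automation exposes the system-assigned identity through these two
    # environment variables; nothing has to be stored in the runbook.
    $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER; 'Metadata' = 'True' }
    $uri     = "$($env:IDENTITY_ENDPOINT)?resource=https://monitor.azure.com/"
    (Invoke-RestMethod -Uri $uri -Headers $headers -Method Get).access_token
}

# Constructed sample record; the column names are hypothetical.
$records = @(
    [pscustomobject]@{
        TimeGenerated  = (Get-Date).ToUniversalTime().ToString('o')
        DeviceName     = 'Test'
        Model          = '21LT'
        CurrentVersion = '1.10'
        LatestVersion  = '1.14'
    }
)

$request = New-IngestionRequest -DceURI $DceURI -DcrImmutableId $DcrImmutableId `
                                -Table $Table -Records $records

if ($env:IDENTITY_ENDPOINT) {
    # Inside Azure Automation: authenticate as the managed identity and send.
    $token = Get-MonitorToken
    Invoke-RestMethod -Uri $request.Uri -Method Post -Body $request.Body `
        -ContentType 'application/json' -Headers @{ Authorization = "Bearer $token" }
} else {
    # Outside Automation (for example on a workstation): only show the request.
    $request
}
```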
Publishing the Runbook
1. Go to your Runbook
2. Click on Edit
3. Click on Publish
4. Click on Yes
Scheduling the Runbook
1. Go to your Runbook
2. Click on Schedules
3. Click on Add a schedule
4. Click on Link a schedule to your runbook
5. Click on Add a schedule
6. Type a name
7. In Recurrence, select Recurring
8. Click on Create
Adding the workbook
In this part we will add the report.
The report can be downloaded from GitHub (link mentioned above).
The report is the file Workbook.json.
To add it, proceed as below:
1. Go to the Azure portal
2. Go to Log Analytics workspace
3. Go to workbooks
4. Click on New
5. Go to Advanced editor
6. Remove all content
7. Go to the GitHub link, there
8. Click on the copy button
9. Click on Apply
10. Click on Done editing then Save