Introduction
Using compliance policies in Intune is a great idea for many reasons. The main reason is to be able to set certain security standards before granting your users access to company resources.
Letting your users deal with setup configurations in the BIOS might be too much to ask, so this blog post will show how we can regulate device BIOS configurations with a dynamic configuration stored in the cloud.
Requirements
- Microsoft Endpoint Manager
- Lenovo device
- GitHub
Setup BIOS script and configuration
First we need to know which configuration settings are available on the system.
Start an elevated PowerShell prompt and run:
(Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi).CurrentSetting | Where-Object {$_ -ne ""} | Sort-Object
The output lists each setting as Setting,Value. Here we see the parameter we need to use for configuring SecureBoot. Copy that.
Go to GitHub (if you don't have an account already, create one, or use another storage type that can host your CSV).
Add file
Create new files
Give it a name
Add these values to it (you can add as many as you like to configure on your device):
Setting,Value;
SecureBoot,Enable;
Commit changes
Click on the CSV file
Click RAW
Copy the URL
Download this script
Paste your link into the script
Save it locally.
Go to Endpoint Manager https://endpoint.microsoft.com/
Go to Endpoint analytics
Proactive remediations
Create script package
Give it a name
Insert detection script and Remediation script.
Detection script can be downloaded here
The remediation script is the one where you added the URL.
Click next
Select groups to include
Choose a test group with a few clients and work your way toward full production.
My flow will run every day.
Create
Now sit back, relax, enjoy a cup of coffee and watch your remediation data stream into Endpoint Manager.
On the client a local log is placed for the Intune diagnostics collector to collect, if you need to debug.
Next time the compliance check happens.
Summary
Compliance settings are great once you have found out how to use them correctly. They can be somewhat difficult, as some use cases are hard to cover.
I hope this post helped you see the benefit of configuring your setup as dynamically as possible, so you can easily add new changes without too much effort.
Happy testing!
Hi,
Thanks for the cool script. I am wondering, if you run this script on a machine that has secure boot disabled, will the user be interrupted or will, for example, BitLocker trigger with a recovery key?
If you are not able to enable secure boot, what will the impact be?
As I understand it, there is a relation between PCR7 and SecureBoot? What happens if the BIOS says PCR7 binding is not possible, does this mean that we cannot enable SecureBoot?
Thanks for the reply
/Ole
Hi Ole
If secure boot is disabled, your users will not be prompted for BitLocker recovery when the script enables secure boot. At least I have not seen any BitLocker recovery triggered yet.
Good question about PCR7. I saw no issues in that area when I did my testing. It might be different from vendor to vendor.
Thank you for the great post. I am using your method to change another Bios setting and having some trouble with it. Yes, I am using Lenovo devices. I am trying to enable 'Virtualization' at scale. Here is what I get from the PS output:
Intel(R) Virtualization Technology,Enabled;[Optional:Disabled,Enabled]
This is what I am trying to use, tried quotes and no quotes:
Setting,Value;
"Intel(R) Virtualization Technology",Enabled;
I was wondering if you had any ideas? Thanks
Hi there. Thanks for that!
I don't see that setting apply for my Lenovo device. Have you tried with:
VirtualizationTechnology,Enable
VTdFeature,Enable
I have updated my github, so you can see the format that works.
https://github.com/mmelkersen/EndpointManager/blob/main/BIOS/BiosConfiguration.csv
Thank you for your response. So, to dive a little deeper with more testing: your instructions worked great, changing out the secure boot setting for what I want enabled in the detection and remediation files.
The Lenovo laptops have these setting names, which I am successfully able to configure now:
VirtualizationTechnology,Enable
VTdFeature,Enable
On the other hand, the Lenovo desktops have these setting names:
Intel(R) Virtualization Technology,Enabled
VT-d,Enabled
This is what I am putting in the 'GitHub' .csv file I created:
Setting,Value;
"Intel(R) Virtualization Technology",Enabled;
I have tried with quotes, without quotes, all of the above. This is what the logs show on the workstations:
[05/10/21 10:00:13] - INFO : Testing if hardware
[05/10/21 10:00:14] - INFO : Read current BIOS Settings.
[05/10/21 10:00:14] - INFO : Getting BIOS cloud configuration
[05/10/21 10:00:14] - INFO : Config to apply
[05/10/21 10:00:14] - INFO : Change to do: Intel(R)
[05/10/21 10:00:14] - ERROR : Can not change setting Intel(R) (Return code Invalid Parameter)
[05/10/21 10:00:14] - INFO : Change to do: Virtualization
[05/10/21 10:00:14] - ERROR : Can not change setting Virtualization (Return code Invalid Parameter)
[05/10/21 10:00:14] - INFO : Change to do: Technology,Enabled
[05/10/21 10:00:14] - ERROR : Can not change setting Technology,Enabled (Return code Invalid Parameter)
[05/10/21 10:00:14] - SUCCESS : BIOS settings have been saved
[05/10/21 10:00:14] - INFO : Script finished
[05/10/21 10:00:14] - :
[05/10/21 14:32:02] - INFO : Testing if hardware
[05/10/21 14:32:02] - INFO : Read current BIOS Settings.
[05/10/21 14:32:02] - INFO : Getting BIOS cloud configuration
[05/10/21 14:32:02] - INFO : Config to apply
[05/10/21 14:32:03] - INFO : Change to do: "Intel(R)
[05/10/21 14:32:03] - ERROR : Can not change setting "Intel(R) (Return code Invalid Parameter)
[05/10/21 14:32:03] - INFO : Change to do: Virtualization
[05/10/21 14:32:03] - ERROR : Can not change setting Virtualization (Return code Invalid Parameter)
[05/10/21 14:32:03] - INFO : Change to do: Technology",Enabled
[05/10/21 14:32:03] - ERROR : Can not change setting Technology",Enabled (Return code Invalid Parameter)
[05/10/21 14:32:03] - SUCCESS : BIOS settings have been saved
[05/10/21 14:32:03] - INFO : Script finished
[05/10/21 14:32:03] - :
Any advice would be great, thank you.
I have found the issue. I will make a new version as soon as I have time.
Hello, thank you so much Mattias for your help. Looking forward to the update. I have tried so many different ways, tried searching everywhere. Have a wonderful day.
This is great. One thing to keep in mind: Lenovo BIOS settings are not standard across models. Maybe they have finally standardized them, but you should probably create these per model.
Hey Mattias,
Thanks for the post and instructions. I have everything all set up, and the logs on the system itself show a successful settings update, but when I reboot the machine and check the system information I'm still getting the Secure Boot : Off setting. I've got the proactive remediation to run every hour for testing purposes, and the device remediation status reports "Failed" in Endpoint Manager. Even the detection status reports "With Issues". Am I missing something?
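As an added example (not the post's own script nor the one on the author's GitHub), here is one way to write the detection/remediation script the setup section describes, with the cloud CSV split on ';' and newlines instead of spaces so a name such as Intel(R) Virtualization Technology from the logs above stays one entry, and settings that do not exist on a given model are skipped rather than failing. The URL and log path are placeholders, and it assumes no BIOS supervisor password is set.

```powershell
# Added example (not the post's script). Placeholder URL; assumes Lenovo WMI BIOS classes
# are present and no supervisor password is set (otherwise append ",<pwd>,ascii,us").
param(
    [string]$ConfigUrl = 'https://example.invalid/BiosConfiguration.csv',  # placeholder
    [switch]$DetectOnly   # run with -DetectOnly as the detection script
)
$Log = "$env:ProgramData\BiosConfig.log"   # picked up by the Intune diagnostics collector
function Write-Log([string]$Level, [string]$Msg) {
    Add-Content -Path $Log -Value ('[{0}] - {1} : {2}' -f (Get-Date -Format 'MM/dd/yy HH:mm:ss'), $Level, $Msg)
}
# Parse the cloud CSV: one "Setting,Value" pair per entry, entries separated by ';' or newlines.
# Never split on spaces, so "Intel(R) Virtualization Technology,Enabled" stays one entry.
function ConvertFrom-BiosCsv([string]$Text) {
    foreach ($entry in ($Text -split '[;\r\n]+')) {
        $pair = $entry.Trim().Trim('"')
        if (-not $pair -or $pair -eq 'Setting,Value' -or $pair -notmatch ',') { continue }  # blanks, header
        $name, $value = $pair -split ',', 2
        [pscustomobject]@{ Name = $name.Trim().Trim('"'); Value = $value.Trim().Trim('"') }
    }
}
if ((Get-WmiObject -Class Win32_ComputerSystem).Manufacturer -notmatch 'LENOVO') {
    Write-Log INFO 'Not a Lenovo device, nothing to do'; exit 0
}
# Current BIOS state, e.g. "SecureBoot,Enable" or "VT-d,Enabled;[Optional:Disabled,Enabled]"
$current = @{}
(Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi).CurrentSetting |
    Where-Object { $_ } | ForEach-Object {
        $n, $v = $_ -split ',', 2
        if ($v) { $current[$n] = ($v -split ';')[0] }   # drop the "[Optional:...]" tail
    }
$wanted  = ConvertFrom-BiosCsv (Invoke-WebRequest -Uri $ConfigUrl -UseBasicParsing).Content
$drift   = @($wanted | Where-Object { $current.ContainsKey($_.Name) -and $current[$_.Name] -ne $_.Value })
$missing = @($wanted | Where-Object { -not $current.ContainsKey($_.Name) })
foreach ($m in $missing) { Write-Log WARN "Setting '$($m.Name)' does not exist on this model, skipping" }
if ($DetectOnly) {   # exit 1 = non-compliant, which makes Intune run the remediation script
    if ($drift.Count -gt 0) { Write-Log INFO "$($drift.Count) setting(s) drifted"; exit 1 } else { exit 0 }
}
$setter = Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi
foreach ($d in $drift) {
    $rc = $setter.SetBiosSetting("$($d.Name),$($d.Value)").return
    if ($rc -eq 'Success') { Write-Log INFO "Changed $($d.Name) to $($d.Value)" }
    else { Write-Log ERROR "Can not change setting $($d.Name) (Return code $rc)" }
}
if ($drift.Count -gt 0) {
    $rc = (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings().return
    if ($rc -eq 'Success') { Write-Log SUCCESS 'BIOS settings have been saved (takes effect after reboot)' }
    else { Write-Log ERROR "Save failed (Return code $rc)" }
}
Write-Log INFO 'Script finished'
```

Upload the same file twice in the script package, once as the detection script run with -DetectOnly and once as the remediation script; a changed setting only takes effect after the next reboot, which is why System Information can still show the old value right after a successful run.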
Hi chris
You are absolutely welcome. Can you DM me on Twitter? MMelkersen, then it is easier to communicate and help you out.