Go to mindcore.dk

Intune compliance with Lenovo dynamic BIOS configuration

Intune compliance with Lenovo dynamic BIOS configuration

Introduction

Using compliance policies in Intune is a great idea for many reasons. Main reason is to be able to set certain security standards before granting your users’ access to company resources.

Letting your users deal with setup configurations in BIOS might be to much of a task to be asking, so this blog post will show how we can regulate device BIOS configurations with a dynamic configuration stored in the cloud.

 

Requirements

  • Microsoft Endpoint Manager
  • Lenovo device
  • GitHub

 

Setup BIOS script and configuration

We need to know the configuration available for the system.

Start an elevated PowerShell Prompt

(Get-WmiObject -Class Lenovo_BiosSetting -Namespace rootwmi).CurrentSetting | Where-Object {$_ -ne “”} | Sort-Object

 

Here we see the parameter we need to use for configuring SecureBoot. Copy that.

 

Go to GitHub (if you don’t have one already start creating one, or use another storage type that can host your csv.)

Add file

Create new files

 

Give it a name

 

Add these values to it (you can add as many you like, to configure on your device)

 

Setting,Value;SecureBoot,Enable;

   

Commit changes

 

Click on the CSV file

 

Click RAW

 

Copy the URL

 

Download this script

Paste your link into the script

Save it locally.

 Go to Endpoint Manager https://endpoint.microsoft.com/

 

Go to Endpoint analytics

 

Proactive remediations

 

Create script package

 

Give it a name

 

Insert detection script and Remediation script.

Detection script can be downloaded here

Remediation script is the one you where you added the URL.

 

Click next

 

Select groups to include

Choose a test group with few clients and work your way toward full production.

My flow will run every day.

Create

 

Now sit back and relax enjoy a cup of coffee and see your remediation data stream into Endpoint Manager.

 

On the client a local log is placed for the Intune diagnostics collector to collect if you need to debug

 

Next time compliance check happens

 

Summary

Compliance settings is great once you found out how to use them correctly. They can be somewhat difficult, as some use cases are difficult to cover.

Hope this post helped you to see the benefit of configuring your setup as dynamic as possible for you to easily add new changes without to much effort.

Happy testing!

Share this post

Table of Contents

Share this post
Search blog posts
Search
Authors

Mattias Melkersen Kalvåg

Modern Workplace consultant and a Microsoft MVP in Enterprise Mobility.

View all posts

Linkedin Youtube X-twitter

Sune Thomsen

Modern Workplace consultant and a Microsoft MVP in Windows and Devices.

View all posts

Linkedin X-twitter

Lars Lohmann Blem

Infrastructure architect with focus on Modern Workplace and Microsoft 365 security.

View all posts

Linkedin X-twitter

Michael Nielsen

Cloud & security specialist with focus on Microsoft backend products and cloud technologies.

View all posts

Linkedin

Michael Morten Sonne

Cloud & security specialist with focus on Microsoft 365.

View all posts

Linkedin

Daniel Britze

Cloud & Security Specialist, with a passion for all things Cybersecurity

View all posts

Linkedin

Frank van Zandwijk

Cloud and infrastructure security specialist with background in networking.

View all posts

Linkedin

Henning Hofflund

Infrastructure architect with focus on design, implementation, migration and consolidation.

View profile

Linkedin

Martin Vittrup Henriksen

Infrastructure consultant with focus on cloud solutions in Office365 and Azure.

View all posts

Linkedin X-twitter

Marcin Chwala

Modern workplace and infrastructure architect with a focus on Microsoft 365 and security.

View all posts

Linkedin
follow us in feedly
Categories

    • Follow on SoMe

    Linkedin X-twitter

    Contact us

    Follow us

    Linkedin X-twitter