Introduction
Using compliance policies in Intune is a great idea for many reasons. The main reason is to be able to set certain security standards before granting your users access to company resources.
Asking your users to deal with setup configurations in BIOS might be too much, so this blog post will show how we can regulate device BIOS configurations with a dynamic configuration stored in the cloud.

Requirements
- Microsoft Endpoint Manager
- Lenovo device
- GitHub
Setup BIOS script and configuration
We need to know the configuration available for the system.
Start an elevated PowerShell Prompt
(Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi).CurrentSetting | Where-Object {$_ -ne ""} | Sort-Object

Here we see the parameter we need to use for configuring SecureBoot. Copy that.

Go to GitHub (if you don’t have an account already, create one, or use another storage type that can host your CSV).
Add file
Create new files

Give it a name

Add these values to it (you can add as many as you like, to configure on your device)

Setting,Value
SecureBoot,Enable
Commit changes

Click on the CSV file

Click RAW

Copy the URL

Download this script
Paste your link into the script

Save it locally.
Go to Endpoint Manager https://endpoint.microsoft.com/

Go to Endpoint analytics

Proactive remediations

Create script package

Give it a name

Insert detection script and Remediation script.
Detection script can be downloaded here
Remediation script is the one where you added the URL.

Click next

Select groups to include
Choose a test group with few clients and work your way toward full production.
My flow will run every day.

Create
Now sit back, relax, enjoy a cup of coffee, and see your remediation data stream into Endpoint Manager.

On the client, a local log is placed for the Intune diagnostics collector to collect if you need to debug.
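To make the detection side of the flow concrete, here is an added example (not the script linked in this post) that fetches the CSV and compares it with what the Lenovo WMI class reports. It assumes the CSV has a Setting,Value header row; the URL is a placeholder and the function names are hypothetical.

```powershell
# Added example: detection logic for a Proactive remediations script package.
# $CsvUrl is a placeholder; use the RAW URL you copied from your own repository.
$CsvUrl = 'https://raw.githubusercontent.com/<account>/<repo>/main/<file>.csv'

function Get-DesiredBiosSetting {
    param([Parameter(Mandatory)][string]$Url)
    # Refuse anything but HTTPS so the policy is never fetched over a cleartext channel.
    if ($Url -notmatch '^https://') { throw "Configuration URL must use HTTPS: $Url" }
    $raw = (Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop).Content
    # Assumed layout: header row "Setting,Value", then one setting per line.
    $raw -split '\r?\n' | Where-Object { $_.Trim() } |
        ConvertFrom-Csv | Where-Object { $_.Setting -and $_.Value }
}

function Get-CurrentBiosSetting {
    # Lenovo returns each setting as "Name,Value" (some models append ";[Optional:...]").
    $current = @{}
    Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi |
        Where-Object { $_.CurrentSetting } |
        ForEach-Object {
            $name, $value = ($_.CurrentSetting -split ';')[0] -split ',', 2
            $current[$name] = $value
        }
    $current
}

function Compare-BiosSetting {
    param($Desired, [hashtable]$Current)
    foreach ($row in $Desired) {
        if (-not $Current.ContainsKey($row.Setting)) {
            # A name the device does not expose is reported, not silently accepted.
            "UNKNOWN  $($row.Setting) is not exposed by this device"
        } elseif ($Current[$row.Setting] -ne $row.Value) {
            "DRIFT    $($row.Setting): current=$($Current[$row.Setting]) desired=$($row.Value)"
        }
    }
}

try {
    $desired  = Get-DesiredBiosSetting -Url $CsvUrl
    $findings = @(Compare-BiosSetting -Desired $desired -Current (Get-CurrentBiosSetting))
} catch {
    # Fetch or WMI failures are surfaced as an issue in the report.
    Write-Output "Detection failed: $($_.Exception.Message)"
    exit 1
}
if ($findings.Count -gt 0) { $findings | Write-Output; exit 1 }  # exit 1 = remediation runs
Write-Output 'BIOS settings match the CSV'
exit 0
```

Anyone who can change the hosted CSV can change BIOS settings on every targeted device, so restrict write access to the repository and protect the branch the RAW URL points to.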

Next time compliance check happens

Summary
Compliance settings are great once you have found out how to use them correctly. They can be somewhat difficult, as some use cases are difficult to cover.
Hope this post helped you to see the benefit of making your setup as dynamic as possible, so you can easily add new changes without too much effort.
Happy testing!