This text has been moved to https://weblog.lenovocdrt.com/#/2021/intune_bios_settings
There are already several great articles out in the community that walk through how to configure BIOS settings through Intune, the majority of them being PowerShell solutions.
This post will show an alternative method for configuring BIOS settings using our official Think BIOS Config HTA, which was released back in 2016. This solution can also be leveraged as part of an Autopilot deployment.
Before proceeding, make sure you have an exported .ini file that contains the desired BIOS settings you want applied to your target systems. Refer to the documentation provided in the TBCT zip on how to obtain this file. For this demonstration, I’ve exported the following .ini from a T14s (Intel)
Since my target systems have a Supervisor password already set, the first line is the encrypted Supervisor password, which was created using the specified secret key as part of the tool’s capture process. Note that there is no way to set an initial Supervisor password with this tool.
Preparing the Win32 App source files
Create a temp directory and place the HTA, .ini file, and the following sample PowerShell script (save as a .ps1), which will be used to call the tool and apply the .ini.
Note: The $arg variable is important as this holds the file and password switches. You will need to replace ThinkPadBiosConfig.ini with whatever you named your .ini file. Replace secretkey with the encrypting key you specified during the capture process.
# Tag file used by the Intune detection rule
$tag = "$($env:ProgramData)\Lenovo\ThinkBiosConfig\ThinkBiosConfig.tag"
# Switches passed to the HTA: the .ini to apply and the encrypting key
$arg = '"file=ThinkPadBiosConfig.ini" "key=secretkey"'
# Folder where the tool writes its log
$log = '"log=%ProgramData%\Lenovo\ThinkBiosConfig""'

try {
    if (!(Test-Path -Path $tag -PathType Leaf)) {
        Write-Host "Creating TBCT directory..."
        New-Item -ItemType File -Path $tag -Force -ErrorAction Stop
        Set-Content -Path $tag -Value "Bios Settings Configured"
        Write-Host "Tag file created..."
        # Run the HTA and wait for it to finish
        Start-Process cmd.exe -ArgumentList "/C ThinkBiosConfig.hta $arg $log" -NoNewWindow -Wait
        Write-Host "Bios Settings Configured"
        # 3010 = success, reboot required
        Exit 3010
    }
    else {
        Write-Host "Bios Settings already configured..."
        Exit 0
    }
}
catch [System.IO.IOException] {
    Write-Host "$($_.Exception.Message)"
}
catch {
    Write-Host "$($_.Exception.Message)"
}
Your directory should have 3 items
Create/Upload the Win32 App
We’ll use the Win32 Content Prep tool to create an .intunewin file that will be uploaded to Intune.
Once the .intunewin file has been created, sign in to the MEM admin center and create a new Windows client app. Choose Windows app (Win32) for the app type and select the .intunewin package file to upload.
Specify the App Information
Enter the Install command:
powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\Set-BiosSettings.ps1
and Uninstall command:
cmd.exe /c del %ProgramData%\Lenovo\ThinkBiosConfig\ThinkBiosConfig.tag
Set Operating system architecture to 64-bit and Minimum operating system to Windows 10 1607
Add a Registry requirement type rule to check that the target system is Lenovo (Optional)
Key path: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Value name: SystemManufacturer
Registry key requirement: String comparison
Operator: Equals
Value: LENOVO
Add a File type rule to check for the presence of the tag that gets created by the PowerShell script. We’ll use this for the detection method.
Path: %ProgramData%\Lenovo\ThinkBiosConfig
File or folder: ThinkBiosConfig
Detection method: File or folder exists
Finally, Review + Save to create the new app and deploy to a Device Group.
On my test machine, I see toast notifications that show the BIOS has been configured and to reboot.
The tool generates a log file, so here you can see my Supervisor password has been validated with the encrypting key and the settings have been applied successfully.
Additional Notes:
- You can combine settings across different products into a single .ini and apply them to all of your devices which use the same BIOS password (only one password can be specified per .ini file). There may be a BIOS setting from one system with a value of Enabled while another system’s value is Enable. For example: LockBIOSSetting,Enable vs. LockBIOSSetting,Enabled. If one doesn't apply to a device, it’ll simply skip it.
- If you choose to deploy this as a Required app for Autopilot devices, the dreaded reboot during ESP will occur, resulting in the extra user login.
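The sample script writes its tag file before the HTA is launched, so the File detection rule shows that the script ran rather than that the settings took effect. As an added example (not part of the original post or of Lenovo's tooling), the PowerShell below compares the values listed in the .ini with what the device reports, and accepts either spelling when a combined .ini lists both Enable and Enabled. It assumes the .ini holds one Name,Value pair per line and that the Lenovo_BiosSetting WMI class is available; Compare-BiosSetting and the sample values are hypothetical.

```powershell
# Added example, not Lenovo's code. Assumptions: the .ini holds one "Name,Value" pair
# per line after the encrypted password line, and the device exposes the
# Lenovo_BiosSetting WMI class (root\wmi) with CurrentSetting strings in the same form.
function Compare-BiosSetting {
    param(
        [string[]]$IniLines,         # lines of the exported .ini
        [string[]]$CurrentSettings   # CurrentSetting strings read from the device
    )
    # Index the device's values by setting name, dropping any ";..." suffix.
    $current = @{}
    foreach ($s in $CurrentSettings) {
        if ([string]::IsNullOrWhiteSpace($s)) { continue }
        $name, $value = ($s -split ';')[0] -split ',', 2
        $current[$name.Trim()] = "$value".Trim()
    }
    # Collect every value the .ini lists per name; a combined .ini may carry both
    # "Enable" and "Enabled" for one setting. Lines without "Name,Value" are skipped.
    $wanted = [ordered]@{}
    foreach ($line in $IniLines) {
        if ($line -match '^\s*([^,\s]+)\s*,\s*([^,]+?)\s*$') {
            if (-not $wanted.Contains($Matches[1])) { $wanted[$Matches[1]] = @() }
            $wanted[$Matches[1]] += $Matches[2]
        }
    }
    foreach ($name in $wanted.Keys) {
        if (-not $current.ContainsKey($name)) { $state = 'NotOnDevice' }
        elseif ($wanted[$name] -contains $current[$name]) { $state = 'Match' }
        else { $state = 'Drift' }
        [pscustomobject]@{
            Setting = $name
            Wanted  = $wanted[$name] -join '|'
            Actual  = $current[$name]
            State   = $state
        }
    }
}

# Constructed sample input, not taken from a real device or from the post's .ini.
$ini    = '<encrypted supervisor password>', 'LockBIOSSetting,Enable',
          'LockBIOSSetting,Enabled', 'SecureBoot,Enable', 'WakeOnLAN,Disable'
$device = 'LockBIOSSetting,Enable', 'SecureBoot,Disable'
Compare-BiosSetting -IniLines $ini -CurrentSettings $device | Format-Table -AutoSize

# On a managed device, read the live values instead:
# $device = (Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting).CurrentSetting
```

Rows with State set to Drift are the ones to investigate; NotOnDevice corresponds to settings the tool skips because they do not apply to that model.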