6.6 C
New York
Friday, January 12, 2024

Configure BIOS Settings By means of Intune with the Assume BIOS Config Software

This text has been moved to https://weblog.lenovocdrt.com/#/2021/intune_bios_settings

There’s already a number of nice articles out locally that stroll by way of how you can configure BIOS settings by way of Intune.  The vast majority of them being PowerShell options.  

This submit will present an alternate technique for configuring BIOS settings utilizing our official Assume BIOS Config HTA that was launched again in 2016.  This answer will also be leveraged as a part of an Autopilot deployment.

Earlier than continuing, be sure you have an exported .ini file that incorporates the specified BIOS settings you need utilized to your goal programs.   Seek advice from the documentation offered within the TBCT zip on how you can receive this file.  For this demonstration, I’ve exported the next .ini from a T14s (Intel)

Since my goal programs have a Supervisor password already set, the primary line is the encrypted Supervisor password which was created utilizing the desired secret key as a part of the instrument’s seize course of.  Word, there isn’t any solution to set an preliminary Supervisor password with this instrument.

Getting ready the Win32 App supply information

Create a temp listing and place the HTA, .ini file, and the next pattern PowerShell script (save as a .ps1), which might be used to name the instrument and apply the .ini.

Word: The $arg variable is crucial as this holds the file and password switches.  You will want to interchange ThinkPadBiosConfig.ini to no matter you named your .ini file.  Exchange secretkey to the encrypting key you specified in the course of the seize course of.

$tag = "$($env:ProgramData)LenovoThinkBiosConfigThinkBiosConfig.tag"
$arg = '"file=ThinkPadBiosConfig.ini" "key=secretkey"'
$log = '"log=%ProgramDatapercentLenovoThinkBiosConfig""'

strive {
    if (!(Check-Path -Path $tag -PathType Leaf)) {
        Write-Host "Creating TBCT listing..."
        New-Merchandise -ItemType File -Path $tag -Pressure -ErrorAction Cease
        Set-Content material -Path $tag -Worth "Bios Settings Configured"
        Write-Host "Tag file created..."

        Begin-Course of cmd.exe -ArgumentList "/C ThinkBiosConfig.hta $arg $log" -NoNewWindow -Wait
        Write-Host "Bios Settings Configured"
        Exit 3010
    else {
        Write-Host "Bios Settings already configured..."
        Exit 0
catch [System.IO.IOException] {
    Write-Host "$($_.Exception.Message)"
catch {
    Write-Host "$($_.Exception.Message)"

Your listing ought to have 3 objects

Create/Add the Win32 App

We’ll use the Win32 Content material Prep instrument to create an .intunewin file that might be uploaded to Intune.

As soon as the .intunewin file has been created, signal into the MEM admin middle and create a brand new Home windows shopper app.  Select Home windows app (Win32) for the app sort and choose the .intunewin package deal file to add.

Specify the App Info

Enter the Set up command:

powershell.exe -NoProfile -ExecutionPolicy Bypass -File .Set-BiosSettings.ps1

and Uninstall command:

cmd.exe /c del %ProgramDatapercentLenovoThinkBiosConfigThinkBiosConfig.tag

Set Working system structure to 64-bit and Minimal working system to Home windows 10 1607

Add a Registry requirement sort rule to verify the goal system is Lenovo (Non-compulsory)


Worth identify: SystemManufacturer

Registry key requirement: String comparability

Operator: Equals


Add a File sort rule to verify for the presence of the tag that will get created by the PowerShell script.  We’ll use this for the detection technique.

Path: %ProgramDatapercentLenovoThinkBiosConfig

File or folder: ThinkBiosConfig

Detection technique: File or folder exists

Lastly, Overview + Save to create the brand new app and deploy to a System Group.  

On my take a look at machine, I see toast notifications that present the BIOS has been configured and to reboot.

The instrument generates a log file so right here you may see my Supervisor password has been validated with the encrypting key and the settings have been utilized efficiently

Extra Notes:

  • You possibly can mix settings throughout totally different merchandise right into a single .ini and apply them to your entire units which use the identical BIOS password (just one password might be specified per .ini file).  There could also be a BIOS setting from one system with a price of Enabled whereas one other system’s worth is Allow.  For instance: LockBIOSSetting,Allow vs. LockBIOSSetting,Enabled If one would not apply to a tool, it’ll merely skip it.
  • For those who select to deploy this as a Required app for Autopilot units, the dreaded reboot throughout ESP will happen, ensuing within the additional person login.

Supply hyperlink

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles