This is the hub post for my BIOS configuration scripts. There are two groups of scripts: the original task-sequence and interactive scripts built for ConfigMgr/MDT imaging, and the newer Intune Remediations built for continuous, agent-style management. The content below is grouped by how you deploy it.
The two script types
- BIOS Management Scripts v2 Released - the original scripts; designed for interactive use or Configuration Manager integration.
- Managing BIOS Passwords and Settings with Intune - the new scripts; designed for Intune remediations.
Managing BIOS with Intune
The Intune scripts run as recurring detection/remediation pairs that enforce BIOS state continuously and report per-device results. Read these in order.
- Managing BIOS Passwords and Settings with Intune - series overview: the design, the delivery model, and steps to implement.
- Setting up BIOS password certificates in Intune - create the document-encryption certificate, deploy its private key to devices, and build CMS-encrypted payloads.
- BIOS password management with Intune Remediations - the detection and remediation roles, password versioning, rotation, clearing, and recovery.
- BIOS settings management with Intune Remediations - the desired-state table, per-setting markers, drift detection, and profiles.
- Reference and troubleshooting - detailed reference for the registry markers, output strings, and parameters, plus troubleshooting information.
Reporting
- Reporting on BIOS management with Intune - the single-line status output, reading results in the Intune console, and exporting to CSV with no extra infrastructure.
- Setting up Log Analytics for Intune BIOS reporting - the one-time Azure setup for pushing structured per-device data to a workspace.
- Querying BIOS fleet data with Log Analytics and KQL - the two-table data model, cost controls, and KQL reporting examples.
Task Sequence & Interactive Scripts
The original scripts, run during imaging or on demand. For most vendors there are two variants: one using the vendor’s PowerShell module, and one using WMI directly with no module dependency.
Dell
- Dell BIOS Password Management - DellBIOSProvider
- Dell BIOS Password Management - WMI
- Dell BIOS Settings Management - DellBIOSProvider
- Dell BIOS Settings Management - WMI
- Working with the Dell Command | PowerShell Provider
HP
- HP BIOS Password Management
- HP BIOS Password Management (HPCMSL)
- HP BIOS Settings Management
- HP BIOS Settings Management (HPCMSL)
- Installing the HP Client Management Script Library
Lenovo
Securing BIOS Passwords
How to deliver a BIOS password to the task-sequence scripts without exposing it in plain text. This is the same CMS mechanism used in the Intune scripts.
- Securing BIOS Passwords in Unattended Deployments - delivering the password safely under ConfigMgr and task sequences using the built-in CMS support.
- Document Encryption Certificates for BIOS Password Management - creating and managing the document-encryption certificate that CMS relies on.
Downloads
- BIOS Management - Example Task Sequences - downloadable example task sequences showing the scripts in a real deployment.