Managing BIOS with Intune on Jon's Notes

Managing BIOS Passwords and Settings with Intune

Mon, 01 Jun 2026 00:00:00 +0000

My Dell, HP, and Lenovo BIOS password and settings scripts have primarily been built for use with traditional device management tools like Microsoft Configuration Manager. This post introduces a new set of scripts designed specifically for Intune. These scripts are designed around the Intune Remediations feature. The goal is to manage BIOS passwords and settings continuously, with no module dependencies, and no plain-text passwords.

The scripts can be downloaded from my GitHub. https://github.com/ConfigJon/Firmware-Management

Setting up BIOS password certificates in Intune

Tue, 02 Jun 2026 00:00:00 +0000

This is the first deep dive in the Managing BIOS with Intune series. The goal here is to get from nothing to password material that is ready to deploy as an Intune remediation. That means three things, in order:

A document-encryption certificate, with its private key delivered to devices.
BIOS passwords encrypted to that certificate as CMS files.
Those CMS files embedded into a remediation script.

The actual password and settings remediations are covered in the next two posts. This one is everything that has to be in place first.

BIOS password management with Intune Remediations

Wed, 03 Jun 2026 00:00:00 +0000

This is the second deep dive in the Managing BIOS with Intune series. The first post, Setting up BIOS password certificates in Intune, got the certificate onto devices and embedded the CMS-encrypted passwords into a deployable remediation script. This post details the password script logic and how to deploy the password scripts via an Intune remediation.

This post assumes you’ve completed the certificate post and have built a remediation script (with the payload embedded) plus its matching detection script.

BIOS settings management with Intune Remediations

Thu, 04 Jun 2026 00:00:00 +0000

This is the third deep dive in the Managing BIOS with Intune series. It applies the same detection-and-remediation model from the password management post to BIOS settings. The goal is to keep devices at a desired BIOS configuration, detecting drift, and reporting on it.

The deployment mechanics (creating the remediation, running as SYSTEM in 64-bit, assigning to a device group) are identical to the password post, so this post focuses on what’s different about settings: defining the desired state, the per-setting marker model, and the dependency on password management (and how to opt out of it).

BIOS management with Intune: reference and troubleshooting

Mon, 08 Jun 2026 00:00:00 +0000

This is the reference post for the Managing BIOS with Intune series. It is not part of the setup walkthrough. If you are deploying the solution, follow the deep-dive posts in order; come here when you need to look up a status line, understand the registry markers, decode a FailReason, or troubleshoot a device that isn’t behaving as expected.

The registry markers

A recurring remediation has to remember what it has done between runs, because the BIOS can only report whether a password is set, not which version. The scripts bridge that gap with registry markers under HKLM:\SOFTWARE\ConfigJonScripts\FirmwareManagement\.