With the April Intune release a new feature was released that makes it possible to configure Dell BIOS by deploying a CCTK file using Intune. Intune also has the built-in capability to create a unique BIOS password for each Dell computer and store it in Intune, like LAPS for BIOS passwords. This new policy is applied on the device using the new Dell application that must be installed on the device for the policy to work: Dell Command | Endpoint Configure for Microsoft Intune (DCECMI).
This post will cover:
- Prerequisites
- Deploy the DCECMI application.
- Configuring the policy
- Retrieving the BIOS Password
- Troubleshooting
- Conclusion
When deploying the BIOS password keep the following in mind:
- The BIOS password can be retrieved even if the device is deleted from Intune using Graph.
- The BIOS password cannot be changed on the device manually even after entering the correct password. It can only be removed using Intune Policy
- Deleting the device from Intune does NOT remove the BIOS password from the device. Before deleting the device, deploy a Dell BIOS configuration policy with the option to manage BIOS passwords set to NO so the password is removed first.
- To use the password feature the device cannot have an existing BIOS password configured.
- When deleting and re-deploying a Dell computer the old BIOS password is still being used as it cannot change if a password is set!
Prerequisites
To start using the Dell BIOS policy the following prerequisites are required.
- Download and install the Dell Command | Update application, which can be found here: https://www.dell.com/support/kbdoc/en-us/000177325/dell-command-update. It is used to create the BIOS configuration file (.CCTK) used by the policy.
Create the BIOS policy that is to be deployed using the Dell Client Configuration Toolkit.
- Download .NET 6.0 Runtime x64 (latest version recommended); it is required by the DCECMI application. You can skip this if you already have it as a Win32 app in Intune deployed to all devices.
- Download the Dell Command | Endpoint Configure for Microsoft Intune (DCECMI) application. It must be installed on all devices before deploying the Dell BIOS configuration profile, because it acts as the broker for the Intune policy and applies both the policy and the BIOS password (if selected in the policy).
- Create a Win32 App with the Dell Command | Endpoint Configure for Microsoft Intune application, a comprehensive guide to how it works can be found here: Support for Dell Command | Endpoint Configure for Microsoft Intune | Documentation | Dell US
Deploy the DCECMI application.
To deploy the DCECMI application do the following:
- Launch the downloaded DCECMI installer, in my case Dell-Command-Endpoint-Configure-for-Microsoft-Intune_T88X8_WIN_1.2.0.76_A00.EXE.
Select Extract to extract the DCECMI.msi file.
Then we have our DCECMI.msi file ready to create a Win32 app package.
- Create a Win32app using the IntuneWinAppUtil.exe containing the DCECMI.msi.
- Create a Win32 app in Intune and select the .intunewin file created with the Win32 Content Prep Tool.
The standard install string generated for .MSI files will work just fine.
Add .NET 6 Runtime x64 as a dependency as shown below, or make sure it is already installed.
Deploy the newly created app to a test Entra group with your test devices. Be sure to test this out, especially the BIOS password feature, before deploying it in your organization.
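The packaging steps above, as an added PowerShell example (not part of the original post or of Dell's tooling). It assumes IntuneWinAppUtil.exe (Win32 Content Prep Tool) sits in the current directory and that DCECMI.msi was extracted to a Source subfolder; the helper that reads the MSI ProductCode is included because the product code is what you want in the detection rule and uninstall command, and it is the piece most often filled in by hand.

```powershell
# Added example, not from the post: package DCECMI.msi as a Win32 app and derive
# the install/uninstall/detection values from the MSI itself.
# Assumptions: IntuneWinAppUtil.exe is in $PWD and DCECMI.msi is in .\Source.
$Source = Join-Path $PWD 'Source'     # folder containing only DCECMI.msi
$Setup  = 'DCECMI.msi'
$Output = Join-Path $PWD 'Output'
New-Item -ItemType Directory -Path $Output -Force | Out-Null

# -c source folder, -s setup file, -o output folder, -q quiet (no prompts)
& (Join-Path $PWD 'IntuneWinAppUtil.exe') -c $Source -s $Setup -o $Output -q

function Get-MsiProductCode {
    # Reads the ProductCode property from an MSI via the Windows Installer COM object,
    # so the Intune detection rule can be an "MSI product code" rule rather than a guess.
    param([Parameter(Mandatory)][string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
              @("SELECT Value FROM Property WHERE Property='ProductCode'"))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    return $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 1)
}

$productCode = Get-MsiProductCode -Path (Join-Path $Source $Setup)

# The standard MSI strings Intune generates; the uninstall string uses the product code.
"Install command:   msiexec /i `"$Setup`" /qn"
"Uninstall command: msiexec /x `"$productCode`" /qn"
"Detection rule:    MSI product code $productCode"
"Package:           $(Get-ChildItem -Path $Output -Filter '*.intunewin' | Select-Object -ExpandProperty FullName)"
```

Paste the three printed values into the Win32 app wizard, then add the .NET 6 Runtime app as a dependency as described above.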
Configuring the policy
When configuring the policy we supply the .CCTK file we created earlier and select whether we want Intune to manage the BIOS password of the devices. At the time of writing, the “BIOS Configurations and other settings” profile must be created from Configuration profiles under Devices, Windows; otherwise the policy template type is not available.
In the next dialog give the policy a name:
In the next dialog we select Dell as Hardware, select if Passwords should be managed or not and supply the .CCTK file with the BIOS settings we created earlier.
Then we deploy the newly created Dell BIOS configuration policy to our test Entra group.
Important note from the Dell documentation:
“Do not modify BIOS Configuration Profiles in the Pending state!!
– If there is already an existing BIOS Configuration Profile that is deployed to the endpoint groups and the status is displayed as Pending, do not update that BIOS Configuration Profile.
– You must not update until the status transitions from Pending to Succeeded or Failure.
– Modifying may cause conflicts and subsequent BIOS Configuration Profile version failures. Sometimes, BIOS Password sync failures may occur, and you may not be able to see the newly applied BIOS Password.”
More information can be found here in the User Guide: https://dl.dell.com/content/manual52878209-dell-command-endpoint-configure-for-microsoft-intune-user-s-guide.pdf?language=en-us
During my testing I got a lot of strange results when doing this; changing the policy while the deployment state is pending should be avoided.
Retrieving the BIOS Password
There are two Graph API endpoints that can be used to retrieve the BIOS passwords from Intune:
https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo('<deviceID>')
and
https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo
The output from the last command lists all passwords stored in Intune, with the serial number and Entra device ID as identifiers.
What happens when a device is deleted, then? Well, the BIOS password is still there, as in the picture above. But what happens if I reinstall the device again?
It will get a new Intune device ID, and now it cannot configure the BIOS password, I assume because a password is already set on the device. The same command now returns the following:
Note: Even after re-enrolling the device I cannot remove the BIOS password or change it using Intune. However it can be removed by using the CCTK.
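The two Graph calls above, wrapped in a PowerShell function, plus the lifecycle check the warning list at the top of the post calls for (confirm Intune no longer holds a password for a device before you delete it). This is an added example, not code from the post or from Dell or Microsoft. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account has the DeviceManagementManagedDevices.Read.All permission (assumption; confirm against the Graph permission reference for hardwarePasswordInfo), and that the beta resource exposes id, serialNumber and currentPassword properties (assumption based on the beta schema; adjust if your tenant returns different names).

```powershell
# Added example, not from the post: read Intune-managed Dell BIOS passwords over Graph
# and guard device deletion. Assumes Microsoft.Graph.Authentication is installed and the
# account holds DeviceManagementManagedDevices.Read.All (permission name is an assumption).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

function Get-DellBiosPasswordInfo {
    # Without -DeviceId: lists every stored password (paged collection, nextLink followed).
    # With -DeviceId: the single-device form hardwarePasswordInfo('<deviceID>').
    param([string]$DeviceId)
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo'
    if ($DeviceId) { $uri += "('$DeviceId')" }
    $result = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        if ($DeviceId) { $result += $page } else { $result += $page.value }
        $uri = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
    } while ($uri)
    return $result
}

function Test-SafeToDelete {
    # Returns $false while Intune still holds a BIOS password for the serial number.
    # The post notes the password stays on the device after deletion, so the policy with
    # "manage BIOS passwords" = No must have run (and the record cleared) before deleting.
    param([Parameter(Mandatory)][string]$SerialNumber)
    $match = Get-DellBiosPasswordInfo | Where-Object { $_.serialNumber -eq $SerialNumber }
    if ($match -and $match.currentPassword) {
        Write-Warning "Intune still holds a BIOS password for $SerialNumber; remove it via policy before deleting the device."
        return $false
    }
    return $true
}

# Usage: list what the tenant holds, then check one device before deletion.
Get-DellBiosPasswordInfo | Select-Object id, serialNumber, currentPassword | Format-Table -AutoSize
Test-SafeToDelete -SerialNumber 'EXAMPLE-SERIAL'   # constructed placeholder serial number
```

Because the record survives device deletion (as shown above), the list form is also the way to recover a password for a device that is no longer in Intune; search it by serial number rather than by the old device ID.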
Troubleshooting
DCECMI has its own log files (we love log files) located in C:\ProgramData\Dell\EndpointConfigure.
This makes troubleshooting easy; for example, if a password is already set, the failure is visible in the log files. Below is a screenshot from the DellCommandConfigure.log file.
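When Intune and the device disagree about whether a BIOS password is set (the situation described in the comments below, and the "password already set" failure mentioned above), it helps to read the on-device state and the DCECMI log together. This added PowerShell example is not from the post or from Dell; it assumes the Dell Command | PowerShell Provider (DellBIOSProvider module) is installed on the device, uses the log folder named above, and matches log lines on the word "password" as an assumption about the log wording.

```powershell
# Added example, not from the post: reconcile on-device BIOS password state with the DCECMI logs.
# Assumes the DellBIOSProvider module is installed; run in an elevated session on the Dell device.
Import-Module DellBIOSProvider -ErrorAction Stop

function Get-DellBiosPasswordState {
    # $true when a BIOS admin password is set on this device, $false otherwise
    # (same attribute the Get-Item command in the comments reads).
    $item = Get-Item -Path 'DellSmbios:\Security\IsAdminPasswordSet'
    return ($item.CurrentValue -eq 'True')
}

function Get-DcecmiPasswordLogLines {
    # Most recent password-related lines across all DCECMI logs. The 'password' keyword is an
    # assumption about Dell's log wording; widen the pattern if your logs use other terms.
    param(
        [string]$LogPath = 'C:\ProgramData\Dell\EndpointConfigure',
        [int]$Last = 20
    )
    Get-ChildItem -Path $LogPath -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'password' |
        Select-Object -Property Filename, LineNumber, Line -Last $Last
}

if (Get-DellBiosPasswordState) {
    'BIOS admin password IS set on this device. If Intune shows no password for it, the password pre-dates the policy or survived a re-enrollment, and per the post it can only be cleared with CCTK.'
} else {
    'No BIOS admin password is set on this device. If Intune reports one, look for sync failures in the log lines below.'
}
Get-DcecmiPasswordLogLines | Format-Table -AutoSize -Wrap
```

Compare the first line of output with what Get-DellBiosPasswordInfo returns for the same serial number in Intune; a mismatch in either direction points at a password that was set outside the policy or at a password sync that failed during a Pending-state change.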
Conclusion
I like the simplicity of the solution: create a .CCTK file with the comprehensive tool Dell already has, Dell Command | Update.
The BIOS password is saved in the tenant forever, or until the tenant is removed. It would be great to have something similar for Windows LAPS and BitLocker recovery keys so they can be retrieved even if a device is deleted.
Deleting a device is probably not a good idea, as the BIOS password is left in place and cannot be removed manually, so make sure your lifecycle management includes all the necessary steps.
Make sure to test everything before deploying it in production.
Some additional reading:
Manuals and documentation for Dell Command | Endpoint Configure for Microsoft Intune: Support for Dell Command | Endpoint Configure for Microsoft Intune | Documentation | Dell US
Are you using Dell devices? It is time to test it out.
Thanks for this! I’m new to this and have a question. When visiting the dotnet site for Download.NET 6.0 Runtime x64 I see I have 5 options, which one do I need?
I cannot get Microsoft Graph to show any results on my hardware. I am probably missing something. I am also not good with Microsoft Graph
Hello,
I have a question. Is it possible to change BIOS configuration via Intune policy if we already set a BIOS password on all the machines? We are using one common BIOS password for all laptops.
Hi, No the requirement is that there is no password set.
Regards,
Jörgen
Hello
Can I ask for directions?
I set everything up in the test environment according to the instructions.
API = Pass 100%
Intune = Pass 100%
But the password in BIOS is False and in API it is correct
============================================
PS C:\Windows\system32> Get-Item -Path DellSmbios:\Security\IsAdminPasswordSet

Attribute           ShortDescription       CurrentValue
---------           ----------------       ------------
IsAdminPasswordSet  Is Admin Password Set  False
Hello
I can ask for help
I configured everything as in the post and everything works 100%
I only have a problem with the API saying that the password is set, but there is no physical BIOS password on the machine. Intune policy set to NO
Hi
Also a question. How can we update the BIOS with DCU (deployed by Intune) with a fixed password?
If I run the tool manually then I'm getting the request for a password. Otherwise the BIOS update will fail!