CCMEXEC.COM – Enterprise Mobility

Configuring Dell BIOS using built-in support in Intune

Posted on April 15, 2024 by Jörgen Nilsson

The April Intune release introduced a new feature that makes it possible to configure Dell BIOS by deploying a CCTK file using Intune. Intune also has the built-in capability to create a unique BIOS password for each Dell computer and store it in Intune, like LAPS for BIOS passwords. The policy is applied on the device by a new Dell application that must be installed on the device for the policy to work: Dell Command | Endpoint Configure for Microsoft Intune (DCECMI).
This post will cover:

  1. Prerequisites
  2. Deploy the DCECMI application.
  3. Configuring the policy
  4. Retrieving the BIOS Password
  5. Troubleshooting
  6. Conclusion

When deploying the BIOS password keep the following in mind:

  • The BIOS password can be retrieved using Graph even if the device is deleted from Intune.
  • The BIOS password cannot be changed on the device manually, even after entering the correct password. It can only be removed using an Intune policy.
  • Deleting the device from Intune does NOT remove the BIOS password from the device. Deploy a Dell BIOS configuration policy with the option to manage BIOS passwords set to NO to remove the password before deleting the device.
  • To use the password feature, the device cannot have an existing BIOS password configured.
  • When deleting and re-deploying a Dell computer, the old BIOS password is still in use, as it cannot be changed once a password is set!

Prerequisites

To start using the Dell BIOS policy the following prerequisites are required.

  • Download and install the Dell Command | Update application, which can be found here: https://www.dell.com/support/kbdoc/en-us/000177325/dell-command-update. It is used to create the BIOS configuration file .CCTK used by the policy.

Create the BIOS policy that is to be deployed using the Dell Client Configuration Toolkit.

  • Download .NET 6.0 Runtime x64 (latest version recommended), which is required by the DCECMI application, if you don’t already have it as a Win32app in Intune or deployed to all devices.
  • Download the Dell Command | Endpoint Configure for Microsoft Intune (DCECMI) application. It must be installed on all devices before deploying the Dell BIOS configuration profile. The application acts as a broker for the Intune policy and applies the policy and the BIOS password (if selected in the policy).
  • Create a Win32 App with the Dell Command | Endpoint Configure for Microsoft Intune application. A comprehensive guide to how it works can be found here: Support for Dell Command | Endpoint Configure for Microsoft Intune | Documentation | Dell US

Deploy the DCECMI application.

To deploy the DCECMI application do the following:

  • Launch the file downloaded with the DCECMI application, in my case Dell-Command-Endpoint-Configure-for-Microsoft-Intune_T88X8_WIN_1.2.0.76_A00.EXE.

Select Extract to extract the DCECMI.msi file.

Then we have our DCECMI.msi file ready to create a Win32app package.

  • Create a Win32app using IntuneWinAppUtil.exe containing the DCECMI.msi.
  • Create a Win32app in Intune and select the IntuneWin file that was created using the Win32 Content Prep Tool.

The standard install string generated for .MSI files will work just fine.

Add .NET 6 Runtime x64 as a dependency as shown below, or make sure it is already installed.

Deploy the newly created app to a test Entra group with your test devices. Be sure to test this out, especially the BIOS password feature, before deploying it in your organization.

Configuring the policy

When configuring the policy we supply the .CCTK file we created earlier and select whether we want Intune to manage the BIOS password of the devices. At the time of writing, the “BIOS Configurations and other settings” profile must be created from Configuration Profiles under Device, Windows; otherwise the policy template type is not available.

In the next dialog give the policy a name:

In the next dialog we select Dell as Hardware, select if Passwords should be managed or not and supply the .CCTK file with the BIOS settings we created earlier.

Then we deploy the newly created Dell BIOS configuration policy to our test Entra group.

Important note from the Dell documentation:
“Do not modify BIOS Configuration Profiles in the Pending state!!

– If there is already an existing BIOS Configuration Profile that is deployed to the endpoint groups and the status is displayed as Pending, do not update that BIOS Configuration Profile.

– You must not update until the status transitions from Pending to Succeeded or Failure.

– Modifying may cause conflicts and subsequent BIOS Configuration Profile version failures. Sometimes, BIOS Password sync failures may occur, and you may not be able to see the newly applied BIOS Password.”

More information can be found here in the User Guide: https://dl.dell.com/content/manual52878209-dell-command-endpoint-configure-for-microsoft-intune-user-s-guide.pdf?language=en-us

During my testing I managed to get a lot of strange results when doing the above. Changing the policy when the deployment state is pending should be avoided.

Retrieving the BIOS Password

There are two Graph APIs that can be used to retrieve the BIOS passwords from Intune.

https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo('<deviceID>')

and

https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo

The output from the last command lists all passwords stored in Intune, with serial number and Entra ID as identifiers.

What happens when a device is deleted, then? Well, the BIOS password is still there, as in the picture above. But what happens if I reinstall the device again?
It will get a new Intune DeviceID, and now it cannot configure the BIOS password, as there is a password already set on the device, I assume. The same command now returns the following:

Note: Even after re-enrolling the device I cannot remove the BIOS password or change it using Intune. However it can be removed by using the CCTK.
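The lifecycle gap described above (a stored BIOS password whose device object no longer exists in Intune) can be audited by comparing the hardwarePasswordInfo list with the managed device list on serial number. This is an added example, not code from the original post; the function names, the `id`, `serialNumber` and `currentPassword` property names, the permission scopes and the sample records are assumptions.

```powershell
# Added example (not from the original post). The live calls need the
# Microsoft.Graph.Authentication module; the sample run at the bottom works offline.

function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    # Follow @odata.nextLink so large tenants are read completely.
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

function Get-BiosPasswordRecordState {
    param(
        [Parameter(Mandatory)][object[]]$PasswordInfo,   # hardwarePasswordInfo records
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$ManagedDevice  # managedDevices records
    )
    # Index currently enrolled devices by serial number (hashtable keys are case-insensitive).
    $enrolled = @{}
    foreach ($d in $ManagedDevice) {
        if ($d.serialNumber) { $enrolled[$d.serialNumber.Trim()] = $true }
    }
    foreach ($p in $PasswordInfo) {
        $serial = "$($p.serialNumber)".Trim()
        # Emit identifiers only; currentPassword is deliberately never copied to the output.
        [pscustomobject]@{
            SerialNumber = $serial
            RecordId     = $p.id
            State        = if ($enrolled.ContainsKey($serial)) { 'Enrolled' } else { 'NoManagedDevice' }
        }
    }
}

# Live use (scopes are an assumption):
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All','DeviceManagementManagedDevices.Read.All'
# $pw  = Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo'
# $dev = Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/managedDevices?$select=id,serialNumber'

# Constructed sample records (not real devices or passwords).
$pw = @(
    @{ id = '11111111-aaaa-4aaa-8aaa-000000000001'; serialNumber = 'ABC1234'; currentPassword = '<redacted>' }
    @{ id = '11111111-aaaa-4aaa-8aaa-000000000002'; serialNumber = 'XYZ9876'; currentPassword = '<redacted>' }
)
$dev = @( @{ id = '22222222-bbbb-4bbb-8bbb-000000000001'; serialNumber = 'abc1234 ' } )

# Records whose hardware still carries a BIOS password but has no Intune device object.
Get-BiosPasswordRecordState -PasswordInfo $pw -ManagedDevice $dev |
    Where-Object State -eq 'NoManagedDevice'
```

Each `NoManagedDevice` row is a machine that was deleted without first deploying the policy with password management set to NO, so it belongs on the decommissioning checklist.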

Troubleshooting

DCECMI has its own log files (we love log files) located in C:\Programdata\Dell\EndpointConfigure.

This makes troubleshooting easy. For example, if a password is already set, it is easy to find in the log files, such as the DellCommandConfigure.log file.

Conclusion

I like the simplicity of the solution: create a .CCTK file with the comprehensive tool Dell already has, Dell Command | Update.
The BIOS password is saved in the tenant forever or until the tenant is removed. It would be great to have something similar for Windows LAPS and BitLocker recovery keys as well, so they can be retrieved even if a device is deleted.
Deleting a device is probably not a good idea, as the BIOS password is left in place and cannot be removed manually, so make sure your lifecycle management has all the necessary steps.

Make sure to test everything before deploying it in production.

Some additional reading:
Manuals and Documentation for Dell Command | Endpoint Configure for Microsoft Intune Support for Dell Command | Endpoint Configure for Microsoft Intune | Documentation | Dell US

Are you using a Dell device? It is time to test it out.

8 thoughts on “Configuring Dell BIOS using built-in support in Intune”

  1. Jonas says:
    April 24, 2024 at 10:10 am

    Thanks for this! I’m new to this and have a question. When visiting the dotnet site for Download.NET 6.0 Runtime x64 I see I have 5 options, which one do I need?

  2. Bob says:
    May 2, 2024 at 6:08 pm

    I cannot get Microsoft Graph to show any results on my hardware. I am probably missing something. I am also not good with Microsoft Graph

  3. Rob says:
    May 15, 2024 at 6:23 pm

    Hello,
    I have a question. Is it possible to change the BIOS configuration via Intune policy if we have already set a BIOS password on all the machines? We are using one common BIOS password for all laptops.

    1. Jörgen Nilsson says:
      June 11, 2024 at 8:31 am

      Hi, No the requirement is that there is no password set.
      Regards,
      Jörgen

  4. Andrzej says:
    May 22, 2024 at 1:09 pm

    Hello

    Can I ask for directions?
    I set everything up in the test environment according to the instructions.
    API = Pass 100%
    Intune = Pass 100%
    But the password in BIOS is False and in API it is correct
    ============================================
    PS C:\Windows\system32> Get-Item -Path DellSmbios:\Security\IsAdminPasswordSet

    Attribute ShortDescription CurrentValue
    ——— —————- ————
    IsAdminPasswordSet Is Admin Password Set False

  5. Andrzej says:
    May 22, 2024 at 1:28 pm

    Hello
    I can ask for help
    I configured everything as in the post and everything works 100%
    I only have a problem with the API saying that the password is set, but there is no physical BIOS password on the machine. Intune policy set to NO

  6. Hans says:
    July 24, 2024 at 11:27 am

    Hi

    Also a question. How can we update the BIOS with DCU (deployed by Intune) with a fixed password?
    If I run the tool manually then I'm getting the request for a password. Otherwise the BIOS update will fail!

  7. sanjeev kumar says:
    August 30, 2024 at 7:03 pm

    I just want to install dell command update no admx..

    silent installation not working..



My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.
