Omnia/Azure-Dell-BIOS-Password-Solution
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updates to requirements

Browse Source
This commit is contained in:
samsamfin
2026-05-05 10:27:57 +00:00
parent 49ac7e4a44
commit 2487fcc969
1 changed files with 53 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
readme.md
+53 -18
View File
@@ -1,28 +1,63 @@
# Requirements
- **Dell Command | Monitor** or **Dell Command | Update** deployed to the endpoints.
# Dell BIOS Admin Password Management via Intune
# Instructions
Create an Azure storage account, and a new container inside it. Generate SAS url for it. Inside the container, you will upload two Base64 encoded .txt files - one containing the current BIOS password, and the other with all known previous passwords, and one blank line to handle devices without BIOS password. As passwords change over the years, the new and old ones will be updated to both of the .txt files in the storage account.
Manages Dell BIOS Admin password across the fleet using Intune Remediation scripts and Azure Blob Storage. No third-party Dell software required.
Intune will handle the logic with a remediation script pair.
## How it works
The solution uses Dell's native WMI security interface (`root\dcim\sysman\wmisecurity`), specifically the `PasswordObject` and `SecurityInterface` WMI classes. These are exposed directly by Dell UEFI firmware via Windows' built-in ACPI WMI bridge driver (`wmiacpi.sys`) — **no Dell Command | Monitor or Dell Command | Update installation is needed**.
> **Note:** The `root\dcim\sysman\wmisecurity` namespace will **not** be present on generic virtual machines (Hyper-V, Azure, VMware) that lack a real Dell UEFI firmware profile. The solution targets physical Dell endpoints only.
## Requirements
- Physical Dell endpoint with UEFI firmware (modern Dell business/consumer hardware)
- Windows 10/11 (wmiacpi.sys included by default)
- Network access to Azure Blob Storage from the endpoint
- Intune Remediation (requires Intune P1 license or Intune Suite)
~~Dell Command | Monitor or Dell Command | Update~~ *(not required)*
## Instructions
Create an Azure storage account and a new container inside it. Generate a SAS URL for it. Inside the container, upload two Base64-encoded `.txt` files:
- `current-content.txt` — the current BIOS Admin password (Base64 encoded)
- `old-content.txt` — all known previous passwords, one per line (Base64 encoded), plus one blank line to handle devices with no BIOS password currently set
As passwords change over the years, update both files in the storage account accordingly.
Intune handles the enforcement logic via a detection/remediation script pair.
## Azure configuration
First, create a storage account and generate the SAS for it. Upload both of the files and figure out the URL for both of them.
### SAS url
`https://stitbiosmgmt.blob.core.windows.net/mgmt?sp=r&st=2026-02-26T08:55:03Z&se=2036-02-26T17:10:03Z&spr=https&sv=2024-11-04&sr=c&sig=lBtObK2UmF3nzLvN4%2Biu1X9H6nC0Tc%2BRgvW0hM4eq9U%3D`
Create a storage account and generate a SAS token scoped to the container with at least **read** (`sp=r`) permissions. Upload both password files and note the full blob URLs for each file (used directly in the scripts).
### Example SAS URL (container level)
```
https://stitbiosmgmt.blob.core.windows.net/mgmt?sp=r&st=2026-02-26T08:55:03Z&se=2036-02-26T17:10:03Z&spr=https&sv=2024-11-04&sr=c&sig=lBtObK2UmF3nzLvN4%2Biu1X9H6nC0Tc%2BRgvW0hM4eq9U%3D
```
## Intune configuration
### Remediation script
|Setting|Value|
### Remediation script pair
| Setting | Value |
|:--|:--|
|Name|Dell BIOS Admin Password|
|Detection script|Detect-BiosPassword.ps1|
|Remediation script|Remediate-BiosPassword.ps1|
|Run this script using the logged-on credentials|No (run as System)|
|Enforce script signature check|No (unless you sign your scripts)|
|Run script in 64-bit PowerShell|Yes|
|Schedule|Daily or every 1 hour depending on urgency|
| Name | Dell BIOS Admin Password |
| Detection script | `Dell-BIOSPassword-Detection.ps1` |
| Remediation script | `Dell-BIOSPassword-Remediation.ps1` |
| Run this script using the logged-on credentials | No (run as System) |
| Enforce script signature check | No (unless you sign your scripts) |
| Run script in 64-bit PowerShell | Yes |
| Schedule | Daily, or every 1 hour depending on urgency |
### Entra ID Group for deployment
Intune - Azure Dell BIOS Password Solution
`Intune - Azure Dell BIOS Password Solution`
This group should be scoped to Dell physical endpoints only. A dynamic device group rule filtering on manufacturer can be used:
```
(device.deviceManufacturer -eq "Dell Inc.")
```