Dell BIOS Admin Password Management via Intune
Manages Dell BIOS Admin password across the fleet using Intune Remediation scripts and Azure Blob Storage. No third-party Dell software required.
How it works
The solution uses Dell's native WMI security interface (root\dcim\sysman\wmisecurity), specifically the PasswordObject and SecurityInterface WMI classes. These are exposed directly by Dell UEFI firmware via Windows' built-in ACPI WMI bridge driver (wmiacpi.sys) - no Dell Command | Monitor or Dell Command | Update installation is needed.
Note: The root\dcim\sysman\wmisecurity namespace will not be present on generic virtual machines (Hyper-V, Azure, VMware) that lack a real Dell UEFI firmware profile. The solution targets physical Dell endpoints only.
Requirements
- Physical Dell endpoint with UEFI firmware (modern Dell business/consumer hardware)
- Windows 10/11 (wmiacpi.sys included by default)
- Network access to Azure Blob Storage from the endpoint
- Intune Remediation (requires Intune P1 license or Intune Suite)
Instructions
Create an Azure storage account and a new container inside it. Generate a SAS URL for it. Inside the container, upload two Base64-encoded .txt files:
- current-content.txt - the current BIOS Admin password (Base64 encoded)
- old-content.txt - all known previous passwords, one per line (Base64 encoded), plus one blank line to handle devices with no BIOS password currently set
As passwords change over the years, update both files in the storage account accordingly.
Intune handles the enforcement logic via a detection/remediation script pair.
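As an added example (not the repository's own scripts), this is a remediation script in the shape described above: it reads both blob files, decodes each Base64 line, and uses SetNewPassword on the SecurityInterface class to rotate the Admin password. The blob URLs are placeholders, and the SetNewPassword argument set (NameId, OldPassword, NewPassword, SecType, SecHndCount, SecHandle) is assumed from Dell's WMI security interface documentation.

```powershell
# Dell-BIOSPassword-Remediation.ps1 (illustrative; replace the placeholder URLs with your blob URLs + SAS)
$Namespace  = 'root\dcim\sysman\wmisecurity'
$CurrentUrl = 'https://<storageaccount>.blob.core.windows.net/<container>/current-content.txt?<sas>'  # placeholder
$OldUrl     = 'https://<storageaccount>.blob.core.windows.net/<container>/old-content.txt?<sas>'      # placeholder

function Get-DecodedLines([string]$Url) {
    # Each line in the blob is a Base64-encoded password; a blank line means "no password set".
    $raw = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    foreach ($line in ($raw -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '') { ''; continue }
        [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($line))
    }
}

function Set-DellAdminPassword([string]$Old, [string]$New) {
    # Returns $true when the firmware accepts the change (Status 0); a wrong OldPassword is rejected.
    $iface = Get-CimInstance -Namespace $Namespace -ClassName SecurityInterface
    $r = Invoke-CimMethod -InputObject $iface -MethodName SetNewPassword -Arguments @{
        NameId = 'Admin'; OldPassword = $Old; NewPassword = $New
        SecType = 0; SecHndCount = 0; SecHandle = @()   # no BIOS security key (SecType 0), as assumed here
    }
    return ($r.Status -eq 0)
}

# Only run on real Dell firmware: the namespace is absent on VMs (see the note above).
$admin = Get-CimInstance -Namespace $Namespace -ClassName PasswordObject -ErrorAction SilentlyContinue |
         Where-Object NameId -eq 'Admin'
if (-not $admin) { Write-Output 'Dell WMI security namespace not found; skipping'; exit 0 }

$current = @(Get-DecodedLines $CurrentUrl)[0]

# Already compliant? Re-setting the password to itself succeeds only if $current is what the firmware holds.
if ($admin.IsPasswordSet -eq 1 -and (Set-DellAdminPassword -Old $current -New $current)) {
    Write-Output 'Admin password already current'; exit 0
}

# Walk the known previous passwords; the blank entry covers devices with no password set.
foreach ($old in Get-DecodedLines $OldUrl) {
    if (Set-DellAdminPassword -Old $old -New $current) {
        Write-Output 'Admin password rotated to current value'; exit 0
    }
}
Write-Output 'No known previous password matched; device needs manual attention'; exit 1
```

The same Set-DellAdminPassword call with Old equal to New is what a detection script can use to report compliance (exit 0) or trigger remediation (exit 1), since the firmware exposes no direct way to read or compare the stored password.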
Azure configuration
Create a storage account and generate a SAS token scoped to the container with at least read (sp=r) permissions. Upload both password files and note the full blob URLs for each file (used directly in the scripts).
Example SAS URL (container level)
https://stitbiosmgmt.blob.core.windows.net/mgmt?sp=r&st=2026-02-26T08:55:03Z&se=2036-02-26T17:10:03Z&spr=https&sv=2024-11-04&sr=c&sig=lBtObK2UmF3nzLvN4%2Biu1X9H6nC0Tc%2BRgvW0hM4eq9U%3D
Intune configuration
Remediation script pair
| Setting | Value |
|---|---|
| Name | Dell BIOS Admin Password |
| Detection script | Dell-BIOSPassword-Detection.ps1 |
| Remediation script | Dell-BIOSPassword-Remediation.ps1 |
| Run this script using the logged-on credentials | No (run as System) |
| Enforce script signature check | No (unless you sign your scripts) |
| Run script in 64-bit PowerShell | Yes |
| Schedule | Daily, or every 1 hour depending on urgency |
Entra ID Group for deployment
Intune - Azure Dell BIOS Password Solution
This group should be scoped to Dell physical endpoints only. A dynamic device group rule filtering on manufacturer can be used:
(device.deviceManufacturer -eq "Dell Inc.")